
Journal of Computing, Volume 2, Issue 7, July 2010, ISSN 2151-9617

HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 17

3-Way Handshake Approach towards Secure Authentication Schemes

Gaurav Kumar Tak, Ashok Rangnathan and Pankaj Srivastava

Abstract—Computer crime can easily be defined as criminal activity that involves an information technology infrastructure, including illegal access (unauthorized access), illegal interception, data interference (unauthorized damaging, deletion, deterioration, alteration or suppression of computer data), unethical access to information and web services, disturbance of social peace, systems interference (interfering with the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data), misuse of devices, forgery (ID theft), and electronic fraud. This paper introduces a new methodology against intruders as well as phishing attackers. The proposed methodology is based on the 3-way handshake concept between the end user and the online portal server. It provides a secure environment for online transactions using 3 layers: the 1st layer is username and password authentication, and the 2nd and 3rd layers are cross validation via e-mail and SMS respectively.

Index Terms—Cross Validation, e-mail, Handshake, Phishing.

1 INTRODUCTION
In the field of computer security or network security, hacking is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords, security keys and credit card (or debit card, master card) details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment gateways or IT administrators are commonly used to lure the unsuspecting public.
A secure system depends upon the following factors: Confidentiality, Authenticity, Integrity and Non-Repudiation, constituting the acronym “CAIN” [10]. IP spoofing (usurping the IP address of a certain PC), TCP (transmission control protocol) hijacking (interception of a TCP session), ARP spoofing (re-linking the network traffic from one or more PCs to the PC of the malefactor) and DNS (Domain Name System) spoofing (basically DNS IP spoofing and DNS cache poisoning) are the common attacks over any type of network [1], [2].

————————————————
• Gaurav Kumar Tak is with the Department of Information and Communication Technology, ABV-Indian Institute of Information Technology and Management, Gwalior (M.P.), INDIA.
• Alok Ranjan is with the Department of Information and Communication Technology, ABV-Indian Institute of Information Technology and Management, Gwalior (M.P.), INDIA.
• Rajeev Kumar is with the Department of Information and Communication Technology, ABV-Indian Institute of Information Technology and Management, Gwalior (M.P.), INDIA.
• Ashok Rangnathan is with the Department of Information and Communication Technology, ABV-Indian Institute of Information Technology and Management, Gwalior (M.P.), INDIA.
• Pankaj Srivastava is with the Department of Applied Sciences, ABV-Indian Institute of Information Technology and Management, Gwalior (M.P.), INDIA.

2 RELATED WORK
Many scientists and researchers have proposed several schemes to secure the password and to prevent external attacks, but so far it has proved impossible to build a completely (100%) secure system. In [11], Yang et al. presented a couple of password validation schemes based on smart cards. One validation approach uses a timestamp and the other is nonce-based. In these schemes, a user can choose a password according to its choice and can modify its password independently at any time. The remote web server does not need to maintain a directory of the users’ passwords for their validation or a verification table of authenticated users, and the login validation can be carried out without the involvement of a third party.
An OTP card scheme was also proposed to provide the security of authentication. It generates single-time passwords and single-time password sheets; a laptop armed with the protocols of secure validation also shows good transparency [12]. But this scheme has its own limitations.
Chan and Cheng (2001) introduced some vulnerabilities of the YS scheme to forgery attacks. They focused on the attackers’ approach that an attacker can
easily be successful in forging a login request from an intercepted previous login request to pass the validation of the web server [13].
In [14], Chen et al. presented a new attack on the system which is based on Fan’s scheme. They also showed that the system is still not secure against some forgery attacks even if all the ID formats are blocked.
Sun et al. proved that the YS scheme is secure against Chan and Cheng’s forgery attack [15]. They also described a new and effective forgery attack on the YS scheme [16].
The methodologies presented in [17], [18], [19] use passwords that are extremely easy to remember, but they are not very secure because eavesdropping attacks can easily break the passwords. Some cryptography research tried to solve this issue, but the methodologies proposed are either not safe or not efficient [20], [21]. In paper [22], Richter et al. proposed a safety mechanism against shoulder surfing, but the given mechanism is also not always able to protect users against eavesdropping adversaries.

3 PROBLEM DESCRIPTION
Generally, in password validation schemes, every authorized user has its own personal identity representing its personal existence in the system and a password corresponding to the user identity. Identity and password are both stored in the password table maintained at the server. This table is confidential and should be protected from external attacks. During the authentication of a user in the system, the details input by the user (identity/username/userid and password) are validated with the help of the password table. The traditional password scheme works. However, it can be awfully dangerous if the password is somehow revealed.
Now we consider the problem of secure access or login to e-banking systems, e-commerce and payment gateway services (credit card, debit card, master card details) as well.
In this paper, we propose a new technique for providing a secure system as well as stopping phishing attacks by introducing the concept of the 3-Way Handshake Approach using SMS and email. It provides a secure environment using 3 layers: the 1st layer is username and password, the 2nd layer is email and the 3rd layer is SMS. This 3-Way Handshake Approach methodology provides a secure environment for transactions taking place through online portals and detects phishing websites by using the encrypted key method.

2 PROPOSED METHODOLOGY AND IMPLEMENTATION
The proposed methodology is called the 3-Way Handshake Approach because it provides a secure environment using 3 layers: the 1st layer is based on username and password authentication, and the 2nd and 3rd layers are based on email and SMS cross validation respectively. In the proposed scheme, at the time of registration, the user registers its email id and contact number along with the other details.
The proposed methodology also provides a secure environment against phishing attackers.
The proposed scheme works in the following 2 phases:
1. Registration Phase: At the time of online account registration, the user is asked to enter its primary contact number and primary email id, which are to be used by the secure 3-Way Handshake Approach methodology for securing the transactions. In case of a change of primary email id or primary contact number, the user has to update the changes with the website. The user also needs to answer a private question at the time of registration, which will be used in the alternate approaches of the 3-Way Handshake Approach methodology.
2. Login Phase: At the time of login, the user needs to enter his username and password and needs to select one of the following three options:
1. Send encrypted keys on email and SMS
2. Send the key on email and private question
3. Send the key on SMS and private question

1. Send encrypted keys on email and SMS: The user enters his correct username and password and receives an encrypted key on his email as well as by SMS. The encryption procedure is as follows: the encrypted key sent via email has alternate characters revealed, and the characters which are not revealed are marked by ‘#’. The SMS sent to the user has those characters visible which were not revealed by the encrypted key in the email, and has those characters marked by ‘#’ which were revealed by the email. For instance, if the encrypted key sent via email is G#E#T#U# and the key received via SMS is *R*A*G*Y, then G#E#T#U# and *R*A*G*Y together need to be decrypted to form ‘GREATGUY’. The user needs to enter this decrypted key to log in as an authenticated user.

2. Send the key on email and private question: At the time of login, if the mobile phone of the person is temporarily not operational, the proposed methodology has an alternate approach which is relatively less secure. In this alternate
approach, the user enters his correct username and password and receives a key on his email. The user has to enter this key and give the same answer to the private question asked during the registration phase to log in as an authenticated user. This method is less secure as the key is sent without encryption.

3. Send the key on SMS and private question: At the time of login, if the email cannot be sent due to a temporary problem with the email service, the proposed methodology has an alternate approach which is less secure. In this alternate approach, the user enters his correct username and password and receives a key on his mobile phone corresponding to the contact number used at the time of registration. The user has to enter this key and give the same answer to the private question asked during the registration phase to log in as an authenticated user. This method is less secure as the key is sent without encryption.

Fig. 2. Screen when user receives encrypted keys and enters the decrypted key

We have implemented the 3-Way Handshake Approach using HTML, script languages, AJAX, XML, MySQL and JavaScript for the online transaction portal and recorded all activities of the genuine user and the intruder over the portal. We have analyzed all security aspects of the online transaction.

3 SECURITY ANALYSIS AND DISCUSSIONS
In this section, the security of the proposed methodology is examined. In the proposed methodology, after the user selects one of the 3 options, the key is sent via email and/or SMS, a box is displayed for entering the decrypted key, and/or the private question is displayed together with a box for its answer. These functions are accomplished using AJAX and XML technology, which provides a secure communication between the website and the confidential database.
The encrypted key is randomly generated every time the user logs in and is stored against the user in a temporary database at the server. The key is destroyed after the transaction session is over.
Fig. 1. Screen when user enters valid username and password

The 3-Way Handshake Approach provides security in the following ways:
1. Prevents intruders’ attacks on the user’s transactions: If an intruder tries to log in with the username and password of a user, he will not be able to log in, as he does not know the email id of the user to which the encrypted key is sent and does not have access to the mobile phone of the user to which the encrypted key is sent. The intruder needs access to both the email id and the mobile phone of the user to be able to log in successfully. Thus he will not be able to enter the decrypted key and log in as an authenticated user. If the intruder tries to log in using the alternate approaches, he will not be able to log in because he does not know the answer to the private question of the user. Even if he answers the private question correctly, he would not be able to log in, as he does not know the email id of the user and does not have the mobile phone of the user.
2. Verifies whether the website is a genuine website or a phishing website: If the website is a phishing website, then it cannot access the confidential database for the email id and contact number that the original site accesses for sending the encrypted key.

Fig. 3. User performs account registration for the online portal
Fig. 4. User logs in into the secure website
Fig. 5. Intruder logs in into the secure website
Fig. 6. In case of phishing website

4 CONCLUSION AND LIMITATION
Currently phishing attacks are very common because they can attack globally and capture and store the users’ confidential information. This information is used by the attackers (who are indirectly involved in the phishing process). In this paper, the 3-way Handshake approach provides a more secure platform to the end users for their online transactions. In this methodology, attackers can’t attack the email and SMS simultaneously. Information stealing will be minimized and more secure communication (transmission) will occur using the proposed methodology. If any intruder wants to peek into the transmission of the confidential data, he will not be able to recognize the patterns of the encrypted data. So the data will be more secure. The proposed methodology is useful to prevent the attacks of intruders as well as phishing websites on financial web portals, payment gateway portals, banking portals and e-shopping markets (e.g. eBay, PayPal, etc.). We can also work on survey analysis of the data generated using the concept of the proposed methodology.
The above methodology needs more hardware for its implementation. Thus, it increases the workload of the mail server as well as the SMS server. Owing to the higher hardware specification, the cost of implementation of the proposed methodology is relatively higher.

ACKNOWLEDGEMENT
The authors would like to thank ABV-Indian Institute of Information Technology and Management, Gwalior for the kind support provided for this work.

REFERENCES
[1] G. Ollmann, “The Phishing Guide: Understanding & Preventing Phishing Attacks,” NGS Software Insight Security Research.
[2] W. D. Yu, S. Nargundkar and N. Tiruthani, “A phishing vulnerability analysis of web based systems,” Computers and Communications, 2008. ISCC 2008. IEEE Symposium on, pp. 326-331, 6-9 July 2008.
[3] M. R. Aburrous, A. Hossain, K. Dahal and F. Thabatah, “Modelling Intelligent Phishing Detection System for E-banking Using Fuzzy Data Mining,” 2009 International Conference on CyberWorlds, pp. 265-272, 2009.
[4] S. Abu-Nimeh and S. Nair, “Bypassing Security Toolbars and Phishing Filters via DNS Poisoning,” Global Telecommunications Conference, 2008. IEEE GLOBECOM 2008, pp. 1-6, Nov. 30 2008-Dec. 4 2008.
[5] A. Alnajim and M. Munro, “An Anti-Phishing Approach that Uses Training Intervention for Phishing Websites Detection,” Proc. 2009 Sixth International Conference on Information Technology: New Generations (ITNG), April 27-29, 2009, IEEE Computer Society, Washington, DC, pp. 405-410. DOI: http://dx.doi.org/10.1109/ITNG.2009.109
[6] J. Chen and C. Guo, “Online Detection and Prevention of Phishing Attacks,” Proc. Chinacom 06.
[7] E. Naramore, J. Gerner, Y. Le Scouarnec, J. Stolz and M. K. Glass, Beginning PHP5, Apache, and MySQL Web Development, ISBN 9780764579660.
[8] PHP, AJAX, MySql and JavaScript Tutorials, http://www.w3schools.com/
[9] L. von Ahn, M. Blum, N. Hopper and J. Langford, “CAPTCHA: Using Hard AI Problems for Security,” Eurocrypt.
[10] D. N. Gedam, “RSA Based Confidentiality and Integrity Enhancements in SCOSTA-CL,” thesis report, Department of Computer Science and Engineering, Indian Institute of Technology, Kanpur, India, July 2009.
[11] W. H. Yang and S. P. Shieh, “Password authentication schemes with smart cards,” Computers & Security, 18(8), 727-733, 1999.
[12] M. Naor and B. Pinkas, “Visual authentication and identification,” Proc. Advances in Cryptology, pp. 322-336, 1999.
[13] C. K. Chan and L. M. Cheng, “Cryptanalysis of timestamp-based password authentication scheme,” Computers & Security, 21(1), 74-76, 2001.
[14] K. F. Chen and S. Zhong, “Attacks on the (enhanced) Yang–Shieh authentication,” Computers & Security, 22(8), 725-727, 2003.
[15] C. K. Chan and L. M. Cheng, “Cryptanalysis of timestamp-based password authentication scheme,” Computers & Security, 21(1), 74-76, 2001.
[16] H. M. Sun and H. T. Yeh, “Further cryptanalysis of a password authentication scheme with smart cards,” IEICE Transactions on Communications, E86-B(4), 1412-1415, 2003.
[17] Real User Corporation, “The Science Behind Passfaces,” http://www.realuser.com/published/ScienceBehindPassfaces.pdf, June 2004.
[18] R. Dhamija and A. Perrig, “Deja vu: A user study using images for authentication,” Proc. 9th USENIX Security Symposium, 2000.
[19] Y. Zhu, X. Suo and G. S. Owen, “Graphical passwords: A survey,” Proc. 21st Annual Computer Security Applications Conference, 2005.
[20] S. Li and H.-Y. Shum, “SecHCI: Secure human-computer identification (interface) systems against peeping attacks,” 2003.
[21] T. Matsumoto, “Human-computer cryptography: an attempt,” Proc. Conf. on Computer and Communications Security, pp. 68-75, 1996.
[22] T. Matsumoto, “Human-computer cryptography: an attempt,” Proc. Conf. on Computer and Communications Security, pp. 68-75, 1996.

About the Authors
Ashok Ranganathan is a student of Atal Bihari Vajpayee Indian Institute of Information Technology and Management, Gwalior, pursuing the 2nd year of B.Tech in Information Technology. His areas of research are Internet security, trust and privacy, Database management, Cloud computing and applications.

Gaurav Kumar Tak is a student of the 4th Year Integrated Post Graduate Course (B.Tech. + M.Tech. in Information and Communication Technology) in ABV-Indian Institute of Information Technology and Management Gwalior, India. His fields of research are data mining, internet security and wireless ad-hoc networks.

Dr. Pankaj Srivastava is an Assistant Professor in the area of Applied Sciences (Physics) of the Institute. He achieved his doctoral degree in physics from the physics department, Allahabad University, India. His current area of research is nanotechnology, investigating various physical properties of materials in the form of nanowires, nanoclusters and nanotubes w.r.t. electronic devices and information technology applications. Dr. Srivastava is also working in the area of Quantum Computing and Information and many other projects on nanoCMOS and nanoMOSFET technology. He has till now published more than 43 research papers in reputed international and national journals, conferences and seminars.
