International Journal of Computer Network and Information Security (IJCNIS)
IJCNIS Vol. 10, No. 5, 8 May 2018
Cover page and Table of Contents: PDF (size: 673KB)
A Novel Approach to Thwart Security Attacks on Mobile Pattern Authentication Systems
Full Text (PDF, 673KB), PP.18-27
Views: 0 Downloads: 0
Author(s)
Bh Padma
1,*
GVS Raj Kumar
2
Index Terms
Android, dictionary attacks, salt, pepper, brute-forcing, Strict Avalanche Effect, TEE, SHA-1
Abstract
Providing security to mobile devices by means of password authentication using robust cryptographic techniques is vitally important today, because they protect sensitive data. Especially for pattern locking systems of Android, there is a lack of security awareness in the people about various pre-computation attacks such as dictionary attacks, rainbow tables and brute-forcing. Hash functions such as SHA-1 are not secure for pattern authentication, because they suffer from dictionary attacks. The latest OS versions of Android such as Marshmallow make use of salted hash functions for pattern locks, but they do need additional hardware support such as TEE (Trusted Execution Environment) and a Gatekeeper function. If random salts are used for pattern passwords, they are also vulnerable, because the stored salt may be compromised and consequently the passwords can be speculated using brute-forcing. To avoid such a security breaches on pattern passwords, many methodologies have been proposed so far such as an elliptic curve based salt generation techniques. But security is never easy to obtain 100%. The attacker may perform brute-forcing successfully on pattern password hashes by gaining some information about the application. Brute-forcing becomes harder always by using longer salts and passwords and by stretching the execution time of hash generation. Therefore the current research addresses these difficulties and finds a solution to these problems by extending the existing salt generation scheme, by generating a dynamic 128-bit pepper (or a long salt) value for SHA-1 hashes to avoid such attacks without using an added hardware, for mobile computers using elliptic curves. The current scheme employs genetic algorithms to generate the pepper and finally makes brute-forcing even harder for the cryptanalysts. A comparison of this new hashing technique, with the existing techniques such as SHA-1 and salted SHA-1 with respect to brute-force analysis, Strict Avalanche Criterion and execution times is also presented in this paper.
Cite This Paper
Bh Padma, GVS Raj Kumar, "A Novel Approach to Thwart Security Attacks on Mobile Pattern Authentication Systems", International Journal of Computer Network and Information Security(IJCNIS), Vol.10, No.5, pp.18-27, 2018. DOI:10.5815/ijcnis.2018.05.03
Reference
[1]Haichang Gao, Wei Jia, Fei Ye and Licheng Ma, “A Survey on the Use of Graphical Passwords in Security”, JOURNAL OF SOFTWARE, VOL. 8, NO. 7, JULY 2013.
[2]Bh.Padma, GVS Raj Kumar, “A Review on Android Authentication system vulnerabilities”, International Journal of Modern Trends in Engineering and Research(IJMTER), volume 3, Issue 8, 2016 pp 118-123, ISSN: 2349.
[3]Sukhchain Singh,Amith Gover “Study and Analysis of Dictionary attack and Throughput in WEP for CRC-32 and SHA-1” , International Journal of Computer Applications (0975 – 8887) Volume 96– No.17, June 2014.
[4]Bh Padma, “Efficient Computation of Point Multiplication in the Implementation of Elliptic Curve Cryptograph” E - Commerce for Future &Trends,STM Journals, Jan-April, 2014,Volume 1 , Issue 1.
[5]Dr. D. Singh,P.Rani, Dr. R. Kumar ,”To design a GA for cryptography to enhance the security” ,International Journal of computer Applications, issue 2 April 2013.
[6]Noor HasnahMoin, Ong Chung Sin, and Mohd Omar, “Hybrid Genetic Algorithm with Multiparents Crossover for Job Shop Scheduling Problems”, Mathematical Problems in Engineering, Hindawi Publishing corporation, Volume 2015, Article ID 210680, http://dx.doi.org/10.1155/2015/210680.
[7]I.F. Blake, G. Seroussi, and N. P. Smart,” Elliptic Curves in Cryptography”,Number 256 in London Mathematical Society Lecture Note Series, Cambridge University Press, 1999.
[8]Bh.Padma, “Encoding and Decoding of a message in the implementation of Elliptic curve Cryptography using Koblitz Method”, International Journal On Computer Science and Engineering (IJCSE), volume-2 issue:5, 2010 pp 1904-1907, ISSN: 0975- 3397.
[9]Bh Padma,GVS Raj Kumar, “Design and Analysis of An Enhanced SHA-1 Hash Generation Scheme for Android Mobile Computers”, International Journal of Applied Engineering Research(IJAER), volume 11,Number 4, 2016, pp 2359-2363,ISSN: 0973-9769.
[10]I.F.Blake G. Seroussi, and N. P. Smart,”Advances in Elliptic Curve Cryptography”. Number 317 in London Mathematical Society Lecture Note Series, Cambridge University Press, 2005.
[11]Kefa Rabah,”Theory and Implementation of Elliptic Curve Cryptography”, Journal of Applied Sciences 5(4):604-633, 2005, ISSN: 1812-5654.
[12]Ajay Shrestha and Ausif Mahmood, “Improving Genetic Algorithm with Fine-Tuned Crossover and Scaled Architecture”, Journal of Mathematics, Volume 2016 (2016), Article ID 4015845.
[13]S Jawaid, Adeeba Jamal2014.,”Generating the best fit key in cryptography using GA”, International Journal of Computer Applications (IJCA),0975-8887,volume 98, no 20, July 2014.
[14]Adarsh Singh et al, “Implementation of Color based Android Shuffling Pattern Lock” IJCSMC, Vol. 5, Issue. 3, March 2016, pg.357 –362.
[15]Lashkari, A.H., et al., Shoulder Surfing attack in graphical password authentication. International Journal of Computer Science and Information Security, 2009. 6(9).
[16]Harshvardhan Tiwari and Dr. Krishna Asawa “A Secure Hash Function MD-192 with Modified Message Expansion”, (IJCSIS) International Journal of Computer Science and Information Security, Vol. VII, No. II, FEB 2010.
[17]L.Thulasimani and M.Madheswaran, “Security and Robustness Enhancement of Existing Hash Algorithm”, Proc of IEEE International Conference on Signal Processing Systems, 15-17 May, 2009.
[18]Padma, Bh. And Raj Kumar, G.V.S. (2017), Dynamic salt generation for mobile data security using elliptic curves against precomputation attacks, Int.J. Image Mining (Inderscience Publishers), Vol. 2, Nos. 3/4, pp.179–194.
[19]Android Explorations, Password Storage in Android M”, http://nelenkov.blogspot.in/2015/06/password-storage-in-android-m.html.
[20]Michael Brown, Darrel Hankerson, Julio Lopez, and Alfred Menezes, ”Software Implementation of the NIST Elliptic Curves over Prime Fields”, D. Naccache, editor, Topics in Cryptology CT-RSA 2001, vol. 2020 of Lecture Notes in Computer Science, pp. 250-265. Springer-Verlag, 2001.
[21]Mohammad Reza. Hasani Ahangar, Mohammad Reza. Esmaeili Taba, Arash.Ghafouri, "On a Novel Grid Computing-Based Distributed Brute-force Attack Scheme (GCDBF) By Exploiting Botnets", International Journal of Computer Network and Information Security(IJCNIS), Vol.9, No.6, pp. 21-29, 2017.DOI: 10.5815/ijcnis.2017.06.03.
[22]Mohsen Pourpouneh, Rasoul Ramezanian, Afshin Zarei,"A Note on Group Authentication Schemes", International Journal of Computer Network and Information Security(IJCNIS), Vol.8, No.5, pp.18-24, 2016.DOI: 10.5815/ijcnis.2016.05.03.
[23]Hassen Mestiri, Fatma Kahri, Belgacem Bouallegue, Mohsen Machhout, "Efficient FPGA Hardware Implementation of Secure Hash Function SHA-2", IJCNIS, vol.7, no.1, pp.9-15, 2015. DOI: 10.5815/ijcnis.2015.01.02.
[24]Bh Padma, GVS Rajkumar., Preventing Security Attacks on Mobile Pattern Passwords, Journal of Theoretical and Applied Information Technology, Vol.96. No 4, 2018.
[25]V. Miller, “Uses of elliptic curves in cryptography", Advances in Cryptology: proceedings of Crypto'85, Lecture Notes in Computer Science, vol. 218. New York: Springer-Verlag, 1986, pp. 417-426.