Number of Pages: 86

File Size: 4855 KB

File Type: MS Word & PDF

Chapters: 1 - 5

5,000.00

ABSTRACT

Authentication is unavoidable in any environment where sensitive information is utilized. In accessing resources via the Internet, the most common means of identification required for authentication is the user’s identity and a secret passphrase known as a password. Studies have shown that the birth of graphical password which uses images/pictures/objects was out of the trivial password generated by users because of the inability to remember complex passwords when using text-based password. Graphical password is stronger and increases memorability. However, graphical-based password is faced with several challenges including, a high storage capacity for all the images/pictures/objects, no assistance for users in browsing through an array of images/pictures/objects and vulnerability to shoulder surfing attacks.

This work develops a graphical authentication for web based application that tackles the aforementioned issues by using cued recall technique which utilizes a grid system populated with pair of values and set of colored rows and columns. A shoulder surfing resistant interface was designed to assist users in generating a robust password.To improve the security of the system, One Time Password (OTP) was used. The technologies and tools used were Apache web server, MySQL database management system, PHP Hypertext Pre-processor (PHP) all running on the WAMP platform, Hypertext Markup Language (HTML), cascading style sheet (CSS) and JavaScript.

The graphical authentication scheme was evaluated using Magic Triangle Evaluation model. The results showed that the password space and entropy were2.61*104and 14.39 respectively. The scheme showed a level of resistance of about 85% towards shoulder surfing attacks.

The study concluded that the graphical authentication scheme has a high level of resistance against shoulder surfing attacks but a low password space and entropy making it vulnerable to brute force attacks. It is therefore recommended to be used in an environment where shoulder surfing is inevitable and additional security mechanism should be added to reduce its vulnerability to brute force attacks. It can also be used as a Completely Automated Turing Test to tell Computers and Humans Apart (CAPTCHA).

Keywords: Graphical authentication, Shoulder surfing attack, Brute force attack, Web-based

application, Password space and Entropy.

Word Count:329

 

TABLE OF CONTENTS

Content                                                                                                                       Page

Title Page                                                                                                                                     i

Certification  ii

Dedication  iii

Acknowledgements  iv

Abstract v

Table of Contents  vi

List of Tables  x

List of Figures  xi

Abbreviations                                                                                                                          xiii

Appendices                                                                                                                               xv

CHAPTER ONE: INTRODUCTION

1.1 Background to the Study  1

1.2 Statement of the Problem   2

1.3 Objective of the Study  3

1.4 Methodology  3

1.5 Significance of the Study  4

1.6 Scope of the Study  4

CHAPTER TWO: REVIEW OF LITERATURE

2.0 Introduction  5

2.1 Types of Authentication  5

2.1.1 Knowledge Based Authentication  5

2.1.1.1 Graphical Based authentication  5

2.1.2 Token Based Authentication  6

2.1.3 Biometrics Based Authentication  6

2.2Factors of Authentication  7

Content                                                                                                                                    Page

2.3Historical Background of Graphical authentication  7

2.4One-Time Password  8

2.5Challenge/Response Authentication Mechanism   9

2.6Cryptographic Hash Function  9

2.6.1 Un-keyed Hash Function  9

2.6.2 Keyed Hash Function  9

2.7Magic Triangle Evaluation  10

2.7.1 Internet Attacks  10

2.7.2 Password Space  11

2.7.3 Password Entropy  11

2.8Review of related works  13

2.9Limitations of existing works  24

CHAPTER THREE: METHODOLOGY

3.0 Introduction  26

3.1 Interface Design  26

3.1.1  Creating/Setting up a Graphical Password  31

3.1.2 Generating a Graphical Password  32

3.2 Password Hashing and One Time Password  32

3.3 Database Design  33

3.3.1 Registration Phase  34

3.3.2 Authentication Phase  36

3.3.3 Password Reset Phase  38

3.4 User Requirements  39

3.5 Hardware Requirements  40

3.6 System Development Tools  40

3.6.1 Sublime Text Editor 40

Content                                                                                                                                    Page

3.6.2 WAMP Package  40

3.7 Extreme Prototyping  41

3.8 Post Research Benefits  42

3.9 Ethical Consideration  42

CHAPTER FOUR: DATA ANALYSIS, RESULTSAND

DISCUSSION OF FINDINGS

4.0 Introduction  43

4.1 Implementation of the Scheme  43

4.2 System Testing  43

4.2.1 Usability Testing  43

4.2.2 Security Testing  44

4.2.3Component Testing  44

4.2.4Integration Testing  44

4.3 Basic Operations that make up the Graphical Authentication  44

4.3.1 User registration  44

4.3.1.1 User identity  44

4.3.1.2 User graphical password  46

4.3.1.3 Recovery Password  49

4.3.2 User Authentication  49

4.3.2.1 Input User Identity  49

4.3.2.2 Generate User Graphical Password  49

4.3.3 Password Recovery  51

4.4 Discussion of Findings  52

4.4.1 Password Space  53

4.4.2 Password Entropy                                                                                                            52

4.4.3        Shoulder Surfing Attacks  53

Content                                                                                                                                    Page

CHAPTER FIVE: SUMMARY, CONCLUSION AND

RECOMMENDATIONS

5.0 Introduction  55

5.1 Summary  55

5.2 Conclusion  55

5.3 Recommendations  55

5.4 Contribution to Knowledge  56

5.5Suggestionfor Further Studies  56

REFERENCES  57

APPENDICES                                                                                                        61

 

 

LIST OF TABLES

Table                                                                                                                                         Page

2.1: Comparative Table Based on “Password Space”  11

2.2: Comparative Table Based on “Password Entropy”  12

3.1:           Coloured columns and their associative value         27

3.2: Coloured rows and their associative value  27

3.3: Cardinal Points and their associative values  28

3.4: Data dictionary of Table user in the database  33

3.5: Data dictionary of Table otp in the database  34

4.3: Summary of shoulder surfing experiment 54

 

 

LIST OF FIGURES

Figure                                                                                                                                       Page

2.1:   Magic triangle for Graphical Authentication security evaluation  10

2.2:           Passpoint                                                                                                                12

2.3: Passblot 14

2.4: Riddiford picture password  15

2.5: One-Time Password based on image recognition  16

2.6: Colorlogin  17

2.7: Passface  18

2.8: Pass-Doodle: A light weight Authentication model 18

2.9: Draw-a-Secret 19

2.10: Pass-Go  20

2.11: Graphical One Time Password  21

2.12: The Shoulder Surfing Resistant Graphical Password Authentication Technique  22

2.13: Graphical Password Authentication  23

2.14: Novel Shoulder Surfing Resistant Authentication Schemes using

Text-Graphical Passwords                                                                                              22

2.15: (a) Spiral Inward pattern (b) Downward Zig-Zag pattern (c) -45 Degree pattern  24

3.1: Unique rows, columns and their intersections  27

3.2: Cells and their co-ordinates  29

3.3: The grid populated with pair of values in each cell 30

3.4: Moving values in the cell within the grid  31

3.5: Entity relational diagram for the graphical authentication model 34

3.6: Flow Diagram for registration  35

3.7: Flow Diagram for authentication  37

3.8: Flow chart for password reset 39

3.9: Extreme Prototyping  41

Figure                                                                                                                                       Page

4.0: Inputting a valid unique email address  45

4.1: Inputting an invalid email address  45

4.2: Inputting an existing email address  46

4.3: Select one row and column  46

4.4: Notification to choose a row and column before proceeding  47

4.5: Selecting a cell relative to the intersection  48

4.6: Authentication page  50

4.7: Dashboard of a web application  51

4.8: Recovery page step one, type in user identity  51

4.9: Recovery step two, selecting one row and column  52

4.10: Recovery step three  51

   ABBREVIATIONS

CSS                                                     Cascading Style Sheet

DAS                                                    Draw A Secret

E                                                          East

HMAC                                                Key-hash Message Authentication Code

HMAC-MD 5                                     Hash Message Authentication Code – Message Digest 5

HMAC-SHA 1                                   Hash Message Authentication Code – Secure Hash

Algorithm 1

HTML                                                 Hyper Text Mark-up Language

ID                                                        Identity

MAC                                                   Message Authentication Code

MD5                                                    Message Digest 5

N                                                         North

NE                                                       North East

NW                                                     North West

OTP                                                     One Time Password

PHP                                                     PHP Hypertext Pre-processor

POI                                                     Point of Interest

QR                                                      Quick Response

ROA                                                   Region of Answer

S                                                          South

SE                                                       South East

SHA 1                                                 Secure Hash Algorithm 1

SHA 2                                                 Secure Hash Algorithm 2

SHA 256                                             Secure Hash Algorithm 256

SMS                                                    Short Message Service

SSL                                                     Secure Socket Layer

SW                                                      South West

TLS                                                     Transport Layer Security

URI                                                     Uniform Resource Identifier

WAMP                                                Windows Apache MySQL PHP

WWW                                                 World Wide Web

 

APPENDICES

Appendix

  1. Login Page
  2. Registration Page
  3. Recovery Page
  4. Informed Consent
  5. Turnitin Report

 

CHAPTER ONE

INTRODUCTION

1.1 Background to the Study

Networking in computer science is simply the connection of multiple electronic devices known as nodes for the purpose of exchanging information and this concept was groomed out of the need for man to connect and share information (which may be in the form of voice, video or data). The largest network in the world is the Internet and is described as a collection of vast mixture of networks in terms of topologies, architecture and communication technologies which however, utilizes a common set of protocols to offer certain services. In short, it is termed the network of networks (Ciubotaru & Muntean, 2013; Forcht & Fore, 1995). The Internet has aided in many major advancement and development today in our society. There has been an alarming rate of internet users from 400 million in 2000 to more than 3 billion internet users in 2015 (International Telecommunication Union, 2015).

Many organizations utilize the World Wide Web (www), one of the major and widely used service of the Internet to share information. The World Wide Web (www) is an information space in which relevant items, known as resources (e.g. image, audio, video or any other file), are identified by global identifiers called Uniform Resource Identifiers (URI) (Berners-Lee, et al., 2004); in 2001 Google, a multinational technology company announced it provided customers direct ac1cess to 3 billion web documents on the Internet (Googlepress, 2001).

This technical wizardry of communication around the world has begotten the proliferation of computers and other ubiquitous devices since the 1960s and with it, a demand for organization to protect their digital information from unauthorized users and provide services to authorized users. The concern to protect information is a product of the Internet being a fully decentralized network and depends on voluntary cooperation between the thousands of network administrators throughout the world to provide individuals with access to this network of tremendously varied resources. Thus, the Internet is a public network owned by no one and sensitive information should be made exclusive to only the rightful recipient (Forcht & Fore, 1995; Menezes, Van Oorschot & Vanstone, 1997).

Furthermore, by the very nature of the Internet, access is very easy, attracting individuals of different kind and with different aim. While some individualsare aimed at sharing information others tend to conduct malicious activities. As a result, information security is of great importance to any service provider.Information security can be described asactions that implement services which assure adequate protection for information systems used by or hosted within an organization.From the description, services are technical or managerial methods used with respect to the information being protected.Information systems are computer systems or communication systems that handle the information being protected, and protection implies the conjunction of integrity, confidentiality, authenticity, and availability (Shimeall & Spring, 2014).

Confidentiality, availability, data integrity and authentication are few of the major security features provided by information security in ensuring the reliability of information. The importance of each of these varies depending on the type of organization (e.g. confidentiality will be of most importance to the military).Authentication is related to identification and it is the most fundamental procedure to ensure security and provide access to sensitive web resources to users over the Internet. The most utilized and popularauthentication method is the Text-based password authentication which requires a valid user I.D. (Identity) and password in other to prevent unauthorized access (Liao & Lee, 2010; Menezeset al, 1997). This mechanism is easy and inexpensive to implement; however, this static password comes with major security drawbacks. For example, users tend to implement easy to guess password, use the same password in multiple accounts, write the passwords or store them on their machines making it susceptible to numerous attacks including dictionary attack, brute force attack, phishing attack, shoulder surfing etc.(Prakash, Infant & Shobana, 2010).

This trivial password mania by users has become a bedrock for computer hackers/crackers and therefore, the focus of this work is to create a platform to enable users to generate a stronger password that is easy to remember and implement but difficult for unauthorized personnel.

1.2 Statement of the Problem

Over the years, other authentication methods have been developed which involves the use of secondary object (token based authentication) or biometric system (biometric based authentication) (Abdulkader, Ayman & Mostafa, 2015). Though more secured, these methods require more infrastructure/equipment.

Since the mid-1990s, several graphical based password schemes have been developed aimed at strengthening security and enhancing the password memorability. (Alsaiari, Papadaki, Dowland & Furnell, 2016). Graphical password is based on the use of images/pictures rather than text. The idea of graphical passwordhasstirred several experiments, theories and assumptions showing that presenting items as pictures is easier to remember than presenting items as words. Thus, the pictures superiority effect appears to significantly increase memorability. (Paivio, 1991; Standing, Conezio & Haber, 1970). Graphical based password provides some benefits such as enlarging the passwords space (in some graphical authentication), reducing choice oftrivial passwords, and making it difficult to share and write passwords (Golofit, 2007). However, this method is still vulnerable to various types of attacks especiallyshoulder-surfing (Biddle, Chiasson & Oorschot, 2011). In addition, in some graphical schemes, users have to browse through the entire set of images/pictures/objects, pictures have larger size than text, and therefore the server is expected to allocate a reasonable amount of space in storing these pictures. (Wiedenbeck, Waters, Birget, Brodskiy & Memon, 2005).

Therefore, this research proposes a graphical authentication that increases memorability, resistant to shoulder surfing, aid in searching and requires no upload of pictures/imagesduring registration and authentication.

1.3 Objective of the Study

The main objective of this study is to develop a secure graphical authentication for web based applications. The specific objectives are to:

  1. present a comparativeanalysis of existing graphical authentication technique;
  2. design a shoulder surfing resistant graphical technique for generating user’s graphical password;
  3. perform a One-Time password challenge response for every authentication and
  4. evaluate the password space, entropy and resistance to shoulder surfing attack.

1.4 Methodology

To achieve the set of objectives, existing graphical authentication schemes were analysed for improvements. HTML (Hyper Text Mark-up Language), CSS (Cascading Style Sheet) and JavaScript (front and back end)were utilized for the design of the authentication scheme, interaction between clientand server and for generating graphical password.

Storing of user’s credentials, handling of the One-Time password and performing authentication was done by the application suite, WAMP (Windows Apache MySQL PHP). The scheme was evaluatedusing magic triangle evaluation.

1.5  Significance of the Study

Thisresearch provides a graphical environment to assist users in implementing a robust password and increase memorability, optimize storage utilization capacity of the server makes it impractical to share password, therefore immune to phishing attacks and contributes to the existing solutions which researchers have developed in mitigating attacks such as dictionary, brute force, and most especially shoulder surfing attack.

1.6 Scope of the Study

The study focused on the development of an authentication scheme for identification and authorization of users in accessing web systems/applications, particularly, on the interface that interacts with the user in generatingunique passwords. In addition, given the size of the image (in terms of height and width) utilized for this research, a device of very large screen size of about 650 by 450 pixels is used in order to provide the full description of the work. The research will cover the aspect of user registration and authentication.

DOWNLOAD THE FULL WORK

DISCLAIMER: All project works, files and documents posted on this website, UniProjectTopics.com are the property/copyright of their respective owners. They are for research reference/guidance purposes only and some of the works may be crowd-sourced. Please don’t submit someone’s work as your own to avoid plagiarism and its consequences. Use it as a reference/citation/guidance purpose only and not copy the work word for word (verbatim). The paper should be used as a guide or framework for your own paper. The contents of this paper should be able to help you in generating new ideas and thoughts for your own study. UniProjectTopics.com is a repository of research works where works are uploaded for research guidance. Our aim of providing this work is to help you eradicate the stress of going from one school library to another in search of research materials. This is a legal service because all tertiary institutions permit their students to read previous works, projects, books, articles, journals or papers while developing their own works. This is where the need for literature review comes in. “What a good artist understands is that nothing comes from nowhere. All creative work builds on what came before. Nothing is completely original.” - Austin Kleon. The paid subscription on UniProjectTopics.com is a means by which the website is maintained to support Open Education. If you see your work posted here by any means, and you want it to be removed/credited, please contact us with the web address link to the work. We will reply to and honour every request. Please notice it may take up to 24 – 48 hours to process your request.

WeCreativez WhatsApp Support
Administrator (Online)
I am online and ready to help you via WhatsApp chat. Let me know if you need my assistance.