International Conference and Workshop on Emerging Trends in Technology (ICWET 2011) – TCET, Mumbai, India

Secure Authentication using Dynamic Virtual Keyboard Layout

M Agarwal, Lecturer, Sardar Patel Institute of Technology, Mumbai, India
M Mehra, Lecturer, Sardar Patel Institute of Technology, Mumbai, India
R Pawar, Lecturer, Sardar Patel Institute of Technology, Mumbai, India
D Shah, Professor, Sardar Patel Institute of Technology, Mumbai, India

mahendra488@gmail.com, renuka.pawar.21@gmail.com, devenshahin@yahoo.com, [email protected]

ABSTRACT

Virtual keyboard authentication has helped users protect their usernames and passwords from being captured by key loggers, spyware and malicious bots. However, the virtual keyboard still suffers from numerous other weaknesses that an attacker can take advantage of. These include click-based screenshot capturing, over-the-shoulder spoofing and co-ordinate position noting. To overcome these drawbacks, we have designed a virtual keyboard that is generated dynamically each time the user accesses the web site. Also, after each click event of the user, the arrangement of the keys of the virtual keyboard is shuffled. The position of the keys is hidden so that a user standing behind may not be able to see the pressed key. Our proposed approach makes the usage of the virtual keyboard even more secure for users and makes it tougher for malware programs to capture authentication details.

General Terms
Security, Reliability.

Keywords
Authentication, Virtual Keyboard, Security, Password, Spyware

1. INTRODUCTION

With increasing technology, more and more services are made available to users online. Right from buying goods, houses and movie tickets to maintaining financial services, the user can take advantage of the Internet and complete all transactions online. Online user authentication [1] is required by most of the services offered to users over the Internet. This is typically carried out by sending a sequence of username and password to the server for authentication. Some attacks just rely on this fact, such as phishing [2] attacks. Key loggers [3] [4], spyware, bots etc. generally run in the background without the knowledge of the user. These programs record the complete sequence of the data entered by the user. They transmit this information over the Internet and use it to gain access to confidential user information like their PIN, ATM numbers, passwords etc. These tools have become more and more sophisticated. As a result, sometimes even the most secure and updated versions of anti-virus and anti-malware programs are unable to detect them. Reported losses from online fraud more than doubled last year, from $265 million in 2008 to nearly $560 million in 2009 [5]. In this paper we describe how a dynamically generated virtual keyboard could solve most of these authentication issues. We propose a dynamic virtual keyboard that shuffles the arrangement of keys after every click. It also hides the position of the key before the user presses the key. This approach overcomes most of the drawbacks faced by today's virtual keyboard. The proposed approach provides protection against key loggers, over-the-shoulder spoofing and screen capturing after the click event.

Our paper is organized as follows. The paper begins with an explanation of the concept of the virtual keyboard. The next section describes the issues associated with the current implementation of the virtual keyboard. Next we describe our proposed concept. This is followed by the basic implementation and testing details. The last part concludes our paper.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. ICWET'11, February 25–26, 2011, Mumbai, Maharashtra, India. Copyright © 2011 ACM 978-1-4503-0449-8/11/02…$10.00.

2. Virtual Keyboard

A virtual keyboard is a software component that allows a user to enter characters. The virtual keyboard is generally a visual representation of the real keyboard on the standard output. A virtual keyboard can usually be operated with multiple input devices, which may include an actual keyboard, a computer mouse, an eye mouse, and a head mouse. A typical virtual keyboard is shown in Figure 1.


Figure 1. Virtual Keyboard.

Virtual keyboards were used to provide an alternative input mechanism for users with disabilities or limited hand mobility, or who were unable to use a physical keyboard. Another major use for an on-screen keyboard is for bi- or multi-lingual users, who continually need to switch between different character sets or alphabets.

Recently virtual keyboards have made their way into the authentication of users. Most financial websites now present users with a virtual keyboard for taking their authentication details. Key loggers, spyware and other malicious programs capture the entire sequence of characters entered via the physical keyboard. The use of a virtual keyboard helps to bypass these malicious programs, since they record keystrokes generated by a physical keyboard and not those entered via a virtual keyboard. The virtual keyboard offers a number of benefits, as listed below.

Portability
Accuracy
Speed of text entry
Lack of need for a flat or large typing surface
Ability to minimize the risk of repetitive strain injuries
Flexibility

3. Existing Technology and Issues

In the current scenario a virtual keyboard is displayed on the screen asking the user to enter his / her username and password. Though this approach is safe and protects his / her credentials from key loggers, it has the following drawbacks:

3.1 Screen Capture Technique

Here an attacker can write a program that captures the screen after the user clicks with a mouse. For example, a password "abdg", though entered via a virtual keyboard, is captured by the spyware program by taking a screenshot after each user click on the virtual keyboard.

Figure 2. Spy program that captures screenshots after every click, resulting in capture of the entire user password (panels: 'a' captured, 'b' captured, 'd' captured, 'g' captured)

3.2 Behind the shoulder spoofing

Here a person standing behind the person entering his / her password via the virtual keyboard remembers or notes his / her sequence of clicks, thereby learning his / her password. The user, unaware of this, feels his / her password has been entered securely, but in reality it has been compromised.

Figure 3. User standing behind observing the mouse movements to track the password.

3.3 Unshuffled Keyboard Implementation

Generally the arrangement of alphabets in a virtual keyboard is the same as in a normal QWERTY keyboard. Though this helps the user enter his / her password a bit faster, it compromises security again. An attacker can note the coordinates of the mouse clicks and predict the sequence of the password. For example, consider the following:

Figure 4. Noting co-ordinate position of mouse click and guessing password

If the recorded co-ordinate is (3, 1), the key pressed is 'v'. Similarly, the entire sequence of recorded co-ordinates put together lets the attacker know the user's password.

4. Proposed Dynamic Virtual Keyboard

As seen above, the current implementation of the virtual keyboard does not guarantee a fool-proof mechanism against various attacks. Here we are proposing a dynamic virtual keyboard with the following features:

Dynamic keyboard layout generation
Hidden keys to prevent screenshot capturing
Shuffled keyboard after every click

A sample dynamic virtual keyboard of our proposed concept is shown below.

Figure 5. Dynamic virtual keyboard, translucent shade so that user can note the position of letter

Let us assume that the password of the user is "xyz". Here the user is allowed to enter one character at a time. Initially the user should note the position of the character he wishes to enter; it is 'x' in our case. We have used colour coding so that it is easier to remember. In this case we see that 'x' is in yellow colour and second from the top. After that the user has to click the hide keys button. This button converts the translucent colour into an opaque colour of the same shade, as shown in the figure below. Now the user can click the yellow button second from the top to type 'x'. After the user clicks 'x', the layout of the keyboard changes again and the procedure is repeated once more. In case the user forgets the position of the character after clicking hide keys, he can click the forgot position button. This results in the same keyboard layout generation as before.

Figure 6. Dynamic virtual keyboard after pressing "Hide Keys" button

This proposed approach overcomes the drawbacks of the current implementation of the virtual keyboard. Benefits of the proposed approach:

4.1 Screenshot mechanism would not work

Since the keys are hidden after the user presses the hide keys button, even if a screenshot is recorded it would make no sense to the attacker. For example, for the same password "abdg" the screen capture would record the following. This makes no sense to the attacker and the user's password is thus secure.

Figure 7. Spy program that captures screenshots after every click, rendered useless since no information about the password can be obtained

Though the screen is captured by the spy program, since the keys are darkened no trace of the user's password is left.

4.2 Shuffled Keyboard Implementation

As against the current implementation with an unshuffled arrangement of alphabets, in our proposed approach we shuffle the keyboard after every click. As a result, if a person is standing behind to spoof the password over the shoulder, he cannot remember the password, since the layout and arrangement of alphabets change after every click. Also noting the coordinates would be of no help, since even if the position is noted, the next click would again reshuffle the keyboard. Thus if "v" was currently at position (3, 1), the next click would have some other alphabet at the same position (3, 1).

Figure 8. Random arrangement of keyboard alphabets, as against the normal QWERTY keyboard arrangement, makes it tougher for malware programs to capture the password

4.3 Color coding helps remember the positions easily

Since we are using colour coding, the task of remembering the position of a character is very easy. Also each colour is repeated only three times, in a column format, thereby making it easier for the user. The forgot position facility also helps the user recollect the position of his / her character in case he forgets. For example, in Figure 8, "v" is in red colour and is at the top.

4.4 Implementation is possible with current technology

No changes to existing protocols need to be made. All of our implementation is possible with current technology.
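As an added example, not the paper's own jQuery code, the following JavaScript models the keyboard of Sections 4.1 to 4.3 and replays the Section 3 attacks against it: the screenshot taken at each click carries no key labels, and coordinates noted on one layout do not recover a password typed across reshuffles. The 36-key grid, the colour names, the method names and the injectable rng are assumptions of this example.

```javascript
// Added example, not the paper's jQuery code: a model of the dynamic virtual
// keyboard of Sections 4.1-4.3. 36 keys in 12 coloured columns of 3 rows each
// ("each colour repeated only three times in a column").
const KEYS = "abcdefghijklmnopqrstuvwxyz0123456789".split("");
const COLOURS = ["red", "yellow", "green", "blue", "orange", "purple",
                 "cyan", "pink", "brown", "grey", "olive", "teal"];

// Fisher-Yates shuffle into layout[col][row]. rng is injectable for reproducible
// demos; a real deployment must use a cryptographic RNG, not Math.random.
function shuffledLayout(rng = Math.random) {
  const keys = KEYS.slice();
  for (let i = keys.length - 1; i > 0; i--) {
    const j = Math.floor(rng() * (i + 1));
    [keys[i], keys[j]] = [keys[j], keys[i]];
  }
  return COLOURS.map((_, col) => keys.slice(col * 3, col * 3 + 3));
}
class DynamicKeyboard {
  constructor(rng = Math.random) { this.rng = rng; this.hidden = false; this.layout = shuffledLayout(rng); }
  // What a screenshot shows: colour and position always, the label only while translucent.
  render() {
    return this.layout.flatMap((column, col) => column.map((ch, row) =>
      ({ col, row, colour: COLOURS[col], label: this.hidden ? "" : ch })));
  }
  hideKeys() { this.hidden = true; }        // "Hide Keys" button: keys turn opaque (Section 4.1)
  forgotPosition() { this.hidden = false; } // "forgot position": same layout, translucent again
  find(ch) { const c = this.layout.findIndex(col => col.includes(ch)); return [c, this.layout[c].indexOf(ch)]; }
  press(col, row) {                          // a click on the key at (col, row)
    const ch = this.layout[col][row];
    this.layout = shuffledLayout(this.rng);  // reshuffle after every click (Section 4.2)
    this.hidden = false;
    return ch;
  }
}
// Types `password` as Section 4.2 describes and records what the Section 3 attackers
// see: a screenshot at each click (3.1) and the (col, row) of each click (3.3).
function typePassword(kb, password) {
  const clicks = [], screenshots = []; let typed = "";
  for (const ch of password) {
    const [col, row] = kb.find(ch);   // user notes colour and row while keys are translucent
    kb.hideKeys();
    screenshots.push(kb.render().map(k => k.label).join("")); // spyware capture at click time
    clicks.push([col, row]);
    typed += kb.press(col, row);
  }
  return { typed, clicks, screenshots };
}
// The Section 3.3 attack: replay the noted coordinates against one fixed layout.
function guessFromCoordinates(clicks, layout) { return clicks.map(([c, r]) => layout[c][r]).join(""); }
```

Only the first replayed coordinate lands on the layout the attacker observed; every later click was made on a freshly shuffled grid.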

4.5 Protection of user credentials

The graph in Figure 9 indicates that the time taken to type a password using our dynamic virtual keyboard is more than the time taken to type the same password using the current implementation of the virtual keyboard. But the user is guaranteed that his / her credentials are not being hijacked or compromised by any means. This is especially beneficial in case users are using public computers or computers they might not trust.

5. Basic Implementation & Testing

The entire virtual keyboard was implemented using jQuery. For testing purposes we took a batch of 20 people: 10 were asked to enter the password using our dynamic virtual keyboard technique, and the remaining 10 were asked to stand behind them to spoof over the shoulder so that they might see the password entered by the user. We had also installed the key logger software "Actual Spy 3.0" [6], which monitors keystrokes, file changes, clipboard and screenshots. The users were advised to type in a 6-character password. After the users entered their password, the following results were obtained.

The software Actual Spy 3.0 could record the screenshots but was rendered useless, as it captured images in which the virtual keyboard keys are darkened. All users who were told to spoof the password could match only 33-67 per cent of the password characters.

We have a usability trade-off here, since the user needs to click the hide keys button before he can click the character of his / her password. We have also recorded the average time a user takes to type a password using the traditional virtual keyboard technique and the time taken to type the same password using our virtual keyboard technique. The results are as follows.

Figure 9. Graph indicating the time taken by using the current virtual keyboard implementation and the dynamic virtual keyboard implementation

6. Conclusion

In this paper we have shown the possible ways in which the current implementation of the virtual keyboard is vulnerable to attacks. We have proposed a dynamic virtual keyboard layout for the same. We have shown that our implementation does not suffer from the drawbacks of the current implementation of the virtual keyboard. Though using this technique the time taken to type the password is slightly more than with a traditional virtual keyboard, the user is protected against all kinds of attacks on his / her credentials. Also, all of the implementation was done using existing technology.

7. ACKNOWLEDGMENTS

Our thanks to Shrushti Parikh and Mauli Shah who have contributed in formatting the template.

8. REFERENCES

[1] Sheng, Y., Lu, Z.: An Online User Authentication Scheme for Web-Based Services. Business and Information Management, pp. 173-176 (2008)
[2] Herzberg, A., Jbara, A.: Security and identification indicators for browsers against spoofing and phishing attacks. ACM Transactions on Internet Technology, Vol. 8, Issue 4, Article No. 16 (September 2008)
[3] Doja, M.N., Kumar, N.: Image Authentication Schemes against Key-Logger Spyware. Proceedings of the 2008 Ninth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing, pp. 574-579 (2008)
[4] Sagiroglu, S., Canbek, G.: Keyloggers. IEEE Technology and Society Magazine, pp. 10-17 (2009)
[5] FBI: Online Fraud Costs Skyrocketed in 2009. http://krebsonsecurity.com/2010/03/fbi-online-fraud-costs-skyrocketed-in-2009/
[6] "Actual Spy" key logger software homepage. http://www.actualspy.com/