Nilesh Chakraborty

Tag Digit Based Honeypot to Detect Shoulder Surfing Attack

Traditional password based authentication scheme is vulnerable to shoulder surfing attack. So if an attacker sees a legitimate user to enter password then it is possible for the attacker to use that credentials later to illegally login into the system and may do some malicious activities. Many methodologies exist to prevent such attack. These methods are either partially observable or fully observable to the attacker. In this paper we have focused on detection of shoulder surfing attack rather than prevention. We have introduced the concept of tag digit to create a trap known as honeypot. Using the proposed methodology if the shoulder surfers try to login using others’ credentials then there is a high chance that they will be caught red handed. Comparative analysis shows that unlike the existing preventive schemes, the proposed methodology does not require much computation from users end. Thus from security and usability perspective the proposed scheme is quite robust and powerful.

Few notes towards making honeyword system more secure and usable

Traditionally the passwords are stored in hashed format. However, if the password file is compromised then by using the brute force attack there is a high chance that the original passwords can be leaked. False passwords -- also known as honeywords, are used to protect the original passwords from such leak. A good honeyword system is dependent on effective honeyword generation techniques. In this paper, the risk and limitations of some of the existing honeyword generation techniques have been identified as different notes. Three concepts -- modified tails, close number formation and caps key are introduced to address the existing issues. The experimental analysis shows that the proposed techniques with some preprocessing can protect high percentage of passwords. Finally a comparative analysis is presented to show how the proposed approaches stand with respect to the existing honeyword generation approaches.

SLASS: Secure Login against Shoulder Surfing

Classical password based schemes are widely used because it provides fair security and yet easy to use. However, when used in a public domain it is vulnerable to shoulder surfing attack in which an attacker can record the entire login session and may get the user’s original password. To avoid such attack, we have proposed a methodology known as Secure Login Against Shoulder Surfing or SLASS which is based on a partially observable attack model where an attacker can partially observe the login session. In the proposed scheme, the attacker cannot see or hear the challenges thrown by the system but can only see the responses provided by the user. User remembers a password of five characters long consisting of alphabets only and the responses are provided by some directional keys. Experimental analysis show that our scheme is less error prone, easy to use and provides high security compared to some existing approaches.

An Improved Methodology towards Providing Immunity against Weak Shoulder Surfing Attack

In a conventional password based authentication system, an adversary can obtain login credentials by performing shoulder surfing. When such attacks are performed by human users with limited cognitive skills and without any recording device then it is referred as weak shoulder surfing attack. Existing methodologies that avoid such weak shoulder surfing attack, comprise of many rounds which may be the cause of fatigue to the general users. In this paper we have proposed a methodology known as Multi Color (MC) method which reduces the number of rounds in a session to half of previously proposed methodologies. Then using the predictive human performance modeling tool we have shown that proposed MC method is immune against weak shoulder surfing attack and also it improves the existing security level.

On designing a modified-UI based honeyword generation approach for overcoming the existing limitations

Inverting hashed passwords by performing brute force computation is one of the latest security threats on password based authentication technique. New technologies are being developed for reducing complexity of brute force computation and these increase the success rate of inversion attack. Honeyword base authentication protocol can successfully mitigate this threat by making password cracking detectable. However, existing honeyword based methods have several limitations likeMultiple System Vulnerability, Weak DoS Resistivity, Storage Overhead, etc. In this paper, we have proposed a new modified-UI based honeyword generation approach, identified as Paired Distance Protocol (PDP), which overcomes most of the drawbacks of previously proposed honeyword generation approaches. The comprehensive analysis shows that PDP not only attains a high detection rate of 97.23%, but also reduces the storage overhead to a great extent.

On Designing Leakage-Resilient Vibration Based Authentication Techniques

To prevent shoulder surfing attack, a secured channel between the device and user must be established so that it cannot be eavesdropped by an adversary. In this paper we have explored vibration signals to design authentication services namely - (a) VDLS and (b) M-VDLS to resist shoulder surfing attack. The use of vibration provides a key strength to bypass the threat of shoulder surfing without using any auxiliary device. Thus, proposed schemes in this paper avail aforementioned advantage to address the attack. While VDLS attains very high security standard compared to existing approaches, M-VDLS ensures high usability standard to avoid the attack in mobile environment. Both these approaches are also capable of providing solution against classical shoulder surfing attack without any information leakage. Finally, we show that required overheads of proposed approaches are reasonable in practice and outperform the existing approaches in terms of security and usability.

HoneyString: an improved methodology over tag digit-based honeypot to detect shoulder surfing attack

Shoulder surfing attack is often a matter of concern if one is using a public computer system to submit her login credentials. Many methodologies have been proposed by the researchers to prevent such attack. Most of the schemes require high cognitive skills from user end and due to that these schemes are less implementable in real life scenario. So instead of prevention, we work on developing detection of shoulder surfing attack as the detection scheme requires less cognitive overhead than prevention schemes. In this paper, we have proposed a detection mechanism termed as HoneyString which overcomes the limitation of previously proposed tag digit-based scheme. HoneyString provides robust security against DoS attack which was a limitation in the previously proposed scheme. A comparative analysis shows that the proposed scheme has higher detection rate and requires less login time than the existing scheme.

I–SLASS: an improved login approach over SLASS

In a password–based authentication scheme, shoulder surfing attack is a common problem. To overcome this, challenge response scheme is a possible solution. However, to address this security aspect the authentication schemes should not compromise too much with the usability aspect. Thus, the main challenge in such schemes is to provide a balance between security and usability aspect. In this paper, some partially observable shoulder surfing resilient schemes such as SSSL, SLASS are analysed and their limitations have been overcome in the proposed I–SLASS scheme which is built on top of SLASS concept. Two variants of I–SLASS schemes are developed. I–SLASS–CPASS is used to address character–based password and I–SLASS–DPASS uses the digit–based PIN. Experimental analysis shows that both the variants are more secure and more flexible compared to their respective counterpart, i.e., SLASS and SSSL.