2, December 2016
ABSTRACT
Today, a large number of people access internet through their smart phones to login to their bank
accounts, social networking accounts and various other blogs. In such a scenario, user authentication has
emerged as a major security issue in mobile internet. To date, password based authentication schemes have
been extensively used to provide authentication and security. The password based authentication has
always been cumbersome for the users because human memory is transient and remembering a large
number of long and complicated passwords is impossible. Also, it is vulnerable to various kinds of attacks
like brute force, rainbow table, dictionary, sniffing, shoulder surfing and so on. As the main contribution of
this paper, a new passwordless authentication scheme for smart phones is presented which not only
resolves all the weaknesses of password based schemes but also provide robust security. The proposed
scheme relieves users from memorizing and storing long and complicated passwords. The proposed scheme
uses ECDSA which is based on Elliptic Curve Cryptography (ECC). ECC has remarkable strength and
efficiency advantages in terms of bandwidth, key sizes and computational overheads over other public key
cryptosystems. It is therefore suitable for resource constraint devices like smart phone. Furthermore, the
proposed scheme incorporate CAPTCHA which play a very important role in protecting the web resources
from spamming and other malicious activities. To the best of our knowledge, until now no passwordless
user authentication protocol based on ECC has been proposed for smart phones. Finally, the security and
functionality analysis shows that compared with existing password based authentication schemes, the
proposed scheme is more secure and efficient.
KEYWORDS
User Authentication, CAPTCHA, Smart Phone, Elliptic curve cryptography, Elliptic Curve Digital
Signature Algorithm
1. INTRODUCTION
We are living in the era of mobile computing where the recent years have witnessed an explosive
growth of mobile devices like smart phones, laptops, tablets and so on. The introduction of new
capabilities and functionalities for mobile devices has opened new avenues in this era. Of these,
smart phones have become an essential part of human life today. According to eMarketer (a
market research company), the number of smart phone users worldwide will surpass 2 billion in
2016 [29]. With time, smart phones have tremendously improved in terms of their processing
power, memory and other resources, making them capable to efficiently handle large processing
computations anytime, anywhere. Today, a large number of people access internet through their
11
smart phones to login to their bank accounts, social networking accounts and various other blogs.
In such a scenario, user authentication has emerged as a major security issue in mobile internet.
The goal of authentication is to ascertain the user identity by proving to the system that the user is
who they claim to be. To date, the popular trend among service providers is to register the user
who wants to avail their services. After successful registration, the user is issued a
username/userID which is unique for each user. Most of the service providers give freedom to
users to choose their own password. In such a scenario, to avail the service, the user is required to
login to his/her account and enter username/userID and password. Login using userID and
password [1][2] is still one of the most popular and convenient method of user authentication
over insecure networks. Various other authentication alternatives like biometrics, smartcards and
tokens are also available but they have their own disadvantages. Smartcard based schemes [3-5]
need PINs and passwords, and are also vulnerable to smartcard lost problem. Biometric based
scheme [6][7] require extra hardware for implementation and also raises privacy concerns.
Passwords also have various drawbacks. The foremost problem is to memorize long and random
passwords. Forgetting the passwords is very common among the users which arise due to
fundamental limitation of human long-term memory. As a result, users tend to choose weak
passwords like name of pets, date of birth and dictionary words [8][9]. This exposes the system to
various types of security attacks. The most prominent of them are as follows:
1. Brute force attack: It is also known as exhaustive search. In this, the attacker generates
every possible combination of user password and tries to authenticate itself as the actual
user. If given enough time and provided the user does not change his/her password, the
attacker can successfully launch this attack.
2. Dictionary attack: It is based on the fact that users tend to select memorable words for the
password such as names of towns, pets, date of birth etc, thus reducing the number of
possible combinations to only meaningful words. The attacker can compile the list of
such meaningful words into a dictionary and then launch a search against the system by
trying the same user account and words from dictionary file as the password.
3. Rainbow table attack: In this, the attacker makes use of rainbow table which contains
precomputed values. Thus the attacker does not have to calculate all the combinations of
possible passwords, which saves time and system resources.
4. Sniffing attack: In this, the attackers try to obtain the user credentials like userID and
password over insecure networks. They can later use these credentials and impersonate as
legal clients.
5. Imposter servers: In this, the attacker impersonates as real server and can persuade the
user in sharing its confidential data including its userID and password
6. Man in middle attack: In this, the attacker sits somewhere between the user and the server
on the network and intercepts the messages exchanged between the user and server. The
attacker may even alter the messages and then send it to them.
7. Shoulder surfing: In this, the attacker can look over the users shoulder while he is typing
his password to authenticate to the server.
8. Offline attack: In this, the attacker tries to obtain offline access to the database where the
user credentials (password file) are stored. This is possible if the attacker has
administrative permissions to access the database or has physical access to the
authentication server.
9. Keyboard loggers, Trojans and viruses: In order to access the user password, the attacker
may install a key-logging resident program that can collect all the key strokes that the
12
user has made. A Trojan and virus can also be used by attacker to obtain confidential user
information.
Apart from these attacks, remembering long and complicated passwords strain human memory.
Thus human beings tend to choose short and easily memorable passwords which they re-use [11]
on every website they come across. Such weak passwords can be easily compromised by
adversaries leading to serious security breach. Various strong password generators (like
1Password) can be used to generate secure, long and complicated passwords; yet, memorizing
such complicated passwords become a major issue. Even storing these passwords in the system is
not safe as they can be easily intercepted by an insider or compromised through impersonation
attack.
What if the user can login to any website without the need of password? Such passwordless
systems will resolve all the above mentioned problems which are due to passwords. Passwordless
systems are user-friendly because they relieve users from remembering and storing complex and
lengthy passwords. However, while designing such systems, an utmost care should be taken to
ensure the security and privacy of the system and user.
Human Interaction Proof (HIP) [12][13] system can successfully ensure the security and privacy
of online web resources by distinguishing between human users and computers. One form of HIP
is CAPTCHA (Completely Automated Public Turing test to tell Computers and Human Apart).
CAPTCHAs [14] make use of hard AI problem to defend the system against malicious internet
bot programs. Various commercial websites like Microsoft, Google and Yahoo have employed
CAPTCHAs to prevent spams and other automated malicious activities. CAPTCHAs can either
be OCR (Optical Character Recognition) based or non-OCR based. OCR based CAPTCHAs
include textual CAPTCHAs while non- OCR based include audio, logical, animated and video
CAPTCHAs. Logical CAPTCHAs include questions [15], puzzles [16] which are easily solvable
by human beings but are a big challenge for computers. To date, a number of improved
CAPTCHA based schemes [17-22] have been proposed which can be conveniently implemented
on systems with constrained resources.
In this paper, we introduce a new and secure passwordless authentication scheme for smart
phones. The password based authentication has always been cumbersome for the users because
human memory is transient and remembering a large number of long and complicated passwords
is impossible. To overcome this shortcoming, the proposed scheme uses passwordless
authentication which is based on CAPTCHA and ECDSA.
The remainder of this paper is organized as follows: Section 2 gives the overview of
mathematical background of Elliptic curve, its related mathematical problems and an outline of
Elliptic Curve Digital Signature Algorithm. Section 3 reviews the scheme in [10] and its security
weaknesses are analyzed in Section 4. Section 5 presents our advance smart phone based
passwordless authentication scheme on ECC. Section 6 analyses the security of the proposed
scheme and presents the functionality features of our scheme in Section 7. Section 8 concludes
the paper.
13
2. MATHEMATICAL BACKGROUND
The robustness of any cryptographic security protocol depends on the hardness in solving the
underlying mathematical problem. The security of ECC based protocols depend on the difficulty
of solving Elliptic Curve Discrete Logarithm Problem (ECDLP), Elliptic Curve Computational
DiffieHellman Problem (ECCDHP) and Elliptic Curve Decisional DiffieHellman Problem
(ECDDHP).
=(
) mod p
14
15
16
4. SECURITY WEAKNESSES
The authors of [10] proposed a passwordless user authentication method for mobile phones based
on IMEI code and CAPTCHA. Though the scheme is simple, it suffers from various security
flaws as explained below:
17
5. PROPOSED SCHEME
In this section, we propose a new passwordless authentication scheme for smart phones which not
only resolve all the weaknesses of password based schemes but also provide robust security. The
proposed scheme relieves users from memorizing and storing long and complicated passwords.
The proposed scheme uses ECDSA which is based on Elliptic Curve Cryptography (ECC). ECC
is one of the strongest public-key cryptographic systems known today. Compared with RSA,
Rabin and Elgamal cryptographic systems, ECC has remarkable strength and efficiency
advantages in terms of bandwidth, key sizes and computational overheads. ECC can therefore be
efficiently implemented in resource constraint devices like smart phone. Furthermore, the
proposed scheme incorporate CAPTCHA which play an important role in protecting the web
resources from spamming and other malicious activities. Table 1 denotes the parameters used in
the proposed scheme and Fig.2 gives an overview of the proposed passwordless authentication
scheme.
Table 1
Notations
Notations used
IMEI
CAPTCHA
Q
a, b
G
N
D
Q
H( )
Description
International Mobile Equipment Identity
Completely Automated Public Turing test to tell Computers and Human Apart
A prime number
Integers that specify the elliptic curve equation y2=x3 + ax + b defined over Zq
A base point on the elliptic curve equation represented by G = (xg, yg) of order n
such that n .G = O, where n is a large prime number
Order of point G, i.e. n is the smallest positive integer such that n .G = O. This is
also the number of points on the curve.
Private key of user; d [1, n-1]
Public key of user; Q =dG Eq(a, b)
A collision resistant one-way secure hash function
Public channel
Secure channel
The proposed scheme consists of the following four phases: Registration phase, Precomputation
phase, Login and Authentication phase and User eviction phase.
18
Public Key
QA
QB
QC
Status-bit
0/1
0/1
0/1
Step 3. After the user receives the global variables, he/she activates the smart phone.
19
20
The user then transmits the digest value of IMEI number, entered CAPTCHA code m and the
signature to the remote server.
Step 4. The remote server extracts the IMEI number, the entered CAPTCHA code m and the
signature from the hash function. The server first verifies the validity of IMEI code and then
verifies the signature using the following steps:
1.
2.
3.
4.
5.
6.
7.
The server can further verify the entered CAPTCHA code with the sent CAPTCHA. If all the
above steps are satisfied, the server grants the users login request otherwise the request is
rejected.
21
22
Our scheme
No
No
No
No
No
No
No
No
The scheme
in [10]
No
No
Yes
Yes
Yes
Yes
No
Yes
The scheme in
[3]
Yes
Yes
Yes
No
Yes
No
Yes
No
The proposed scheme can thus successfully withstand all the security attacks. The robustness of
the system depends on the hardness in solving ECDLP, ECCDHP, ECDDHP problems.
23
Furthermore, every smart phone possesses a unique IMEI number. The system works only after it
verifies the devices IMEI number and that the requesting user using that smart phone is
authenticated. Thus the proposed scheme provides security from any type of system intrusion.
7.5. USER-FRIENDLY
The proposed scheme is based on the concept of passwordless authentication. The users thus
dont have to worry about password selection and memorizing. The password based
authentication has always been cumbersome for the users because human memory is transient and
remembering a large number of long and complicated passwords is impossible. To overcome this
shortcoming, the proposed scheme uses passwordless authentication which is based on
CAPTCHA and ECDSA. The proposed scheme can be easily used by users of all ages, even
children.
24
7.7. ANTI-SPAM
Providing secure communication over network systems is a challenging task. The attacker
launches these attacks through various automated trials, via internet bot programs which do not
require any user interaction. Often spam is used by attackers to obtain credit card information,
passwords and other security sensitive data. The proposed scheme incorporate CAPTCHA which
play an important role in protecting the web resources from spamming and other malicious
activities.
Table 4
Functionality comparison of our scheme with related schemes
Functionality comparison
Our scheme
The scheme
in [10]
No
The scheme
in [3]
Yes
Password requirement
No
Mutual authentication
Yes
No
Yes
Yes
Yes
Yes
No
No
Yes
User friendly
Yes
Yes
No
User anonymity
Yes
No
Yes
Anti spam
Yes
Yes
No
8. CONCLUSIONS
In this paper, we have proposed a new passwordless authentication scheme for smart phones that
exploits the advantages of CAPTCHA and ECDSA. ECDSA provide entity authentication, data
integrity and non-repudiation services. CAPTCHAs defend the system against harmful internet
bot programs and other malicious activities. In contrast to traditional password based
authentication schemes, the users dont have to worry about password selection and memorizing.
The users can easily login from their smart phones and access the web resources. The security
and functionality analysis of the proposed scheme is given for the validation of our claim. The
proposed scheme thus provides robust security and efficiency from any type of system intrusion.
25
References
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
[13]
[14]
[15]
[16]
[17]
[18]
[19]
[20]
26
[22]
[23]
[24]
[25]
[26]
[27]
[28]
[29]
[30]
[31]
[32]
[33]
[34]
27