CHAPTER 3 HASH BASED PSEUDO RANDOM PASSWORD AUTHENTICATION

3.1

INTRODUCTION Almost all password-based user substantiation systems leave its

total trust only on the authentication server where passwords can effortlessly be derived from data stored in a central database. These systems can easily be conferred by offline dictionary attacks initiated at the server side. There is a possibility for substantiation server by either outsiders or insiders focuses all user passwords to get exposed and have serious problems. To get over from these problems obtained in a single server system, pseudo random number generator is introduced to initialize the generation of hash password. The work proceeded in this Chapter first generate pseudo random number for the password registered by the user. Then that generated random number has been inputted into the hash generation function. Based on the inputted random value, hash function generate hash key and map it to the pseudo random value. These mapped hash key values were stored in the hash table. On verification of user password, the hash based pseudo random authentication scheme is invoked for trust worthiness of user application access. 3.2

PSEUDO RANDOM GENERATOR In theoretical computer science, a Pseudo-Random Generator

(PRG) is a deterministic procedure that generates a random number from a small uniform method called a random seed. A Pseudo-Random Number

51

Generator (PRNG) with increased seed value increases the randomness. An iterative hash-based PRNG outcome is a numerical sequencer obtained in each hash stage. It has been paused for unpredictable time periods to enhance the unpredictability of the numerical sequencer output. When the timing of the output of the numerical sequencer is unpredictable, elapsed time cannot be used to identify what the outcome of the numerical sequencer will be with relation to the hash operation. The unpredictable time period is related, when a request for a pseudo-random number is received. Let Fn = {f: {0, 1} n

T} be a class of functions for generating

pseudo-random number. A function G : {0, 1} s

{0, 1} n, where s < n, is a

pseudo-random generator against Fn with bias

( refers to pseudo random

generator and range of

is 1,2,3,…n. is the single value for pseudo random

generator where (n) refers to n pseudo random generator) if for every f in Fn, the statistical distance between the distributions f(G (X), f(Y)), is at most . where X is sampled from the uniform distribution on {0, 1} s

and

Y is sampled from the uniform distribution on {0, 1}n. The quantity s is called the seed length and the quantity n - s is

called the stretch of the pseudo-random generator. Functions from the class Fn are sometimes called adversaries. A pseudo-random generator against a family of adversaries F = {Fn} with bias (n) is a collection of pseudo random generators {G n: {0, 1}s(n)

{0, 1}n},

where G n is a pseudo random generator against Fn with bias (n).

52

In most applications, the family F represents some model of computation, and one is interested in designing a pseudo-random generator, that is computable in the same or some closely related model. Pseudo random generators are used for efficient deterministic simulations of randomized algorithms. In such applications, the class F describes the computations that one wants to perform, and design an "efficiently computable" pseudo-random generator against F whose seed length is as short as possible. The deterministic simulation proceeds by replacing the random input to the randomized algorithm by the output of the pseudo-random generator and averaging the outputs produced by the pseudo random algorithm. The

fundamental

interrogation

occurred

in

computational

complexity is that all polynomial time for randomized algorithms create decision problems that could be deterministically simulated in polynomial time. An algorithm can be solved by using polynomial time if the steps required to finish the algorithm is O n k for the integer value which is a nonnegative value K, where n denotes the input value. Polynomial-time algorithms are quick and do operations such as addition, subtraction, multiplication, division, square roots, powers, and logarithms. The existence of simulation implied that bounded-error polynomial is equated to its probabilistic quotient. To perform such a simulation, it is sufficient to construct pseudo-random generators against the family of all size s(n) whose inputs have length n and output a single bit, where s(n) is an arbitrary polynomial, the seed length of the pseudo-random generator is O(log n) and its bias.

53

With the properties as discussed Nisan and Wigderson (1991) provided a candidate Pseudo Random Generator algorithm. Impagilazzo and Wigderson (1997) proved that the construction of Nisan and Wigderson is a Pseudo-Random Generator assuming that there exists a decision problem that can be computed in time 2O(n) on inputs of length n. PRGs have been applied in cryptographic based applications. For instance, PRGs provide an efficient analog of one time pads. It is well known that in order to encrypt a message m in a way that the cipher text does not enhance any information on the plaintext, the key k used must be random over strings of length m. Encryption made in a secure manner is very costly in terms of key length. Then the Key length can be significantly decreased by using a pseudo-random generator if perfect security is replaced by semantic security. The streams ciphers can be constructed commonly are based on pseudo random generators. PRG is used to build symmetric key cryptosystems, whereas a large message could be encrypted by using the similar key. Such a construction can be based on a generalization of PRG called pseudo-random functions. 3.2.1

Randomized Password Generation The outcome of the Random Password Generators would be a

string of symbols in a specified length. The symbols might be separate characters from the precise character set. To structure a pass phrase or password, syllables are premeditated to form pronounceable passwords, or words from word list. The random password function is modified to make sure the resulting password that fulfills with the local password policy, by producing a mix of letters, numbers and special characters. The potency of a random password has been calculated by computing the information entropy of the random process that produced it. If each symbol in the password is produced independently, the entropy is presented as equation (3.1)

54

H

log 2 N L

L log 2 N

L

log N log 2

(3.1)

where N is the number of possible symbols and L is the number of symbols in the password. The function log2 is the base 2 logarithm. H is measured in bits. An eight character password of single case letters and digits would have bits of entropy. Thus, a password generated using a 32-bit generator has maximum entropy of 32 bits, regardless of the number of characters in a password. The same length password selected at random from all computer keyboard characters would have bit entropy; however such a password would be harder to memorize and might be difficult to enter on non-computer keyboards. A ten character password of single case letters and digits would have essentially the same strength. 3.2.2

Pseudo Effect in the Random Passwords A password generator limits the state space of the pseudo-random

number generator. So a password could be created by using a 32-bit generator has maximum entropy of 32 bits, regardless of the number of characters the password contains. Since the password has been used ubiquitously to entrée the things in net security is a significant issue, password cracking may become a problem. The passwords generated are not totally arbitrary. There are a couple of rules that are used: i)

All passwords are 8 characters.

ii)

All passwords are lowercase.

iii) All passwords have a non-alpha character in the middle. iv)

The passwords must be easy to remember.

55

Most of the passwords which could be produced can easily be prominent and easily memorized. These passwords are also close to uncrackable. There is no assurance to protect passwords from brute force cracking nevertheless the passwords generated here would take a substantial amount of time to crack. The Pseudo Random Password generator is also depended on the following equation which has been considered keeping in mind with minimizing the amount of time taken to crack the password n

ym

1

(bQm d ) mod n

(3.2)

m 0

where

ym+ 1 is the sequence of pseudo random values n is the modulus value b is the multiplier Q m is the start value d is the value of user password

(mod n) produces the maximum numbers 3.3

HASH BASED PASSWORD WITH PSEUDO RANDOM KEY To change the password around pages often demands users to enter

both the old and the new passwords. New password hash users must visit these pages to modify their old passwords to the new, hashed versions. The simpler the password for the owner to remember normally means it will also be simpler one for the attacker. The security of the system will get reduced only if the passwords are difficult to remember because users are in need to write down or electronically protect the password, users are in need about frequent password resets and users are always willing to re-use the same password. The structure of anticipated hash based password with pseudo random key is depicted in the Figure 3.1.

56

Figure 3.1 Pseudo Random Hash Key Generator The figure shows a Pseudo Random Hash Key Generator. In the first step, the user password is applied to the pseudo random generator. The pseudo random generator produces the hash key values to the user. The produced hash key values are associated with the different websites. Table 3.1, below and Figure 3.2 show the effect of execution time in generating pseudo random hash password compared to that of simple random generator model. From the graph, it is clear that as the pseudo random hash key password authentication need minimum execution time compared to that of traditional random generator.

57

Table 3.1

Performance of Pseudo Random Hash Password Authentication

Execution Time of Execution Time of Random Iteration of Pseudo Random Hash Generator for Password password Key Password Authentication Usage Verification (Numbers) (in milliseconds) Authentication (in milliseconds) 1 22 32 2

21

31

3

20

33

4

19

35

5

18

37

Figure 3.2

Result of Execution Time of Pseudo Random Hash Password Authentication

Figure 3.2 shows the result of execution time of pseudo random hash Password Authentication. Based on the number of iterations the effect of execution time is calculated. In each and every iterations, both the pseudo random hash key password authentication and the simple random generator

58

having a slight difference. The above Figure shows the pseudo random hash key password authentication is efficient one compared to the simple random generator. The password security system depends upon on several factors i.e., man-in-the-middle attacks, safety measures against computer viruses, and the like. It is a general for computer systems to save the passwords as they are typed. The scope of this system is to protect the system from outside onlookers reading the password. In addition, users might have chances to display or hide passwords as they typed and saved in system itself. Extraction of hash values in binary form is a precise control over the probability distribution of the hash bits. The hash key is used to produce pseudo-random key whose actual values supply to the randomness of the aspect vector with a considerably increased uncertainty of the adversary, considered by mutual information, in contrast with linear correlation by Khelifi and Jiang (2010). The proposed hash based pseudo random technique has been shown to outperform related state-of-the art techniques recently proposed in the literature in terms of robustness with replay and reactive attacks. To provide the system security, the key factor is that the rate at which an attacker can submit the guessed passwords. After enter into a less number of failed password attempts, some systems get a time-out of several seconds. In the avoidance of other vulnerabilities, such systems can be effectively secure with relatively simple passwords, if they have been well chosen and are not easily guessed. To make use of hash value which should be accessible for an outside onlookers, many systems store or transmit a cryptographic hash of the password. Generally, it is known that when this process is done, an outside onlooker could able to work off-line, by checking the candidate passwords against the true password's hash value. Passwords

59

which are used to create cryptographic keys can also be subjected to high rate guessing. Some of the efficient commonly used passwords are extensively available which in turn can make password attacks very successful. The Security of this type of situations will depend only on by using passwords or pass phrases in an adequate complexity, to make the attack computationally infeasible for the attacker. To slow down such an attack, Pretty Good Privacy (PGP) system can apply a computation-intensive hash to the password. Rather than comparing the users’ log, the computer systems store user passwords as clear text. If an attacker has a chance to get an access of an internal password store, all passwords and all user accounts maintained in that will be compromised. If the users use the similar password for accounts on different systems, it will also be compromised as like. Most of the security based systems will protect the password in a cryptographically protected form, so that it is a tedious process for an attacker to access to the actual password who gains internal access to the system, while verification of user access attempts remains possible. A common method captures the hashed form of the plaintext password. When a user validates the password for such system the admin who performs the password handling mechanism runs a cryptographic hash algorithm. If the hash value computed by the user's entry matches with the hash stored in the password database, then the user will be permitted to access the web site / application. The hash value has been created by processing with the help of hash function which consits of the user defined password referred to as salt that avoids the problem of constructing a group of hash values for generic passwords. As the hash function presented in this work is well designed, it will be computationally infeasible to reverse it to directly find a plaintext password.

60

3.3.1

Hashing the Password The anticipated methodology of the safe and sound hash password

system contains one-way hash functions that can practice a message to fabricate a condensed demonstration called a message digest. The hash algorithm facilitates the purpose of a message’s integrity with a very high probability. The integrity possessions will be used in the production and authentication of digital signatures message substantiation codes and generation of random numbers. The algorithm could be depicted in two stages, preprocessing and hash computation. Preprocessing engrosses padding a message and setting initialization values to be used in the hash calculation. The hash calculation produces a message agenda from the padded message and uses that agenda, along with functions, constants, and word operations to iteratively produce a series of hash values. The final hash value produced by the hash computation is used to establish the message digest. The devise attitude of this hash functions is that iterating a compression function, which obtains as an input bits and returns output bits. The consequential function is then progressed to operate on strings of arbitrary length. The legitimacy of such a devise has been recognized and its security is proven better than the security of the compression function. 3.3.2

Integrating Hashing and Pseudo Random Keys To detect unsafe user behavior, integrating hashing is a web

password hashing execution has been used. This defense would consist of a recording component and a monitor component. The recording constituent account all passwords that the user types while the conservatory is in password mode and stores a one-way hash of these passwords on disk. The observe component monitors about the complete keyboard key rivulet for a consecutive progression of keystrokes that contests one of the user’s passwords. When the conservatory is not in password mode in such a

61

sequence is to be keyed, and then the user is alerted. The hash table produced from the pseudo random creator for the multiple sites is raised as data structure. The hash table construction uses the hash function to plot the identified values to their related values. The hash table in turn implements an associative array, which alter the key into the index of an array element where the corresponding value is extracted. 3.3.2.1

Hash Function The hash function is used to calculate an index within the array

from the data given value key as shown in Figure 3.3. Array Length is referred as the size of the array. The basic requirements for the hash function are: the input can be of any length, the output should have only fixed length and the function should be collision-free. Index key is generated with the following equation Index = f (key, arrayLength) n

fi k , aL

(3.3)

i 1

where

k is the data which contains the key value aL is specifies the array length fi is the function to be computed

Hash functions are principally used in hash tables, and it proficiently locates the data given by its search key value. The hash functions are used to evaluate the key to the hash value. The principle of index is used to amass the corresponding record. The equation (3.3) calculates the index value. There even arises a situation when different keys correlate to the same index value. Hence each and every slot of hash table is mapped with a set of

62

records instead of a single record. Hence, each slot of a hash table is also called as a bucket as it is represented in Figure 3.3.

HASH FUNCTION

KEYS

BUCKETS

Gmail Pwd 1622963 95342 Rediffmail Pwd 16943 Hotmail Pwd

Figure 3.3 Password Generators as a Hash Table Figure 3.3 describes the process of password generators process acts as a hash table. The passwords from different accounts like gmail, rediffmail, hotmail are termed as keys and the hash functions are applied with those keys to evaluate the key to its corresponding hash value. If different key values correlate with the same index value, then the hash table should be mapped with different set of records than a single set of record. The slot of hash table which has been mapped with the key values is maintained under bucket. There are several approaches for dealing with collisions, but the approaches all build the hash tables slower than if no collisions occurred. If the authentic keys to be used are identified before the hash function is chosen, it is probable to choose a hash function that sources no collisions. If the genuine keys being hashed were consistently dispersed, then by selecting the first bits of the input to be the hash value would make a better hash function. It is fast and it hashes an identical number of probable keys to each hash value. Unfortunately, the genuine keys abounding by humans and computers

63

are seldom consistently distributed. Hash is the integer result of an algorithm (known as a hash function) applied to a given string. Table 3.2

Performance of Key Length Usage in Pseudo Random Hash Key Password Authentication

password Usage Key Length in Pseudo Random Hash key Verification Instances Password Authentication ( in bits) 1 2 3 4 5

Key Length in Random Generator For Password Authentication( in bits)

15 13 14 11 12

11 12 10 09 11

The comparative analysis of key length using random hash key password authentication and random generator for password authentication in Table 3.2 proving the efficiency of proposed work. Table 3.2 shows the Performance of Key Length Usage in Pseudo Random Hash Key Password Authentication. In Pseudo Random Hash Key Password Authentication, the key length is high. So the authentication and security is more when compared to the Random Generator for Password Authentication which is having the lesser key length. Figure 3.4 shows the graphical representation of the key length for pseudo random hash key password authentication and the random generator for password authentication. Using Password Hash, a user can modify the password at a given site without changing the password at other sites. The method for using password hash is to choose a small number of effective distinct password one password for all high security sites and one password

64

for all news sites. The password hash extension ensures that a break-in at one high security site will not expose the user’s password at all other sites.

Figure 3.4

Graphical Representation of Key Length usage in Pseudo Random Hash Password Authentication

3.3.3

Evaluation of Pseudo Hashed Keys The hash based pseudo random password model concerned with

attacks on the extension that originate on malicious phishing sites. Password hashing is computed using a Pseudo Random Function (PRF) as suggested by Blake Ross et al (2005). The PRF is derived as follows: Hash (pwd, domain) = PRFpwd (domain) where the user’s password (pwd) is used as the PRF key and the remote site’s domain name or some variant is used as the input to the PRF. Upon satisfaction of site’s encoding rules the hash value is then encoded as a string. The purpose is to protect against web scripting attacks. For this influence, the browser conservatory is coded as a defensive but largely translucent and acts as a mediator between the user and the web application. All input are first observed and protected by the browser conservatory before the web

65

application is aware that the user is interacting with it. This entails a mechanism in which the users have to advise password hash browser conservatory that they are about to enter a password. Password hash then take steps to defend the password as it is being entered. A distributed hash table is introduced to hold the browser efficacy models of the multiple users across hash substantiation mode. 3.3.4 Algorithm for Hash Based Pseudo Random Password Authentication The algorithm for hash based pseudo random password authentication process is described in the following steps: Input

:

User Name, Alpha Numeric Password, Website Names.

Output

:

Hash key Value for Corresponding User Password, Authentication Status for the User to Access the Web site.

STEP 1: For I = 1 to n [n represents the number of users] Input the alpha numeric characters. [Variable represents the password] Initialize the password for the user Initialization of the password for all the login users. STEP 2: While (I < = n) [I represents the corresponding user] Start the pseudo random generator. Pseudo random key is generated for its corresponding users. Listing of pseudo random key for all users.

66

STEP 3: For I = 1 to n [n represents n hash values] Generate Hash Value with Pseudo Random Key for each User Store Hash value for all the users. STEP 4: For I = 1 to m [m represents the web sites] Generate hash subset key for each web site of the user accessibility Generation of hash subset keys for all user accessible websites. STEP 5: To verify the user password Check authenticity of hash key to its corresponding users Check authenticity of hash subset key to its respective website Validity of user to access the website. Figure 3.5 shows the process diagram of Hash Based Pseudo Random Password Authentication. In this process, inputs are taken as User Name, Alpha Numeric Password, and Website Names. In first step the password for all the login users should be initialized. If corresponding user is less than are equal to hash values, PRG will start and Pseudo Random Key is generated for its corresponding users. Then, Pseudo Random Key for all users are Listed. For each and every user, Hash Value with Pseudo Random Key will be Generated and Stored Hash value for all the users. Hash subset key is generated for each web site of the user accessibility. For all user accessible websites, hash subset keys are generated. To verify the user password, Check Authenticity of Hash Key to its corresponding users, Hash subset key to its respective website and validity of User to access the website. Table 3.3 shows the pseudo random hash password verifier table and its performance parameters.

67

Users (1 to n)

Initialize password for all login users No

While (I < = n) [I corresponding user]

Invalid user

Yes Start the pseudo random generator. Generation of Pseudo random key for its corresponding users Listing of Pseudo Random Key for all users

No

For I = 1 to n [n represents n hash values]

Invalid pseudo random key

Yes Generate Hash Value with Pseudo Random Key for each User

For I = 1 to m [m indicates web sites]

No

Invalid website

Yes Generation of hash subset keys for all user accessible websites. To verify the user password Check Authenticity of Hash key to its corresponding users Validity of User to access website

Figure 3.5 Flow Diagram for Hash Based Pseudo Random Password Authentication

68

Table 3.3

Pseudo Random Hash Password Verifier Table

Performance Pseudo random Hash Key parameters password authentication Attack Resistance 92 % capacity

Random Generator for Password authentication 84%

Iterations for Key generation

6 to 8

10 to 12

Key Length Execution time

11 to 15(bits) 20 ms

9 to 12 (bits) 35 ms

Table 3.4 shows the analysis of resistance attack capacity of pseudo random hash key password authentication and random generator for password authentication in terms of percentage. The resultant value shows that the resistance capacity is higher in case of pseudo random hash key password when compared to random generator for password authentication as the attack intensity grows higher. Table 3.4 Analysis of Resistance Attack Capacity

Attack Intensity

Resistance Capacity of Pseudo Random Hash key Password Authentication (% )

1

85

Resistance capacity of Random Generator for Password Authentication (%) 80

2 3 4 5

89 88 92 90

88 82 86 84

Figure 3.6 shows the graphical representation of the attack resistance for the given tabulation column in Table 3.4. X axis refers to the attack intensity and Y axis represents the resistance attack expressed in terms

69

of (%). Higher the attack intensity the resistance capacity for pseudo random hash key password authentication outperforms when compared to random generator for password authentication.

Figure 3.6 Graphical Representation of Attack Resistance 3.4

IMPLEMENTATION OF PSEUDO HASH PASSWORD The core function of pseudo hash password system is evaluated as

binary matrix [H] of size r*n. The parameters for the hash function are r the number of rows of H, n the number of columns of H and s is the size in bits of the function output and w the number of columns of H added at each round. Input: s bits of data a.

Split the s input bits in w parts s1,…sn of log 2 ( n / w ) bits

b.

Convert each si to an integer between 1 and n / 2

c.

Choose the corresponding column in each Hij(ith row and jth column on corresponding iteration)

d.

Add the w chosen columns to obtain a binary string of length r

70

Output: r bits of hash The Hash function creates a fixed length small fingerprint (or message digest) from an unlimited input string. Hash(X)

Y

X is an infinite set and Y is a finite set. The properties of proposed hash function are Prekey resistant: From the function output, it is impossible to compute the input x i.e., hash(x) =y Second key resistant: from an input x1 it should be impossible to compute another input x2 (different of x1) i.e., hash(x1) =hash(x2) Collision resistant: It should be difficult to find two inputs x1 and x2 (where x1 cohesive to x2) i.e., hash(x1) =hash(x2) If each password is simply hashed, identical passwords will have the same hash. There are two drawbacks to choose only storing the password’s hash The attacker find a password very quickly especially if the number of passwords the database is large An attacker uses a list of precomputed hash to break passwords in few seconds In order to solve these problems, the proposed pseudo random number is concatenated to the password before the digest operation. The pseudo random number is different for each stored entry. It is stored as clear numeral next to the hashed password. In this configuration, an attacker must handle a brute force attack on each individual password.

71

3.4.1

Single Server Pseudo Hash Password Authentication and Verification The pseudo random hash password is a browser extension

protective with largely transparent intermediary between the user and the web application server. All input can be first monitored and in which the users’ have to notify password hash browser conservatory that they are about to enter a password. Password hash browser has taken steps to protect the password as it is being entered. To handle the browser utility replicas of the multiple users across hash authentication mode, the pseudo random hash model contains distributed hash table to handle it. The verification of pseudo hash password on authentication is performed by checking the hash functions produced on mapping the pseudo random number initialized for the respective user password registration. The produced hash key value on generation is compared with that of the accessing time taken by hash key value to evaluate the user’s identity. This verification process facilitates the determination of a user’s private data integrity is such that change occurs to the password will be identified at a very high probability. This facilitates the two servers to verify the user’s authenticity by evaluating the password originality even for the multiple websites. Initially, a preprocess verification is done by checking the pseudo random number which is generated during the registration of the user and password. Then the hash value which has been generated and mapped to the pseudo random number stored in hash table is verified to the user accessibility. The hash computation generates a password schedule from the appended values to the hash key and uses the schedule along with functions, constants, and word operations to iteratively generate a series of hash values. The final hash value generated by the hash computation is used to determine the user password originality.

72

3.5

SUMMARY The proposed hash based pseudo random password scheme for

multiple web sites presented in this Chapter, is suitable for resource constrained users due to its efficiency in terms of both computation and communication. The hash function designed in this work iterates a pseudo random function to evaluate the derivative of hash password keys to its corresponding user. The strengthening of the hash key is done with the effective generation of pseudo random number for the required appropriated users.