ISSN: 2250-3005 - ijcer

More documents

Recommendations

Info

International Journal Of Computational Engineering Research (ijceronline.com) Vol. 2 Issue. 8Fig. 2. Operation flows for user in each phase of oPass system respectively. Black rectangles indicate extra stepscontrasted with the generic authentication system: a) registration, (b) login and (c) recovery.IV. OPassIn this section, we present oPass from the user perspective to show operation flows. oPass consists ofregistration, login, and recovery phases. Fig. 2 describes the operation flows of users during each phase of oPass. Inthe registration phase, a user starts the oPass program to register her new account on the website she wishes to visitin the future. Unlike conventional registration, the server requests for the user’s account id and phone number,instead of password. After filling out the registration form, the program asks the user to setup a long-term password.This long-term password is used to generate a chain of one-time passwords for further logins on the target server.Then, the program automatically sends a registration SMS message to the server for completing the registrationprocedure. The context of the registration SMS is encrypted to provide data confidentiality. oPass also designed arecovery phase to fix problems in some conditions, such as losing one’s cellphone. Contrasting with general cases,login procedure in oPass does not require users to type passwords into an untrusted web browser. The user name isthe only information input to the browser. Next, the user opens the oPass program on her phone and enters the longtermpassword; the program will generate a one-time password and send a login SMS securely to the server. Thelogin SMS is encrypted by the one-time password. Finally, the cellphone receives a response message from theserver and shows a success message on her screen if the server is able to verify her identity. The message is used toensure that the website is a legal website, and not a phishing one. Protocol details of each phase are provided asfollows. Table I shows the notations used in the oPass system.A. Registration PhaseFig. 3 depicts the registration phase. The aim of this phase is to allow a user and a server to negotiate ashared secret to authenticate succeeding logins for this user. The user begins by opening the oPass program installedon her cellphone. She enters ID (account id she prefers) and ID (usually the website url or domain name) to theprogram. The mobile program sends ID and ID to the telecommunication service provider (TSP) through a 3Gconnection to make a request of registration. Once the TSP received the user ID and the server ID, it can trace theuser’s phone number based on user’s SIM card. The TSP also plays the role of third-party to distribute a shared keybetween the user and the server. The shared key is used to encrypt the registration SMS with AES-CBC. The TSPand the server will establish an SSL tunnel to protect the communication. Then the TSP forwards ID to the assignedserver. Server will generate the corresponding information.For this account and reply a response, including server’s identity ID, a random seed, and server’s phonenumber. The TSP then forwards ID and a shared key to the user’s cellphone. Once reception of the response isfinished, the user continues to setup a long-term password with her cellphone. The cellphone computes a secretcredential by the following operation:To prepare a secure registration SMS, the cellphone encrypts the computed credential with the key and generates thecorresponding MAC, i.e., HMAC. HMAC-SHA1 takes input user’s identity, cipher text, and IV to output the MAC[10]. Then, the cellphone sends an encrypted registration SMS to the server by phone number as follows:Issn 2250-3005(online) December| 2012 Page 109
International Journal Of Computational Engineering Research (ijceronline.com) Vol. 2 Issue. 8Server can decrypt and verify the authenticity of the registration SMS and then obtain with the shared key Serveralso compares the source of received SMS with to prevent SMS spoofing attacks. At the end of registration, thecellphone stores all information ID, except for the long term password and the secret. Variable indicates the currentindex of the one-time password and is initially set to 0. With, the server can authenticate the user device during eachlogin.B. Login PhaseThe login phase begins when the user sends a request to the server through an untrusted browser (on aiosk).The user uses her cellphone to produce a one-time password and deliver necessary information encrypted withto server via an SMS message. Based on preshared secret credential, server can verify and authenticate user basedon Fig. 4 shows the detail flows of the login phase. The protocol starts when user wishes to log into her favorite webserver (already registered). However, begins the login procedure by accessing the desired website via a browser onan untrusted kiosk. The browser sends a request to with user’s account ID. Next, server supplies the ID and a freshnonce to the browser. Meanwhile, this message is forwarded to the cellphone through Bluetooth or wirelessinterfaces. After reception of the message, the cellphone inquires related information from its database via ID, whichincludes server’s phone number and other parameters. The next step is promoting a dialog for her long-termpassword. Secret shared credential can regenerate by inputting the correct on the cellphone. The one-time passwordfor current login is recomputed using the following operations:Fig. 3. Registration phaseFig. 4. Login phaseAfter receiving the login SMS, the server recomputed (i.e., ) to decrypt and verify the authenticity of thelogin SMS. If the received equals the previously generated, the user is legitimate; otherwise, the server will rejectthis login request. Upon successful verification, the server sends back a success message through the Internet, to theuser device. The cellphone will verify the received message to ensure the completion of the login procedure.D. Recovery PhaseRecovery phase is designated for some specific conditions; for example, a user may lose her cellphone. Theprotocol is able to recover oPass setting on her new cellphone assuming she still uses the same phone number (applya new SIM card with old phone number). Once user installs the oPass program on her new cellphone, she can launchthe program to send a recovery request with her account ID and requested server ID to predefined TSP through a 3Gconnection. As we mentioned before, ID can be the domain name or URL link of server. Similar to registration, TSPcan trace her phone number based on her SIM card and forward her account ID and the server ID to server throughan SSL tunnel. Once server receives the request probes the account information in its database to confirm if accountis registered or not. If account ID exists, the information used to compute the secret credential will be fetched and besent back to the user. The server generates a fresh nonce and replies a message which consists of ID s. This messageincludes all necessary elements for generating the next one-time passwords to the user. When the mobile programreceives the message, like registration, it forces the user to enter her long-term password to reproduce the correctone-time password (assuming the last successful login before lost her cellphone is ). During the last step, the user’scellphone encrypts the secret credential and server nonce to a cipher text. The recovery SMS message is deliveredIssn 2250-3005(online) December| 2012 Page 110
Page 1 and 2:
ISSN: 2250-3005VOLUME 2 December 20
Page 3 and 4:
Meisam MahdaviQualification: Phd El
Page 5 and 6:
16. Implementation Of Serial Commun
Page 7 and 8:
45 Performance Evaluation Of Energy
Page 9 and 10:
International Journal Of Computatio
Page 11 and 12:
Page 13 and 14:
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
01 .048International Journal Of Com
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42:
Page 43 and 44:
Page 45 and 46:
Page 48 and 49:
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
Page 58 and 59:
Page 60 and 61:
Page 62 and 63:
Page 64 and 65:
Page 66 and 67: International Journal Of Computatio
Page 108 and 109: INTERNATIONAL JOURNAL OF COMPUTATIO
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Body Acceleration (m/Sec2)Dynamic T
Page 188 and 189:
Page 190 and 191:
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
Page 212 and 213:
Page 214 and 215:
Page 216 and 217:
Page 218 and 219:
Page 220 and 221:
Page 222 and 223:
Page 224 and 225:
EigenvalueEigenvalueInternational J
Page 226 and 227:
Page 228 and 229:
Page 230 and 231:
Page 232 and 233:
Page 234 and 235:
Page 236 and 237:
Page 238 and 239:
Page 240 and 241:
Page 242 and 243:
Page 244 and 245:
Page 246 and 247:
Page 248 and 249:
Page 250 and 251:
Page 252 and 253:
Page 254 and 255:
Page 256 and 257:
Page 258 and 259:
Page 260 and 261:
Page 262 and 263:
Page 264 and 265:
Page 266 and 267:
Page 268 and 269:
Page 270 and 271:
Page 272 and 273:
Page 274 and 275:
Page 276 and 277:
Page 278 and 279:
Page 280 and 281:
Page 282 and 283:
Page 284 and 285:
Page 286 and 287:
Page 288 and 289:
Page 290 and 291:
Page 292 and 293:
Page 294 and 295:
Page 296 and 297:
Page 298 and 299:
Page 300 and 301:
Page 302 and 303:
Page 304 and 305:
Page 306 and 307:
Page 308 and 309:
Page 310 and 311:
Page 312 and 313:
Page 314 and 315:
Page 316 and 317:
Page 318 and 319:
Page 320 and 321:
Page 322 and 323:
Page 324 and 325:
Page 326 and 327:
Page 328 and 329:
Page 330 and 331:
Page 332 and 333:
Page 334 and 335:
Average JitterThroughputInternation
Page 336 and 337:
Energy Consumed in Received ModeEne
Page 338 and 339:
Page 340 and 341:
Page 342 and 343:
Page 344 and 345:
show all

ISSN: 2250-3005 - ijcer

Create successful ePaper yourself

Delete template?

Save as template?