ABSTRACT
Authentication is unavoidable in any environment where sensitive information is used. When resources are accessed over the Internet, the most common means of identification for authentication is the user's identity together with a secret passphrase known as a password. Studies have shown that graphical passwords, which use images, pictures or objects, emerged because users who could not remember complex text-based passwords tended to generate trivial ones instead. Graphical passwords are stronger and more memorable. However, graphical-based password schemes face several challenges, including the high storage capacity required for all the images, pictures or objects, the lack of assistance for users browsing through an array of them, and vulnerability to shoulder surfing attacks.
This work develops a graphical authentication scheme for web-based applications that tackles these issues using a cued recall technique built on a grid populated with pairs of values and a set of coloured rows and columns. A shoulder surfing resistant interface was designed to assist users in generating a robust password. To improve the security of the system, a One Time Password (OTP) was used. The technologies and tools used were the Apache web server, the MySQL database management system and PHP Hypertext Pre-processor (PHP), all running on the WAMP platform, together with Hypertext Markup Language (HTML), Cascading Style Sheets (CSS) and JavaScript.
The graphical authentication scheme was evaluated using the Magic Triangle Evaluation model. The results showed that the password space and entropy were 2.61×10^4 and 14.39 respectively. The scheme showed a level of resistance of about 85% towards shoulder surfing attacks.
The study concluded that the graphical authentication scheme has a high level of resistance against shoulder surfing attacks but a low password space and entropy, making it vulnerable to brute force attacks. It is therefore recommended for use in environments where shoulder surfing is inevitable, and additional security mechanisms should be added to reduce its vulnerability to brute force attacks. It can also be used as a Completely Automated Public Turing Test to tell Computers and Humans Apart (CAPTCHA).
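The abstract's two security conclusions, a small password space that invites brute-force guessing and an OTP added as a second factor, can be checked and illustrated together. The Python below is an added example, not code from the thesis: it computes entropy as log2 of the password space (log2 of 2.61×10^4 is about 14.67; the thesis reports 14.39 from its own Magic Triangle evaluation, and that figure is kept as stated), generates OTP codes with the HOTP construction of RFC 4226 (HMAC-SHA1 over a counter), and verifies them with a replay-resistant counter and a lockout after repeated failures, which is the kind of additional mechanism the abstract recommends against brute force. The thesis does not say which OTP construction it used, so HOTP, the look-ahead window, the failure limit, the lockout period and the demo secret are all assumptions of this example.

```python
import hashlib
import hmac
import math
import struct


def entropy_bits(password_space: float) -> float:
    """Entropy in bits of a secret chosen uniformly from a space of this size."""
    return math.log2(password_space)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server-side OTP check with a counter that never moves backwards and a failure lockout.

    Parameters are assumptions for this example, not values from the thesis.
    """

    def __init__(self, secret: bytes, window: int = 3, max_failures: int = 5,
                 lockout_seconds: int = 300):
        self.secret = secret
        self.counter = 0                  # next counter value the server expects
        self.window = window              # tolerate a client that skipped a few codes
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = 0
        self.locked_until = 0.0

    def is_locked(self, now: float) -> bool:
        return now < self.locked_until

    def verify(self, candidate: str, now: float) -> bool:
        """Accept a code only once, only within the window, and never while locked out."""
        if self.is_locked(now):
            return False
        for c in range(self.counter, self.counter + self.window + 1):
            # constant-time comparison so the check does not leak matching digits
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.counter = c + 1      # consume this and any skipped codes: no replay
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
        return False


# Constructed demo secret: the RFC 4226 test-vector key, never a real deployment secret.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("entropy of reported space:", round(entropy_bits(2.61e4), 2))
    v = OtpVerifier(DEMO_SECRET)
    first = hotp(DEMO_SECRET, 0)
    print("first code accepted:", v.verify(first, 0.0))
    print("replay of same code:", v.verify(first, 1.0))
```

Because `verify` advances the counter past every code it accepts, a code captured by shoulder surfing is useless once the legitimate user has used it, and the lockout caps how many guesses an attacker gets against the small graphical-password space in a given period.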
ABBREVIATIONS
CSS        Cascading Style Sheet
DAS        Draw A Secret
E          East
HMAC       Keyed-hash Message Authentication Code
HMAC-MD5   Hash Message Authentication Code – Message Digest 5
HMAC-SHA1  Hash Message Authentication Code – Secure Hash Algorithm 1
HTML       Hypertext Markup Language
ID         Identity
MAC        Message Authentication Code
MD5        Message Digest 5
N          North
NE         North East
NW         North West
OTP        One Time Password
PHP        PHP Hypertext Pre-processor
POI        Point of Interest
QR         Quick Response
ROA        Region of Answer
S          South
SE         South East
SHA-1      Secure Hash Algorithm 1
SHA-2      Secure Hash Algorithm 2
SHA-256    Secure Hash Algorithm 256
SMS        Short Message Service
SSL        Secure Socket Layer
SW         South West
TLS        Transport Layer Security
URI        Uniform Resource Identifier
WAMP       Windows Apache MySQL PHP
WWW        World Wide Web
APPENDICES
Appendix
- Login Page
- Registration Page
- Recovery Page
- Informed Consent
- Turnitin Report
CHAPTER ONE
INTRODUCTION
1.1 Background to the Study
Networking, in computer science, is the connection of multiple electronic devices, known as nodes, for the purpose of exchanging information; the concept grew out of the human need to connect and share information, whether voice, video or data. The largest network in the world is the Internet, described as a vast collection of networks that differ in topology, architecture and communication technology but use a common set of protocols to offer certain services. In short, it is termed the network of networks (Ciubotaru & Muntean, 2013; Forcht & Fore, 1995). The Internet has aided many major advancements and developments in today's society. The number of Internet users has grown rapidly, from 400 million in 2000 to more than 3 billion in 2015 (International Telecommunication Union, 2015).
Many organizations share information through the World Wide Web (www), one of the major and most widely used services of the Internet. The World Wide Web (www) is an information space in which relevant items, known as resources (e.g. an image, audio, video or any other file), are identified by global identifiers called Uniform Resource Identifiers (URIs) (Berners-Lee, et al., 2004); in 2001 Google, a multinational technology company, announced that it provided customers direct access to 3 billion web documents on the Internet (Googlepress, 2001).
This worldwide communication capability has driven the proliferation of computers and other ubiquitous devices since the 1960s and, with it, a demand for organizations to protect their digital information from unauthorized users while providing services to authorized ones. The concern to protect information arises because the Internet is a fully decentralized network that depends on voluntary cooperation between thousands of network administrators throughout the world to give individuals access to this tremendously varied set of resources. Thus, the Internet is a public network owned by no one, and sensitive information should be made available only to its rightful recipient (Forcht & Fore, 1995; Menezes, Van Oorschot & Vanstone, 1997).