International Conference and Workshop on Emerging Trends in Technology (ICWET 2011) TCET, Mumbai, India
Secure Authentication using Dynamic Virtual Keyboard Layout

M Agarwal
Lecturer, Sardar Patel Institute of Technology
Mumbai, India

M Mehra
Lecturer, Sardar Patel Institute of Technology
Mumbai, India

R Pawar
Lecturer, Sardar Patel Institute of Technology
Mumbai, India

D Shah
Professor, Sardar Patel Institute of Technology
Mumbai, India

ABSTRACT
Virtual keyboard authentication has helped users to protect their
usernames and passwords from being captured by key loggers, spyware
and malicious bots. However, the virtual keyboard still suffers from
numerous other weaknesses that an attacker can take advantage of.
These include click-based screenshot capturing, over the shoulder
spoofing and co-ordinate position noting. To overcome these
drawbacks, we have designed a virtual keyboard that is generated
dynamically each time the user accesses the web site. Also, after
each click event of the user, the arrangement of the keys of the
virtual keyboard is shuffled. The position of the keys is hidden so
that a user standing behind may not be able to see the pressed key.
Our proposed approach makes the usage of the virtual keyboard even
more secure for users and makes it tougher for malware programs to
capture authentication details.

General Terms
Security, Reliability.

Keywords
Authentication, Virtual Keyboard, Security, Password, Spyware

1. INTRODUCTION
With the growth of technology, more and more services are made
available to users online. From buying goods, houses and movie
tickets to maintaining financial services, a user can take advantage
of the Internet and complete all the transactions online. Online user
authentication [1] is required by most of the services offered over
the Internet to the users.

This is typically carried out by sending a sequence of username and
password to the server for authentication. Some attacks, such as
phishing [2] attacks, rely on just this fact. Key loggers [3] [4],
spyware, bots etc. generally run in the background without the
knowledge of the user. These programs record the complete sequence of
the data entered by the user. They transmit this information over the
Internet, where it is used to gain access to confidential user
information such as PINs, ATM numbers, passwords etc. These tools
have become more and more sophisticated. As a result, sometimes even
the most secure and updated version of an anti-virus or anti-malware
program is unable to detect them. Reported losses from online fraud
more than doubled last year, from $265 million in 2008 to nearly $560
million in 2009 [5]. In this paper we describe how a dynamically
generated virtual keyboard could solve most of the authentication
issues. We propose a dynamic virtual keyboard that shuffles the
arrangement of keys after every click. It also hides the position of
the key before the user presses the key. This approach overcomes most
of the drawbacks faced by today's virtual keyboard. The proposed
approach provides protection against key loggers, over the shoulder
spoofing, and screen capturing after a click event.

Our paper is organized as follows. The paper begins with an
explanation of the concept of Virtual Keyboard. The next section
describes the issues associated with the current implementation of
virtual keyboard. Next we describe our proposed concept. This is
followed by the basic implementation and testing details. The last
part concludes our paper.

2. Virtual Keyboard
A virtual keyboard is a software component that allows a user to
enter characters. The virtual keyboard is generally a visual
representation of the real keyboard on the standard output. A
virtual keyboard can usually be operated with multiple input
devices, which may include an actual keyboard, a computer mouse, an
eye mouse, and a head mouse. A typical virtual keyboard is shown in
Figure 1.

Permission to make digital or hard copies of all or part of this work
for personal or classroom use is granted without fee provided that
copies are not made or distributed for profit or commercial advantage
and that copies bear this notice and the full citation on the first
page. To copy otherwise, or republish, to post on servers or to
redistribute to lists, requires prior specific permission and/or a
fee.
ICWET'11, February 25-26, 2011, Mumbai, Maharashtra, India.
Copyright 2011 ACM 978-1-4503-0449-8/11/02$10.00.

Figure 1. Virtual Keyboard.
Virtual keyboards were used to provide an alternative input
mechanism for users with disabilities or limited hand mobility or
who were unable to use a physical keyboard. Another major use for an
on-screen keyboard is for bi- or multi-lingual users, who continually
need to switch between different character sets or alphabets.

Recently virtual keyboards have made their way into authentication of
users. Most financial websites now present users with a virtual
keyboard for taking their authentication details. Key loggers,
spyware and other malicious programs capture the entire sequence of
characters entered via the physical keyboard. The use of a virtual
keyboard helps to bypass these malicious programs, since these
programs record keystrokes generated by a physical keyboard and not
via a virtual keyboard. The virtual keyboard offers a number of
benefits, as listed below.
Portability
Accuracy
Speed of text entry
Lack of need for flat or large typing surface
Ability to minimize the risk for repetitive strain injuries
Flexibility

3. Existing Technology and Issues
In the current scenario a virtual keyboard is displayed on the screen
asking the user to enter his / her username and password. Though this
approach is safe and protects his / her credentials from key loggers,
it has the following drawbacks:

3.1 Screen Capture Technique
Here an attacker can write a program that captures the screen after
the user clicks with a mouse. For example, a password "abdg", though
entered via a virtual keyboard, is captured by the spyware program by
capturing a screenshot after the user clicks on the virtual keyboard.
[Figure 2 panels: "a" captured, "b" captured, "d" captured, "g" captured]
Figure 2. Spy program that captures screenshots after every click,
resulting in capture of the entire user password

3.2 Behind the shoulder spoofing
Here a person standing behind the person entering his / her password
via the virtual keyboard remembers or notes his / her sequence of
clicks, thereby learning his / her password. The user, unaware of
this, feels his / her password has been entered securely, but in
reality his / her password has been compromised.
Figure 3. User standing behind observing the mouse movements to track
the password.

3.3 Unshuffled Keyboard Implementation
Generally the arrangement of alphabets in a virtual keyboard is the
same as in a normal QWERTY keyboard. Though this helps the user enter
his / her password a bit faster, it compromises security again. An
attacker can note the coordinates of the mouse clicks and predict the
sequence of the password. For example, consider the following:
Figure 4. Noting co-ordinate position of mouse click and guessing
password
If the recorded co-ordinates are (3, 1), the key pressed is "v".
Similarly, the entire sequence of co-ordinates, taken together, lets
the attacker know the user's password.

4. Proposed Dynamic Virtual Keyboard
As seen above, the current implementation of the virtual keyboard
does not guarantee a foolproof mechanism against various attacks.
Here we propose a dynamic virtual keyboard with the following
features:
Dynamic Keyboard Layout Generation
Hidden keys to prevent screenshot capturing
Shuffled keyboard after every click
A sample dynamic virtual keyboard of our proposed concept is shown
below.
Figure 5. Dynamic virtual keyboard, translucent shade so that the
user can note the position of the letter
Let us assume that the password of the user is "xyz". Here the user
is allowed to enter one character at a time. Initially the user
should note the position of the character he wishes to enter. It is
"x" in our case. We have used colour coding so that it is easier to
remember. In this case we see that "x" is in yellow color and second
from top. After that the user has to click the "hide keys" button.
This button converts the translucent colours into opaque colours of
the same shade, as shown below in Figure 6. Now the user can click
the yellow button, second from top, to type "x". After the user
clicks "x", the layout of the keyboard changes again and the
procedure is repeated once more. In case the user forgets the
position of the character after clicking "hide keys", he can click
the button "forgot position". This would result in the same keyboard
layout generation as before.
Figure 6. Dynamic virtual keyboard after pressing Hide
Keys button
This proposed approach overcomes the drawbacks of the current
implementation of virtual keyboard. Benefits of the proposed
approach:

4.1 Screenshot mechanism would not work
Since the keys are hidden after the user presses the "hide keys"
button, even if the screenshot is recorded it would make no sense to
the attacker. For example, for the same password "abdg" the screen
capture would record the following things. This makes no sense to the
attacker and the user's password is thus secure.
Figure 7. Spy program that captures screenshots after every click,
rendered useless since no information about the password can be
obtained
Though the screen is captured by the spy program, since the keys are
darkened no trace of the user's password is left.

4.2 Shuffled Keyboard Implementation
As against the current implementation with an unshuffled arrangement
of alphabets, in our proposed approach we shuffle the keyboard after
every click. As a result, if a person is standing behind to spoof the
password over the shoulder, he cannot remember the password, since the
layout and arrangement of alphabets change after every click. Also,
noting the coordinates would be of no help, since even if the position
is noted, the next click would again reshuffle the keyboard. Thus if
"v" was currently at position (3, 1), the next click would have some
other alphabet at the same position (3, 1).
Figure 8. Random arrangement of keyboard alphabets as against normal
QWERTY keyboard arrangement makes it tougher for malware programs to
capture password
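
The per-click reshuffle described in Sections 4 and 4.2, as an added example (not the authors' jQuery code): the 26-letter key set, the class and function names, and the use of the Web Crypto generator with a Fisher-Yates shuffle are assumptions, and the colour and hide-keys rendering is left out. `decodeFromLoggedClicks` models the Section 3.3 observer who holds one captured layout plus the logged click positions.

```javascript
// Added example; all names here are illustrative, not taken from the paper's jQuery code.
// Web Crypto: window.crypto in browsers, global in current Node, node:crypto on older Node.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

const KEYS = "abcdefghijklmnopqrstuvwxyz".split("");

// Uniform integer in [0, n) by rejection sampling, so there is no modulo bias.
function randomBelow(n) {
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// Fisher-Yates shuffle driven by the CSPRNG; returns a new array.
function secureShuffle(items) {
  const a = items.slice();
  for (let i = a.length - 1; i > 0; i--) {
    const j = randomBelow(i + 1);
    [a[i], a[j]] = [a[j], a[i]];
  }
  return a;
}

class VirtualKeyboard {
  // reshuffle=false models a layout that stays fixed for the whole session.
  constructor(reshuffle = true, keys = KEYS) {
    this.keys = keys;
    this.reshuffle = reshuffle;
    this.layout = secureShuffle(keys);
    this.typed = "";
  }
  positionOf(ch) { return this.layout.indexOf(ch); } // noted by the user before "hide keys"
  forgotPosition() { return this.layout.slice(); }   // same layout again, no reshuffle
  click(pos) {
    this.typed += this.layout[pos];
    if (this.reshuffle) this.layout = secureShuffle(this.keys);
  }
}

// Types `password` and returns what a position logger holding one captured layout decodes.
function decodeFromLoggedClicks(password, kb) {
  const captured = kb.forgotPosition(); // layout seen once, before the first click
  let decoded = "";
  for (const ch of password) {
    const pos = kb.positionOf(ch);
    decoded += captured[pos];
    kb.click(pos);
  }
  return decoded;
}
```

With `new VirtualKeyboard(false)` the decoded string equals the password; with reshuffling enabled only the first position still lines up with the captured layout.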

4.3 Color coding helps remember the positions easily
Since we are using color coding, the task of remembering the position
of a character is very easy. Also, each color is repeated only three
times, in a column fashion, thereby making it easier for the user.
Also, the "forgot position" facility helps the user recollect the
position of his / her character in case he forgets. For example, in
Figure 8, "v" is in red color and is at top.

4.4 Implementation is possible with current technology.
No changes in existing protocol need to be made. All our
implementation is possible with the current technology.

4.5 Protection of user credentials
The graph in Figure 9 indicates that the time taken to type a
password using our dynamic virtual keyboard is more than the time
taken to type the same password using the current implementation of
virtual keyboard. But the user is guaranteed that his / her
credentials are not being hijacked or compromised by any means. This
is especially beneficial in case users are using public computers or
computers they might not trust.

5. Basic Implementation & Testing
The entire virtual keyboard was implemented using jQuery. For testing
purposes we took a batch of 20 people; 10 were asked to enter the
password using our dynamic virtual keyboard technique. The remaining
10 were asked to stand behind them to spoof over the shoulder so that
they may see the password entered by the user. We had also installed
the key logger software Actual Spy 3.0 [6], which monitors
keystrokes, file changes, clipboard and screenshots. The users were
advised to type in a 6 character password. After the users entered
their password, the following results were obtained.
The software Actual Spy 3.0 could record the screenshots but was
rendered useless as it captured the images wherein the virtual
keyboard keys are darkened. All users who were told to spoof the
password could match only 33-67 per cent of the password
characters.
We have a usability trade-off here, since the user needs to click the
button "hide keys" before he can click the character of his / her
password. We have also recorded the average time a user takes to type
a password using the traditional virtual keyboard technique and the
time taken to type the same password using our virtual keyboard
technique. The results are as follows.
Figure 9. Graph indicating the time taken by using the current
virtual keyboard implementation and dynamic virtual keyboard
implementation

6. Conclusion
In this paper we have shown the possible ways in which the current
implementation of virtual keyboard is vulnerable to attacks. We have
proposed a dynamic virtual keyboard layout for the same. We have
shown that our implementation does not suffer from the drawbacks
suffered by the current implementation of virtual keyboard. Though
the time taken to type the password using this technique is slightly
more than with a traditional virtual keyboard, the user is protected
against all kinds of attacks on his / her credentials. Also, all the
implementation was done using existing technology.

7. ACKNOWLEDGMENTS
Our thanks to Shrushti Parikh and Mauli Shah who have contributed in
formatting the template.

8. REFERENCES
[1] Sheng, Y., Lu, Z.: An Online User Authentication Scheme for
Web-Based Services. Business and Information Management. Pages:
173-176. Year of Publication: 2008
[2] Herzberg, A., Jbara, A.: Security and identification indicators
for browsers against spoofing and phishing attacks. ACM Transactions
on Internet Technology. Volume 8, Article No.: 16, Issue 4
(September 2008)
[3] Doja, M.N., Kumar, N.: Image Authentication Schemes against
Key-Logger Spyware. Proceedings of the 2008 Ninth ACIS International
Conference on Software Engineering, Artificial Intelligence,
Networking, and Parallel/Distributed Computing. Pages: 574-579. Year
of Publication: 2008
[4] Sagiroglu, S., Canbek, G.: Keyloggers. Technology and Society
Magazine, IEEE. Pages: 10-17. Year of Publication: 2009
[5] FBI: Online Fraud Costs Skyrocketed in 2009.
http://krebsonsecurity.com/2010/03/fbi-online-fraud-costs-skyrocketed-in-2009/
[6] Key logger software "Actual Spy" homepage.
http://www.actualspy.com/