Secure Authentication Using Dynamic Virtual Keyboard Layout


  • 7/27/2019 Secure Authentication Using Dynamic Virtual Keyboard Layout

    International Conference and Workshop on Emerging Trends in Technology (ICWET 2011) TCET, Mumbai, India

    Secure Authentication using Dynamic Virtual Keyboard Layout

    M Agarwal
    Lecturer, Sardar Patel Institute of Technology, Mumbai, India

    M Mehra
    Lecturer, Sardar Patel Institute of Technology, Mumbai, India

    R Pawar
    Lecturer, Sardar Patel Institute of Technology, Mumbai, India

    D Shah
    Professor, Sardar Patel Institute of Technology, Mumbai, India

    ABSTRACT

    Virtual keyboard authentication has helped users protect their usernames and passwords from being captured by key loggers, spyware and malicious bots. However, the virtual keyboard still suffers from numerous other weaknesses that an attacker can take advantage of. These include click-based screenshot capturing, over-the-shoulder spoofing and co-ordinate position noting. To overcome these drawbacks, we have designed a virtual keyboard that is generated dynamically each time the user accesses the web site. Also, after each click event of the user, the arrangement of the keys of the virtual keyboard is shuffled. The position of the keys is hidden so that a person standing behind the user may not be able to see the pressed key. Our proposed approach makes the usage of the virtual keyboard even more secure for users and makes it tougher for malware programs to capture authentication details.

    General Terms

    Security, Reliability.

    Keywords

    Authentication, Virtual Keyboard, Security, Password, Spyware

    1. INTRODUCTION

    With advancing technology, more and more services are made available to users online. From buying goods, houses and movie tickets to maintaining financial services, users can take advantage of the Internet and complete all these transactions online. Online user authentication [1] is required by most of the services offered over the Internet.

    This is typically carried out by sending a username and password to the server for authentication. Some attacks, such as phishing [2] attacks, rely on just this fact. Key loggers [3] [4], spyware, bots etc. generally run in the background without the knowledge of the user. These programs record the complete sequence of the data entered by the user. They transmit this information over the Internet, where it is used to gain access to confidential user information such as PINs, ATM numbers, passwords etc. These tools have become more and more sophisticated. As a result, sometimes even the most secure and up-to-date anti-virus or anti-malware program is unable to detect them. Reported losses from online fraud more than doubled last year, from $265 million in 2008 to nearly $560 million in 2009 [5]. In this paper we describe how a dynamically generated virtual keyboard could solve most of the authentication issues. We propose a dynamic virtual keyboard that shuffles the arrangement of keys after every click. It also hides the position of the key before the user presses the key. This approach overcomes most of the drawbacks faced by today's virtual keyboard. The proposed approach provides protection against key loggers, over-the-shoulder spoofing and screen capturing after a click event.

    Our paper is organized as follows. The paper begins with an explanation of the concept of the virtual keyboard. The next section describes the issues associated with the current implementation of the virtual keyboard. Next we describe our proposed concept. This is followed by the basic implementation and testing details. The last part concludes our paper.

    2. Virtual Keyboard

    A virtual keyboard is a software component that allows a user to enter characters. The virtual keyboard is generally a visual representation of the real keyboard on the standard output. A virtual keyboard can usually be operated with multiple input devices, which may include an actual keyboard, a computer mouse, an eye mouse, and a head mouse. A typical virtual keyboard is shown in Figure 1.

    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

    ICWET'11, February 25-26, 2011, Mumbai, Maharashtra, India.

    Copyright 2011 ACM 978-1-4503-0449-8/11/02$10.00.


    Figure 1. Virtual Keyboard.

    Virtual keyboards were used to provide an alternative input mechanism for users with disabilities or limited hand mobility, or who were unable to use a physical keyboard. Another major use for an on-screen keyboard is for bi- or multi-lingual users, who continually need to switch between different character sets or alphabets.

    Recently virtual keyboards have made their way into user authentication. Most financial websites now present users with a virtual keyboard for taking their authentication details. Key loggers, spyware and other malicious programs capture the entire sequence of characters entered via the physical keyboard. The use of a virtual keyboard helps to bypass these malicious programs, since they record keystrokes generated by a physical keyboard and not those entered via a virtual keyboard. The virtual keyboard offers a number of benefits, as listed below.

    Portability

    Accuracy

    Speed of text entry

    Lack of need for flat or large typing surface

    Ability to minimize the risk for repetitive strain injuries

    Flexibility

    3. Existing Technology and Issues

    In the current scenario a virtual keyboard is displayed on the screen, asking the user to enter his / her username and password. Though this approach is safe and protects his / her credentials from key loggers, it has the following drawbacks:

    3.1 Screen Capture Technique

    Here an attacker can write a program that captures the screen after the user clicks with a mouse. For example, a password "abdg", though entered via a virtual keyboard, is captured by the spyware program by capturing a screenshot after the user clicks on the virtual keyboard.

    Figure 2. Spy program that captures screenshots after every click, resulting in capture of the entire user password (panels: "a" captured, "b" captured, "d" captured, "g" captured)

    3.2 Behind the shoulder spoofing

    Here a person standing behind the person entering his / her password via the virtual keyboard remembers or notes the sequence of clicks, thereby learning the password. The user, unaware of this, feels his / her password has been entered securely, but in reality it has been compromised.

    Figure 3. User standing behind observing the mouse movements to track the password.

    3.3 Unshuffled Keyboard Implementation

    Generally the arrangement of letters in a virtual keyboard is the same as in a normal QWERTY keyboard. Though this helps the user enter his / her password a bit faster, it again compromises security. An attacker can note the coordinates of the mouse clicks and predict the sequence of the password. For example, consider the following.


    Figure 4. Noting co-ordinate position of mouse click and guessing password

    If the recorded co-ordinate is (3, 1), the key pressed is "v". Similarly, the entire sequence of co-ordinates taken together lets the attacker know the user's password.

    4. Proposed Dynamic Virtual Keyboard

    As seen above, the current implementation of the virtual keyboard does not guarantee a foolproof mechanism against various attacks. Here we propose a dynamic virtual keyboard with the following features:

    Dynamic Keyboard Layout Generation

    Hidden keys to prevent screenshot capturing

    Shuffled keyboard after every click

    A sample dynamic virtual keyboard of our proposed concept is shown below.

    Figure 5. Dynamic virtual keyboard, translucent shade so that user can note the position of letter

    Let us assume that the password of the user is "xyz". Here the user is allowed to enter one character at a time. Initially the user should note the position of the character he wishes to enter. It is "x" in our case. We have used colour coding so that the position is easier to remember. In this case we see that "x" is in yellow colour and second from top. After that the user has to click the "hide keys" button. This button converts the translucent colours into opaque colours of the same shade, as shown in the figure below. Now the user can click the yellow button, second from top, to type "x". After the user clicks "x", the layout of the keyboard changes again and the procedure is repeated once more. In case the user forgets the position of the character after clicking "hide keys", he can click the "forgot position" button. This results in the same keyboard layout being generated as before.

    Figure 6. Dynamic virtual keyboard after pressing Hide Keys button

    This proposed approach overcomes the drawbacks of the current implementation of the virtual keyboard. Benefits of the proposed approach:

    4.1 Screenshot mechanism would not work

    Since the keys are hidden after the user presses the "hide keys" button, a recorded screenshot would make no sense to the attacker. For example, for the same password "abdg" the screen capture would record the following. This makes no sense to the attacker, and the user's password is thus secure.

    Figure 7. Spy program that captures screenshots after every click, rendered useless since no information about the password can be obtained

    Though the screen is captured by the spy program, no trace of the user's password is left, since the keys are darkened.

    4.2 Shuffled Keyboard Implementation

    As against the current implementation with an unshuffled arrangement of letters, in our proposed approach we shuffle the keyboard after every click. As a result, if a person is standing behind the user to spoof the password over the shoulder, he cannot remember the password, since the layout and arrangement of letters change after every click. Noting the coordinates would also be of no help, since even if the position is noted, the next click would again reshuffle the keyboard. Thus if "v" was currently at position (3, 1), the next click would have some other letter at the same position (3, 1).

    Figure 8. Random arrangement of keyboard alphabets as against normal QWERTY keyboard arrangement makes it tougher for malware programs to capture password
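
    The coordinate-noting weakness of Section 3.3 and the per-click shuffle of Section 4.2, simulated as an added example that is not the authors' jQuery implementation. The 26-letter, 10-column grid and all function names are assumptions made here, as is drawing the shuffle from the platform CSPRNG, which the paper does not specify.

```javascript
// Added illustration, not the paper's jQuery code; all names are hypothetical.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;
const KEYS = 'qwertyuiopasdfghjklzxcvbnm'.split(''); // constructed fixed layout
const COLS = 10; // assumed grid width

// Uniform integer in [0, n): reject values that would bias the modulo.
function randomBelow(n) {
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// Fisher-Yates shuffle: every arrangement of the keys is equally likely.
function shuffledLayout(keys = KEYS) {
  const out = keys.slice();
  for (let i = out.length - 1; i > 0; i--) {
    const j = randomBelow(i + 1);
    [out[i], out[j]] = [out[j], out[i]];
  }
  return out;
}

// (row, col) of a key in a layout, and the key shown at a (row, col).
const cellOf = (layout, key) => {
  const i = layout.indexOf(key);
  return [Math.floor(i / COLS), i % COLS];
};
const keyAt = (layout, [row, col]) => layout[row * COLS + col];

// One layout per click: cells = what coordinate noting sees; layouts = keyboard-only state.
function enter(password, nextLayout) {
  const layouts = [...password].map(() => nextLayout());
  const cells = [...password].map((ch, i) => cellOf(layouts[i], ch));
  return { cells, layouts };
}

const decodeFixed = (cells, layout) => cells.map((c) => keyAt(layout, c)).join('');
const decodePerClick = (cells, layouts) => cells.map((c, i) => keyAt(layouts[i], c)).join('');

// Fraction of characters a fixed-layout decode gets right under shuffling.
function fixedDecodeHitRate(password, trials) {
  let hits = 0;
  for (let t = 0; t < trials; t++) {
    const guess = decodeFixed(enter(password, shuffledLayout).cells, KEYS);
    hits += [...guess].filter((ch, i) => ch === password[i]).length;
  }
  return hits / (trials * password.length);
}
```

    With a fixed layout the recorded cells decode straight back to the password. With a fresh shuffle per click, a fixed-layout decode matches each character only about 1 time in 26, because a uniform shuffle can still leave a key where it was.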


    4.3 Color coding helps remember the positions easily

    Since we are using color coding, remembering the position of a character is very easy. Also, each color is repeated only three times, in a column format, thereby making it easier for the user. The "forgot position" facility also helps the user recollect the position of his / her character in case he forgets it. For example, in Figure 8, "v" is in red color and is at the top.

    4.4 Implementation is possible with current technology

    No changes to existing protocols need to be made. All of our implementation is possible with current technology.

    4.5 Protection of user credentials

    The graph in Figure 9 indicates that the time taken to type a password using our dynamic virtual keyboard is more than the time taken to type the same password using the current implementation of the virtual keyboard. But the user is guaranteed that his / her credentials are not being hijacked or compromised by any means. This is especially beneficial when users are using public computers or computers they might not trust.

    5. Basic Implementation & Testing

    The entire virtual keyboard was implemented using jQuery. For testing purposes we took a batch of 20 people; 10 were asked to enter the password using our dynamic virtual keyboard technique. The remaining 10 were asked to stand behind them and spoof over the shoulder so that they might see the password entered by the user. We had also installed the key logger software Actual Spy 3.0 [6], which monitors keystrokes, file changes, clipboard and screenshots. The users were advised to type in a 6-character password. After the users entered their passwords, the following results were obtained.

    Actual Spy 3.0 could record the screenshots but was rendered useless, as it captured images in which the virtual keyboard keys were darkened. All users who were told to spoof the password could match only 33-67 per cent of the password characters.

    We have a usability trade-off here, since the user needs to click the "hide keys" button before he can click the character of his / her password. We have also recorded the average time a user takes to type a password using the traditional virtual keyboard technique and the time taken to type the same password using our virtual keyboard technique. The results are as follows.

    Figure 9. Graph indicating the time taken by using the current virtual keyboard implementation and dynamic virtual keyboard implementation

    6. Conclusion

    In this paper we have shown the possible ways in which the current implementation of the virtual keyboard is vulnerable to attacks. We have proposed a dynamic virtual keyboard layout to address them. We have shown that our implementation does not suffer from the drawbacks of the current implementation of the virtual keyboard. Though the time taken to type the password using this technique is slightly more than with a traditional virtual keyboard, the user is protected against all kinds of attacks on his / her credentials. Also, all of the implementation was done using existing technology.

    7. ACKNOWLEDGMENTS

    Our thanks to Shrushti Parikh and Mauli Shah, who have contributed in formatting the template.

    8. REFERENCES

    [1] Sheng, Y., Lu, Z.: An Online User Authentication Scheme for Web-Based Services, Business and Information Management. Pages: 173-176. Year of Publication: 2008

    [2] Herzberg, A., Jbara, A.: Security and identification indicators for browsers against spoofing and phishing attacks, ACM Transactions on Internet Technology. Volume 8, Article No.: 16, Issue 4 (September 2008)

    [3] Doja, M.N., Kumar, N.: Image Authentication Schemes against Key-Logger Spyware. Proceedings of the 2008 Ninth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing. Pages: 574-579. Year of Publication: 2008

    [4] Sagiroglu, S., Canbek, G.: Keyloggers, Technology and Society Magazine, IEEE. Pages: 10-17. Year of Publication: 2009

    [5] FBI: Online Fraud Costs Skyrocketed in 2009. http://krebsonsecurity.com/2010/03/fbi-online-fraud-costs-skyrocketed-in-2009/

    [6] Key logger software "Actual Spy" homepage. http://www.actualspy.com/