Security Schemes for Hack Resilient Applications Using “SNHA” (Securing Network, Host, and Application) Service

The very nature of web applications - their ability to collate, process and disseminate information over the Internet - exposes them in two ways. First and most obviously, they have total exposure by nature of being publicly accessible. Second, they process data elements from within HTTP requests - a protocol that can employ a myriad of encoding and encapsulation techniques. Any service available on the Internet requires authentication. Simple, one factor authentication schemes are vulnerable to hacking and require lot of discipline among authorized users - in the form of complying with strong password, One Time Password and password salt. The challenges start from making the authentication setup of the network services as secure and as simple as possible. In order to overcome this problem, we will develop a portal and authentication setup to address the problem of the directly making the authentication setup and the web services of the organization accessible from the internet. For our purposes we will concentrate on the combination of web servers and application servers interfacing to provide user authentication as multi-tenant applications. Keyword: - Network security, Web-Security, Multi tenant, Web-service, SAAS, SOP, WCF, multilevel authentication, one time password (OTP), Salt password

Outflanking and securely using the PIN/TAN-System

The PIN/TAN-system is an authentication and authorization scheme used in e-business. Like other similar schemes it is successfully attacked by criminals. After shortly classifying the various kinds of attacks we accomplish malicious code attacks on real World Wide Web transaction systems. In doing so we find that it is really easy to outflank these systems. This is even supported by the users' behavior. We give a few simple behavior rules to improve this situation. But their impact is limited. Also the providers support the attacks by having implementation flaws in their installations. Finally we show that the PIN/TAN-system is not suitable for usage in highly secure applications.Comment: 7 pages; 2 figures; IEEE style; final versio

TrusNet: Peer-to-Peer Cryptographic Authentication

Originally, the Internet was meant as a general purpose communication protocol, transferring primarily text documents between interested parties. Over time, documents expanded to include pictures, videos and even web pages. Increasingly, the Internet is being used to transfer a new kind of data which it was never designed for. In most ways, this new data type fits in naturally to the Internet, taking advantage of the near limit-less expanse of the protocol. Hardware protocols, unlike previous data types, provide a unique set security problem. Much like financial data, hardware protocols extended across the Internet must be protected with authentication. Currently, systems which do authenticate do so through a central server, utilizing a similar authentication model to the HTTPS protocol. This hierarchical model is often at odds with the needs of hardware protocols, particularly in ad-hoc networks where peer-to-peer communication is prioritized over a hierarchical model. Our project attempts to implement a peer-to-peer cryptographic authentication protocol to be used to protect hardware protocols extending over the Internet. The TrusNet project uses public-key cryptography to authenticate nodes on a distributed network, with each node locally managing a record of the public keys of nodes which it has encountered. These keys are used to secure data transmission between nodes and to authenticate the identities of nodes. TrusNet is designed to be used on multiple different types of network interfaces, but currently only has explicit hooks for Internet Protocol connections. As of June 2016, TrusNet has successfully achieved a basic authentication and communication protocol on Windows 7, OSX, Linux 14 and the Intel Edison. TrusNet uses RC-4 as its stream cipher and RSA as its public-key algorithm, although both of these are easily configurable. Along with the library, TrusNet also enables the building of a unit testing suite, a simple UI application designed to visualize the basics of the system and a build with hooks into the I/O pins of the Intel Edison allowing for a basic demonstration of the system

Securing Web Accounts Using Graphical Password Authentication through MD5 Algorithm

Today, most Internet applications still uses traditional text based passwords for the authentication. Two conflict cases of traditional password i.e. if user choose simple password it will easy to guess by attacker. The other hand, if a password is strong then it is often hard to remember for user. Instead of a text password user will be choose graphical password scheme that uses MD5. In MD5 images that converted into binary code. Here binary code will be the password for user. Thus, graphical password is secure than existing graphical password techniques because every time user needs to enter different set of code for authentication i.e. every time new password gets generated making Dictionary attacks, Brute Force attack, and other attacks infeasible. Because of these advantages, there is a growing interest in graphical password. In addition user can use ?document sharing? feature after authentication process and also graphical passwords can be applied to workstation, web log-in applications, ATM machines and mobile device

A Secure Mobile-based Authentication System

Financial information is extremely sensitive. Hence, electronic banking must provide a robust system to authenticate its customers and let them access their data remotely. On the other hand, such system must be usable, affordable, and portable.We propose a challengeresponse based one-time password (OTP) scheme that uses symmetric cryptography in combination with a hardware security module. The proposed protocol safeguards passwords from keyloggers and phishing attacks. Besides, this solution provides convenient mobility for users who want to bank online anytime and anywhere, not just from their own trusted computers.La informació financera és extremadament sensible. Per tant, la banca electrònica ha de proporcionar un sistema robust per autenticar als seus clients i fer-los accedir a les dades de forma remota. D'altra banda, aquest sistema ha de ser usable, accessible, i portàtil. Es proposa una resposta al desafiament basat en una contrasenya única (OTP), esquema que utilitza la criptografia simètrica en combinació amb un mòdul de maquinari de seguretat. Amés, aquesta solució ofereix mobilitat convenient per als usuaris que volen bancària en línia en qualsevol moment i en qualsevol lloc, no només des dels seus propis equips de confiança.La información financiera es extremadamente sensible. Por lo tanto, la banca electrónica debe proporcionar un sistema robusto para autenticar a sus clientes y hacerles acceder a sus datos de forma remota. Por otra parte, dicho sistema debe ser usable, accesible, y portátil. Se propone una respuesta al desafío basado en una contraseña única (OTP), esquema que utiliza la criptografía simétrica en combinación con un módulo hardware de seguridad hardware. Además, esta solución ofrece una movilidad conveniente para los usuarios que quieren la entidad bancaria en línea en cualquier momento y en cualquier lugar, no sólo des de sus propios equipos de confianza