
IEEE APRIL-2012

A SEMINAR PRESENTATION ON:

OPASS: A USER AUTHENTICATION PROTOCOL RESISTANT TO PASSWORD STEALING AND PASSWORD REUSE ATTACKS

Submitted By AKANKSH S

Under the Guidance of Mr. SHIVANANDA C S

DEPARTMENT OF COMPUTER SCIENCE ENGINEERING, VIVEKANANDA INSTITUTE OF TECHNOLOGY, BANGALORE.

2011-2012


OUTLINE

1. INTRODUCTION
2. AUTHENTICATION TYPES
3. WHAT IS OPASS
4. MAIN COMPONENTS
5. ARCHITECTURE OF OPASS AND ITS ASSUMPTIONS
6. WORKING
7. ADVANTAGE
8. ADVANTAGE VIDEO
9. REAL TIME VIDEO
10. CONCLUSION

INTRODUCTION

People nowadays rely heavily on the Internet, since everyday activities can be carried out through network services.

Most websites handle user authentication with text passwords alone.

The major problem with password-based authentication is that humans are not good at memorizing text strings.

Most users choose easy-to-remember passwords and reuse them across sites, even though they know this is unsafe.

Phishing attacks and malware are threats against password protection.

AUTHENTICATION TYPES

Researchers have investigated a variety of technologies for user authentication. They include:

Graphical Password Schemes

Password Management Tools

AUTHENTICATION TYPES (CONT.)

Three-Factor Authentication

Two-Factor Authentication

WHAT IS OPASS?

oPass is a two-factor authentication protocol.

The main idea of oPass is to free users from having to remember or type any passwords into conventional computers for authentication.

oPass uses the user's cell phone and the short message service (SMS) to prevent password stealing and password reuse attacks.

MAIN COMPONENTS

ONE-TIME PASSWORD

SMS CHANNEL

3G CONNECTION

ARCHITECTURE OF OPASS AND ITS ASSUMPTIONS

ARCHITECTURE

To let users log in securely from an untrusted computer (kiosk), oPass involves three parties: a trusted cell phone, a browser on the kiosk, and the web server the user wishes to access.

The user operates her cell phone and the untrusted computer directly to complete a secure login to the web server.

ARCHITECTURE (CONT.)

ASSUMPTIONS

Each web server possesses a unique phone number.

The users' cell phones are malware-free.

The telecommunication service provider (TSP) participates in the registration and recovery phases.

Subscribers (i.e., users) connect to the TSP over 3G connections, which protect the transmission.

The TSP and the web server establish a secure sockets layer (SSL) tunnel to prevent phishing attacks.

If a user loses her cell phone, she can notify her TSP and apply for a new SIM card with the same phone number, and then perform the recovery phase on a new cell phone.

WORKING

oPass consists of three phases: the registration phase, the login phase, and the recovery phase.

The details of each phase are introduced in turn. The next slide shows the operation flow for the user in each phase of oPass.


Operation flow for the user in each phase of the oPass system:

Registration Phase
1. Open Registration Service on Phone
2. Fill Out Form & Submit by Phone
3. Input a Long-term Password into Phone & Submit by Phone
4. Registration Success

Login Phase
1. Open Login Page
2. Enter Account ID and Submit by Browser
3. Launch Software on Phone
4. Enter Long-term Password and Submit by Phone
5. Receive a Success message? Yes: Login Success. No: the login does not complete.

Recovery Phase
1. Open Recovery Service on Phone
2. Fill Out Form & Submit by Browser
3. Enter a Long-term Password and Submit on Phone
4. Recovery Success

Registration phase

Login phase

Recovery phase
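The login phase above, as an added example that is not code from the paper or from this presentation: a Python simulation of the three parties (trusted phone, kiosk browser, web server), with the SMS hop modelled as a function call. The one-time-password derivation (an HMAC over a per-account counter), the PBKDF2 check of the long-term password on the phone, the simplified registration with no TSP step, and the phone numbers and account name are assumptions made for this example; the paper's own one-time-password construction is not shown on these slides. It demonstrates what the slides claim: the kiosk only ever sees the account ID, a captured SMS cannot be replayed, a forged OTP from another number is rejected, and the phone sends nothing unless the long-term password is right.

```python
import hashlib
import hmac
import secrets

def derive_otp(secret: bytes, account_id: str, counter: int) -> str:
    """OTP for one login attempt (assumption: HMAC over a per-account counter; not the paper's construction)."""
    return hmac.new(secret, f"{account_id}:{counter}".encode(), hashlib.sha256).hexdigest()[:16]

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Phone:
    """Trusted cell phone running the oPass app (assumed malware-free)."""

    def __init__(self, number: str, long_term_password: str):
        self.number = number
        self.salt = secrets.token_bytes(16)
        # The long-term password protects the phone: only its salted PBKDF2 hash is
        # stored, and the app does nothing until the right password is entered.
        self.pw_hash = pw_hash(long_term_password, self.salt)
        self.credentials = {}  # account_id -> [shared_secret, counter]

    def unlock(self, entered: str) -> bool:
        return hmac.compare_digest(pw_hash(entered, self.salt), self.pw_hash)

    def register(self, account_id: str, server: "WebServer", entered: str) -> bool:
        """Registration, simplified: phone and server share a fresh secret (no TSP step)."""
        if not self.unlock(entered):
            return False
        shared = secrets.token_bytes(32)
        self.credentials[account_id] = [shared, 0]
        server.register(account_id, self.number, shared)
        return True

    def login(self, account_id: str, entered: str):
        """Login steps 3-4: unlock the app, then text an OTP; returns (sender, sms_body) or None."""
        if not self.unlock(entered):
            return None
        entry = self.credentials[account_id]
        entry[1] += 1
        return self.number, f"{account_id}:{entry[1]}:{derive_otp(entry[0], account_id, entry[1])}"

class WebServer:
    """Web server with its own unique phone number that the app texts (slide assumption)."""

    def __init__(self, phone_number: str):
        self.phone_number = phone_number
        self.accounts = {}   # account_id -> {"phone", "secret", "counter"}
        self.pending = {}    # account_id -> browser session token awaiting an OTP
        self.logged_in = set()  # tokens whose browser gets the success message (step 5)

    def register(self, account_id: str, user_phone: str, secret: bytes) -> None:
        self.accounts[account_id] = {"phone": user_phone, "secret": secret, "counter": 0}

    def start_login(self, account_id: str) -> str:
        """Login step 2: the kiosk browser submits only the account ID, never a password."""
        if account_id not in self.accounts:
            raise KeyError("unknown account")
        token = secrets.token_hex(16)
        self.pending[account_id] = token
        return token

    def receive_sms(self, sender: str, body: str) -> bool:
        """Verify an OTP received by SMS and bind it to the pending browser session."""
        try:
            account_id, counter_s, otp = body.split(":")
            counter = int(counter_s)
        except ValueError:
            return False
        acct = self.accounts.get(account_id)
        if acct is None or acct["phone"] != sender or account_id not in self.pending:
            return False
        if counter <= acct["counter"]:   # counter already consumed: replayed OTP
            return False
        if not hmac.compare_digest(derive_otp(acct["secret"], account_id, counter), otp):
            return False
        acct["counter"] = counter
        self.logged_in.add(self.pending.pop(account_id))
        return True

def run_demo() -> dict:
    """One legitimate kiosk login, then the attacks the slides say oPass resists."""
    server = WebServer(phone_number="+10005550100")   # constructed numbers
    phone = Phone(number="+10005550199", long_term_password="correct horse battery")
    phone.register("alice", server, "correct horse battery")
    results = {}
    token = server.start_login("alice")   # the kiosk learns only "alice"
    sender, sms = phone.login("alice", "correct horse battery")
    results["legit"] = server.receive_sms(sender, sms) and token in server.logged_in
    token2 = server.start_login("alice")
    # A keylogger on the kiosk captures no password; an attacker who also saw the
    # SMS cannot replay it, and cannot forge the next OTP from another number.
    results["replay"] = server.receive_sms(sender, sms)
    results["forged"] = server.receive_sms("+10005550666", "alice:2:" + "0" * 16)
    results["wrong_password_sends_sms"] = phone.login("alice", "guess") is not None
    sender, sms = phone.login("alice", "correct horse battery")  # real user finishes login 2
    results["second_login"] = server.receive_sms(sender, sms) and token2 in server.logged_in
    return results
```

The server checks three things before binding an SMS to a browser session: the sending number matches the registered phone, the counter has not been used before, and the OTP verifies under the shared secret. Note that the first check only holds up under the slides' assumptions that the SMS channel attributes messages to the sender's real number and that the phone itself is malware-free.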

ADVANTAGE

Anti-Malware

Phishing Protection

Secure Registration and Recovery

Password Reuse Prevention and Weak Password Avoidance

Cell-Phone Protection

ADVANTAGE VIDEO

REAL TIME APPLICATION

CONCLUSION

The paper proposes a user authentication protocol named oPass, which leverages cell phones and SMS to thwart password stealing and password reuse attacks.

With oPass, each user only needs to remember one long-term password, the one that protects her cell phone.

Users never type a password into an untrusted computer to log in to any website. oPass is therefore acceptable and reliable for users.

REFERENCES

Hung-Min Sun, Yao-Hsin Chen, and Yue-Hsun Lin, "oPass: A User Authentication Protocol Resistant to Password Stealing and Password Reuse Attacks," IEEE Transactions on Information Forensics and Security, vol. 7, no. 2, April 2012.

http://www.youtube.com/watch?v=E6NkWYzKcvw

http://www.youtube.com/watch?v=N40_4xeK49s
