Fractal Space Full Crack [Password]
Magali Swinderman
Passwords have been present in information technology since the earliest days before the age of the PC. Using consumer password recovery software, the eight character password can be cracked in under an hour. More experienced hackers can crack 14 character password including alpha-numeric with special characters by using rainbow table and some free tools in less than three minutes. So adding numeric and other characters does not mean adding some level of protection but may increase the time needed [1].
In this paper we propose a new password authentication scheme based on fractal image coding scheme. Its properties are addressed and its security is analyzed and compared to some of the aforementioned methods by Lamport [2], Hwang and Li [4], and Lee et al. [8].
The outline of the paper is organized as follows: the theoretical concepts of fractal image coding are explained in Section 2, while a brief explanation of the methodology is provided in Section 3. The core of this paper is Section 4, which discusses the algorithm. In Section 5, the experimental results are described. Section 6, analyzes the security and evaluates the efficiency of the proposed scheme, while a security comparison between the proposed scheme and other password authentication scheme are presented in Section 7, followed by a brief conclusion in Section 8.
Definition 2.2. For any two metric spaces () and (), a transformation is said to be a contraction if and only if there exists a real number , , such that , for any , where is the contractivity factor for .
Theorem 2.3 (Fundamental Theorem of Iterated Function Systems). For any IFS there exists a unique nonempty compact set the invariant attractor of the IFS, such that .
Another important property (Theorem 2.4) of contractive transformations of a complete metric space within itself is known as the contraction mapping theorem.
Definition 2.5. Any affine transformation of the plane has the following form:By considering a metric space and a finite set of contractive transformation , with respective contractivity factors , we proceed to define a transformation , where is the collection of nonempty, compact subsets of , by
The goal of FIC is to be able to store an image as a set of IFS transformation instead of storing individual pixel data. We use a type of transformation called Partition Iterated Function System (PIFS), because we work on a section of the image instead of the whole image. The process of encoding the image requires us to find a collection of contractive maps with and as the fixed point (or attractor) of the map . The fixed-point equation suggests that we partition into pieces to which we apply the transforms to get back the original image [21]. Let the metric space of a digital image be set by the pair (, rms), where rms is the root mean square metric instead of the Hausdorff metric discussed above to compress the image . It is necessary to find , such that rms. This metric space is determined by partitioning the original image into a set of nonoverlapping range blocks that cover and a set of overlapping domain block that has twice the side of the range blocks and must intersect . The aim of FIC is to enable the collage theorem find the set of IFS transformation for the image whose attractor looks like . This theorem allows also for the scaling factor in addition to rotations and reflections.
Let us assume that the server generates a shared secure key between the client and the server using DH protocol. If the client wants to register with the server, the user name and the password should be first submitted to the server database through a secure channel.
(1)In Client(a)Enter the user name and the password (ID, PW).(b)C sends to S the current request (login, registration, and change password).(c)C calculates the PW hashing value HS(PW).(d)The hash function HS is encrypted using nonlinear function to give (HS, ).(e)The ID and Y are captured in IM using a text to image converter.(f)Calculate , the matrix of the IFS transformation constructed from IM using fractal image coding scheme.(g) is sent to S.(2)In Server(a)Decode to find the attractor IM1 using fractal image decoding.(b)Use OCR program to read the data in IM1 and determine ID, and the encrypted .(c)Use inverse function to decrypt and find (d)For each request status (registration, login, and change password), S is authenticated as follows.
(1)Registration(i)S searching the database for ID.(ii)If ID not found then return (User Name existed).Else store ID and in database and return (Successful Registration).(1)Log in(i)S searching the database for ID.(ii)If ID not found then return (Wrong user name or password).Else compare the received with stored one as follows. (1)Change Password.(i)S searching the database for ID.(ii)If ID not found return (User Name is not available).Else update the value in database and return (change password succeeds).
As indicated in Table 1 and Figure 4, the performance evaluation of the proposed scheme in terms of performance time and captured image size against the key size is shown. It is to conclude that the registration and login time changes is directly proportional with the key size, while the authentication time is depending on the number of users which were registered in the server. The proposed password authentication is a novel fractal based scheme which provides secure transmission of credential message over insecure communication channel. The registration and login phase in client side performs four steps: the password is hashed, encrypted, captured as an IM image, and then transformed to IFS codes using FIC scheme. Whereas, it performs three steps in server side, which are generating IM1 attractor using FID, reading data using OCR, and finally decrypting these data to find the hash function, to be used with the ID, either for authentication, or registration, depending on the request case.
If we assume that an attacker A has a total control over the communication channel between C and S, this would mean that he can insert, delete, or change any message in the channel. The first step in the proposed system is the registration process. If the attacker masquerades as C and tries to change the ID or the PW and registers in the database using the wrong ID and PW, this does not give any advantage due to the lack of information in the stolen page at this stage. Therefore, the attacking process in this part is not feasible and the authorized user will have to reregister again. We conclude that the main goal of the attacker is to get the PW. Any attempt to change the ID will do nothing. If the attacker is skilled enough to recover the original image, using fractal image decoding, he will get an encrypted hash with a nonlinear function for two variables , where is DH key exchange and is one way hash function of the user password, which is infeasible to be solved with exact values. The use of secured shared key DH that is based on the difficulty of discrete logarithm problems and it is computationally infeasible (unsolvable in polynomial time) for large prime number has a significant impact. This is in regard to increasing the security of the proposed scheme to resist many types of attacks over unsecure network.
Replay Attack
It is an attack in which an adversary impersonates another legal user through the reuse of information obtained in a protocol. In password authentication scheme, it is concerned with the case of attempts of an unauthorized user to impersonate an authorized one, by replaying the invalid message that is previously intercepted to the server. In our proposed method let us see Figure 5 for more details.
Denial of Service Attacks
In this attack, false verification information can be updated (applied) by the attacker for more than ten times, and as a result, the legal user will be blocked, and will not be able to login successfully anymore. The most vulnerable procedure is the password changing phase. In our scheme this phase is performed on the client side. While, the server should authenticate the user with the security question using the proposed secure scheme before starting the change password process; that is, it will help to enhance the security of password changing. The attacker is not able to modify data on storage, because only the authorized user is able to change the password. This is due to the security question that is preagreed before between the legal user and the server, as well as the difficulty of knowing the encrypted key.
Stolen Verifier Attack
One of the common features of password authentication schemes is the secure storage of the verification table in the server. If this table is stolen by the adversary, the system will be partially or totally broken. In the proposed scheme, the password is stored in the verification table as hashed value. Any attempt from the attacker to steel these data will do nothing, because these data is not stored explicitly. The strategy in the server is designed to receive an encrypted hash not an explicit hash, as result it will end with decrypting this information to unknown value, and this will cause failure in authentication process. So our scheme is secured against this attack.
Password authentication schemes are the simplest and convenient schemes that provide the legal user a secure use of the server resources. The first scheme is suggested by Lamport [2]. It is a hash-based password authentication scheme. The researchers proved later that this scheme is vulnerable to some attacks, in addition, it uses high hash computation, and has password resetting problem. To overcome these drawbacks, Peyravian and Zunic [26] proposed a scheme that employs only hash function, which is simple and straight forward for applications. Later on, some researchers showed that this scheme is vulnerable to guessing attack, denial of service attack (DoS), stolen verifier attack, and many others. They tried to make some improvement to eliminate the weaknesses in this scheme, but to no vail. One of the common features of these schemes is the use of the verification table, which should be securely stored in the server. To overcome the drawbacks in these types of methods, password authentication mechanism is directed toward schemes based on smart cards strategy. It is to provide mutual authentication over insecure network, where the authentication is performed easily using a memorable password and without using verification table.
aa06259810