on the security of trustee based social authentications


Upload: shakas-technologies

Posted on 20-Jan-2017



ON THE SECURITY OF TRUSTEE-BASED SOCIAL AUTHENTICATIONS

ABSTRACT:

Recently, authenticating users with the help of their friends (i.e., trustee-based social authentication) has been shown to be a promising backup authentication mechanism. A user in this system is associated with a few trustees selected from the user's friends. When the user wants to regain access to the account, the service provider sends different verification codes to the user's trustees. The user must obtain at least k (i.e., the recovery threshold) verification codes from the trustees before being directed to reset his or her password. In this paper, we provide the first systematic study of the security of trustee-based social authentications. In particular, we first introduce a novel framework of attacks, which we call forest fire attacks. In these attacks, an attacker initially obtains a small number of compromised users, and then iteratively attacks the rest of the users by exploiting trustee-based social authentication. We then construct a probabilistic model to formalize the threats of forest fire attacks and their costs for attackers. Moreover, we introduce various defense strategies. Finally, we apply our framework to extensively evaluate various concrete attack and defense strategies using three real-world social network datasets. Our results have strong implications for the design of more secure trustee-based social authentications.

#13/19, 1st Floor, Municipal Colony, Kangayanellore Road, Gandhi Nagar, Vellore – 6. Off: 0416-2247353 / 6066663, Mo: +91 9500218218 / 8870603602
Project Titles: http://shakastech.weebly.com/2015-2016-titles  Website: www.shakastech.com  Email-id: [email protected], [email protected]


EXISTING SYSTEM:

Existing backup systems may use "secret" personal questions and alternate email addresses for backup authentication in the event that a user forgets or loses his or her access credentials. However, these methods are frequently unreliable. For personal questions, users often forget their answers, especially when answers are case and punctuation sensitive. It is also common for acquaintances of the account holder to be able to guess the answers, even acquaintances not closely associated with the account holder. In existing methods, the questions are often not applicable to the general public, not memorable, ambiguous, easily guessable with no knowledge of the account holder, or easily guessable with minimal knowledge of the account holder.

PROBLEMS ON EXISTING SYSTEM:

1. An account holder who tries to authenticate an account using an alternate email address often finds that the configured address expired upon a change of job, school or Internet service provider. Since other websites rely on email addresses to authenticate their account holders when passwords fail, it is especially important for webmail providers to have a secure and reliable authentication mechanism of last resort.

2. The ubiquity of mobile phones has made them an attractive option for backup authentication. Some entities already send SMS messages containing authorization codes to supplement primary authentication for high-risk transactions. However, authenticating users by their mobile phones alone is risky, as phones are frequently shared or lost.


PROPOSED SYSTEM:

A social authentication system for backup account recovery is described. The backup account recovery system allows an account holder to regain access to an account in the event that the account holder is unable to do so using the primary authentication method. The social authentication system allows the account holder to contact several trustees who were previously selected and identified. Upon being unable to gain access to the account, the account holder contacts one or more trustees to inform them that the account holder needs to regain access to the account and therefore needs to obtain an account recovery code from each trustee. Each trustee then contacts the account recovery system, which resides on servers accessible over the Internet. The account recovery system verifies that the trustee's contact information matches that of a previously identified trustee for the specified account holder. Once this has been verified, the account recovery system begins a back-and-forth dialog with the trustee, in which the trustee provides information, transmits a link and code provided by the account recovery system, vouches for his or her contact with the account holder, and pledges that the statements provided are accurate and that the trustee agrees with the course of action. Once this dialog is successfully completed, each trustee is provided with a unique account recovery code, which is then passed on to the account holder. Once the required number of account recovery codes has been received, the account holder is able to use them to regain access to the account.

ADVANTAGES:


The social authentication system is a system in which account holders initially appoint, and later rely on, account trustees to help them authenticate.

Architecture: (architecture diagram not reproduced in this transcript)


Implementation:

Implementation is the stage of the project when the theoretical design is turned into a working system. It can therefore be considered the most critical stage in achieving a successful new system and in giving the user confidence that the new system will work and be effective.

The implementation stage involves careful planning, investigation of the existing system and its constraints on implementation, design of methods to achieve the changeover, and evaluation of the changeover methods.

Main Modules:-

1. Trustee-Based Social Authentication Module:

A trustee-based social authentication includes two phases:

Registration Phase:

The system prepares trustees for a user Alice in this phase. Specifically, Alice is first authenticated with her main authenticator (i.e., her password), and then a few (e.g., 5) friends who also have accounts in the system are selected, by either Alice herself or the service provider, from Alice's friend list and are appointed as Alice's trustees.

Recovery Phase:

When Alice forgets her password, or her password has been compromised and changed by an attacker, she recovers her account with the help of her trustees in this phase. Specifically, Alice first sends an account recovery request with her user name to the service provider, which then shows Alice a URL. Alice is required to share this URL with her trustees. Her trustees then authenticate themselves to the system and retrieve verification codes using the given URL. Alice obtains the verification codes from her trustees by emailing them, calling them, or meeting them in person. If Alice obtains a sufficient number (e.g., 3) of verification codes and presents them to the service provider, then Alice is authenticated and is directed to reset her password. We call the number of verification codes required to be authenticated the recovery threshold.

2. Security Module:

Authentication is essential for securing an account and preventing spoofed messages from damaging a user's online reputation: imagine a phishing email sent from your mailbox because someone forged your information; the angry recipients and spam complaints that result become your mess to clean up. Trustee-based social authentication systems ask users to select their own trustees without any constraint. In our experiments (i.e., Section VII), we show that the service provider can constrain trustee selection by imposing that no user is selected as a trustee by too many other users, which achieves better security guarantees.
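The registration and recovery phases of Module 1 and the trustee-load constraint of this Security Module can be modelled together on the service-provider side. The following is an added example written for this page, not code from the paper or from the project; the class and parameter names (TrusteeAuthService, MAX_TRUSTEE_LOAD, SESSION_TTL_SECONDS), the eight-digit code format, and the expiry and replay handling are assumptions, since the page does not specify them.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Assumed policy parameters (not given on the page): how many users may
# appoint the same trustee, and how long a recovery session stays open.
MAX_TRUSTEE_LOAD = 10
SESSION_TTL_SECONDS = 3600


@dataclass
class RecoverySession:
    user: str
    created: float
    codes: dict = field(default_factory=dict)   # trustee -> code issued to that trustee
    redeemed: set = field(default_factory=set)  # trustees whose code was already accepted


class TrusteeAuthService:
    """Service-provider side: trustee registration, per-trustee verification
    codes, and the recovery-threshold check."""

    def __init__(self, k=3, min_trustees=3, max_trustees=5,
                 max_load=MAX_TRUSTEE_LOAD, clock=time.time):
        if not 1 <= k <= min_trustees:
            raise ValueError("recovery threshold must fit in the smallest trustee set")
        self.k, self.min_trustees, self.max_trustees = k, min_trustees, max_trustees
        self.max_load, self.clock = max_load, clock
        self.trustees = {}   # user -> frozenset of trustees
        self.load = {}       # trustee -> number of users who appointed them
        self.sessions = {}   # URL token -> RecoverySession

    # ---- Registration phase (caller has already checked the password) ----
    def register(self, user, chosen, friends):
        chosen = frozenset(chosen)
        if user in chosen or not chosen <= set(friends):
            raise ValueError("trustees must be distinct friends of the user")
        if not self.min_trustees <= len(chosen) <= self.max_trustees:
            raise ValueError("wrong number of trustees")
        # Defense from the Security Module: cap how many users any one account
        # may serve as trustee for, so one compromised account unlocks few others.
        for t in chosen:
            if self.load.get(t, 0) >= self.max_load:
                raise ValueError(f"{t} already serves as trustee for {self.max_load} users")
        for t in self.trustees.get(user, ()):   # release load of replaced trustees
            self.load[t] -= 1
        for t in chosen:
            self.load[t] = self.load.get(t, 0) + 1
        self.trustees[user] = chosen

    # ---- Recovery phase ----
    def request_recovery(self, user):
        """Open a session; the returned token is the URL the user shares with
        trustees. One fresh code per trustee is minted now."""
        if user not in self.trustees:
            raise KeyError("unknown user or no trustees registered")
        token = secrets.token_urlsafe(16)
        codes = {t: f"{secrets.randbelow(10**8):08d}" for t in self.trustees[user]}
        self.sessions[token] = RecoverySession(user, self.clock(), codes)
        return token

    def _session(self, token):
        s = self.sessions.get(token)
        if s is not None and self.clock() - s.created > SESSION_TTL_SECONDS:
            del self.sessions[token]       # expired: the codes die with the session
            return None
        return s

    def trustee_fetch_code(self, token, trustee):
        """Called after `trustee` logged in with their own credentials. Only a
        registered trustee of the session's user gets a code, and repeated
        fetches return the same code instead of minting another."""
        s = self._session(token)
        if s is None or trustee not in s.codes:
            return None
        return s.codes[trustee]

    def redeem(self, token, presented):
        """User presents the codes collected from trustees. Each trustee's code
        counts once; success needs at least k distinct trustees, after which
        the session is closed so the codes cannot be replayed."""
        s = self._session(token)
        if s is None:
            return False
        for code in presented:
            if not isinstance(code, str) or not code.isascii():
                continue
            for t, expected in s.codes.items():
                if t not in s.redeemed and hmac.compare_digest(code, expected):
                    s.redeemed.add(t)
                    break
        if len(s.redeemed) >= self.k:
            del self.sessions[token]
            return True
        return False
```

Three details carry the security weight: codes are compared in constant time and each trustee's code is counted once, so presenting one code three times does not reach the threshold; the session is destroyed on success or expiry, so codes obtained by an attacker cannot be replayed later; and the load cap at registration time is the selection constraint from this module, which limits how many accounts a single compromised trustee can help unlock.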

3. Backup Authentication Module :

A user in this system is associated with a few trustees selected from the user's friends. When the user wants to regain access to the account, the service provider sends different verification codes to the user's trustees. The user must obtain at least k (i.e., the recovery threshold) verification codes from the trustees before being directed to reset his or her password. The backup authentication feature allows you to select three to five friends as your trustees. In cases where you forget your password or your account is hacked, each of these trustees will be able to get a security code for you. With three security codes, you can recover your account.

4. Forest Fire Attacks Module:


In a forest fire attack, the attacker first uses traditional methods such as phishing and password guessing to compromise some users (called seed users), and then propagates the attack to other users by exploiting the "trusted contacts" feature.

Our forest fire attacks consist of an Ignition Phase and a Propagation Phase:

1. Ignition Phase:

An attacker obtains a small number of compromised users, which we call seed users. They could be obtained from phishing attacks, statistical guessing and password database leaks, or they could be a coalition of users who collude with each other. Indeed, a large number of social network accounts have been reported to be compromised, showing the feasibility of obtaining compromised seed users.

2. Propagation Phase:

Given the seed users, the attacker iteratively attacks other users. In each attack iteration, the attacker performs one attack trial against each of the uncompromised users, according to some attack ordering of them. In an attack trial against a user u, the attacker sends an account recovery request with u's username to the service provider, which issues different verification codes to u's trustees. The goal of the attacker is to obtain verification codes from at least k trustees, where k is the recovery threshold. If at least k trustees of u are already compromised, the attacker can easily compromise u; otherwise, the attacker impersonates u and sends a spoofing message to each uncompromised trustee of u to request the verification code.
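The Ignition and Propagation phases just described can be simulated on a small trustee graph, which also makes the Security Module's selection constraint visible: the same seven users are assigned trustees once with one account ("hub") appointed by everybody, and once with every account serving as a trustee for exactly three others. This is an added example, not code from the paper or the project. The two graphs, the attack ordering, the per-trustee probability p that an uncompromised trustee answers a spoofed request, and counting spoofing messages as the attacker's cost are modelling assumptions of this example, not values from the page.

```python
import random
from collections import Counter
from math import comb

# Constructed trustee assignments (user -> trustees) for a recovery threshold
# of k = 2. HUB_GRAPH: "hub" was picked as a trustee by every other user
# (unconstrained selection). BALANCED_GRAPH: the same seven users, but every
# account is a trustee for exactly three others (the selection constraint).
HUB_GRAPH = {
    "hub": {"u1", "u2", "u3"},
    "u1": {"hub", "u2", "u3"},
    "u2": {"hub", "u1", "u3"},
    "u3": {"hub", "u1", "u4"},
    "u4": {"hub", "u3", "u5"},
    "u5": {"hub", "u4", "u6"},
    "u6": {"hub", "u5", "u1"},
}
BALANCED_GRAPH = {
    "hub": {"u1", "u2", "u3"},
    "u1": {"u2", "u3", "u4"},
    "u2": {"u3", "u4", "u5"},
    "u3": {"u4", "u5", "u6"},
    "u4": {"u5", "u6", "hub"},
    "u5": {"u6", "hub", "u1"},
    "u6": {"hub", "u1", "u2"},
}


def trustee_load(graph):
    """How many users picked each account as a trustee (the quantity the
    Security Module's constraint bounds)."""
    return Counter(t for ts in graph.values() for t in ts)


def trial_success_probability(c, m, k, p):
    """Exact probability that one attack trial succeeds when c of the target's
    trustees are already compromised and m are not: c + Binomial(m, p) >= k."""
    need = max(k - c, 0)
    if need > m:
        return 0.0
    return sum(comb(m, j) * p ** j * (1 - p) ** (m - j) for j in range(need, m + 1))


def attack_trial(user, graph, compromised, k, p, rng):
    """One trial against `user`. Returns (success, spoofing messages sent).
    Codes held by already-compromised trustees cost nothing; otherwise the
    attacker spoofs every uncompromised trustee and each answers with
    probability p (p is a modelling assumption of this example)."""
    free = sum(1 for t in graph[user] if t in compromised)
    if free >= k:
        return True, 0
    targets = [t for t in graph[user] if t not in compromised]
    fooled = sum(1 for _ in targets if rng.random() < p)
    return free + fooled >= k, len(targets)


def forest_fire(graph, seeds, k, p, order=None, max_rounds=50, rng_seed=0):
    """Ignition: `seeds` are compromised. Propagation: each round the attacker
    tries every uncompromised user in `order`; a user compromised earlier in
    the round already counts as a compromised trustee for later trials.
    Returns the compromised set after ignition and after each productive
    round, plus the total number of spoofing messages (the attacker's cost)."""
    rng = random.Random(rng_seed)
    order = list(order) if order is not None else sorted(graph)
    compromised = set(seeds)
    history, messages = [frozenset(compromised)], 0
    for _ in range(max_rounds):
        newly = set()
        for u in order:
            if u in compromised:
                continue
            ok, sent = attack_trial(u, graph, compromised, k, p, rng)
            messages += sent
            if ok:
                compromised.add(u)
                newly.add(u)
        if not newly:
            break
        history.append(frozenset(compromised))
        if len(compromised) == len(graph):
            break
    return history, messages


if __name__ == "__main__":
    for name, g in (("hub", HUB_GRAPH), ("balanced", BALANCED_GRAPH)):
        hist, cost = forest_fire(g, seeds={"hub", "u1"}, k=2, p=0.0)
        print(f"{name}: max trustee load {max(trustee_load(g).values())}, "
              f"{len(hist[-1])}/{len(g)} compromised after {len(hist) - 1} rounds, "
              f"{cost} spoofing messages")
```

With p = 0 (no trustee is ever fooled) and two seed users, the hub graph burns completely in a single round without one spoofing message, because "hub" plus any one other compromised account already meets k = 2 for everybody; the balanced graph needs three rounds and ten spoofing messages for the same outcome, and with "hub" as the only seed it does not spread at all. The exact per-trial probability lets the same reasoning be done without simulation when p > 0.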

System Configuration:

H/W System Configuration:


Processor - Pentium III
Speed - 1.1 GHz
RAM - 256 MB (minimum)
Hard Disk - 20 GB
Floppy Drive - 1.44 MB
Keyboard - Standard Windows keyboard
Mouse - Two- or three-button mouse
Monitor - SVGA

S/W System Configuration:

Operating System : Windows 95/98/2000/XP
Front End : Core Java
Database : MySQL 5.0
Database Connectivity : JDBC
