International Journal of Applied Engineering Research ISSN 0973-4562 Volume 12, Number 19 (2017) pp. 8595-8601
© Research India Publications. http://www.ripublication.com

An Approach to Implement Secure User Authentication Scheme using Secret Values extracted from Private Information and Unique Biometric Images of User directed by Randomize Numeric and Image based OTP

Ramkrishna Das1, Aditi Chakraborty2, Santosh Nandi3 and Saurabh Dutta4

1 Department of Computer Applications, Haldia Institute of Technology, Haldia-721602, Purba Medinipur, West Bengal, India.
2,3 Department of Computer Science, Panskura Banamali College, Panskura-721152, Paschim Medinipur, West Bengal, India.
4 Department of Computer Applications, Dr. Bidhan Chandra Roy Engineering College, Durgapur-713206, Burdwan, West Bengal, India.

ORCIDs: 1: 0000-0003-2354-9904, 2: 0000-0001-9654-4552, 3: 0000-0001-6822-1158, 4: 0000-0001-5892-0094

Abstract

The proposed system introduces a numeric OTP (one time password) based authentication system in which a secured value, extracted from the user's private information (user id, password and security questions) and unique biometric image as directed by the OTP, is used for authentication rather than the direct OTP value. The server randomly selects the positions of characters and the block numbers of pixels from randomly selected modified private information of the user and the user's biometric images. Finally, these positions and pixel block numbers are combined to generate the intermediate OTP. The final OTP, which is shared with the user, is generated from the intermediate OTP using a digit repositioning scheme. The user extracts and formulates secured values from the private information and biometric image as directed by the numeric value of the intermediate OTP. That secured value is used for authentication. Random selection of characters and pixels from randomly selected user information and biometric image, distribution of OTPs in multiple communication modes, formation of separate OTPs for distribution (final OTP) and user authentication (intermediate OTP), and extraction and use of secured values from user private information and biometric image for authentication as directed by the intermediate OTP give the proposed system great security.

Keywords: Numeric OTP, OTP directed Value Extraction, Random Selection, Biometric Image, Character Repositioning Scheme.

INTRODUCTION

The traditional numeric One Time Password (OTP) is not very secure, as the OTP is distributed through a public communication channel [8, 9]. So we have proposed an OTP system in which a secured value extracted as per the numeric value of the OTP is used for authentication rather than the direct OTP value. The secured value is extracted from user private information (user id, password and security questions) and a unique biometric image as directed by the numeric value of the OTP.

Background Study

Yun Huang, Zheng Huang, Haoran Zhao and Xuejia Lai proposed an OTP method that generates a unique passcode based on both time stamps and sequence numbers [1]. Neha Vishwakarma and Kopal Gangrade introduced an approach in which the system uses random image and text based OTP generation with the SHA-512 algorithm, followed by encryption using ECC, to develop the OTP [2]. Ananthi Sheshasaayee and D. Sumathy define a system in which the OTP is transformed using lightweight cryptography, the cipher text is hidden using text steganography, and the stego text is sent as an SMS to the user's mobile. The Personal Identification Number (PIN) supplied by the bank to the user during registration is used for ciphering. The PIN is needed to decrypt the OTP [3]. WenBin Hsieh and Jenq-Shiou Leu proposed a novel authentication scheme which exploits volatile One-Time Passwords (OTPs) based on the time and location information of the mobile device to securely authenticate users while accessing Internet services [4]. Safa Hamdare, Varsha Nagpurkar and Jayashri Mittal introduced a mechanism in which the OTP is combined with the secure key and is then passed through the RSA algorithm to generate a transaction password. The activities are carried out on both the server and the user side, so distribution over a public network is not needed [5]. Navpreet Kaur, Mandeep Devgan and Shashi Bhushan proposed a model which involves seed exchange and a software-based token via a Transport Layer Security (TLS) tunnel, which is used to generate online one time passwords. Authentication occurs through the verification of the OTP generated at the server and the OTP generated from the shared seed value on the user's Android mobile phone [6]. Tamanna Saini introduced a method of generating OTPs by using a genetic algorithm with elliptic curve cryptography [7].

Objective of the Article

The proposed system introduces a numeric OTP based authentication system in which the direct OTP value is not used for authentication; instead, a secured value extracted from user private information (user id, password and security questions) and a unique biometric image as directed by the OTP is used for authentication.

Multiple layers of security are imposed in the proposed system. User id and password based authentication, random selection of characters and pixels from randomly selected text and biometric image, distribution of OTPs in multiple communication modes, formation of separate OTPs for distribution (final OTP) and user authentication (intermediate OTP), and extraction and use of secured values from user private information for authentication as directed by the intermediate OTP give the proposed system great security.

Structure of the Article

In this paper, Section-II discusses preliminaries. Section-III describes the overall procedure. Section-IV, Section-V and Section-VI present the formation of the OTP at the server, the distribution of the OTP, and the extraction of the OTP at the user end and authentication, respectively. Experimental results are described in Section-VII. Section-VIII shows the comparison with existing OTP systems and Section-IX draws conclusions.

PRELIMINARIES

One Time Password

A one-time password (OTP) is a numeric or alphanumeric string of characters which is generated automatically by a server. An OTP authenticates the user for a transaction or session. OTPs may be used as an additional layer of security. OTPs are not vulnerable to replay attacks and have a great advantage over static passwords. OTPs are valid for only one login session or transaction [8].

Overall Procedure

The user provides user-id, password, security questions and answers, unique biometric images and a choice of character repositioning algorithms for modifying the user-id/password to the server as input.

The modified user-id and password are generated as per the character repositioning algorithms chosen by the user. Positions of characters are randomly selected from the user-id/password and the answers to the security questions. The system also randomly selects the block number of pixels from a randomly chosen biometric image. All these positions and block numbers are combined to generate the intermediate OTP.

The final OTP is generated from the intermediate OTP by a digit repositioning scheme. The final OTP is distributed to the user through multiple communication modes.

The user combines the OTPs received by email and message to form the final OTP, which is then converted to the intermediate OTP.

The user extracts the characters from the user-id/password and the answers to the security questions, and the block of pixels from the biometric image, as directed by the numeric value of the intermediate OTP. All values are converted into bits and alternate merging is performed between them. This generates the secret octal value which is used for user authentication. Similar activities are carried out at the server end. If the value input by the user matches the value at the server, the user is authenticated; otherwise not.

Formation of OTP at Server End

Algorithm for taking user inputs to server

The user provides user-id, password, unique biometric images, security questions and answers and a choice of character repositioning algorithms for modifying the user-id/password to the server as input.

Algorithm for Character Repositioning Schemes for modifying User-Id/Password

The characters of the user-id and password are repositioned separately by using one of the character repositioning algorithms chosen by the user. The algorithms are defined below.

PRONE (Positional Reverse Odd Normal Even)
Store each digit in an array pro[]. Fetch and reverse the values of the odd-position digits and store them in array pro_f[]. Even-position digits are stored in array pro_f[] without any changes.

PRENO (Positional Reverse Even Normal Odd)
Store each digit value in an array pre[]. Fetch and reverse the values of the even-position digits and store them in array pre_f[]. Odd-position digits are stored in array pre_f[] without any changes.

CRENO (Continuous Reverse Even Normal Odd)
Store each digit value in an array cre[]. Fetch and reverse the values of the even-position digits and store them in array cre_f[] continuously. Odd-position digits are stored in array cre_f[] continuously without any changes.

CRONE (Continuous Reverse Odd Normal Even)
Store each digit value in an array cro[]. Fetch and reverse the values of the odd-position digits and store them in array cro_f[] continuously. Even-position digits are stored in array cro_f[] continuously without any changes.

Algorithm for Generating Numeric Intermediate OTP

Step I: The system randomly selects the positions of characters from the randomly selected user-id or password and from the answers to the security questions. The system also randomly selects the block of pixels from a randomly selected biometric image. All these positions and block numbers are combined to generate the intermediate OTP. The structure of the intermediate OTP is represented in Figure 1.

Block-1: Position of character randomly selected from user-id/password
  - Code to select user-id / password (1/2)
  - Value for randomly selected Nth character
Block-2: Position of character randomly selected from answers of security questions
  - Code to select answer of security questions (1/2/3)
  - Value for randomly selected Nth character
Block-3: Position of block number of pixels randomly selected from biometric images of user
  - Code to select biometric image randomly (1/2/3)
  - Code to select block of pixel randomly (1/2/3/4)
  - Code to select pixel randomly

Figure 1: Structure of the intermediate OTP

Algorithm for Generating Numeric Final OTP

The final OTP is generated from the intermediate OTP by using a digit repositioning scheme. In each iteration we fetch a single digit, position-wise, from each of the three blocks of the intermediate OTP and store them in an array called FINAL_OTP[]. All the digits present in the three blocks of the intermediate OTP are fetched in that manner and stored in the array FINAL_OTP[]. This generates the final OTP.

Algorithm for main() function

Step I: Call algorithm for taking user input.
Step II: Call algorithm for character repositioning schemes for modifying user-id/password.
Step III: Call algorithm for generating numeric intermediate OTP.
Step IV: Call algorithm for generating numeric final OTP.

Distribution of Numeric OTP

The final OTP is divided into two parts and the server sends these parts to the user by email and message. The intermediate OTP is not shared between server and user; it has to be generated from the final OTP by using the digit repositioning algorithm. Extraction of the secret value for authentication is governed by the numeric value of the intermediate OTP.

Extraction of Secret Value at User End and User Authentication

Step I: The user fetches the two parts of the OTP from email and message and combines them to generate the final OTP. The intermediate OTP is generated from the final OTP using the digit repositioning algorithm.

Step II: Fetch the corresponding two characters from the user-id or password and the security questions as directed by the numeric value of the first 4 digits of the intermediate OTP. Fetch the bit value of the pixel from the biometric image as governed by the numeric value from the 5th to the last digit of the intermediate OTP.

Step III: Convert the character values into binary and perform alternate merging among the binary values of the characters and the pixel block. This generates the secret octal value used for authentication.

The server also executes Step II and Step III and generates the secret value. The secret values generated at the user end and the server end are matched to validate the authentication.

RESULT AND DISCUSSIONS

Inputs at User Registration Time to Authentication System

User provides user id, password, unique biometric images and choice of character repositioning algorithm to server.
Normal user-id and password will be used for authentication and modified user-id or password will be accessed for generating the values for user authentication.
Inputs of security questions and answers from user for OTP generation.
Inputs of user's biometric images for OTP generation.
The images are: Biolog1.jpg, Biolog2.jpg, Biolog3.jpg

Server side OTP generation

Repositioning the characters of user-id by using character repositioning algorithm chosen by user
Repositioning the characters of user password by using character repositioning algorithm chosen by user
Randomized selection of positions of characters / pixels for intermediate OTP generation.
Generation of Intermediate OTP
Generation of final OTP after repositioning the digits of Intermediate OTP

Distribution of OTP

Final OTP will be divided into two parts and distributed through email and SMS.

User authentication

Formation of Final OTP at user end
Generation of Intermediate OTP after repositioning the digits of Final OTP at user end
Extraction of values from Intermediate OTP for authentication at server and user end
Extraction of values determined by Intermediate OTP
All the characters determined by the Intermediate OTP will be fetched from modified user-id or password, not from normal user-id or password.
Conversion of fetched characters into bits and generation of secured values for authentication

Comparison between Existing OTP System and Security Analysis

Table 1 shows the comparison with existing OTP based authentication systems.

Table 1: Comparison with existing OTP based authentication system

| Name of proposer | Core idea |
| --- | --- |
| Y. Huang, Z. Huang, H. Zhao, X. Lai [1] | OTP based on time stamps and sequence numbers. |
| N. Vishwakarma, K. Gangrade [2] | Random image and text based OTP with SHA-512 algorithm. |
| Ananthi Sheshasaayee, D. Sumathy [3] | OTP is encrypted and cipher text is encrypted by steganography and distributed. Personal Identification Number (PIN) needed to decrypt the OTP. |
| WenBin Hsieh, Jenq-Shiou Leu [4] | Volatile OTP based on time and location of mobile device of user. |
| Proposed system | Randomized selection of bit values and pixel's block from user personal information and biometric image based OTP. |

Table 2 shows the security analysis of the system.

Table 2: Security analysis of proposed system

| Stage | Size of security defined parameters for OTP formation | Number of executions needed to generate all possible combinations of the security parameters to originate OTPs |
| --- | --- | --- |
| For Intermediate OTP | Size of both user id and password is 8 chars. Number of security questions: 3. Answers of all 1st, 2nd and 3rd questions have 5 characters. Number of biometric images: 3. Size of all 1st, 2nd, 3rd images is 108*98 pixels (108*98*32 bits). | {Factorial(8) * [factorial(8) / (factorial(1) * factorial(8-1))] + 1} * {[factorial(5) / (factorial(1) * factorial(5-1))] + 1} * {[factorial(108*98*32) / (factorial(8) * factorial(108*98*32-8))] + 1} |
| For Final OTP | Size of intermediate OTP is 11 characters. | Factorial(11) |
| For Extracting secured values for authentication | Size of both user id and password is 8 chars. Number of security questions: 3. Answers of all 1st, 2nd and 3rd questions have 5 characters. Number of biometric images: 3. Size of all 1st, 2nd, 3rd images is 108*98 pixels (108*98*32 bits). | {Factorial(8) * [factorial(8) / (factorial(1) * factorial(8-1))] + 1} * {[factorial(5) / (factorial(1) * factorial(5-1))] + 1} * {[factorial(108*98*32) / (factorial(8) * factorial(108*98*32-8))] + 1} |

The total number of executions needed to generate all possible combinations of the security parameters to originate OTPs is

Factorial(11) + 2 * [{Factorial(8) * [factorial(8) / (factorial(1) * factorial(8-1))] + 1} * {[factorial(5) / (factorial(1) * factorial(5-1))] + 1} * {[factorial(108*98*32) / (factorial(8) * factorial(108*98*32-8))] + 1}].

This number of executions will take an extreme amount of time, and even then the system cannot be hacked, as user private information and biometric images are secured from unauthenticated users. So the system is extremely secure.

The proposed system extracts and uses secured values for authentication from user private information (biometric image, user id, password and security questions) as defined by the intermediate OTP. So if the OTPs are hacked, the system is still secure due to the unavailability of user private information. This enhances the security to a great extent.

Random selection of characters and pixels from randomly chosen user private information provides more security, as even if the OTP is hacked the secured authentication value cannot be retrieved without the user's unique biometric image, user id, password and security questions. Thus security is increased.

Formation of separate OTPs for distribution (final OTP) and user authentication (intermediate OTP) gives great security, as a separate digit repositioning algorithm is needed to convert the final OTP into the intermediate OTP. So if the final OTP is hacked at the time of distribution, the system is still secure.

Distribution of OTPs in parts through different communication channels (email and SMS) increases the security level, as multiple hacks are needed to access the entire OTP.

CONCLUSIONS

Six levels of security are present in the proposed system: user id and password based authentication; random selection of characters or pixels from randomly selected security authentication text or biometric image objects; distribution of OTPs in multiple communication modes; formation of separate OTPs for distribution (final OTP) and user authentication (intermediate OTP); extraction of secured values from user private information for authentication as defined by the intermediate OTP; and generation and use of a derived secret value for authentication rather than the OTP values.

REFERENCES

[1] Yun Huang, Zheng Huang, Haoran Zhao, Xuejia Lai, "A new One-time Password Method", ScienceDirect, DOI: 10.1016/j.ieri.2013.11.006, [International Conference on Electronic Engineering and Computer Science, 2013], IERI Procedia (4), pp. 32-37, 2013.
[2] Neha Vishwakarma, Kopal Gangrade, "Secure Image Based One Time Password," International Journal of Science and Research (IJSR), vol. 5, issue 11, pp. 680-683, November 2016.
[3] Ananthi Sheshasaayee, D. Sumathy, "A Framework to Enhance Security for OTP SMS in E-Banking Environment Using Cryptography and Text Steganography", Springer, Singapore, DOI: https://doi.org/10.1007/978-981-10-1678-3_68, [Proceedings of the International Conference on Data Engineering and Communication Technology], Advances in Intelligent Systems and Computing book series (AISC, volume 469), pp. 709-717, 2016.
[4] WenBin Hsieh, Jenq-Shiou Leu, "Design of a time and location based One-Time Password authentication scheme", DBLP, DOI: 10.1109/IWCMC.2011.5982418, [Proceedings of the 7th International Wireless Communications and Mobile Computing Conference, IWCMC 2011], Istanbul, Turkey, July 2011.
[5] Safa Hamdare, Varsha Nagpurkar, Jayashri Mittal, "Securing SMS Based One Time Password Technique from Man in the Middle Attack," International Journal of Engineering Trends and Technology (IJETT), vol. 11, issue 3, pp. 154-158, May 2014.
[6] Navpreet Kaur, Mandeep Devgan, Shashi Bhushan, "Robust login authentication using time-based OTP through secure tunnel", IEEE, [3rd International Conference on Computing for Sustainable Global Development], New Delhi, India, March 2016.
[7] Tamanna Saini, "One Time Password Generator System," International Journal of Advanced Research in Computer Science and Software Engineering, vol. 4, issue 3, pp. 781-785, March 2014.
[8] Digital content for OTP, link: https://en.wikipedia.org/wiki/One-time_password
[9] Digital content for OTP procedure, link: https://www.bobcards.com/otp-procedure.htm
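
The digit repositioning between intermediate and final OTP and the alternate bit merging described in the sections "Formation of OTP at Server End" and "Extraction of Secret Value at User End and User Authentication", as an added Python example that is not the authors' implementation. The block sizes (2, 2, 7, inferred from the 11-digit OTP and the "first 4 digits" rule), 1-based positions, 8-bit character codes, the round-robin bit order, the helper names and all sample values are assumptions; the repositioning uses no key, so both directions need only the block sizes.

```python
# Added illustration, not the authors' code. Assumptions: block sizes (2, 2, 7),
# 1-based positions, 8-bit character codes, round-robin bit order.
from itertools import zip_longest

BLOCK_SIZES = (2, 2, 7)  # digits 1-4 select two characters, digits 5-11 the pixels


def split_blocks(otp, sizes=BLOCK_SIZES):
    """Cut an intermediate OTP into its three blocks."""
    if len(otp) != sum(sizes) or not otp.isdigit():
        raise ValueError("expected %d decimal digits" % sum(sizes))
    cuts = [sum(sizes[:i]) for i in range(len(sizes) + 1)]
    return [otp[a:b] for a, b in zip(cuts, cuts[1:])]


def to_final(intermediate, sizes=BLOCK_SIZES):
    """Server side: one digit from each block per iteration (FINAL_OTP[])."""
    rounds = zip_longest(*split_blocks(intermediate, sizes), fillvalue="")
    return "".join("".join(r) for r in rounds)


def to_intermediate(final, sizes=BLOCK_SIZES):
    """User side: replay the same visiting order to put each digit back."""
    if len(final) != sum(sizes) or not final.isdigit():
        raise ValueError("expected %d decimal digits" % sum(sizes))
    order = [b for i in range(max(sizes)) for b, n in enumerate(sizes) if i < n]
    blocks = [""] * len(sizes)
    for digit, b in zip(final, order):
        blocks[b] += digit
    return "".join(blocks)


def pick(text, position):
    """Return the code of the character at a 1-based position."""
    if not 1 <= position <= len(text):
        raise ValueError("position %d outside text" % position)
    return ord(text[position - 1])


def merge_bits(*values):
    """Alternate merging: first bit of every value, then second bit, and so on."""
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError("values must fit in 8 bits")
    rows = [format(v, "08b") for v in values]
    return "".join("".join(column) for column in zip(*rows))


def secret_value(intermediate, user_id, password, answers, pixel_byte):
    """Octal secret from the modified user-id/password, the security answers
    and the 8-bit pixel block that block 3 points at (passed in directly)."""
    b1, b2, _b3 = split_blocks(intermediate)
    sources = {"1": user_id, "2": password}
    if b1[0] not in sources or not 1 <= int(b2[0]) <= len(answers):
        raise ValueError("selector digit out of range")
    c1 = pick(sources[b1[0]], int(b1[1]))
    c2 = pick(answers[int(b2[0]) - 1], int(b2[1]))
    bits = merge_bits(c1, c2, pixel_byte)
    return format(int(bits, 2), "0%do" % (len(bits) // 3))


if __name__ == "__main__":
    otp = "13242310457"  # constructed sample: blocks 13 | 24 | 2310457
    final = to_final(otp)
    print(final, to_intermediate(final) == otp)
    print(secret_value(otp, "rkd_2017", "Pa55w0rd", ["kolka", "tiger", "green"], 0xA7))
```

The same `secret_value` call on the server side with the stored modified user-id/password, answers and pixel block yields the value to compare against the user's input.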