Need to write a research paper on the "Detection of Password Vault leakage". I have a related paper attached to this. Generally, companies have a database which saves the passwords. If this has been hack

Authentication Database Leakage Detection

I-Hsien Liu a, Chuan-Gang Liu b, Chia-Hsiu Chen a and Jung-Shian Li a*
a Department of Electrical Engineering / Institute of Computer and Communication Engineering, National Cheng Kung University, Taiwan
b Department of Applied Informatics and Multimedia, Chia-Nan University of Pharmacy and Science, Taiwan
R92929, No. 1, Univ. Rd., Tainan City, Taiwan, 701-01.
*[email protected]

ABSTRACT
Authentication is the first step for any important application. Password verification is widely employed on the Internet. Some advanced mechanisms use biometric features such as fingerprints or the retina. However, the digital password credential is still the one most commonly used by the public; in other words, traditional password verification remains an important authentication mechanism for today's online services. A password database may be compromised, and once the database is stolen the consequences are dangerous and critical for any service. Consequently, password database leakage has become an important issue, and detection and countermeasures are essential for such a disaster. Our research proposes a scheme based on an authentication database storage mapping method to detect possible leakage of the authentication database. Through multiple mapping mechanisms, an attacker who steals the authentication database cannot learn any user's correct password. This method reduces the additional space needed to store passwords while retaining the ability to detect the security event of a stolen authentication database.

KEYWORDS
Application Security; System Security; Leakage Detection; Authentication Database; Password

1 INTRODUCTION
Over the past decades, with the popularity of personal computers and mobile devices, the convenience of the Internet, and the development of social networks, more and more people rely on the Internet to handle or share aspects of their lives, such as online payment and online shopping.
The school also provides a variety of online services, such as a course enrollment system and online courses, to give teachers and students a convenient campus life. All of the above require user authentication to confirm identity before the appropriate application can be used. A comprehensive IoT authentication mechanism includes the following items: passwords [1], digital signatures [2][3], and biometric authentication mechanisms [4] (fingerprints et al. [5]). The password is still the most important credential for today's account authentication, and therefore plays a very important role in daily life. The evolution of the password has produced a variety of forms of authentication [6], for example fingerprints, sound waves and the retina. However, the traditional digital password credential is still widely accepted by the public, and in the past few decades the content of this mechanism has not changed much. In recent years, information security issues have gradually been taken seriously, and system security has become one of the considerations of users when choosing a service. In particular, the password is the first line of defense, yet password file leaks are endless. These common password leak events cause users' personal information to be stolen, leading not only to identity theft but also to serious property damage. According to Gemalto's 2016 report [7], the most serious consequence is account access, followed by identity theft.

ISBN: 978-1-941968-50-5 ©2018 SDIWC 18

2 RELATED WORK
The concept of Honeywords was first introduced by Juels and Rivest [8]. Their main idea was to design a defense mechanism to detect whether a password file had been leaked. The paper assumes that the attacker can obtain the password file and is able to recover the passwords in plaintext.
The Honeyword principle stores the user's real password together with (k-1) fake passwords generated by the Honeyword generator, so the password file holds multiple possible passwords for each user. As a result, even if the password file leaks, the attacker cannot tell which one is the user's real password. If he wants to log in under the stolen identity, there is a high probability of entering a fake password, so the system learns that the password file may have been compromised. At this point, the system can trigger an alarm according to the security policy set by the administrator and notify the administrator to take the corresponding action. The password file structure is shown in Figure 1.

Fig. 1 The password file structure

The principle of Honeywords is as follows. When a new user registers, he submits an account u_i and a password p_i to the system; the Honeyword generator Gen(k) then produces a set of passwords W_i = (w_{i,1}, w_{i,2}, ..., w_{i,k}) that contains the new user's correct password at index c_i, i.e. w_{i,c_i} = p_i. For security reasons, the index table c is stored on a third-party server independent of the login server. The encrypted password list is stored as H_i = (v_{i,1}, v_{i,2}, ..., v_{i,k}), where the j-th entry v_{i,j} corresponds to w_{i,j}, so only the entry at index c_i corresponds to the real user's password. A very important part of the Honeyword system is the Honeyword generator. In [9] the author describes three ways to generate the passwords, as follows:

2.1 Chaffing by tweaking
This approach replaces selected character positions, where each character must be replaced by one of the same type, such as letter-to-letter, symbol-to-symbol or digit-to-digit. One common practice is "chaffing-by-tail-tweaking", which changes the last few digits to generate Honeywords.
For example, for password123, if we choose to change the last two digits and generate three Honeywords, the Honeyword generator may produce the password list W = {password135, password148, password123, password107}.

2.2 Chaffing-with-a-password-model
This method performs the replacement using the same syntax model, that is, with groups as the unit, such as a letter group or a digit group. In the example above, password123 is divided into W8 | D3, that is, 8 letters followed by 3 digits. Assuming that two Honeywords are to be generated, a possible password list is W = {chaffing345, keyboard987, password123}. This is more effective than chaffing by tweaking because it makes the Honeywords more realistic and closer to the real password, so that the attacker cannot tell the difference between the real password and the Honeywords, which increases the chance of entering a fake password.

2.3 Chaffing with "tough nuts"
This kind of Honeyword is meant to confuse the attacker: the password is made longer or its character composition more complex, which raises the difficulty of cracking it and thereby increases the attacker's attack time. Honeywords can also be produced in a mixed way, such as combining "chaffing-by-tweaking-digits" with "chaffing-with-a-password-model". In this way, one first generates a group of a models and then generates b passwords from each by replacing digits, forming k = a * b passwords. This approach is stronger than using only one way to generate Honeywords and improves the security of the system.

3 RESEARCH METHODS
With the importance of identity authentication to modern networks, the security and reliability of cryptographic authentication are becoming increasingly important. However, the user and the password they use have remained the weakest part of the security mechanism since the appearance of password authentication [9].
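Before turning to the proposed scheme, the Honeyword mechanism of Section 2 as an added example in Python (not code from the paper or from Juels and Rivest): a Gen(k) generator mixing chaffing-by-tail-tweaking and chaffing-with-a-password-model, the per-user hash list H_i kept by the login server, and a separate honeychecker holding the true index c_i. The three-word list, plain SHA-256 as the stored hash, and the 50/50 mix of the two generators are assumptions of this example.

```python
import hashlib
import random
import re
# Added example, not code from the paper or from Juels and Rivest: the Honeyword
# mechanism of Section 2 with a Gen(k) generator (tail-tweaking plus password
# model), the per-user hash list H_i and a honeychecker holding the index c_i.
# The word list is constructed and plain SHA-256 stands in for a password hash.
WORDS = ["chaffing", "keyboard", "elephant"]   # constructed 8-letter word list
DIGITS, LETTERS = "0123456789", "abcdefghijklmnopqrstuvwxyz"
def tweak_tail(password, digits, rng=random):  # chaffing-by-tail-tweaking
    head, tail = password[:-digits], password[-digits:]
    return head + "".join(rng.choice(DIGITS) if c.isdigit() else c for c in tail)

def model_chaff(password, rng=random):
    """Chaffing-with-a-password-model: keep the group syntax (password123 = W8|D3)."""
    out = []
    for group in re.findall(r"[A-Za-z]+|\d+|[^A-Za-z\d]+", password):
        if group.isalpha():
            pool = [w for w in WORDS if len(w) == len(group)]
            out.append(rng.choice(pool) if pool else
                       "".join(rng.choice(LETTERS) for _ in group))
        elif group.isdigit():
            out.append("".join(rng.choice(DIGITS) for _ in group))
        else:
            out.append(group)                  # symbol groups are kept unchanged
    return "".join(out)

def gen_sweetwords(password, k, rng=random):
    """Gen(k): the true password plus k-1 distinct honeywords, in shuffled order."""
    words = {password}
    while len(words) < k:                      # mix both generators (Section 2.3)
        words.add(model_chaff(password, rng) if rng.random() < 0.5
                  else tweak_tail(password, 2, rng))
    return rng.sample(sorted(words), k)        # sorted: set order is not reproducible

class HoneywordSystem:
    def __init__(self, k=4, seed=None):
        self.k, self.rng = k, random.Random(seed)   # seed only for reproducible demos
        self.H, self.checker = {}, {}   # login server hashes H_i; honeychecker indices c_i
    def register(self, user, password):
        words = gen_sweetwords(password, self.k, self.rng)
        self.H[user] = [hashlib.sha256(w.encode()).digest() for w in words]
        self.checker[user] = words.index(password)
        return words         # for inspection only; a real server keeps just the hashes
    def login(self, user, password):
        """Return 'ok', 'wrong password' or 'alarm' (a stolen, cracked file is suspected)."""
        digest = hashlib.sha256(password.encode()).digest()
        if digest not in self.H.get(user, []):
            return "wrong password"
        return "ok" if self.H[user].index(digest) == self.checker[user] else "alarm"
```

Only the honeychecker can tell a sweetword index from c_i, so an attacker who cracks the stolen list and submits any of the k-1 honeywords raises the alarm.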
Therefore, to enhance the security of authentication, we propose a password-mapping system following the concept of the Honeyword system [9]. We store the users' passwords in the system in random order, so that on the surface the password mapped to an account is not the one its user originally set. This not only retains the detection mechanism for password file leakage but also reduces the system's storage cost. When a real user wants to use the system service, they establish their own account by providing a user name and password to the system. The system verifies the login against this name and password and then grants the corresponding privileges. As described in the Introduction, an attacker can steal a user's password in different ways, such as sniffing or sending malware, at different layers of the network architecture, and can then crack the password by brute force, dictionary attack or various password-cracking tools. In this case, we therefore assume that the attacker:
• has the ability to obtain the real users' account and password file from the system, and
• has the ability to recover the passwords in plaintext and wants to log in to the system.
Our system architecture is mainly composed of three parts, the user, the administrator and the database, as shown in Figure 2. The manager section mainly handles user registration and login authentication, and takes appropriate action when a login is abnormal. To make the password authentication system more secure, the administrator needs to constrain password settings according to the management policy, for example the minimum password length and the minimum number of character types. The last part is the database, which mainly contains two tables.
One data table stores the user's account and the hash of the password; the other is the password checklist, which stores the user ID and the index of the user's true password.

Fig. 2 System Architecture

4 IMPACT EVALUATION
We compare the differences between the traditional system, the Honeyword system and the system we propose. As Table 1 shows, our passwords are stored in the same way as in traditional systems, whereas the Honeyword system stores multiple passwords for a single user. Our system requires an additional ID and index value compared with the storage cost of the traditional system, but compared with the Honeyword system it avoids the cost of storing t additional passwords for each user, greatly reducing the system's storage cost. For the probability of attack success, assume that the attacker has obtained the password file and successfully cracked it into plaintext passwords; the probability of attack success is then 100% in the traditional system, because in the traditional way of password storage the username maps directly to the real user's password. In the Honeyword system, the probability of attack success is determined by the number of fake passwords and their flatness.

Table 1. System Comparison.

The more fake passwords there are, the smaller the probability that each user is successfully attacked, but this requires extra storage. In our system, as the number of users rises, the probability of attack success becomes smaller, and the scheme does not need additional storage.

5 CONCLUSION
Based on the Honeyword system [9], we propose a password-mapping system to detect leakage of an authentication database, since users may reuse the same password across different applications. Through experimental results, our proposed scheme shows similar performance to the original one. The scheme can detect the leakage at an acceptable level of overhead.
Due to its low complexity, our proposed system can effectively improve the security of password authentication and detect account leakage events. Furthermore, thanks to its simplicity, our proposed scheme can achieve scalability.

Acknowledgements
This work was supported by the MOST (Ministry of Science and Technology), Taiwan, under contract numbers MOST 107-2218-E-006-036- and MOST 107-2221-E-344-002-.

REFERENCES
[1] Sudar, C., Arjun, S. K., & Deepthi, L. R. (2017, September). Time-based one-time password for Wi-Fi authentication and security. In 2017 International Conference on Advances in Computing, Communications and Informatics (ICACCI) (pp. 1212-1216). IEEE.
[2] Abdullah, G. M., Mehmood, Q., & Khan, C. B. A. (2018, March). Adoption of Lamport signature scheme to implement digital signatures in IoT. In 2018 International Conference on Computing, Mathematics and Engineering Technologies (iCoMET) (pp. 1-4). IEEE.
[3] Yassin, A. A., Jin, H., Ibrahim, A., & Zou, D. (2012, November). Anonymous password authentication scheme by using digital signature and fingerprint in cloud computing. In 2012 Second International Conference on Cloud and Green Computing (CGC) (pp. 282-289). IEEE.
[4] Mathew, S., & Saranya, G. (2017, March). Advanced biometric web security system using digital signature. In 2017 International Conference on Innovations in Green Energy and Healthcare Technologies (IGEHT) (pp. 1-4). IEEE.
[5] Vijaysanthi, R., Radha, N., Shree, M. J., & Sindhujaa, V. (2017, February). Fingerprint authentication using Raspberry Pi based on IoT. In 2017 International Conference on Algorithms, Methodology, Models and Applications in Emerging Technologies (ICAMMAET) (pp. 1-3). IEEE.
[6] Ferrag, M. A., Maglaras, L. A., Janicke, H., Jiang, J., & Shu, L. (2017). Authentication protocols for Internet of Things: a comprehensive survey. Security and Communication Networks, Vol. 2017, pp. 1-41.
[7] Gemalto (2016). 2016 Mining for Database Gold: Findings from the 2016 Breach Level Index.
[8] Juels, A., & Rivest, R. L. (2013). Honeywords: Making password-cracking detectable. In Proc. 2013 ACM SIGSAC, Berlin, Germany (pp. 145-160).
[9] Tam, L., Glassman, M., & Vandenwauver, M. (2010). The psychology of password management: a tradeoff between security and convenience. Behaviour & Information Technology, 29(3), 233-244.
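As an added illustration of the password-mapping scheme of Sections 3 and 4 (not the authors' implementation), the example below models the two database tables: a password file in which each account is shown beside a hash that belongs to a different user, and a separate checklist mapping each user to the row holding his true hash, with the alarm raised when a submitted password is valid for another row. PBKDF2-SHA256 with a per-row salt, the "no row keeps its own hash" shuffle, and the uniform-guess model behind attacker_success_rate are assumptions of this example, not details fixed by the paper.

```python
import hashlib
import os
import random

# Added example, not the paper's code, of the password-mapping scheme in Sections 3
# and 4. Table 1 (the stealable password file) lists each account beside a hash that
# belongs to a *different* user; Table 2 (the checklist, kept apart from the login
# server) maps each user to the row holding his true hash. PBKDF2-SHA256 with a
# per-row salt, the derangement shuffle and the 1/n guess model are assumptions.
ITERATIONS = 20_000     # kept low for the demo; production deployments use far more

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class MappingAuthDB:
    def __init__(self, users, seed=None):
        """users: {account: password}, consumed once at registration; seed is for demos."""
        rng, accounts, n = random.Random(seed), list(users), len(users)
        if n < 2:
            raise ValueError("mapping needs at least two users to shuffle")
        while True:                      # shuffle until no row keeps its own user's hash
            perm = list(range(n))
            rng.shuffle(perm)
            if all(perm[i] != i for i in range(n)):
                break
        self.rows = []                   # Table 1: (shown account, salt, hash of user perm[i])
        for i in range(n):
            salt = os.urandom(16)
            self.rows.append((accounts[i], salt, hash_pw(users[accounts[perm[i]]], salt)))
        self.checklist = {accounts[perm[i]]: i for i in range(n)}   # Table 2: user -> row

    def login(self, account, password):
        """Return 'ok', 'wrong password' or 'alarm' (a stolen, cracked file is suspected)."""
        idx = self.checklist.get(account)
        if idx is None:
            return "wrong password"
        _, salt, digest = self.rows[idx]
        if hash_pw(password, salt) == digest:
            return "ok"
        # A password valid for some *other* row is what an attacker holding a cracked
        # copy of Table 1 would submit under the account shown beside that hash.
        # (One PBKDF2 per row; a real deployment bounds this scan, e.g. by rate limiting.)
        if any(hash_pw(password, s) == d for _, s, d in self.rows):
            return "alarm"
        return "wrong password"

    def attacker_success_rate(self):
        """Attacker with one cracked row who guesses its owner uniformly: 1/n users."""
        return 1 / len(self.rows)
```

The stolen Table 1 on its own never pairs a cracked password with its true account, so every attempt made under the account label shown beside the hash is detected, and a blind guess of the owner succeeds with probability 1/n, which falls as the user base grows.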