Abstract

Passwords have been the common authentication mechanism in earlier client-server systems as well as in modern online applications, yet they are the weakest form of authentication: the cracking and credential-theft tools available to attackers undo most efforts to strengthen them. To design and implement a secure authentication mechanism, this paper presents an authentication scheme integrated with a cryptographic USB token. Public Key Infrastructure (PKI) identifies a user by a key pair and a digital certificate; the PKI-based cryptographic USB token strengthens the authentication process because the private key is held inside the token. The mechanism presented here provides multi-layer security and is built on a trusted user session. Unique session identifiers are created at run time and deactivated automatically when no data has been transferred over the channel for a predefined period. Once a session has been created, the user is authenticated and logged in to it; thereafter the session identifier is verified at the server to prevent session replay attacks. A further layer of security is added by a secure handshake between server and client, so that the mechanism operates in challenge-response mode. The software system presented in the paper has been subjected to vulnerability assessment, with particular emphasis on penetration tests, session replay attacks and the use of revoked keys. The assessment results indicate that the developed mechanism provides a secure framework.
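The abstract describes four behaviours a practitioner would want to see together: a challenge-response handshake verified against the certificate's public key, rejection of a revoked certificate, single-use challenges so a captured response cannot be replayed, and session identifiers that are deactivated after an idle period. The following is an added illustration written for this page, not code from the paper or its authors. It assumes a toy textbook RSA key pair (p = 61, q = 53) standing in for the token's hardware-held key, a simulated `UsbToken` class, an `AuthServer` with an injectable clock, and constructed certificate serials such as `alice-01` and `mallory-09`; none of these names or parameters come from the paper, and the toy RSA is only there to make the protocol logic runnable.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

# Toy textbook RSA parameters (p = 61, q = 53) standing in for the token's key pair.
# ASSUMPTION: a real cryptographic USB token holds a 2048-bit+ key in hardware and
# uses a padded signature scheme; these numbers only make the protocol logic runnable.
RSA_N, RSA_E, RSA_D = 3233, 17, 2753


def digest_mod_n(data: bytes, n: int = RSA_N) -> int:
    """Hash the challenge and reduce it into the (toy) RSA message space."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


class UsbToken:
    """Simulated token: the private exponent never leaves the object, only signatures do."""

    def __init__(self, cert_serial: str, d: int = RSA_D) -> None:
        self.cert_serial = cert_serial
        self._d = d

    def sign(self, challenge: bytes) -> int:
        return pow(digest_mod_n(challenge), self._d, RSA_N)


@dataclass
class Session:
    user: str
    last_activity: float


class AuthServer:
    """Challenge-response login backed by certificates, with idle-expiring sessions."""

    CHALLENGE_TTL = 30.0  # seconds a challenge stays answerable

    def __init__(self, pubkeys: Dict[str, Tuple[int, int]], revoked: Set[str],
                 idle_timeout: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.pubkeys = pubkeys        # cert serial -> (n, e) taken from the user's certificate
        self.revoked = set(revoked)   # serials on the CRL; their signatures are rejected
        self.idle_timeout = idle_timeout
        self.clock = clock
        self.pending: Dict[bytes, Tuple[str, str, float]] = {}   # challenge -> (user, serial, issued_at)
        self.sessions: Dict[str, Session] = {}

    def issue_challenge(self, user: str, cert_serial: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = (user, cert_serial, self.clock())
        return nonce

    def complete_handshake(self, challenge: bytes, signature: int) -> Optional[str]:
        # pop() makes every challenge single-use: replaying a captured response fails here
        entry = self.pending.pop(challenge, None)
        if entry is None:
            return None
        user, cert_serial, issued_at = entry
        if self.clock() - issued_at > self.CHALLENGE_TTL:
            return None
        if cert_serial in self.revoked or cert_serial not in self.pubkeys:
            return None
        n, e = self.pubkeys[cert_serial]
        if pow(signature, e, n) != digest_mod_n(challenge, n):
            return None
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = Session(user, self.clock())
        return session_id

    def check_session(self, session_id: Optional[str]) -> Optional[str]:
        session = self.sessions.get(session_id) if session_id else None
        if session is None:
            return None
        now = self.clock()
        if now - session.last_activity > self.idle_timeout:
            del self.sessions[session_id]   # deactivated automatically after inactivity
            return None
        session.last_activity = now
        return session.user


class FakeClock:
    """Constructed clock so the idle timeout can be exercised without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def run_demo() -> Dict[str, bool]:
    """Exercise login, replay, idle expiry and revoked-key paths; returns pass/fail per check."""
    clock = FakeClock()
    server = AuthServer({"alice-01": (RSA_N, RSA_E), "mallory-09": (RSA_N, RSA_E)},
                        revoked={"mallory-09"}, idle_timeout=60.0, clock=clock)
    token = UsbToken("alice-01")
    challenge = server.issue_challenge("alice", "alice-01")
    signature = token.sign(challenge)
    sid = server.complete_handshake(challenge, signature)
    results = {"login_ok": sid is not None}
    results["replayed_response_rejected"] = server.complete_handshake(challenge, signature) is None
    results["session_valid_while_active"] = server.check_session(sid) == "alice"
    clock.now += 61.0
    results["idle_session_deactivated"] = server.check_session(sid) is None
    revoked_challenge = server.issue_challenge("mallory", "mallory-09")
    forged = UsbToken("mallory-09").sign(revoked_challenge)
    results["revoked_key_rejected"] = server.complete_handshake(revoked_challenge, forged) is None
    return results


if __name__ == "__main__":
    for check, passed in run_demo().items():
        print(f"{check}: {'PASS' if passed else 'FAIL'}")
```

The server never stores a signature, only the outstanding challenges, so a replayed response has nothing to match against; the idle check runs on every session lookup rather than in a background timer, which keeps the deactivation rule in one place. Because RSA exponentiation with the public exponent is a bijection on the message space, a tampered signature can never verify against the untampered challenge digest, which is what the wrong-signature check below relies on.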
