Brute-Force Attack Prevention in Cloud Computing Using One-Time Password and Cryptographic Hash Function

International Journal of Computer Science and Information Security (IJCSIS), Vol. 17, No. 2, February 2019. ISSN 1947-5500, https://sites.google.com/site/ijcsis/

Folasade Ayankoya, Department of Computer Science, Babcock University, Illishan-Remo, Nigeria. [email protected]
Blaise Ohwo, Department of Computer Science, Babcock University, Illishan-Remo, Nigeria. [email protected]

Abstract: Brute-force attacks are unavoidable in any environment where weak passwords are used to secure sensitive information. When accessing resources via the Internet, the most common security measure is the user's identity together with a secret passphrase known as a password. Various means have been researched and developed to mitigate or limit brute-force attacks. This research was carried out to develop a brute-force prevention system for cloud computing that protects the symmetric-key encryption algorithm deployed as a security measure from brute-force attack by generating a new encryption key, derived by salting the user's password with a random salt value and applying a cryptographic hash function. A password policy was designed to assist users in generating a robust password, and a one-time password was added to improve the security of the system. After testing the brute-force prevention system, the results showed that 100% of brute-force attacks were unsuccessful and 0% were successful; a strong password was also found to help prevent brute-force attacks. Any successful brute-force attack that did occur was the result of users disclosing or not properly securing their login credentials. The study concluded that the brute-force prevention system has a high level of resistance against brute-force attacks due to the password policies enforced. It is therefore recommended to service providers where the use of the Data Encryption Standard is predominant, and where the processing and the number of rounds of communication of data are low, as it integrates more security features while working with the current encryption standard.

Keywords: cloud computing, data encryption standard, one-time password, password policy, cryptographic hashing function, brute-force attack.

1. INTRODUCTION
Over the years, information technology has developed, bringing new innovations to our fingertips; with these new developments come new security threats. Since the adoption of cloud computing, information security has been at the top of the list of concerns of cloud computing clients. Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. A number of essential characteristics have been described that set cloud computing apart from virtualization alone, which is commonly mistaken for cloud computing (Mell & Grance, 2011). These characteristics are:
Broad network access: cloud computing provides resources over the network, supporting a large number of heterogeneous client platforms.
Resource pooling: by securely separating resources at the logical level, physical resources can be shared to serve multiple clients.
On-demand self-service: using a web-based self-service portal, clients can use cloud computing resources without requiring human interaction with the provider.
Measured service: usage of cloud computing resources is monitored, measured and reported based on the client's utilization.
Since cloud computing is about the use of technology as a service, clients need almost no knowledge of how the services are realized or of the equipment they run on. What matters to the client is a good understanding of which services are and are not offered, and of the operation of the self-service portal. Cloud computing is on the rise as it takes over more key functions in management, development
and engineering in most organizations, keeping executive and management functions in-house (Marston, Li, & Bandyopadhyay, 2011). The beginnings of cloud computing brought some fundamental issues that have restricted its adoption. Issues such as data security and privacy are among the most prominent faced by organizations that adopt cloud computing services, as the services are operated by third parties (Buyya & Yeo, 2008). Efforts have been made to ensure that cloud computing is secure through the development of various cryptographic techniques and the adoption of privacy policies that protect the information of cloud computing clients. The origin of cloud computing ushered in a new era of IT outsourcing, and organizations that took that path still have reservations about the security and privacy of their information stored in the cloud. The adoption of various cryptographic techniques brought a much-needed refresh, as they were aimed at re-establishing confidence in cloud computing. Even so, the question of how secure these cryptographic techniques are remains open.

Cryptography is a technique for storing and transmitting information in a particular form so that only those for whom it is intended can read and process it. Modern cryptography is usually associated with scrambling plaintext into ciphertext (a process called encryption) and back into plaintext (a process called decryption) (Margaret, 2014). Despite the use of cryptography in information security, it still faces threats such as brute-force attacks, side-channel attacks, biclique attacks and so on. This research investigates ways to limit and mitigate brute-force attacks using a one-time password and a cryptographic hash function.

Statement of the Problem
Cloud computing is a system that permits resource sharing by clients from remote locations. This requires clients to surrender part or all of the security of their personal and corporate information to the provider, which in turn requires the cloud provider to set up sufficient security measures; however, the adequacy of those measures is still in question, as security issues persist. Further measures have since been taken to secure the cloud through the adoption of data encryption, which involves storing information in the cloud in encrypted form (ciphertext). Research has found that even with the wide adoption of data encryption, the cloud now faces new security issues, including the compromise of the encryption algorithm in place through brute-force attacks, biclique attacks, man-in-the-middle attacks and side-channel attacks (Joni, 2015). A brute-force attack is a trial-and-error method used by application programs to recover encrypted data, for example a secret key or encryption key, through exhaustive effort rather than analytical strategies. Securing information stored in the cloud is therefore a critical task that cannot be ignored, as cloud clients need sufficient assurance that the security measures adopted are satisfactory (Reinhard, 2001). The Data Encryption Standard was adopted as an industry standard and has been widely used in the government, private and public sectors of various industries to secure information, but over the years it has been found to be vulnerable to brute-force attacks because of its key length (Joni, 2015). Hence, this research develops a system to prevent brute-force attacks on the Data Encryption Standard in cloud computing using a one-time password and a cryptographic hash function.

2. REVIEW OF LITERATURE
Cloud Computing
Cloud computing, as described by the United States National Institute of Standards and Technology (NIST), is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction (Mell & Grance, 2011). Cloud computing has also been characterized as a digital infrastructure, that is, a collection of computing resources that increases productivity, quality and reliability by capturing commonality among application needs and facilitating the efficient sharing of hardware and services (Vouk, 2004). The definition of cloud computing is itself "cloudy" and has been characterized differently by practitioners and analysts alike in the industry. The co-founder of Oracle, Larry Ellison, says "cloud computing has been defined to include everything that is done already... without the understanding of what would be done differently in the light of cloud computing other than change the wording of some of our ads" (Farber, 2008). The founder of the Free Software Foundation and creator of the GNU operating system, Richard Stallman, says "it's stupidity. It's worse than stupidity: it's a marketing hype campaign" (Johnson, 2008).

Brief History of Cloud Computing
The term cloud computing is relatively new in the computing world (Luis et al., 2008). Although the term is new, its concepts are not, as they derive from other computing paradigms such as utility computing, grid computing and service-oriented architecture, among others (Wang & Laszewski, 2008), (Geelan, 2009), (Buyya & Yeo, 2008). One might say that cloud computing has existed in different forms since the beginning of computing and can be traced back to the rise of timesharing and utility computing in the early sixties. The seventies saw the mainframe era, the eighties the arrival of PCs, and the nineties the dot-com bubble and the advent of grid computing. This in turn led to virtualization technology and thus to the birth of modern cloud computing (Bhattacharjee, 2009). The first attempt at cloud computing was in 1999, when Marc Andreessen established the Loudcloud company (Sheff, 2003). It was the first company to offer what are now called Software as a Service (SaaS) services using an Infrastructure as a Service (IaaS) model (Sheff, 2003). In 2000 Microsoft launched web services as a SaaS offering, followed in 2001 by IBM with their Autonomic Computing Manifesto (Kephart & Chess, 2003), and in 2007 a collaboration between IBM and Google launched research in cloud computing (Lohr, 2007).

Figure 2.1: Descriptive diagram of cloud computing (Tutorialspoint, 2017)

Cryptography
Human beings have, from the earliest ages, had two inherent needs: (a) to communicate and share information and (b) to communicate selectively. These two needs gave rise to the art of coding messages so that only the intended individuals could access the information. Unauthorized individuals could not extract any information even if the scrambled messages fell into their hands. Cryptography can be defined as the art and science of concealing messages to introduce secrecy in information security (Tutorialspoint, 2017). Put another way, cryptography is the art and science of designing or generating a secret form of the original message, i.e. a code or cipher, for secure communication between sender and receiver (Akanksha, 2012).

Brief History of Cryptography
According to (Tutorialspoint, 2017), the art of cryptography is thought to have been born alongside the art of writing. As civilizations advanced, humans organized themselves into tribes, groups and kingdoms, which led to the emergence of ideas such as power, battles, supremacy and politics. These ideas further fueled the natural need of people to communicate secretly with selected individuals, which in turn ensured the continuous development of cryptography. The roots of cryptography are found in Roman and Egyptian civilization. In the fifteenth century, improved coding techniques such as the Vigenère cipher appeared, which shifted the letters of a message by varying amounts rather than by the same number of places. In the nineteenth century, cryptography evolved from ad hoc approaches to encryption into the more sophisticated art and science of information security. In the early twentieth century, the invention of mechanical and electromechanical machines, such as the Enigma rotor machine, provided more advanced and efficient means of encoding information. During World War II, cryptography became highly mathematical. With the advances taking place in the field, government organizations, military units and some corporations began adopting cryptography to guard their secrets from others. Today, the arrival of computers and the Internet has brought strong cryptography within the reach of ordinary citizens.

Security Services of Cryptography
The primary objective of using cryptography is to provide the following fundamental information security services. According to (Willian S., 2005), these services are:
1. Confidentiality: the fundamental security service provided by cryptography. It is a security service that keeps information from unauthorized persons.
2. Data integrity: a security service that deals with identifying any alteration to the data. The
data may get modified by an unauthorized entity intentionally or accidentally.
3. Authentication: provides identification of the originator. It confirms to the receiver that the data received has been sent only by an identified and verified sender.
4. Non-repudiation: a security service that ensures that an entity cannot deny ownership of a previous commitment or action. It is an assurance that the original creator of the data cannot deny its creation or transmission to a recipient or third party.

Cryptography: How it Works
The oldest and most fundamental problem of cryptography is secure communication over an insecure channel. Party A wants to send party B a secret message over a communication line that may be tapped by an adversary. The traditional solution to this problem is called private-key encryption. In private-key encryption, A and B meet before the remote transmission takes place and agree on a pair of encryption and decryption algorithms E and D, and on an additional piece of information S to be kept secret; S is referred to as the common secret key. The adversary may know the encryption and decryption algorithms E and D in use, but does not know S. After the initial meeting, when A wants to send B the plaintext message m over the insecure communication line, A encrypts m by computing the ciphertext c = E(S; m) and sends c to B. Upon receipt, B decrypts c by computing m = D(S; c). The line-tapper (or adversary), who does not know S, should not be able to compute m from c (Shafi & Mihir, 2008).

Figure 2.2: A diagram of how encryption works (Tutorialspoint, 2017)

Data Encryption Standard (DES)
The Data Encryption Standard (DES) is a symmetric-key block cipher published by the National Institute of Standards and Technology (NIST) that encrypts data in 64-bit blocks. It has a key length of 56 bits, expressed as a 64-bit number in which the last bit of each byte acts as a parity check for the previous 7 bits and is used for error detection. The three primary operations of DES are XOR, permutation and substitution. The encryption of symmetric ciphers involves confusion and diffusion: the aim of confusion is to make the relationship between the plaintext and the ciphertext complex, while diffusion aims to spread changes throughout the ciphertext so as to hide any statistical feature. In DES, substitution is used to achieve confusion and permutation to achieve diffusion. Data encryption is also called the "forward cipher operation" and data decryption the "reverse cipher operation". In the forward cipher operation, each 64-bit block of data (plaintext) is transformed using several mathematical steps over 16 rounds. The inverse cipher transformation uses the same mathematical steps as the encryption algorithm but must ensure that the same blocks of key bits used in the rounds of encryption are used in decryption, applied in reverse order (FIPS, 1999).

Figure 2.3: A diagram of the Data Encryption Standard (DES) algorithm (Tutorialspoint, 2017)

Cryptographic Hash Function
A hash function is an efficient function mapping binary strings of arbitrary length to binary strings of fixed length (e.g. 128 bits), called the hash value or digest. A hash function is many-to-one: many inputs to a hash function map to the same digest.

Salt is a random string of data used to alter a password hash. It is combined with the password before hashing so that each user's stored hash is unique even when another user in the system has chosen the same password (Search Security, 2017). Salt can also be added to make it more difficult for an attacker to break into a system using password hash-matching strategies, because adding salt to a password hash keeps an
attacker from testing known dictionary words across the whole system (Search Security, 2017). In short, salt is a random block of data, string or bytes. Programming languages provide various random number generation classes or functions for creating random numbers and bytes; however, the general-purpose ones are not able to produce cryptographically secure random numbers. They are pseudo-random number generator (PRNG) algorithms, whose output is entirely determined by the data used to seed the algorithm (Pritesh & Jigisha, 2013). A cryptographically secure pseudo-random number generator (CSPRNG) is therefore required, which must produce statistically random numbers and hold up against attack. In some highly secure applications, special hardware is used to generate true random numbers from a physical process, for example noise produced by a microphone or the nuclear decay of a radioactive source (Dorrans, 2017). After generating a true random number, called the salt value, it must be combined with the plaintext to produce the salted hash. To create a salted hash, use the salt value as a prefix to the plaintext, or append it to the plaintext, before computing the hash.
Steps to generate a salted hash of a password (Pritesh & Jigisha, 2013):
1. Get the password.
2. Generate a salt using a trusted random function/method.
3. Append the salt to the original password.
4. Generate the salted hash of the password using an appropriate hash function.
5. Store the salt and the salted hash in the database.

Attacks Against Encryption Systems
The primary goal of an attack against an encryption system is to recover the key that was used to encrypt the data, giving the attacker access to the encrypted data. The attacker can either use a brute-force attack or various cryptanalysis techniques to calculate the encryption key (Willian S., 2014).

Brute-force Attack
Brute-force attacks are very basic attacks and can be used against every cipher. With these attacks the objective is to try every possible key until the one that translates the information into plaintext is found (Christof & Jan, 2009). In the worst case the brute-force algorithm must try every key before the right one is found; on average it must try half of all possible keys (Willian S., 2014). The feasibility of a brute-force attack depends mostly on the size of the key space. This implies that brute-force attacks can only work if the cipher uses short keys, since with longer keys the size of the key space is exponentially larger: a cipher with a key length of N bits has a key space of 2^N. Because of its large key space and the resulting computational cost, brute-force attacks do not undermine the security of AES. This cryptanalytic attack method highlights the importance of adequate key length and the reason why DES is no longer adequately secure. DES has only 2^56 = 7.2 × 10^16 possible keys; if we use a powerful computer that can perform 10^6 decryptions per microsecond, then on average (after searching half the key space) it will take only 10.01 hours to find the right key, and about twice that in the worst case. AES has a minimum key length of 128 bits, so it has at least 2^128 = 3.4 × 10^38 possible keys, and the same machine would take on average 5.4 × 10^18 years to find the right key (Willian S., 2014).

Review of Related/Existing Works
The focus of the related work is to examine the possible ways in which brute-force attacks have been prevented and the existing tools and techniques used in preventing these attacks.

A system using a combination of a Genetic Algorithm and a Feed-Forward Back-Propagation Neural Network to counter Distributed Denial of Service (DDoS) and brute-force attacks was proposed by (Jaspreet & Rupinder, 2015). It is essentially a secure platform for file sharing. The system focuses on log entries and handles denial-of-service and brute-force attacks using the Genetic Algorithm. Detection and prevention of brute-force and DDoS attacks was implemented in Matlab, with a GUI for each procedure: log file data for both brute force and DDoS is selected in the GUI and initialized, after which both attacks can be detected. In the case of a brute-force attack, the intruder tries all possible combinations of the password; the system creates a fitness function to identify the possibly malicious records. To distinguish malicious from non-malicious users during brute-force detection, access is granted only if the evaluation value generated by the server matches the value entered by the user; otherwise access is denied. After the detection and prevention of both attacks, the procedure is stopped and the values of three parameters, i.e. Accuracy, Recall and Precision, are tabulated by repeating the same procedure at least 10 times. This system gives individual users a secure platform for file sharing but is limited by the fact that
whatever data is transmitted from the client side to the server side, or the other way around, is sent in plain (unencrypted) form.

(Carlisle & Guy-Vincent, 2010) introduced a system of lightweight protection against brute-force login attacks on web applications based on the idea of a sliding window. The principle is as follows: for every "direction" (an attribute being tracked, such as a username or a client address), define the size of a window (in time units) and an acceptable number of "hits" in that window, that is, a maximum number of times a particular value may appear (a "hit") inside the window. All values of the data items tracked along this direction are observed for the length of the window, and if a value reaches the maximum number of hits permitted for that direction, a defensive measure is taken against that value. The "defensive measure" taken when the maximum number of hits is reached is a refusal to process requests for that value for a given period. This system can be used to slow down brute-force attacks and can also prevent attac ks on knowledge-based (security) questions. By providing several "directions", it lets users adjust the level of permitted requests per time unit for different types of information. Likewise, by decoupling the protection subsystem from the authentication subsystem, it provides a non-intrusive solution that can be easily incorporated into existing applications without significant time penalty, with no code modification and no database changes at all.

(Mobin & Vern, 2013) proposed a general approach for detecting distributed, potentially stealthy activity at a site. The foundation of the technique lies in detecting change in a site-wide parameter that summarizes aggregate activity at the site. The approach was explored for detecting stealthy distributed SSH brute-forcing activity, showing that the process of legitimate users failing to authenticate is well described by a beta-binomial distribution. This model allows the detector to be tuned to trade off an expected level of false positives against time-to-detection. The detection approach applies two components in sequence. First, the Aggregate Site Analyzer monitors the site's activity to detect when an attack of some kind occurs. Then, upon detection, the Attack Participants Classifier analyzes the activity to identify who participated in the attack (which remote systems). Using the detector, the prevalence of distributed brute-forcing was studied and found to occur regularly; the participating attack hosts would have evaded detection by a pointwise host detector. Attacks on a wide variety of machines could have been detected using a detector with a site-wide view, but instances of stealthy attacks that would have proved very hard to identify other than in aggregate were also found. Attacks found at different sites were correlated, and many of them appear at numerous sites at the same time, indicating indiscriminate global probing; various attacks that clearly targeted only the local site were also found. Some attacks also show considerable persistence, lasting multiple months. Finally, it was found that such detection can have significant benefits: users do at times pick weak passwords, enabling brute-forcers to occasionally succeed.

(Bahaa, 2012) gave a compact model with real-time detection to prevent SSH brute-force attacks. The model blocks the IP addresses of unsuccessful logins for a period decided by the administrator and provides the administrator with remote monitoring of who attempted to hack the server by sending e-mails about the blocked IP address using SSMTP (secure simple mail transfer protocol), a send-only sendmail emulator for machines that normally pick their mail up from a centralized mail hub (via POP or IMAP). The idea of the model came from checking the SSH server log file for failed login attempts; this check revealed hundreds of failed attempts by attackers against the server, starting with the root account and continuing with a dictionary of well-known username/password combinations. After running the model for over three months, it was noted that a few highly skilled attackers simply used a trusted IP address as the username, so that the software would block the attacker's IP address and also the victim IP address used by the attacker as a username; this is an issue also affecting denyhosts and sshit. The issue was noticed through the remote monitoring, which showed a significant number of trusted IP addresses blocked, so an adaptive mechanism was built in to distinguish the attacker's IP address from a victim IP address that may be used by an attacker, after which the program blocks only the attacker's IP address.

(Satomi & Yuki, 2014) identified a novel type of brute-force attack, named Ephemeral BFs, by observing multiple servers and visualizing the targeted destination IPs (dst-IPs) and detection time. According to statistics about Ephemeral BFs, it is insufficient to detect them by gathering IDS logs from a single server and applying existing detection methods. To counter Ephemeral BFs, a system named DEMITASSE for detecting and mitigating the harm
caused by Ephemeral BFs was proposed. DEMITASSE comprises two stages. The first stage detects dst-IPs from IDS logs earlier than would be possible by gathering a large volume of logs, by using the relationships among source IPs (src-IPs), detection time and the number of login trials. The second stage mitigates the harm by shutting down traffic from IPs corresponding to Ephemeral BFs. DEMITASSE identifies dst-IPs using the relationship among src-IPs, detection time and the number of login trials from a limited amount of IDS logs, and then mitigates the harm by shutting down traffic from the src-IPs suspected of mounting the next Ephemeral BF attacks. Feasibility studies with the authors' IDS logs showed that DEMITASSE can effectively mitigate the harm and protect dst-IPs.

Limitation of Related/Existing Works
From the research works reviewed, many of the brute-force prevention models developed are susceptible to weak passwords chosen by users and to weak password policies employed by service providers, giving rise to other security issues such as Distributed Denial of Service (DDoS). The few that are highly susceptible require the use of encryption algorithms for the storage or transmission of information. Therefore, there is a need for a brute-force prevention system for cloud-based applications that implements various encryption algorithms for storing and transmitting information.

3. METHODOLOGY
For this research, a cloud computing network that employs a symmetric-key algorithm for its data encryption was considered. The symmetric-key algorithm adopted is the Data Encryption Standard. DES was chosen because of its susceptibility to brute-force attacks owing to its short encryption key. DES was adopted as an industry standard and has been widely used in the government, private and public sectors of various industries to secure information; the algorithm prides itself on its strong internal structure and design techniques. The brute-force prevention framework acts as a new layer of security that uses a one-time password to give users secure access and a hash function to generate the DES key by salting the user's password.

The initial stage of development involved preliminary research to identify the initial requirements, which are interacting with the user and the server. WAMP (Windows, Apache, MySQL, PHP) was used for generating the one-time password and the DES key, enforcing the password policy, storing the user's credentials and performing authentication. The research design is the process of structuring the system under study following the specifications of the processing requirements. The objective is to provide adequate security for user information stored in a cloud computing environment that uses the Data Encryption Standard. The concept of creating another level of security is to authenticate every user into the cloud environment using a one-time password mechanism, to enforce password policies and to generate the DES key by hashing the user's password with a randomly generated salt. All of these are directed towards improving security performance.

Password Policy
Password policies were enforced for every user of the system in order to provide an additional level of security to the brute-force prevention system. These policies must be followed in order to use the system; otherwise, in some situations, the user will be denied access to the system. The policies are:
1. Every password must contain at least one lowercase letter, one UPPERCASE letter, one digit and one symbol from the set (@#\-_$%^&+=§!.), with a minimum length of 8 characters.
2. More than five login attempts will result in the user being denied access to the account.
3. A change of password without correctly supplying the previous password will result in the user being denied access to the account.
4. The user's password must be changed periodically, otherwise the account will be blocked.

Data Encryption Standard Key
The DES key is required for encrypting data in any encryption system that uses the Data Encryption Standard. In this research, the key is generated by hashing the user's password (which conforms to the password policies) with a randomly generated salt value. Following the password policies, the user is required to change the password periodically, which in turn generates a new key. This scheme helps to provide the intended level of security.

Password Hashing and One-Time Password
For the proposed research, the user's password and DES key will be hashed using the Secure Hash Algorithm 256 (SHA-256) and stored, while the
then implemented and tested. To achieve the set of Key-Hash Message Authentication Code – Message
objectives, HTML (Hyper Text Mark-up Language), Digest 5 (HMAC-MD5) will be used to perform a
CSS (Cascading Style Sheet) and JavaScript (front One-Time Password Challenge-Response
and back end) was used in designing the interface and

13 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
International Journal of Computer Science and Information Security (IJCSIS),
Vol. 17, No. 2, February 2019

authentication mechanism utilizing the user's


password as key and the unique One Time Password
as message for each authentication.

Procedure/Algorithm in achieving the Research Goals
This procedure is divided into three stages, which include registration, authentication and password recovery. The procedure concludes that no malicious action was conducted when a straightforward path is followed.

1. Registration
INPUT: Sign Up
Begin
a. Input a valid username, phone number and password (a password that follows the password policies given).
b. Compare the username, phone number and password entered.
c. Compute the DES key by hashing the user's password with a random salt.
d. Set a timer for the next change of password, and thus the change of DES key.
e. Return the logged-in user and redirect to the dashboard.
End.
OUTPUT: Login user and redirect to dashboard
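
The Password Policy, Data Encryption Standard Key and Registration stages described above, worked through as an added Python example written for this edit; it is not code from the paper's PHP/JavaScript prototype. It enforces the page's rule 1 (character classes, the page's symbol set, minimum length 8), rejects dictionary words as section 4 states the system does, derives the DES key from a salted SHA-256 digest, stores a separate salted hash of the password, and starts the rotation timer of rule 4. Assumptions not on the page: the 30-day rotation interval, the tiny constructed word blocklist, truncating the 256-bit digest to DES's 8 key bytes with odd parity set, the "des-key:" label that keeps the key digest distinct from the stored password hash, and the record field names.

```python
import hashlib
import os

# Rule 1 on the page: one lowercase, one UPPERCASE, one digit, one symbol from
# this set, minimum length 8.  The symbol set is copied from the page.
ALLOWED_SYMBOLS = "@#\\-_$%^&+=§!."
MIN_LENGTH = 8
# Section 4 says dictionary words are rejected; the page gives no word list,
# so this tiny blocklist is a constructed stand-in.
DICTIONARY_WORDS = ("password", "welcome", "qwerty", "letmein")
# Rule 4 requires periodic password change but the page states no interval;
# 30 days is an assumed value for this example.
ROTATION_PERIOD_SECONDS = 30 * 24 * 3600
DES_KEY_BYTES = 8


def check_password_policy(password: str) -> list:
    """Return the policy violations found; an empty list means the password
    is acceptable under the page's rules."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in ALLOWED_SYMBOLS for c in password):
        problems.append("no symbol from the allowed set")
    lowered = password.lower()
    for word in DICTIONARY_WORDS:
        if word in lowered:
            problems.append("contains dictionary word %r" % word)
    return problems


def derive_des_key(password: str, salt: bytes) -> bytes:
    """SHA-256 over a label, the salt and the password, truncated to DES's
    8-byte key with odd parity set on every byte (the FIPS 46-3 convention).
    Truncating the digest is this example's assumption about how the page's
    256-bit hash becomes a 64-bit DES key."""
    digest = hashlib.sha256(b"des-key:" + salt + password.encode("utf-8")).digest()
    key = bytearray(digest[:DES_KEY_BYTES])
    for i, byte in enumerate(key):
        if bin(byte).count("1") % 2 == 0:
            key[i] = byte ^ 0x01      # flip the parity bit so each byte has odd parity
    return bytes(key)


def password_verifier(password: str, salt: bytes) -> str:
    """What the server stores instead of the password: SHA-256(salt || password).
    The "des-key:" label in derive_des_key keeps the two digests distinct."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def register(users: dict, username: str, phone: str, password: str, now: float) -> dict:
    """Registration stage: enforce the policy, salt and hash the password,
    derive the DES key and start the rotation timer."""
    problems = check_password_policy(password)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    if username in users:
        raise ValueError("username already in use")
    salt = os.urandom(16)
    record = {
        "phone": phone,
        "salt": salt,
        "password_hash": password_verifier(password, salt),
        "des_key": derive_des_key(password, salt),
        "password_updated": now,
        "next_update": now + ROTATION_PERIOD_SECONDS,
    }
    users[username] = record
    return record


def change_password(record: dict, new_password: str, now: float) -> bytes:
    """Rule 4 and the edit page: a new password means a fresh salt, a new DES
    key and a reset timer.  Returns the new key."""
    problems = check_password_policy(new_password)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    record["salt"] = os.urandom(16)
    record["password_hash"] = password_verifier(new_password, record["salt"])
    record["des_key"] = derive_des_key(new_password, record["salt"])
    record["password_updated"] = now
    record["next_update"] = now + ROTATION_PERIOD_SECONDS
    return record["des_key"]


def rotation_overdue(record: dict, now: float) -> bool:
    """Rule 4: True once the account should be blocked until the password changes."""
    return now >= record["next_update"]
```

Keeping the stored password hash and the DES key derivation under different labels matters: if the key were simply the leading bytes of the stored hash, anyone who could read the user table would also hold the encryption key, so the page's separate "hashed and stored" password and "generated" key are kept as two distinct digests here.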

2. Authentication
INPUT: User login
Begin
a. Input a valid username and password.
b. Compare the username, which is sent first to the server.
c. Compute a row with the username and a random one-time passphrase and store it in a table on the server.
d. Return the passphrase to the client.
e. Compute the passphrase with the password.
f. Return the passphrase with the newly hashed password to the server.
g. Compare the newly hashed password by hashing the password in the table on the server with the passphrase.
h. If the login attempt count is more than 5,
i. If the username and password are invalid, lock the account for a period of time.
j. Else if the username and password are valid,
k. Return user is logged in.
End.
OUTPUT: User is logged in

Figure 3.1: Registration
Source: Researcher (2017)

Figure 3.2: Authentication using OTP
Source: Researcher (2017)
3. Password Recovery
INPUT: valid username
Begin
a. Input a valid username.
b. A notification is sent to the user's email.
c. The account is unlocked.
End.
OUTPUT: account is unlocked
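
The Authentication and Password Recovery stages above as one runnable exchange, written for this edit in Python; it is an added example, not code from the paper's prototype. Both sides are shown: the server mints and stores a random one-time passphrase (steps c and d), the client answers with HMAC-MD5 keyed with its hashed password over that passphrase (steps e and f; HMAC-MD5 is what the page specifies, and hashlib.sha256 would drop in unchanged), and the server recomputes the MAC from its stored SHA-256 hash, compares it in constant time, counts failures, locks the account for an hour after five (the duration reported in section 4) and discards the passphrase so it is accepted only once. Assumptions not on the page: the salt is returned to the client with the challenge, the record field names and result messages, and hex-encoded digests as the HMAC key and response.

```python
import hashlib
import hmac
import os
import secrets

MAX_FAILED_ATTEMPTS = 5       # password policy rule 2
LOCKOUT_SECONDS = 3600        # one hour, as reported for the experiment in section 4


def make_user_record(password: str) -> dict:
    """Constructed server-side row: SHA-256(salt || password) is stored in
    place of the password, as the page describes."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "password_hash": hashlib.sha256(salt + password.encode("utf-8")).hexdigest(),
        "failed_attempts": 0,
        "locked_until": 0.0,
        "pending_otp": None,
    }


def issue_challenge(record: dict) -> tuple:
    """Server steps c-d: mint a random one-time passphrase, store it against the
    user's row and send it to the client.  Returning the salt alongside it is
    this example's assumption; the page does not say how the client learns it."""
    otp = secrets.token_hex(16)
    record["pending_otp"] = otp
    return otp, record["salt"]


def otp_response(otp: str, password: str, salt: bytes) -> str:
    """Client steps e-f: HMAC-MD5 keyed with the hashed password, over the OTP."""
    key = hashlib.sha256(salt + password.encode("utf-8")).hexdigest().encode("ascii")
    return hmac.new(key, otp.encode("ascii"), hashlib.md5).hexdigest()


def verify_login(record: dict, response: str, now: float) -> tuple:
    """Server steps g-k: recompute the MAC from the stored hash, compare in
    constant time, count failures, lock after five, and consume the OTP so a
    captured response cannot be replayed."""
    if now < record["locked_until"]:
        return False, "account locked"
    otp = record["pending_otp"]
    record["pending_otp"] = None           # one-time: consumed whatever the outcome
    if otp is None:
        return False, "no challenge outstanding"
    expected = hmac.new(record["password_hash"].encode("ascii"),
                        otp.encode("ascii"), hashlib.md5).hexdigest()
    if hmac.compare_digest(expected, response):
        record["failed_attempts"] = 0
        return True, "logged in"
    record["failed_attempts"] += 1
    if record["failed_attempts"] >= MAX_FAILED_ATTEMPTS:
        record["failed_attempts"] = 0
        record["locked_until"] = now + LOCKOUT_SECONDS
        return False, "account locked for one hour"
    return False, "invalid credentials"


def recover_account(record: dict) -> str:
    """Password recovery stage: the page e-mails the user and unlocks the
    account; the notification is represented here by the returned message."""
    record["failed_attempts"] = 0
    record["locked_until"] = 0.0
    return "notification sent to the registered e-mail; account unlocked"


def simulate_login(record: dict, password_attempt: str, now: float) -> tuple:
    """Both halves of one authentication exchange, for exercising the flow end to end."""
    otp, salt = issue_challenge(record)
    return verify_login(record, otp_response(otp, password_attempt, salt), now)
```

Because the server keys the MAC with the stored hash, that hash is the shared secret of the exchange and has to be protected as carefully as the password itself; the lockout and the password policy are what the page relies on to slow guessing, and clearing pending_otp before the comparison is what makes the passphrase one-time even when a response is captured.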


Figure 3.3: Password Recovery
Source: Researcher (2017)

4. RESULTS AND DISCUSSION

Implementation of the System
The prototype brute-force prevention system was hosted on a laptop with a 15.6-inch screen display set at a resolution of 1366×768 pixels and running Windows 10. The tools and technology used for implementing this system are PHP (Hypertext Pre-processor), HTML (Hypertext Mark-up Language), CSS (Cascading Style Sheet), JavaScript, MySQL and Apache. The brute-force prevention system was implemented using a One-time password, giving the user a secure login. The user inputs a valid username, phone number and password (a password that follows the password policies given), which gives them access to the cloud computing network. The user's password is then hashed with a random salt using a cryptographic hash function to derive the Data Encryption Standard key, which is valid for a given time duration. In this stage, the newly developed system undergoes testing from the first step of the system to the final step, as this is an important phase in the software development life cycle.

Figure 4.1: Registration page
Source: Researcher (2017)

Figure 4.2: Displaying invalid values
Source: Researcher (2017)

Operations that make up the System
The operations of the system are designed for and utilized by all users. The system has only one module, which is the user. These operations include:
1. Register credentials.
2. Log into the system.
3. Log out from the system.
4. View user details.
5. Edit user details.

Register Credentials
This interface enables users to create an account in the system by providing the necessary information, which includes: a valid username, which is an email address not already used by another user; a valid phone number for sending the user SMS messages; and a password that strictly follows the password policy implemented by the system. In this interface, there is a link that directs users to the login page.

Log into the System
This interface provides a form for users to input their information to be authenticated into the system. Following the password policy implemented, after 5 failed attempts the user's account will be temporarily blocked. There is a link on this page to redirect users to the register page.

Figure 4.5: Dashboard of the System
Source: Researcher (2017)

Edit User’s Credential
This interface provides a means for the user to edit their basic details. The details that can be edited include: username, phone and password. Changing the password will change the DES key of that user and will always update the 'password updated' and 'next update' fields. When updating the password, entering a wrong value for the current password 5 times will result in that user's account being blocked.

Figure 4.3: Login page
Source: Researcher (2017)

Figure 4.4: Blocked account
Source: Researcher (2017)

View User’s Credential
This interface displays the user's credentials. The information displayed includes: the username, phone, the date the password was updated, the latest date to change the password, a countdown timer to the next password change, and the user's unique Data Encryption Standard key.


Figure 4.6: Edit Page
Source: Researcher (2017)

Figure 4.7: Invalid information for editing
Source: Researcher (2017)

Experimentation and Testing
This study was conducted with 20 participants between the ages of 18 and 30, comprising both males and females. The experiment was conducted on a single computer system, and it took a long period of time to complete. The null hypothesis (H0) was that the scheme is resistant to brute-force attack, while the alternative hypothesis (H1) was that the scheme is not resistant to brute-force attack. In the first stage, all the users were trained on creating accounts, and thus each user had their own account. This gave every participant an underlying understanding of the concept of the scheme. In the second stage, attempts were made by all other participants to log into each user's account exhaustively.

Table 4.1: Summary of Experiment result
Number of Participants | Total Number of Logins | Successful Brute-force attacks (%) | Unsuccessful Brute-force attacks (%)
20 | 1900 | 0% | 100%

From Table 4.1 and observation, each account was blocked for a duration of an hour after 5 failed login attempts by an unauthorized person, and a notification about the status of the account was sent to the account owner. The null hypothesis is accepted, and this states that the system is resistant to brute-force attacks due to the strong passwords enforced by the password policy. However, if a successful brute-force attack occurred, it would be as a result of users disclosing or not properly securing their login credentials.

5. SUMMARY, CONCLUSION AND RECOMMENDATIONS
This research work is focused on brute-force prevention in a cloud-based encrypted network and applies to every electronic device with a web browser that has Internet access. The utilization of a one-time password, password policy and cryptographic hash function plays a major part in the application, as it provides another level of security which compensates for the short length of the DES key. The one-time password ensures that a password is used only once, the password policy enforces rules that must be adhered to in the system, and the DES key is generated by salting the user's password with a randomly generated salt. Changing the user's password directly affects the user's DES key, thus generating an entirely new key.

This research has shown a high resistance to brute-force attacks due to the password policies enforced. For example, words found in the dictionary cannot be used, as attempts to use them will be denied by the system. The DES key cannot be manipulated to obtain a key of larger length, so in order to increase security, several other security mechanisms must be put in place. The DES key length is not affected by these additional security measures, but the key is periodically changed due to one of the password policies enforced. The combination of these security features has provided a level of security which can be used to tackle several security threats already present on the network.

This research is recommended to service providers where the use of DES is predominant and also where little time is needed for encryption and decryption of data. It can integrate more security features while working with the current encryption standard.
