An identity based secure pattern authentication system

Abstract

Mobile security is critical today as the usage of mobile devices has been increasing and consequently mobile security becomes more crucial. People are frequently using mobile devices for secure storage of their sensitive data like social security numbers, credit card numbers etc. If these devices are not handled securely, anyone can access the devices by hacking authentication passwords. Pattern locking systems are commonly exercised for validating a user for mobile access. But these systems are not safe, and are subjected to pre-computation attacks like dictionaries, rainbow tables and brute-force attacks. Android Kit Kat and Lollipop pattern authentication systems are vulnerable to pre-computations since they use SHA-1 unsalted hashes. The latest versions of Android like Marshmallow utilize SCRYPT hashes and salts for authenticating the users; they need additional hardware support like Trusted Execution Environment (TEE) and Gatekeeper functionality. Therefore this research presents an alternative representation for mobile patterns using elliptic curves, and proposes three algorithms based on this ideology to make the pattern passwords strong against these attacks without using additional hardware. Security analysis regarding SAC (Strict Avalanche Criterion) and brute-force search space is also presented in this paper. Executions times are analyzed after the implementation of the three proposed methods.