USING SMARTPHONE TO PREVENT KEYLOGGING AND SHOULDER SURFING

Abstract

Intruders have developed many methods to obtain sensitive information- some of the information is private and confidential such as username and password. Although strong cryptographic algorithms and authentication schemes have been developed by other researchers, the credentials can be easily cracked through attacks such as brute-force, dictionary, shoulder surfing, and keylogging. This thesis presents a new approach to prevent two attacks, namely, keylogging and shoulder surfing. We propose a technique to login users into a secure account without entering their usernames and passwords on a physical or virtual keyboard. The usernames and passwords are stored in the smartphone and can be transferred to the system using Wi-Fi, NFC (Near-field communication) or Bluetooth technologies. Furthermore, the usernames and passwords are encrypted using AES-128 encryption algorithm. Since AES-128 encryption algorithm requires a secure key to encrypt data, we have used Diffie-Hellman key exchange algorithm to generate the secure key. Moreover, the secure key is verified using the one-way hash function SHA-256 as Diffie-Hellman is susceptible to man-in-the-middle attacks. A proof of concept prototype has been implemented and tested using Wireshark and USBlyzer to analyze the network traffic and to ensure that the credentials are transferred to the desktop application in an encrypted form.