Comparison of ZKP based Authentication Mechanisms for securing the web server

— Traditional authentication mechanisms aim at validating the authorized users to access the Information Systems such as web servers or services considering the various factors such as text based passwords, image based passwords, multi factors including password, biometric proofs. All these mechanisms store the authenticating factors in some form in a database or in a file system. There comes the thought that what will happen to the stored factors when they are exposed to the adversaries. This particular aspect insists the necessity to safeguard the Information Systems as well as the storage places. ZKP mechanisms eliminate the stored credentials to be validated. Instead, it allows one who wishes to prove his identity to the web server that he knows the authentication secret. The eligible user may be the group of administrators those who are maintaining the web server. We compared the variants of algorithms such as Feige-Fiat-Shamir identification scheme and The Guillou-Quisquater protocol in terms of their time efficiency to support authentication to secure the Web Server.


I. INTRODUCTION
Authentication is a mechanism to check the credibility of the user of a system. Authentication decides whether the user can access the system or not. Traditional authentication mechanisms like user id and password based authentication suffers the most common dictionary attack or attacks through key logging mechanisms, Shoulder surfing etc., In this paper , we have discussed the various types of authentication systems along with their shortcomings. Zero Knowledge Proof is a proof of the user's credibility without revealing his/her secret to the verifier. The memory requirements will greatly be reduced because of the advent of Zero Knowledge Proof. This type of authentication mechanism is best suitable for applications which pay more attention towards password secrecy. Zero Knowledge Proof finds its applications in Key Exchanges, Network Authentications

II. EXISTING SYSTEM
In the existing authentication mechanisms, the passwords are the authenticating entities passed in clear text form or they might be stored in the server in unencrypted form. Hence the authentication mechanisms needed to be revised. In the following section, we will be discussing the various types of authentication mechanisms

A. Derived Passwords
Storing the password in plain text format is a serious risk. Storing encrypted passwords may also be decrypted. Storing message digests of passwords is another improvement that can be done to safeguard the passwords. Server asking the client for partial passwords may also be helpful to avoid shoulder surfing and keyboard logging.

B. Token based authentication
Token authentication is nothing but generating one time passwords to the registered email or device generated randomly by an authentication token with a pre programmed seed value. The tokens are of two types: Challenge/Response tokens or time based tokens C. Certificate based authentication Digital certificate based authentication is stronger compared to password based authentication. Because of the fact that, digital certificate is possessed by the prover.

D. Biometric based authentication
Biometric authentication is based on something the user has in his body which is unique. The features considered are iris lines of an eye ball of a person, fingerprint, voice etc., It requires biometric authenticating device also to authenticate the users.
The following screenshot shows the security flaw in the traditional password based authentication systems. Wire shark tool which captured the username and password.

III. PROPOSED SYSTEM
The Proposed System focuses more on eliminating the necessity to store passwords in the database. Zero Knowledge Proof can definitely bring an evolution towards this traditional password based authentication mechanism. Let us revisit some of the algorithms to identify the prover.
The comparison of Fiat -Shamir algorithm and Guillou Quisquater shows the time efficiency of those algorithm s to verify the proof of statement provided by the prover.
The proposed system will be suitable for Entity Identification especially to safeguard the web server. The web server is one which is a hardware/software with trusted users issued with appropriate credentials. Web server is responsible for showcasing the Information about the particular organization/Industry. Web server is assigned with a public IP Address. Using the credentials, the user can access the web server to update or create or delete a new or existing web page. In traditional web server environment, the content update will be performed by the credible user for appropriate tasks through File Transfer Protocol server and client software.[FileZilla Client and FileZilla server software]

Fig. 2. Traditional FileZilla FTP Client Software
In Fig 2, the server side of the web server can be updated with the help of FTP Client software. There is a provision to investigate the login history when there is an attack.
A. Fiat Shamir ZKP Algorithm • It is the algorithm used by the potential prover to reveal his/her identity to the verifier.
• Some trusted third party will provide the multiplicative value of n which is the product of two large primes p and q. It is a one time setup. n=p*q (1) • Each prover will select his/her own secret value S which must be relatively prime to n.
ie., gcd(S,n)=1 (2) • Each prover will compute their own public key value by the following formula: v=s 2 mod n (3) • The prover publishes the result of equation (3) which is nothing but v to the verifier without revealing the secret S.
• Also, the prover chooses a random number r and computes r 2 mod n (4) where r may be any random positive integer.
• Verifier randomly selects a single bit value of 0 or 1 called e which is called the challenge and send e to the prover • The prover computes the response by using the following formula: y = r * S e mod n (5) • The computed value by the equation(5) will be sent to the verifier.
• The verifier will check the value of y. If the value is 0, the verifier will reject its proof. • Else, the verifier will compute another value y 2 congruent to r 2 * v e mod n (6) B. Test Bed Environment : • Fiat -Shamir Cryptographic Identification scheme is implemented in Java with NetBeans IDE • The Client Server model was applied • Time Efficiency for both prover and verifier model was calculated in terms of milliseconds • The results are shown in the following figures.

V. CONCLUSION
This work suggests replacing the traditional Password based authentication with Zero Knowledge Proof authentication schemes in applications which require at most security from attacks such as shoulder surfing, Password sniffing, Hacking/Stealing passwords etc.,