Monday, 14 September 2015

Defending Shoulder Surfing Attacks in Secure Transactions Using Session Key Method



When a PIN is entered as a numeric password on a mobile or stationary system, the Shoulder Surfing Attack (SSA) becomes a serious concern. To establish a secure transaction, the Session Key mechanism is proposed. The session key method has 4 rounds: the first round is the session key decision round, and the remaining three rounds are PIN-entry rounds.

In the session key decision round, ten randomly arranged symbols are displayed to the user. The user can pick any of the symbols and assign it to the 1st digit of the PIN using the "Up" and "Down" buttons. If the user presses the "Up" button, all the symbols move upwards; if the user presses the "Down" button, all the symbols move downwards. Using these Up and Down buttons, the user moves the chosen symbol onto the PIN digit and then presses "OK". Because every symbol moves together in whichever direction the user is moving them, a shoulder surfer who watches the entry, or even records the whole process, cannot tell which symbol was chosen and so cannot find the PIN. In the next round the symbols are shuffled again, with new symbols as well, so guessing or finding the PIN from this session key logon procedure is very hard. At this point the session key has been decided by the user and the 1st digit of the PIN is validated.

This same session key (symbol) must be used for the remaining 3 rounds, which form the PIN-entry method: the ith digit of the PIN is entered in the ith round (here i = 2, 3, 4). In each of these rounds the 10 symbols are shuffled, and the user again moves the session key symbol onto the digit for that round using the "Up" and "Down" buttons, then presses "OK". When the user presses the OK button, the digit under the session key is taken as the PIN digit for that round.

This method makes it harder for a criminal to obtain the PIN even if the attacker fully observes the entire input of the PIN-entry procedure. For the secure transaction, an HMAC (Hash Message Authentication Code) is used to compress the PIN under a secret key, and the HMAC rather than the PIN is sent to the server over the public channel, so that an active attacker cannot extract the PIN by monitoring the channel. Once the server has authenticated the PIN, the Quick Response for the mobile app redirects the user to the services, and a secure transaction between the mobile app and the server is established using the Session Key Method.
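To make the four rounds concrete, here is a small simulation added to this post (it is not code from the paper or its authors). It models the ten symbols as a wheel whose slots 0..9 stand for the PIN digits, the "Up"/"Down" presses as rotations of the whole wheel, and the HMAC step as the paper describes it. The symbol set, the PIN, the shared secret and the use of SHA-256 are all constructed assumptions for the example; it also checks the security claim directly, by listing what the four final wheel positions reveal to someone who saw every press: one consistent candidate PIN per symbol, with nothing to say which of the ten symbols the user picked.

```python
"""Toy model of the session-key PIN-entry rounds (constructed example, not the paper's code)."""
import hashlib
import hmac
import random

SYMBOLS = list("ABCDEFGHIJ")  # constructed placeholder symbols; slot i of the wheel is PIN digit i


def shuffle_wheel(rng):
    """Random arrangement of the 10 symbols; wheel[i] is the symbol currently over digit i."""
    wheel = SYMBOLS[:]
    rng.shuffle(wheel)
    return wheel


def press(wheel, button):
    """One button press moves every symbol one slot together ('Up' is towards slot 0)."""
    if button == "Up":
        return wheel[1:] + wheel[:1]
    if button == "Down":
        return wheel[-1:] + wheel[:-1]
    raise ValueError("unknown button: %r" % button)


def align(wheel, symbol, digit):
    """The user's action for one round: press 'Down' until `symbol` sits over `digit`.

    Returns the final wheel (what the screen shows at 'OK') and the press count
    (both visible to an observer). Terminates within 10 presses."""
    presses = 0
    while wheel[digit] != symbol:
        wheel = press(wheel, "Down")
        presses += 1
    return wheel, presses


def run_session(pin, session_symbol, seed=0):
    """Round 1 fixes the session symbol over digit 1; rounds 2-4 re-shuffle and the
    same symbol is moved over digits 2, 3, 4. Returns the four final wheels."""
    rng = random.Random(seed)  # seeded only so the example is reproducible
    finals = []
    for digit in pin:
        wheel, _ = align(shuffle_wheel(rng), session_symbol, int(digit))
        finals.append(wheel)
    return finals


def recover_pin(finals, session_symbol):
    """What the app reads off after each 'OK': the digit under the session symbol."""
    return "".join(str(w.index(session_symbol)) for w in finals)


def observer_candidates(finals):
    """Everything the four final wheels reveal: one candidate PIN per symbol.

    Because every symbol moved together, the wheels are equally consistent with
    each of the ten choices, so the PIN is not pinned down by observation alone."""
    return {s: recover_pin(finals, s) for s in SYMBOLS}


def pin_tag(secret_key, pin):
    """HMAC over the PIN under the shared secret; this tag, not the PIN, crosses the channel."""
    return hmac.new(secret_key, pin.encode(), hashlib.sha256).hexdigest()


def server_verify(secret_key, stored_pin, received_tag):
    """Server side: recompute the tag over the stored PIN and compare in constant time."""
    return hmac.compare_digest(pin_tag(secret_key, stored_pin), received_tag)


if __name__ == "__main__":
    pin, symbol = "4821", "C"          # constructed sample PIN and session symbol
    finals = run_session(pin, symbol, seed=7)
    print("app recovers:", recover_pin(finals, symbol))
    print("observer's candidates:", observer_candidates(finals))
    key = b"constructed-shared-secret"
    print("server accepts:", server_verify(key, pin, pin_tag(key, pin)))
```

The candidate list is the practitioner's check on the scheme: a recording of all four rounds leaves ten equally plausible PINs, so the design reduces a full observation to a one-in-ten guess rather than to certainty; any lockout policy on the server should be set with that residual guessing space in mind.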

http://ijsetr.org/wp-content/uploads/2015/02/IJSETR-VOL-4-ISSUE-2-330-335.pdf
