=Paper=
{{Paper
|id=Vol-3826/short3
|storemode=property
|title=The system of secured user’s credentials transfer (short paper)
|pdfUrl=https://ceur-ws.org/Vol-3826/short3.pdf
|volume=Vol-3826
|authors=Oleksandr Korchenko,Yevheniia Ivanchenko,Ihor Ivanchenko,Yevhenii Pedchenko,Mari Petrovska
|dblpUrl=https://dblp.org/rec/conf/cpits/KorchenkoIIPP24
}}
==The system of secured user’s credentials transfer (short paper)==
The system of secured user’s credentials transfer
Oleksandr Korchenko 1,*,†, Yevheniia Ivanchenko 2,†, Ihor Ivanchenko 2,†, Yevhenii Pedchenko 2,† and Mari Petrovska 2,†
1 State University of Information and Communication Technologies, 7 Solomianska str, 03110 Kyiv, Ukraine
2 National Aviation University, 1 Liubomyra Huzara ave., 03058 Kyiv, Ukraine

Abstract
This paper describes a developed system for the secured transfer of user credentials from a user’s web browser to a web application server. It describes in detail the operation of an advanced 10-level encryption algorithm for user credentials and presents a High-Level Design system that represents the algorithm’s step-by-step execution. The basis of this algorithm is the verification of user data to detect illegal (malicious) activity when a user enters a login and password. Based on the presented encryption algorithm, an experimental study is carried out on the developed user authorization web page and on the processing of the entered credentials, before sending and after receiving the data processed by the web server.

Keywords
cybersecurity, MITM, brute-force, frontend, backend, authorization, authentication, user protection, database protection, data privacy, credentials

CPITS-II 2024: Workshop on Cybersecurity Providing in Information and Telecommunication Systems II, October 26, 2024, Kyiv, Ukraine
* Corresponding author.
† These authors contributed equally.
agkorchenko@gmail.com (O. Korchenko); evivancenko@gmail.com (Y. Ivanchenko); ihor.ivanchenko@npp.nau.edu.ua (I. Ivanchenko); pedchenko.ievhenii@npp.nau.edu.ua (Y. Pedchenko); pmarisha2004@gmail.com (M. Petrovska)
ORCID: 0000-0003-3376-0631 (O. Korchenko); 0000-0003-3017-5752 (Y. Ivanchenko); 0000-0003-3415-9039 (I. Ivanchenko); 0000-0001-8436-5792 (Y. Pedchenko); 0009-0005-2150-2194 (M. Petrovska)
© 2024 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (ceur-ws.org), ISSN 1613-0073

1. Introduction
Nowadays, when most companies work with clients through web applications, creating and using a personalized user account requires unique credentials, which are one of the key targets of attackers. For giant companies with a certain market share, developing a secure web application is a common task, as these companies can maintain a full department of developers who will develop and improve the web application. For new companies or SMBs, however, this task is very critical, as they are unable to maintain a sufficient number of developers to cover all the tasks necessary for developing a web application, including security. Therefore, these companies either do not use security for their web applications at all and remain vulnerable to cyber-attacks, or spend a significant portion of the company’s budget on implementing 3rd-party technologies to ensure the secure operation of web applications, secure user authentication, and the transfer of personal data.
Based on the analysis, Table 1 shows a list of the Top 5 commercial technologies used by companies and a list of threats that are prevented by these technologies.

2. Problems of transferring user’s credentials between client and server
In modern cyberspace, where most of the world’s users are located in virtual networks, where companies are migrating their computing to cloud service providers, and where the number of Internet users and unique devices is growing every day, the problem of ensuring the secure transfer of users’ credentials to the web-application server remains.
Most modern web applications have a field for entering a login and password to gain access to the internal closed resources of the web application and the stored personal data of the credential holder. However, some of these web applications contain only partial security checks of the entered user’s login and password, or none at all, such as:
- Lack of security checks on a large number of password entries, which leads to a Bruteforce attack.
- Lack of security checks of the content of the credentials entered by the user, which leads to a SQL-Injection attack, etc.
In most cases, companies, in order not to modify the client-server part, which may affect the performance of the developed web application, use various commercial solutions to close and prevent potential cyber threats or cyberattacks that target the performance of the web application and the leakage of commercial information and personal data of the company’s employees/customers [1]. Therefore, the task of securely transferring user credentials entered in the form of a web application is relevant today.
Therefore, the main goal of this paper is to develop an effective and simple way to verify user input of credentials (login and password) to access the internal resources of a web application and prevent Bruteforce and Man-in-the-Middle (MITM) attacks using improved and built-in web application tools [2].
To achieve this goal, the following tasks need to be completed:
1. Analyze existing technologies and web attacks that cause monetary and reputational losses to companies.
2. Develop an improved HLD (High-Level Design) system, algorithm, and software solution for secure transmission and verification of user credentials (login and password).
3. Conduct an experimental study of the developed improved version of the user credentials input verification.
The novelty of this paper is the improvement of the user authentication system of web applications by applying procedures for security verification of the entered credentials and their contents to detect malicious code, which will allow companies to protect the transfer of users’ credentials and personal data at the initial stage of the company’s growth and protect the company’s services from leakage, hacking and disruption without the use of third-party technologies [3].
Based on the analysis, Table 1 shows a list of the Top 5 commercial technologies used by companies and a list of threats that are prevented by these technologies:
Table 1
Top 5 commercial technologies that are needed to protect companies’ web application
Columns (Technology | Attack): Bruteforce Attacks; OWASP Top 10 Attacks; DoS Attacks; DDoS Attacks; Bots Attacks; Malware Attacks; Man-in-the-Middle (MITM) Attacks
Web Application Firewall (WAF) [4]: + + + + +
DoS/DDoS Protection [5]: + + +
Multi-factor Authentication (MFA) [6]: + +
Static Application Security Testing (SAST) [7]: + + +
Dynamic Application Security Testing (DAST) [8]: + + + +
It should be considered that companies eliminate vulnerabilities that are found after writing web applications and publishing them on the Internet using each of the above technologies.

3. Developing of high-level design system
To present the principle of operation of the encryption methods used to transfer the login and password to the web application server, a High-Level Design (system) was developed that visually demonstrates the step-by-step processing of the data entered by the user and their sequential transmission to the web application server.
This approach is based on the 10-level principle (each of these levels is described below) of transferring the login and password to authenticate the user and ensure the authorization of a legitimate user to the internal resources of the web application, as shown in Fig. 1.

Level 0. This level is used to establish an encrypted connection between the client and the server, in this case between the client’s browser and the server side of the website, using the SSL protocol with a set of ciphers and protocols not lower than TLS 1.2 or TLS 1.3 [9] and an encryption key size not lower than 4096 bits. This encrypted connection is necessary to avoid MITM attacks and to prevent an illegitimate user from joining the session.

Level 1. At the first level, after successfully establishing a connection with the web server, the user is shown the web application login page, where the user is prompted to enter the login and password of the user registered in the web application.

Level 2. After the user enters the login and password, a Hash function of the login is generated using the SHA-256 hash algorithm [10], so that the protected data cannot be decrypted, and the result is transferred to the web application server for further processing.

Level 3. After the web application server receives the encrypted user login, three additional protection and verification modules are enabled to prevent the use of the Bruteforce attack:
- In the first stage, the client’s IP address is stored.
- In the second stage, the number of unsuccessful attempts to authorize the client is counted.
- In the third stage, the received content is checked for embedded injections that may affect the functionality of the web server and the web application database.
After successful verification by the built-in security modules and a verdict that the session is from a legitimate user, the main module is connected, which loads the Hash functions of all users’ logins into the web server’s RAM and searches this list for the login Hash received from the user.

Level 4. After finding an identical unique user, a one-time “Salt” (token) [11] is created on the web server side, which is recorded in the database and transferred to the user. This token is valid only once, and the next time the user logs in, the “Salt” will be changed.

Level 5. When the client receives the one-time token, the password encryption process starts. To transfer the password, we use our own developed encryption algorithm consisting of three steps:
- Creating a Hash function of the password entered by the user.
- Adding the one-time “Salt” (token) to the created Hash function of the password.
- Creating a Hash function of the data string obtained in the second step.
As a result, we get an encrypted password that cannot be decrypted back, since a one-way encryption method is used.
It is also important to note that the encrypted password string will be different for each authorization, which helps to avoid MITM attacks and prevents the reuse of the encrypted password string for authorization on the web application.

Level 6. After encrypting the user’s password at Level 5, the encrypted login and password are transmitted to the web application server via the created SSL channel.

Level 7. After the web application server receives the encrypted login and password from the user, the procedure described in Level 3 is repeated, and the user’s login is compared by its Hash function, which allows the server to obtain the one-time token (Salt) and the password in the form of a Hash function from the database; then an operation similar to the one described in Level 5 is performed on the received encrypted data. After all the necessary calculations are performed, the generated encrypted password is compared with the one-time token and the encrypted password received from the client.
It is important to note that before comparing the data, the data received from the user is checked for injections to prevent database hacking and disruption of the web server.

Level 8. At this almost final level, in case of successful comparison of the login Hash function and the encrypted password received from the user, a final one-time access token is generated for the user, which entitles the user to access the internal resources of the web application and to receive a link to the main page. Accordingly, the new one-time token is also stored in the database.

Level 9. After successfully passing all of the above levels, the user is authenticated to the web application and follows the link received from the web application, which gives the user the right to use the capabilities of the web application within the limits of the authorized access rights and the configured role-based access control model (RBAC) [12].
Figure 1: High-level design system of secure login and password transmission from client to web application server via secured tunnel
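The Level 2 to Level 8 exchange of Fig. 1 as a runnable single-process simulation with a Client and a Server side. This is an added example written for this page, not code from the paper or from the authors’ Enco Console application. Assumptions that the paper does not fix are labelled in the comments: hashes are SHA-256 hex digests; the one-time Salt is 32 random bytes rendered as 64 hex characters, which makes step 2 of Level 5 exactly the 128-character string mentioned in Section 4; the server keeps SHA-256(password) from registration so that Level 7 can recompute the client’s value; and Python dicts stand in for the database and for the RAM list of login hashes. The test credentials root / qwerty12345 are the ones used in Section 4.

```python
# Added example (not the paper's or Enco Console's code): Levels 2-8 of Fig. 1
# simulated in one process. Assumed: SHA-256 hex digests, a 64-hex-char
# one-time Salt, SHA-256(password) stored at registration, dicts as the DB.
import hashlib
import hmac
import secrets


def sha256_hex(data: str) -> str:
    """Hash function used at Levels 2, 5 and 7 (assumed: SHA-256, hex output)."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


class Server:
    """Web application server side: Levels 3, 4, 7 and 8."""

    def __init__(self) -> None:
        self.users = {}     # login hash -> stored SHA-256(password)  (stands in for the DB)
        self.salts = {}     # login hash -> outstanding one-time Salt  (Level 4 record)
        self.sessions = {}  # session token -> login hash             (Level 8 record)

    def register(self, username: str, password: str) -> None:
        # Assumed registration step: the DB keeps the login hash and the password hash.
        self.users[sha256_hex(username)] = sha256_hex(password)

    def issue_salt(self, login_hash: str):
        """Level 3/4: find the login hash in the list of all users' login hashes
        and mint a one-time Salt for it; unknown logins get nothing."""
        if login_hash not in self.users:
            return None
        salt = secrets.token_hex(32)  # 64 hex characters (assumption)
        self.salts[login_hash] = salt
        return salt

    def verify(self, login_hash: str, client_proof: str):
        """Level 7/8: recompute the Level 5 value from the stored password hash
        and the recorded Salt, compare in constant time, issue a session token."""
        salt = self.salts.pop(login_hash, None)  # consumed whether or not the check passes
        stored_pw_hash = self.users.get(login_hash)
        if salt is None or stored_pw_hash is None:
            return None
        expected = sha256_hex(stored_pw_hash + salt)
        if not hmac.compare_digest(expected, client_proof):
            return None
        session = secrets.token_hex(32)
        self.sessions[session] = login_hash
        return session


class Client:
    """Browser side: Levels 2 and 5."""

    @staticmethod
    def login_hash(username: str) -> str:
        return sha256_hex(username)  # Level 2

    @staticmethod
    def password_proof(password: str, salt: str) -> str:
        step1 = sha256_hex(password)   # Level 5, step 1
        step2 = step1 + salt           # step 2: 64 + 64 = 128 characters
        return sha256_hex(step2)       # step 3: the value sent at Level 6


def login(server: Server, username: str, password: str):
    """Whole exchange; returns the session token or None."""
    lh = Client.login_hash(username)
    salt = server.issue_salt(lh)
    if salt is None:
        return None
    return server.verify(lh, Client.password_proof(password, salt))


if __name__ == "__main__":
    srv = Server()
    srv.register("root", "qwerty12345")  # the paper's test credentials
    print("session:", login(srv, "root", "qwerty12345"))
    print("wrong password:", login(srv, "root", "wrong"))
```

login() runs the whole exchange; a second verify() with the same proof fails because the Salt is consumed at Level 7, which is the replay property the paper relies on. Note what the stored value is: SHA-256(password) is exactly step 1 of Level 5, so the database record is itself a password equivalent and its protection stays essential; the one-time Salt protects the transcript, not the stored hash.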
The algorithm described above, presented as an HLD system, will allow companies developing web applications to provide comprehensive verification and secure transfer of user credentials to the webserver, to avoid the possibility of MITM and Bruteforce attacks, and to avoid the need to purchase commercial solutions (the types of which are presented in Table 1) at the early stages of company and web application development.

4. Experimental investigation of the developed algorithm processing for secure transmission of user’s credentials
Based on the third section of this paper, which presents the algorithm of the developed approach to securely transfer user credentials to the web application server, the practical application of this algorithm is demonstrated below in this section.
For example, it will be used in the web application under development, “Enco Console”, which contains user login and password fields to access the internal capabilities and data of the web application (Fig. 2). For testing, we used the following test credentials: root (login) and qwerty12345 (password).
When you enter the user credentials and click the “Login” button, the algorithm described in the third section of this paper is executed. To provide a visual view of how user data is processed at each stage of execution, a function was added that displays an intermediate result.
At level 2 of the developed algorithm, after entering the login and password, a hash function of the user’s login is created and the processed data is sent to the web server (Fig. 3).
After successfully transferring the user’s login Hash function to the web application server and performing the necessary checks on the server side, the user receives a one-time token that will be valid only until the user is next asked to log in (Fig. 4).
Figure 2: User authorization form
Figure 3: Creating a Hash function for the user’s login “root”
Figure 4: Successfully receiving a one-time token (Salt) from the web server
After the successful receipt of the one-time token on the client side, the process of encrypting the user’s password takes place; the result must be transferred to the webserver to gain access to the internal resources of the web application (Fig. 5). There are three main operations involved in encrypting a user’s password:
1. Creating a Hash function of the entered user password, which makes it impossible to decrypt this string.
2. Adding the received one-time token (Salt) to the created password Hash function and forming a single 128-character expression [13].
3. Creating a Hash function of the single expression created in step 2.
Figure 5: Encrypting a user’s password before sending it to the web application server
After the web application server has successfully verified the received function, the user is sent a session key that will be valid only for one user session; at the next login, both the one-time token and the one-time session key will be changed. Along with the session key, the user receives a link to a page that provides access to the internal resources of the web application (Fig. 6).
Figure 6: Getting a session key and a link to go to the next internal page of the web application
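The three Level 3 protection modules (storing the client’s IP address, counting unsuccessful attempts, checking the received content for injections) together with the lockout policy stated in the closing paragraph of this section: after 3 unsuccessful attempts, the account and the IP address are blocked for up to 30 minutes. This is an added example, not code from the paper or from Enco Console. Assumptions: the client sends SHA-256 hex digests, so a well-formed login field is exactly 64 lowercase hexadecimal characters and anything else is treated as a possible injection before it can reach a query; the clock is injected so the lockout can be tested deterministically; an in-memory sqlite3 table queried only with parameterised statements stands in for the database. The names AttemptGuard, admit and report, and all sample values, are this example’s own.

```python
# Added example (not the paper's or Enco Console's code): the Level 3 modules
# with the Section 4 lockout policy (3 failures -> account and IP blocked for
# up to 30 minutes). Assumed: fields arrive as SHA-256 hex digests, an injected
# clock, and an in-memory sqlite3 table as the database.
import hashlib
import re
import sqlite3

MAX_FAILURES = 3        # from Section 4
LOCK_SECONDS = 30 * 60  # "up to 30 minutes", from Section 4
HEX64 = re.compile(r"[0-9a-f]{64}")


def looks_like_injection(field: str) -> bool:
    """Third stage: the only legitimate shape is a bare SHA-256 hex digest.
    Whitelisting that shape rejects quotes, comment markers, NUL bytes and
    length anomalies alike before the value can reach any query."""
    return HEX64.fullmatch(field) is None


class AttemptGuard:
    """First and second stage: remembers IP addresses and accounts, counts
    unsuccessful attempts per subject and applies the lock."""

    def __init__(self, now) -> None:
        self.now = now  # callable returning epoch seconds (injected for testing)
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE attempts (subject TEXT PRIMARY KEY, failures INTEGER, locked_until REAL)"
        )

    def _row(self, subject: str):
        cur = self.db.execute(
            "SELECT failures, locked_until FROM attempts WHERE subject = ?", (subject,)
        )
        return cur.fetchone() or (0, 0.0)

    def is_blocked(self, subject: str) -> bool:
        _, locked_until = self._row(subject)
        return locked_until > self.now()

    def record_failure(self, subject: str) -> None:
        failures, locked_until = self._row(subject)
        if locked_until and locked_until <= self.now():
            failures = 0  # an expired lock starts a fresh count
        failures += 1
        locked_until = self.now() + LOCK_SECONDS if failures >= MAX_FAILURES else 0.0
        self.db.execute(
            "INSERT OR REPLACE INTO attempts VALUES (?, ?, ?)", (subject, failures, locked_until)
        )

    def record_success(self, subject: str) -> None:
        self.db.execute("DELETE FROM attempts WHERE subject = ?", (subject,))


def admit(guard: AttemptGuard, ip: str, login_hash: str):
    """Level 3 gate run before the login hash is looked up. Returns (allowed, reason)."""
    if looks_like_injection(login_hash):
        return False, "malformed"
    if guard.is_blocked("ip:" + ip) or guard.is_blocked("acct:" + login_hash):
        return False, "locked"
    return True, "ok"


def report(guard: AttemptGuard, ip: str, login_hash: str, success: bool) -> None:
    """Called after Level 7 with the outcome; both the IP and the account are tracked."""
    for subject in ("ip:" + ip, "acct:" + login_hash):
        if success:
            guard.record_success(subject)
        else:
            guard.record_failure(subject)


if __name__ == "__main__":
    import time
    guard = AttemptGuard(time.time)
    root_hash = hashlib.sha256(b"root").hexdigest()   # Level 2 value for the paper's test login
    print(admit(guard, "203.0.113.5", "root'--"))      # constructed malformed input -> malformed
    for _ in range(MAX_FAILURES):
        report(guard, "203.0.113.5", root_hash, False)
    print(admit(guard, "203.0.113.5", root_hash))      # (False, 'locked')
```

Both the IP and the account are locked after the third failure, so the lock holds for the same account from another address and for another account from the same address, and it expires on its own after LOCK_SECONDS; a successful login clears the counter. Every statement that touches the table is parameterised, which is the concrete form of the paper’s point that user-supplied data never reaches the database directly.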
As can be seen, the developed algorithm has 10 levels of verification, where each level launches and executes a different set of procedures that check each field entered by the user and the data transmitted to the web application server. Thanks to the implementation of this algorithm, businesses in the early stages of development have the opportunity to protect their resources from two types of attacks, MITM and Bruteforce. To prevent MITM attacks, it is assumed that it will not be possible to resend the token, since when the authorization page reloads, the token will already be updated; at the same time, the data received from the user does not interact with the database directly, but only through the server side of the web application. To prevent a Bruteforce attack, the server side, when receiving hash functions, logs the number of successful/failed authorization attempts by the user, and it is established that after 3 unsuccessful password attempts, the user’s account and IP address are blocked for up to 30 minutes.

5. Conclusions
The analysis conducted at the beginning of this paper identified the key needs and threats that require the purchase of commercial web application security products. For enterprise-level companies, these solutions are available, as well as the engineering resources that will be involved in supporting their operation, but for small SMB companies or new companies that are just starting, the purchase of the described set of solutions is unaffordable. That is why it was decided to improve the existing algorithms, which will allow new companies or SMBs to protect the credentials of users or customers of a web application from attacks such as Man-in-the-Middle and Bruteforce. To build a secure data transmission channel between the client and the server, an algorithm consisting of 10 levels was proposed, which describes the interaction between the client’s web browser and the web application server and the step-by-step operation of the encryption algorithm. Also, when using and implementing this algorithm on the authorization page, it is worth considering the subprocesses that are connected at two levels on the server side and provide additional verification of user activity when a login and password are entered on the authorization page. For visualization, the last section provides a practical application and display of the algorithm at each stage of the transmission and receipt of encrypted data between the client’s web browser and the web application server, which makes it clear what data is being processed and at what time. Through the use of one-time tokens, the company can avoid the reuse of tokens and the compromise of data in the database through unauthorized access to it. It is also worth noting that this algorithm works in such a way that the data sent to the web server is not transferred to the database in any way; the data is processed on an intermediate server that interacts with both the client and the database, which prevents SQL-Injection attacks and the use of any other injection that relates specifically to the corruption of data in the database.

References
[1] Y. Shcheblanin, et al., Research of Authentication Methods in Mobile Applications, in: Cybersecurity Providing in Information and Telecommunication Systems, Vol. 3421 (2023) 266–271.
[2] M. TajDini, V. Sokolov, V. Buriachok, Men-in-the-Middle Attack Simulation on Low Energy Wireless Devices using Software Define Radio, in: 8th International Conference on "Mathematics. Information Technologies. Education": Modern Machine Learning Technologies and Data Science, Vol. 2386 (2019) 287–296.
[3] D. Shevchuk, et al., Designing Secured Services for Authentication, Authorization, and Accounting of Users, in: Cybersecurity Providing in Information and Telecommunication Systems II, Vol. 3550 (2023) 217–225.
[4] Akamai’s Team, What Is a Web Application Firewall (WAF)? (2023). URL: https://www.akamai.com/glossary/what-is-a-waf
[5] AWS’s Team, What is a DDoS Attack? (2023). URL: https://aws.amazon.com/shield/ddos-attack-protection/?nc1=h_ls
[6] AWS’s Team, What is Multi-Factor Authentication (MFA)? (2023). URL: https://aws.amazon.com/what-is/mfa/?nc1=h_ls
[7] Synopsys’s Team, Static Application Security Testing (2023). URL: https://www.synopsys.com/glossary/what-is-sast.html
[8] Synopsys’s Team, Dynamic Application Security Testing (DAST) (2023). URL: https://www.synopsys.com/glossary/what-is-dast.html
[9] Cloudflare’s Team, Why use TLS 1.3? (2023). URL: https://www.cloudflare.com/learning/ssl/why-use-tls-1.3/#:~:text=TLS%201.3%20is%20the%20latest,TLS%20handshakes%2C%20among%20other%20improvements
[10] Sectigo’s Team, SHA 256 Algorithm Explained by a Cyber Security Consultant (2023). URL: https://sectigostore.com/blog/sha-256-algorithm-explained-by-a-cyber-security-consultant/
[11] Auth0’s Team, Adding Salt to Hashing: A Better Way to Store Passwords (2023). URL: https://auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/
[12] Imperva’s Team, Role-Based Access Control (RBAC) (2023). URL: https://www.imperva.com/learn/data-security/role-based-access-control-rbac/
[13] ProxyDefense’s Team, What Is Cryptographic Strength: Definition, Examples & More (2023). URL: https://proxydefense.com/cryptographic-strength/