
Enhancing User Authentication Scheme using Encrypted Negative Password

Dr. Arvind
Associate Professor, Department of Computer Science, MVJ College of Engineering, VTU, Bangalore, India
arvind@mvjce.edu.in

Harish Badseshi
Department of Computer Science and Engineering, MVJ College of Engineering, VTU, Bangalore, India
hbadseshi@gmail.com

Luther Stevenson
Department of Computer Science and Engineering, MVJ College of Engineering, VTU, Bangalore, India
luther1096@gmail.com

Abstract— Password-based authentication is the most widely used form of authentication, and secure storage of the password is vital for any authentication system. Our implementation provides a secure authentication and password storage scheme that can be integrated with existing authentication systems. The scheme uses the Encrypted Negative Password (ENP), which cripples precomputation attacks to a great extent. Our authentication solution receives the plain password from the client and runs it through multiple layers of security functions. Initially, the plain password received from the client is hashed using a cryptographic hash function. The intermediate phase of the solution transforms this hashed password into a negative password. The generated negative password is then encrypted using a symmetric-key algorithm. Finally, the solution is deployed on a virtual machine as a cloud service that can be used by various application vendors.

KEYWORDS: authentication, encryption, security, negative password, password storage.

I. INTRODUCTION

Despite a growing number of graphical and biometric authentication mechanisms, passwords remain the dominant method of authentication due to their low cost, availability and ease of deployment. Since passwords are commonly used to protect accounts with valuable assets (e.g., bank or email accounts), they have increasingly been subjected to several attacks [*]. An online guessing attack is usually limited by enforcing a fixed number of login attempts. However, passwords may be leaked from weak systems. Vulnerabilities are constantly being discovered, and not all systems can be patched in time to resist attacks, which gives adversaries an opportunity to illegally access weak systems [*]. Since passwords are often reused, adversaries may log into high-security systems using passwords cracked from less secure systems.

Typical password protection schemes include hashed password, salted password and key stretching. After studying and analyzing the complexities introduced by the various schemes, we incorporated the Encrypted Negative Password scheme in our solution, as it does not introduce extra elements and is more efficient than the typical password protection schemes.

II. LITERATURE REVIEW

W. Luo, Y. Hu, H. Jiang and J. Wang have proposed a password protection scheme that derives an Encrypted Negative Password from a given plain password for securely storing passwords in the database. In this framework, the plain password given by the client is first hashed using a cryptographic hash function. Then, the hashed password is transformed into a negative password. Finally, the negative password is encrypted using a symmetric-key algorithm, which results in an Encrypted Negative Password.

The cryptographic hash function and symmetric encryption together give strong security that makes passwords difficult to crack. Furthermore, for a given plain password there exist many corresponding ENPs, which makes the scheme impervious to precomputation attacks. The authors put forth two implementations of ENP, ENP1 and ENP2, including their generation and verification algorithms. The analysis and comparison of the attack complexity of hashed password, salted password, key stretching and the ENP shows that the ENP can withstand lookup table attacks without introducing an extra element (e.g., salt), and that under dictionary attacks the ENP provides stronger password protection [1].

M. C. Ah Kioon, Z. S. Wang and S. Deb, in their paper, analyze the security risks of the MD5 hashing algorithm and provide different solutions, such as salts and iterative hashing. They also propose new approaches to using the MD5 algorithm in password protection [2].

MD5 is a commonly used hashing algorithm. A hashing algorithm takes a plain password of arbitrary size and converts it into a string of fixed size. Hashing is a one-way function, which makes it theoretically difficult for attackers to recover the password from the hash. However, dictionary attacks and rainbow table attacks are still possible; to thwart these attacks the authors propose six solutions: using a strong password that is unlikely to exist in a dictionary, using salts, key stretching, a chaining method of hashing, encrypting the password before hashing, and an XOR cipher [2].

A. Biryukov, D. Dinu and D. Khovratovich have proposed a hashing scheme called Argon2. Argon2 summarizes the state of the art in the design of memory-hard functions. It is a streamlined and simple design that aims at the highest memory filling rate and effective use of multiple computing units, while still providing defense against

XXX-X-XXXX-XXXX-X/XX/$XX.00 ©2019 XXXX


tradeoff attacks. Argon2 is optimized for the x86 architecture and exploits the cache and memory organization of recent Intel and AMD processors.

Argon2 has two variants: Argon2d and Argon2i. Argon2d is faster and uses data-dependent memory access, which makes it suitable for cryptocurrencies and applications with no threat of side-channel timing attacks. Argon2i uses data-independent memory access, which is preferred for password hashing and password-based key derivation. Argon2i is slower, as it makes more passes over the memory to protect against tradeoff attacks.

Argon2 is recommended for applications that aim for high performance. Both versions of Argon2 can fill 1 GB of RAM in a fraction of a second, and smaller amounts even faster. It scales easily to an arbitrary number of parallel computing units. Its design is also optimized for clarity to ease analysis and implementation [3].

III. PROPOSED SYSTEM

In our implementation, a password protection scheme called Encrypted Negative Password (abbreviated as ENP) is used. ENP is based on the Negative Database (abbreviated as NDB), a cryptographic hash function and symmetric encryption. The NDB takes its inspiration from biological immune systems and has a variety of applications. The proposed system is divided into two layers: a) the Business layer and b) the Client layer. The implemented solution is deployed on a virtual machine as a cloud service that can be used by various application vendors.

A. Business layer

In this layer, all the core functionalities and business aspects of the implementation are handled. The core functionalities of the solution are the registration and verification sub-layers of the authentication scheme. These sub-layers use the authentication data table to store and verify ENPs.

In the registration phase, the plain password is first received from the client and its hash is computed. Next, a negative password is generated from the computed hash. Further, to strengthen security to a greater extent, symmetric encryption is performed on the negative password. The result is termed the ENP and is stored in the authentication data table. Moreover, for a given plain password there exist several possible ENPs. This makes precomputation attacks (e.g., lookup table attack and rainbow table attack) infeasible.

In the verification phase, the ENP is retrieved from the authentication data table and the inverse of the registration-phase operations is carried out to obtain the hash. The hash of the user-entered password is compared against the hash obtained in the verification phase.

B. Client layer

The client layer exposes the functionalities of the business layer to external entities. The user interface and reusable APIs form the client layer. A web-based interface or phone application can make API calls to use the solution deployed on the cloud. Application vendors in need of a robust security module can make API access requests that can be readily integrated in their application.

Fig 1: A Hierarchical Architecture of ENP Solution

IV. METHODOLOGY

A. Registration phase

The registration phase can be divided into six steps:
1) The user enters his/her username and password using a client interface. Then, the username and plain password are transmitted to the server through a secure channel;
2) If the received username already exists in the authentication data table, “The username already exists!” is returned as a response, which means that the server has rejected the registration request, and the registration phase is terminated; otherwise, go to Step (3);
3) The password is hashed using the selected cryptographic hash function;
4) The hashed password is transformed into a negative password using an NDB generation algorithm;
5) The negative password is encrypted into an ENP using the selected symmetric-key algorithm, where the key is the hash value of the plain password. As an additional option, multi-iteration encryption could be used to further enhance passwords;
6) The username and the resulting ENP are stored in the authentication data table and “Registration success” is returned as a response, which means that the server has accepted the registration request.

B. Verification Phase

The verification phase can be divided into five steps:
1) The user enters his/her username and password using a client interface. Then, the username and plain
password are transmitted to the server through a secure channel;
2) If the received username does not exist in the authentication data table, then “Incorrect username or password!” is returned as a response, which means that the server has rejected the authentication request, and the authentication phase is terminated; otherwise, go to Step (3);
3) Search the authentication data table for the ENP corresponding to the received username;
4) The ENP is decrypted using the selected symmetric-key algorithm, where the key is the hash value of the plain password; thus, the negative password is obtained;
5) If the hash value of the received password is not the solution of the negative password, then “Incorrect username or password!” is returned as a response, which means that the server has rejected the authentication request, and the authentication phase is terminated; otherwise, “Authentication success” is returned, which means that the server has accepted the authentication request.

Pseudo-code

Registration Algorithm

Input: A password String ‘str’

Step 1: Compute the hash code of the input String ‘str’ using the SHA256 algorithm
    hashStr ← sha256(str)
Step 2: Convert ‘hashStr’ into binary format
    binaryStr ← strToBinary(hashStr)
Step 3: Compute a random permutation of ‘binaryStr’
    permutedBits ← randomPermutation(binaryStr)
Step 4: Build the negative database and encrypt each of its entries
    m ← permutedBits.length
    ndb[] ← empty[m]
    for i ← 0 to m with step size of 1
        x[] ← CREATESYMBOLS(m)
        for j ← 0 to i with step size of 1
            x[j] ← permutedBits.charAt(j)
        x ← invertPermutation(x)
        ndb[i] ← x
    result[][] ← empty[m][m]
    for i ← 0 to m with step size of 1
        result[i] ← AES.encrypt(ndb[i])
    return result

Verification Algorithm

Input: A password String ‘str’ and a negative database ‘ndb’

Step 1: Compute the hash code of the input String ‘str’ using the SHA256 algorithm
    hashStr ← sha256(str)
Step 2: Convert ‘hashStr’ into binary format
    binaryStr ← strToBinary(hashStr)
Step 3: Decrypt every entry of the ENP with the hash as key
    m ← binaryStr.length
    decryptedNDB ← empty[m][m]
    for i ← 0 to m with step size of 1
        decryptedNDB[i] ← AES.decrypt(ndb[i])
Step 4: Check the number of specified positions in each decrypted entry
    for i ← 0 to m with step size of 1
        if (NUMBEROFSP(decryptedNDB[i]) != i)
            return false
Step 5: Recover the hash bits one position per entry and compare
    x[] ← empty[m]
    for i ← 0 to m with step size of 1
        index ← INDEXOFSP(decryptedNDB[i])
        x[index] ← decryptedNDB[i][index]
        for j ← i+1 to m with step size of 1
            decryptedNDB[j][index] ← ‘*’
    if (binaryStr == x) return true
    else return false

V. CONCLUSION AND FURTHER IMPLEMENTATION

In this project, we implemented a password protection scheme called ENP and presented a password authentication framework based on the ENP. In our framework, the entries in the authentication data table are ENPs. The analysis and comparison of the attack complexities of hashed password, salted password, key stretching and the ENP show that the ENP can resist lookup table attacks and provide stronger password protection under dictionary attacks. It is worth mentioning that the ENP does not need extra elements (e.g., salt) to resist lookup table attacks.

Other NDB generation algorithms can be introduced to the ENP to further enhance security in the future. The deployed ENP solution can be managed and leveraged as a B2B solution.

REFERENCES

[1] W. Luo, Y. Hu, H. Jiang and J. Wang, "Authentication by Encrypted Negative Password," IEEE Transactions on Information Forensics and Security, vol. 14, no. 1, pp. 114-128, Jan. 2019.
[2] M. C. Ah Kioon, Z. S. Wang and S. Deb Das, "Security analysis of MD5 algorithm in password storage," in Proceedings of Instruments, Measurement, Electronics and Information Engineering, Trans Tech Publications, Oct. 2013, pp. 2706–2711.
[3] A. Biryukov, D. Dinu and D. Khovratovich, "Argon2: New generation of memory-hard functions for password hashing and other applications," in Proceedings of the 2016 IEEE European Symposium on Security and Privacy, Mar. 2016, pp. 292–302.
[4] S. Boonkrong and C. Somboonpattanakit, "Dynamic salt generation and placement for secure password storing," IAENG International Journal of Computer Science, vol. 43, no. 1, pp. 27–36, 2016.

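A worked example of the registration and verification algorithms of Section IV, written for this page and not the authors' code: SHA-256 bits, a random position permutation, NDB entries built from '*' symbols, and per-entry symmetric encryption keyed by the password hash. It assumes the inclusive reading of "for j ← 0 to i" (entry i exposes i+1 bits, which is what Step 5 needs to recover every bit), stands in for the paper's AES step with an HMAC-SHA256 counter-mode keystream so that it runs on the standard library alone, and adds a per-record nonce that the paper does not specify.

```python
import hashlib
import hmac
import os
import random

def sym_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Assumed stand-in for the paper's AES step: HMAC-SHA256 counter-mode keystream XOR.
    stream = b"".join(hmac.new(key, nonce + c.to_bytes(4, "big"), hashlib.sha256).digest()
                      for c in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def hash_bits(password: str) -> str:
    # Steps 1-2 of both algorithms: SHA-256 of the password as a 256-character bit string.
    return "".join(f"{b:08b}" for b in hashlib.sha256(password.encode()).digest())

def register(password: str, rng=random.SystemRandom()):
    # Registration: entry i reveals the hash bits at the first i+1 permuted positions.
    bits = hash_bits(password)
    m = len(bits)
    perm = list(range(m))
    rng.shuffle(perm)                                 # Step 3: random permutation
    key = hashlib.sha256(password.encode()).digest()  # key is the hash of the plain password
    nonce = os.urandom(16)                            # constructed per record; not in the paper
    enp = []
    for i in range(m):                                # Step 4: build and encrypt ndb[i]
        x = ["*"] * m
        for j in range(i + 1):
            x[perm[j]] = bits[perm[j]]
        enp.append(sym_crypt(key, nonce + i.to_bytes(4, "big"), "".join(x).encode()))
    return nonce, enp

def verify(password: str, nonce: bytes, enp: list) -> bool:
    # Verification: decrypt under the candidate hash, validate (Step 4), peel one bit per entry.
    bits = hash_bits(password)
    m = len(bits)
    key = hashlib.sha256(password.encode()).digest()
    ndb = [list(sym_crypt(key, nonce + i.to_bytes(4, "big"), c).decode("latin-1"))
           for i, c in enumerate(enp)]                # Step 3: decrypt every entry
    if len(ndb) != m or any(len(e) != m or sum(ch != "*" for ch in e) != i + 1
                            for i, e in enumerate(ndb)):
        return False                                  # Step 4: a wrong key fails here
    x = ["*"] * m
    for i in range(m):                                # Step 5: entry i adds exactly one position
        spec = [p for p, ch in enumerate(ndb[i]) if ch != "*"]
        if len(spec) != 1:
            return False
        x[spec[0]] = ndb[i][spec[0]]
        for j in range(i + 1, m):
            ndb[j][spec[0]] = "*"
    return "".join(x) == bits
```

Registering the same password twice yields two different ENPs, which is the property the paper relies on against lookup and rainbow table precomputation.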