Authentication and password storing improvement using SXR algorithm with a hash function

Received Apr 13, 2020. Revised Jun 2, 2020. Accepted Jun 15, 2020.

Secure password storing is essential in systems that authenticate users by password. In this paper, the SXR algorithm (Split, Exclusive OR, and Replace) is proposed to improve secure password storing; it can also be applied to current authentication systems. The SXR algorithm consists of four steps. First, the password received from the user is hashed through a general hash function. Second, the ratio and the number of iterations are calculated from the secret key (derived from the username and password). Third, the hashed password is divided according to the ratio (Split) into two values, and both values are applied to the XOR equation for the calculated number of iterations, resulting in two new values. Last, the obtained values are concatenated and stored in the database (Replace). On evaluation, complexity analyses and comparisons have shown that the SXR algorithm can provide attack resistance with a stronger hashed password against the attacks considered. Consequently, even if attackers obtained the hashed password, recovering the actual one would be challenging and would consume more time, because the pattern of the stored password is the same as that of a password hashed through the general hash function alone.


INTRODUCTION
In the 21st century, Information Technology plays a significant role in our daily activities. Many agencies rely on information technology for accessing various services on the internet such as financial transactions, e-mail, social networks, remote desktop, access via command line, etc. The security of these services consists of three parts: Confidentiality, Integrity, and Availability [1]. Confidentiality means keeping the information confidential, allowing access only to those who have the right to the information. Integrity means protecting the information so that it remains complete and accurate; there should be a verification mechanism to check for alterations that may occur without permission. Availability means the ability to access the network data or resources whenever necessary. In other words, a person with the right or permission to access the network information or data source can access it at all times without any latency [2].
Secure Password Storing is a critical issue [3,4], and there are many methods to choose from cryptography to the usage of a hash function. These can change the messages so that they could not be read as actual messages anymore or in some cases, even if they could be read, they could not be understood.
From the related work discussed in this paper, most of the existing techniques have focused on improving the hash function. Although salting can improve the strength of stored passwords, the salt itself must also be stored in the database. The SXR algorithm proposed in this paper, on the other hand, focuses on manipulating the original hash value by Split, XOR, and Replace based on the username and password.

PROPOSED METHOD
At present, almost all websites only use one-factor authentication: the user just enters a username and password to access the information on that website. In particular, medium and small websites do not have a budget to use TLS or multi-factor authentication services [19], such as OTP, biometrics, tokens, etc. This makes the websites potentially insecure, and there is a high risk of being hacked [20,21]. Most users prefer to use the same username and password on all websites, and this is their weakness. When an attacker recovers this information as plaintext, the attacker can use that username and password on other websites, thereby impersonating the rightful person. The attacker may gain access to important and confidential information from these websites if they do not have professional data protection standards [22,23].
This research divided the experimental method into two parts: the first part is the speed test, and the second part is a security test against attacks from malicious users. In this experiment, we applied the mathematical operation XOR (Exclusive-OR), which was the key to the design and development of the algorithm. XOR was used to design the three equations that increase password security. The first equation finds the ratio (Split), the second equation finds the number of iterations (Iteration), and the third equation is the replacement equation (Replace). The working of the whole system is shown in Figure 1.

Figure 1. System workflows (labels recovered from the figure: 3. The hash value was produced; 5. The ciphertext was obtained here.)
The workflow of the system consisted of five steps, see Figure 1. The first step was the password in plain-text format, which the general public could understand. The second step was to select a hash function for transforming the password into a form that is not human-readable; popular algorithms include MD5, SHA1, SHA2, SHA224, SHA256, and SHA512. The third step was the output of the hash function, a format that humans do not understand. Each input passing through the hash function yields a distinct output with specific characteristics. The results of this process were called hash values. The fourth step was the introduction of the SXR algorithm. The algorithm was proposed to increase the strength of the hash values obtained from the previous steps by making them more complex. The detail of the work process is explained in Figure 2. The last step was the result obtained through the SXR algorithm. This information was unique and could not be calculated backward.
The SXR algorithm was used to increase the strength of the hash values, see Figure 2. In the first step, the password was passed through the hash function. For example, with the username "Jakka1b2" and the password "Polpong", the result after the MD5 hash function was "f7540c62489302e375e48c6e6670f6f2". To create the secret key, the first 4 characters of the password ("Polp") and the last 4 characters of the username ("a1b2") were used to generate the secret key "a1b2Polp". In the second step, the secret key was configured for calculating the ratio (section 3.1) and the number of iterations (section 3.2) used in the processing. In the third step, the first equation was used to calculate the ratio (90%) and the second equation to calculate the number of iterations (27,548). In the fourth step, the hash value was divided into two parts based on the values obtained in the third step. For example, the calculated ratio was 90% of the hash value "f7540c62489302e375e48c6e6670f6f2". The 90% ratio divides it into "f7540c62489302e375e48c6e6670 | f6f2"; the divided values are then shifted in the middle, moving from right to left. The result is "02e375e48c6e6670 | f6f2f7540c624893", so "02e375e48c6e6670" was assigned as the first part, while "f6f2f7540c624893" was the second part to be used in the next step. In the fifth step, to create the new password, the authors used both values from the fourth step in the SXR equation (section 3.3), which performed all calculations according to the number of iterations obtained from the iterations equation. The last step was to collate the results of the calculations from the fifth step by combining the value of the first part with the second part and saving it to the database.

Ratio equation
The ratio equation (1) determines the ratio used to divide the password hash obtained from the hash function into two parts, where Index is the position of a character in the secret key and the ratio lies in the range 0-99%. To calculate the ratio, the authors used the secret key ("a1b2Polp") derived from the username and password. Thus, the ratio equation was [((a ⨁ P) + 128) * ((1 ⨁ o) + 128)] mod 99 = ratio; for this secret key the ratio was 90%.

Iterations equation
The iterations equation (2) determines the number of iterations used when generating the new hash value. It is calculated as follows, where Index[2] is the position of the 3rd character of the secret key, Index[6] the 7th character, Index[3] the 4th character, and Index[7] the 8th character; 128 is added to widen the value of one character to the full byte range 00000000-11111111 (0-255). With the secret key "a1b2Polp", the iteration equation was [((b ⨁ l) + 128) * ((2 ⨁ p) + 128)] = iteration; for this secret key the number of iterations was 27,548.

SXR equation
The SXR equation (3) calculates the new hash values with the XOR operator combined with moving the bits to the right, where X_i is the first half of the hash value divided according to ratio equation (1), X_j is the second half of the hash value divided according to (1), and i is the number of iterations obtained from iterations equation (2). The SXR equation for calculating the new password with the ratio and the number of iterations was divided into two equations. X_i1 was the first part, X_j1 was the second part, and i was defined by the number of iterations. For example, if the hash value divided by the ratio was "02e375e48c6e6670-f6f2f7540c624893", then X_i1 was "02e375e48c6e6670", X_j1 was "f6f2f7540c624893", and i was 27,548. Then the two values were arranged together (X_yn and X_in-1), which resulted in the new password for this hash value, "ec962b4538afab7c66971839e6629ef9", which was kept in the database as depicted in (4).
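The steps the paper fully specifies (secret-key derivation, ratio equation (1), iterations equation (2) and the Split step of the worked example above) reproduced as an added example; this is not the authors' code. Two points are inferred rather than stated: the character positions feeding equation (1) (key[0]^key[4] and key[1]^key[5]) are read off the instance given for "a1b2Polp", and the "move from right to left" step is implemented as the string rotation that yields the page's two parts. The XOR/shift iteration of equation (3) is not spelled out on the page and is therefore not reproduced.

```python
import hashlib

# Worked values taken from the page: username "Jakka1b2", password "Polpong",
# and the MD5 digest exactly as printed there (used as a constructed input).
PAGE_DIGEST = "f7540c62489302e375e48c6e6670f6f2"


def secret_key(username: str, password: str) -> str:
    """Secret key = last 4 chars of the username + first 4 chars of the password."""
    return username[-4:] + password[:4]          # "Jakka1b2"/"Polpong" -> "a1b2Polp"


def ratio(key: str) -> int:
    """Equation (1): [((k0 ^ k4) + 128) * ((k1 ^ k5) + 128)] mod 99.
    Positions 0/4 and 1/5 are inferred from the page's instance (a^P, 1^o)."""
    x = (ord(key[0]) ^ ord(key[4])) + 128        # 'a' ^ 'P' = 49, +128 = 177
    y = (ord(key[1]) ^ ord(key[5])) + 128        # '1' ^ 'o' = 94, +128 = 222
    return (x * y) % 99                          # 39294 mod 99 = 90


def iterations(key: str) -> int:
    """Equation (2): ((k2 ^ k6) + 128) * ((k3 ^ k7) + 128); +128 widens to a byte."""
    x = (ord(key[2]) ^ ord(key[6])) + 128        # 'b' ^ 'l' = 14, +128 = 142
    y = (ord(key[3]) ^ ord(key[7])) + 128        # '2' ^ 'p' = 66, +128 = 194
    return x * y                                 # 142 * 194 = 27548


def split(hex_digest: str, ratio_pct: int):
    """Split step: cut the digest at ratio_pct % of its length, move the tail in
    front of the head ("right to left"), and take two equal halves.  For the
    page's digest and 90 % this gives X_i1 = "02e375e48c6e6670" and
    X_j1 = "f6f2f7540c624893".  (Rotation is an assumption; see lead-in.)"""
    n, half = len(hex_digest), len(hex_digest) // 2
    cut = n * ratio_pct // 100                   # 90 % of 32 hex chars -> 28
    shift = (cut - half) % n                     # 28 - 16 -> rotate left by 12
    rotated = hex_digest[shift:] + hex_digest[:shift]
    return rotated[:half], rotated[half:]


def sxr_prepare(username: str, password: str, algo: str = "md5") -> dict:
    """Run every step the page specifies, stopping before equation (3)."""
    key = secret_key(username, password)
    digest = hashlib.new(algo, password.encode()).hexdigest()
    r, it = ratio(key), iterations(key)
    first, second = split(digest, r)
    return {"key": key, "ratio": r, "iterations": it,
            "first": first, "second": second}


if __name__ == "__main__":
    print(sxr_prepare("Jakka1b2", "Polpong"))
```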

RESULTS AND DISCUSSION
The proposed SXR algorithm with a hash function was evaluated in two aspects: processing time and attack resistance. For the experiment, the popular passwords of 2018 and four further test-set forms were utilized. The evaluation was divided into five parts: data used in performance testing, performance evaluation, comparison of the effectiveness of resistance to attack, collision efficiency comparison, and application of the SXR algorithm.

Dataset and experiment setting
For the experiment, the data consisted of five forms referenced from the research on "Password Entropy and Password Quality" [24] and four other forms: the first form (test set 1) was the popular passwords of 2018 [25], the second form (test set 2) all lowercase characters

Performance evaluation
The performance evaluation was divided into two parts. The first part was the size, i.e. the number of bits produced by the normal process and by the SXR algorithm implementation. The second part was a comparison of the time spent in processing between the normal hash function and the SXR algorithm.
Examples used in performance testing include:
Username: ChanGa1b2
Password: Jakkapong
Remark: The results were of different sizes according to each algorithm. The second method was the SXR algorithm, which used "a1b2Jakk" as the secret code to increase the strength of the password. It can be seen that the hash values obtained from the two forms were of different sizes; the output value of each character is thus different. It was found that the average time of the traditional hash function was 0.00004001-0.000156 seconds for the MD5, SHA1, SHA256 and SHA512 algorithms. For the hash function enhanced with the SXR algorithm, the average time taken across the four algorithms was 0.002308 to 0.015632 seconds. The experimental results showed that the traditional hash function took less time than the hash function enhanced by the SXR algorithm, which spent approximately 50 times longer. This means traditional hash functions have good performance in terms of operational time. Moreover, in the test of the time spent in processing, the results are less than 0.1 seconds [26]. In actual usage, humans will not notice the difference in processing time. The results are shown in Table 2.

Comparison of the effectiveness of resistance to attack
This research compared the resistance against attack between traditional hash algorithms and hash algorithms whose security was enhanced with the SXR algorithm, considering Dictionary attack, Brute-force and Birthday attack. This attack-resistance experiment used 100 passwords that were hashed with the traditional hash functions and with the hash functions enhanced by the SXR algorithm, as shown in Table 3. The experimental result in Table 3 shows the comparison of the effectiveness of resistance to Brute-force and Dictionary attack for traditional hash algorithms and for hash algorithms enhanced with the SXR algorithm on test sets 1 to 5. The result was 0% in all experiments, because the use of the password together with the secret key makes current attack techniques and methods unable to compute the decoding.
In addition, the results from the SXR algorithm had the same size and format as the normal encryption methods, which makes it even more difficult to work back from the stored hash value. Thus, decoding the SXR algorithm would require creating a new algorithm. The input used to find the hash value must consist of two variables, the password and the secret code, both of which must be searched with the Brute-force technique. The cost of decoding with a Brute-force attack can be presented in Big O notation as follows. From (5), the value O(n^2) is derived from the Brute-force search against the SXR algorithm, which has the following steps.
Notation:
hash_P: hash value of the password that the attacker wants to recover from the SXR algorithm
P_bf: the password assigned by the attacker as the initial value of the Brute-force search
P_ld: the password list that the attacker assigns as the search values for the Dictionary attack
SC_bf: the secret code assigned by the attacker as the initial value of the Brute-force search
SXR_h: the result of applying the P_bf and SC_bf variables through (1)-(3)

Algorithm 1: Brute-force SXR Verification
Input: a hashed password hash_P, a start password for brute-force P_bf, a start secret key SC_bf
Output: true or false
Start
  P_bf ← char(00000000)
  SC_bf ← char(0000)
  while (hash_P != SXR_h) do
    P_bf ← P_bf + 1 bit
    for (i ← 0; i <= 127 8; i++) {
      SC_bf ← SC_bf + 1 bit
      SXR_h ← SXRfunction(P_bf, SC_bf)
      if (SXR_h = hash_P) then
        return true
      end if
    end for
  end while
Stop
The Brute-force SXR Verification is an algorithm for calculating the plaintext of the password and the secret code. The attacker would take the hash value obtained from the attack (hash_P) and search for the plaintext of the password and secret code by the Brute-force method, assigning passwords of 8 to 12 digits. The initial value of the first loop is 00000000, incremented by 1 bit in each subsequent loop. The secret code is then set to 4 to 8 digits, starting at 0000 in the first loop and incremented by 1 bit in each subsequent loop. The password and secret codes consist of numbers, letters and special characters, covering all possibilities in the range of 4 to 8 characters. The result is the password (P_bf) and the secret code (SC_bf).
In the Dictionary attack SXR Verification algorithm, the attacker takes the hash value obtained from the attack (hash_P) and recovers the plaintext of the secret code by dictionary attack, comparing each password from the password list and searching for the secret code in the same way as in the Brute-force method. The result is a password (P_ld) and a secret code (SC_bf). The processing time during the attack was then analyzed following the method of Wenjian Luo [27], as shown in Table 4. Table 4 highlights that the SXR method is more secure in preventing dictionary attack than the other methods. The equation that adds one more secret code is considered the strength of this research.
While existing techniques usually try to improve the hash function [18,28], the proposed SXR technique focuses on password storing. Security is enhanced by calculating the ratio that divides the hash value and the number of iterations. Existing salted-password approaches need to add a character set to the password to increase strength, but they must also store this character set in the database [10,11]. Our SXR uses the username and password as the basis for increasing the complexity of the stored password, so decoding it must involve two parts. Our technique neither intervenes in nor modifies the hash algorithm; it strengthens the password after the hash function and keeps the password in the database. Thus, the proposed technique is applicable to any existing hash algorithm. The only disadvantage is that the processing time is increased, because the username and password are used to create a secret key. However, users will not be aware of the extra time. The performance of the proposed technique is measured by the processing time for a hashed password. As per the experiment, the average time of the hash function with the SXR algorithm is 0.002308 to 0.015632 seconds. Although this takes 50 times longer than the traditional hash function, in actual use the processing time is less than 0.1 seconds, and humans will not notice the difference in processing time [26]. As for the resistance against attack, the proposed technique can prevent 100% of Dictionary attack, Brute-force and Birthday attack.

CONCLUSIONS AND FUTURE WORK
At present, database threats come in many forms, and there are many reports of database attacks. The severity of these attacks seems to be growing, whether it is the loss of data or property, or distrust in the security of the system or website. Consequently, the criteria and methods for storing passwords are considered a priority in system development. Passwords can be stored in many forms, such as by hashing with a hash function. The main objective of these methods is to maintain the security of the database so that the security system remains stable and reliable, can verify the accuracy of the information, and can prevent or report unauthorized modification of data.
In this paper, we proposed the SXR algorithm, which derives a secret key from the username and password, passes the hashed password through the SXR algorithm, and stores the result in the database. Even if an attacker obtains the stored password or gets into the database, it would not make it easier to find the correct password, because the form of the stored password is the same as that of a password passed through the general hash function.
Experimental results have shown that the popular passwords passed through the proposed algorithm with the MD5 hash function can increase the security of the database. Even if the database is attacked, a password attacker cannot decode the data, so the data stored in the database is secure. This research can help build credibility for web application developers and various identity authentication software among users. In future work, the authors plan to apply the algorithm to investment transactions to increase the security of the data with multi-factor authentication such as IP address, OTP, biometrics, etc., as well as to improve the SXR algorithm scheme with proper encryption in order to increase attack resistance.