DEFEATING MITM ATTACKS ON CRYPTOCURRENCY EXCHANGE ACCOUNTS WITH INDIVIDUAL USER KEYS

Presented herein is a User-Specific Key Scheme based on Elliptic Curve Cryptography that defeats man-in-the-middle attacks on cryptocurrency exchange accounts. In this scheme, a separate public and private key pair is assigned to every account, and the public key is shifted either forward or backward on the elliptic curve by a difference of the account user's password. When a user logs into his account, the server sends the shifted public key of his account. The user computes the actual public key of his account by reverse shifting the shifted public key by exactly the difference of his password. Alternatively, the shifting can be applied to the user's generator instead of the public key. Described in detail is how a man-in-the-middle attack takes place and how the proposed scheme defeats the attack. A detailed security analysis is provided for both public key shifting and generator shifting. Further, the effectiveness of three other authentication schemes in defending passwords against MITM attacks is compared.


INTRODUCTION
The man-in-the-middle (MITM) attack is a very serious concern for cryptocurrency exchanges, as their user accounts are deemed huge honeypots for hackers. In a MITM attack, a hacker positions himself between an account user's computer and the exchange server [1]. One viable MITM technique is key spoofing, wherein the attacker intercepts the public key of the server and replaces it with his own public key. Unaware of the attack, the user encrypts his account password during login with the attacker's fraudulent public key and submits the ciphertext to the exchange server. As the attacker has already positioned himself between the user and the server, he intercepts the ciphertext and decrypts it with his matching private key, which recovers the password exactly as its original plaintext [2]. The stolen password is used later for stealing crypto assets from the account.
During a login session, a user's password is encrypted with the server's public key, which is certified by a certifying authority. Standard browsers check the key certificate, verify the authenticity of the public key and alert the user to any mismatch in ownership of the key [3]. However, only a few astute users that are technically knowledgeable about the attack understand its complexities. Most lay users ignore the alert and proceed to submit their login credentials.
Even when a hybrid encryption approach is used, wherein the user sends the server a symmetric key encrypted with the server's public key and that symmetric key is then used to encrypt the remaining communication, the same MITM attack still succeeds. In this case, the attacker compromises the symmetric key instead of the user's password, which subsequently leads to password compromise.
Every exchange server obtains a public and private key pair from a certificate authority to secure all its communication with its account users. The same key pair is used to encrypt and decrypt all communications, irrespective of the user the server is communicating with, and this practice opens the door to MITM attacks through key spoofing.

As shown in the above figure, the server's public key is passed to the user machine during login. The user's login credentials are encrypted with the public key to generate a ciphertext, which is passed to the server where it is decrypted with the server's private key to recover the plain password. The public and private key pair remains the same for every communication with the server, irrespective of the user. The public key needs to be certified by a certifying authority.

As shown in the above figure, a MITM attacker positions himself between a user's computer and the cryptocurrency exchange server. At the time of user login, the attacker intercepts the server's public key and replaces it with his own public key, for which he has already computed a matching private key. Unaware of the attack, the user encrypts his credentials with the attacker's fraudulent public key, creates a ciphertext and submits it. On its way to the server, the attacker intercepts the ciphertext and decrypts it with his fraudulent private key, which yields exactly the original plaintext login credentials [4].
One viable way of defeating such MITM attacks is to create and assign a separate and exclusive key to each user, a key that is related in one way or another to the user's own password.

RELATED WORK
In 2007, Trabelsi et al. proposed a solution to ARP poisoning attacks, which are often used as part of MITM attacks. The proposed solution replaces the traditional stateless ARP cache with a stateful ARP cache and also uses a novel fuzzy logic approach to differentiate malicious ARP replies from genuine ones [5]. However, this solution works only for local area networks, whereas the Internet is an open network over which the user or the application server has no control.
In 2012, Krishna Kumar et al. explored MITM attacks and suggested a solution that forces authentication before key exchange. The solution requires that both the sender and the receiver have a private key and digitally sign some exponents they exchange during communication [6]. However, in a login scenario only the server requires a private key; the login user does not.
In 2013, Italo Dacosta et al. proposed a new protocol, Direct Validation of Certificates (DVCert), that enables domains to directly and securely vouch for their certificates using previously established user authentication credentials instead of depending on third parties for certificate validation [7]. However, this approach has faced critical challenges due to its cost, its complexity and its introduction of new privacy risks.
In 2014, Sounthiraraj et al. discovered that many Android apps are vulnerable to SSL/TLS man-in-the-middle attacks. They presented a system called SMV-HUNTER to automatically detect such vulnerabilities by combining static and dynamic analyses [8]. However, this is only a method of detecting Android apps from the Google Play Store that are vulnerable to MITM attacks; they did not present any mechanism to defeat MITM attacks.
In 2015, Aqeel Sahi et al. proposed a method to secure the Diffie-Hellman protocol using Geffe generation of binary sequences, which can fortify systems against MITM attacks. The Geffe generator produces pseudo-random sequences with a high level of randomness [9]. However, this method is designed for communication between two users and requires that each user compute and possess a private key. A secure user login to a cryptocurrency exchange account does not require a private key, which would be a burden for the user.
Le Wang et al. proposed in 2016 an approach to detect MITM attacks based on received signal strength indicators, which indicate the power level being received by the antenna. The received indicators are processed and analyzed to detect rogue access points, which hackers use to launch MITM attacks [10]. However, this approach provides only a mechanism to detect rogue APs on wireless networks, which are used as a means to MITM attacks. It does not provide any mechanism to defeat MITM attacks.
In 2017, Robbi Rahim discussed in his research paper a method to defeat MITM attacks using the interlock protocol created by Ron Rivest and Adi Shamir [11]. In his method, Rahim splits the ciphertext into two parts and sends both parts to the other party. However, once a man-in-the-middle collects both parts, the message can be decrypted.
In 2017, Sanjeev Kumar et al. presented an identity based authentication method wherein the server creates a unique id as a function of the server serial number, the user computer's serial number and the user's government id, such as a social security number [12]. However, in the United States the social security number is treated as very confidential information and it is not advisable to submit it to any third-party server.

THE BASIC ECC SCHEME
The basic elliptic curve cryptography scheme generates a public and private key based on a discrete mathematical problem on the elliptic curve. The key computation, message encryption and decryption take place through the following steps:
- Server selects an arbitrary discrete generator G on the elliptic curve
- Server selects an arbitrary number ns as its private key
- Server computes its public key Ps = ns G
- Server passes G and Ps to the login user
- User encodes his message M to a discrete point PM on the elliptic curve
- User selects a random number r
- User computes his ciphertext CM = {r G, PM + r Ps} and sends CM to the server
- Server recovers the original message as PM = (PM + r Ps) - ns r G

Replacing Ps with ns G in the above equation, PM + r ns G - ns r G = PM. Hence, the original message is obtained.

In the User Specific ECC Key Scheme, the server creates a separate public and private key pair for each user, and the user's password is encrypted with that particular public key whenever he logs into his account. The public key or the generator of the user is shifted either backward or forward on the elliptic curve by a difference of the user's password.

Public Key Shifting by Password
In this case the public key Ps is shifted either backward or forward to a new point on the elliptic curve by a difference of the user's password, and the shifted public key is passed to the user instead of the original one. In backward shifting, the server encodes the user's password to a discrete point Pw on the elliptic curve and computes the shifted public key Psw = Ps - Pw. All three values, the generator G, the private key ns and Psw, are stored in the database as a user record.

User Sign Up
When a user signs up for a new account on the server, he fills in his user id and password and submits the form, which passes the encrypted credentials to the server. Fig. 3 below illustrates capturing the user's password, creating his key pair and shifting the public key backward by the password.
The server public key shown in the figure is not the user-specific key. It is the server's generic public key obtained from a certifying authority. On receiving the user's signup request, the server performs the following steps:
- Decrypt and capture the user's password
- Select an arbitrary generator G on the elliptic curve
- Select an arbitrary number ns as the private key
- Compute Ps = ns G
- Encode the user's password to a point Pw on the elliptic curve
- Compute the shifted public key Psw = Ps - Pw
- Store G, ns and Psw in the database

User Login
When a user wants to log in to his account, the following steps, as shown in Fig. 4, take place:
- User sends only his user id to the server
- Server retrieves the G and Psw values of the user from the database based on his user id
- Server sends G and Psw to the login user's machine
- User encodes his message M to a discrete point PM on the elliptic curve
- User encodes his password to a discrete point Pw on the elliptic curve
- User computes Ps = Psw + Pw
- User selects a random number r
- User computes his ciphertext CM = {r G, PM + r Ps} and sends CM to the server
- Server retrieves the private key ns of the user account
- Server recovers the original message by multiplying the first term by ns and subtracting it from the second term: PM = (PM + r Ps) - ns r G

Replacing Ps with ns G in the above equation, PM + r ns G - ns r G = PM. Hence, the original message is obtained.

Security Analysis
Cancelling the second and fourth terms of the attacker's decryption, the MITM attacker is left with PM + r Pw, which is not the original message and reads as junk to the attacker. The attacker could compute the original message PM by subtracting r Pw from PM + r Pw; however, he cannot guess the random number selected by the user or the user's password.
Similarly, in forward shifting of the public key, the server computes the shifted public key as Psw = Ps + Pw and the user computes the original public key as Ps = Psw - Pw. All other computation steps remain the same on both the user and server side.
Requiring the password in order to steal the password is a paradoxical situation that defeats MITM attacks.

Generator Shifting by Password
In this case, the generator G is shifted either backward or forward to a new point on the elliptic curve by a difference of the user's password, and the shifted generator Gw is passed to the user instead of the original generator. In backward shifting, the server encodes the user's password to a discrete point Pw on the elliptic curve and computes the shifted generator Gw = G - Pw. All three values, Gw, the private key ns and the public key Ps, are stored in the database as a user record.

User Sign Up
When a user signs up for a new account on the server, he fills in his user id and password and submits the form, which passes the encrypted credentials to the server. Fig. 5 below illustrates capturing the user's password, creating his key pair and shifting the generator backward by the password.
The server public key shown in the figure is not the user-specific key. It is the server's generic public key obtained from a certifying authority. On receiving the user's signup request, the server performs the following steps:
- Decrypt and capture the user's password
- Select an arbitrary generator G on the elliptic curve
- Select an arbitrary number ns as the private key
- Compute Ps = ns G
- Encode the user's password to a point Pw on the elliptic curve
- Compute the shifted generator Gw = G - Pw
- Store Gw, ns and Ps in the database

User Login
When a user wants to log in to his account, the following steps, as shown in Fig. 6, take place:
- User sends only his user id to the server
- Server retrieves the Gw, ns and Ps values of the user from the database based on his user id
- Server sends Gw and Ps to the login user's machine
- User encodes his message M to a discrete point PM on the elliptic curve
- User encodes his password to a discrete point Pw on the elliptic curve
- User computes G = Gw + Pw
- User selects a random number r
- User computes his ciphertext CM = {r G, PM + r Ps} and sends CM to the server
- Server retrieves the private key ns of the user account
- Server recovers the original message as PM = (PM + r Ps) - ns r G

Replacing Ps with ns G in the above equation, PM + r ns G - ns r G = PM. Hence, the original message is obtained.

Security Analysis
The additional point Pw involved in the computation of Gw foils MITM attacks. When a MITM attacker positions himself between the user and the server, he needs to replace Gw with his own Gw-hack, which should be computed as Ghack - Pw, and for that he needs the user's password. Without knowing the user's password, if the attacker passes his own Ghack and Ps-hack, the user computes his ciphertext CM = {r G, PM + r Ps-hack} where G = Ghack + Gw, and the hacker intercepts it and tries to decrypt it as below. Multiplying the first term of the ciphertext CM by the hacker's private key ns-hack and subtracting it from the second term:

PM + r Ps-hack - ns-hack r G
= PM + r Ps-hack - ns-hack r Ghack - ns-hack r Gw

Substituting Ps-hack = ns-hack Ghack, the above expression becomes

PM + r ns-hack Ghack - ns-hack r Ghack - ns-hack r Gw

Cancelling the second and third terms in the above expression, the MITM attacker is left with PM - ns-hack r Gw, which is not equal to the original message PM and reads as junk to the attacker.
To remove the effect of ns-hack r Gw, the attacker needs to know the random value r and the user's password.
Similarly, in forward shifting of the generator, the server computes the shifted generator Gw = G + Pw and the user computes the original generator G = Gw - Pw. All other computation steps remain the same on both the user and server side.
Requiring the password in order to steal the password is again a paradoxical situation that defeats MITM attacks. Fig. 7 shows the authentication process taking place on the server when it receives the ciphertext CM from the user.
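As an added worked example (not code from the paper), the following Python models both the public key shifting and the generator shifting variants described above on secp256k1: sign-up and login for each mode, and a key-spoofing MITM attempt whose decryption does not match the original point. The password-to-point and message-to-point encoding (hash the string to a scalar, multiply the generator) is an assumption, as the paper does not specify one; the curve arithmetic is written out rather than taken from a library.

```python
import hashlib
import secrets

# secp256k1 domain parameters: y^2 = x^3 + 7 over F_P, base point G of prime order N.
# Points are (x, y) tuples; None stands for the point at infinity.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    """Affine point addition, covering doubling and the p1 == -p2 case."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def sub(p1, p2):
    return add(p1, None if p2 is None else (p2[0], -p2[1] % P))

def mul(k, p):
    """Scalar multiplication by double-and-add."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, p)
        p, k = add(p, p), k >> 1
    return acc

def encode(text):
    """ASSUMPTION: the paper fixes no encoding; hash the string to a scalar and
    multiply G by it. Not invertible, but enough to compare decrypted points."""
    return mul(int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % N, G)

def sign_up(password, mode):
    """Server side. 'pubkey': store G, ns, Psw = Ps - Pw. 'generator': store Gw = G - Pw, ns, Ps."""
    ns = secrets.randbelow(N - 1) + 1                 # account private key
    Ps, Pw = mul(ns, G), encode(password)
    if mode == "pubkey":
        return {"mode": mode, "ns": ns, "gen": G, "pub": sub(Ps, Pw)}
    return {"mode": mode, "ns": ns, "gen": sub(G, Pw), "pub": Ps}

def encrypt_login(gen_recv, pub_recv, mode, password, message):
    """Client side: reverse the shift with the typed password, then CM = {rG, PM + rPs}."""
    Pw = encode(password)
    if mode == "pubkey":
        gen, pub = gen_recv, add(pub_recv, Pw)        # Ps = Psw + Pw
    else:
        gen, pub = add(gen_recv, Pw), pub_recv        # G = Gw + Pw
    r = secrets.randbelow(N - 1) + 1
    return (mul(r, gen), add(encode(message), mul(r, pub)))

def decrypt(ns, CM):
    """PM = (PM + rPs) - ns * rG."""
    return sub(CM[1], mul(ns, CM[0]))

def honest_login(record, password, message):
    CM = encrypt_login(record["gen"], record["pub"], record["mode"], password, message)
    return decrypt(record["ns"], CM) == encode(message)

def mitm_login(mode, password, message):
    """Key spoofing: the attacker substitutes his own (G, ns_hack*G). Lacking the
    password he cannot apply the shift, so he recovers PM + r*Pw (pubkey mode) or
    PM - ns_hack*r*Pw (generator mode) rather than PM."""
    ns_hack = secrets.randbelow(N - 1) + 1
    CM = encrypt_login(G, mul(ns_hack, G), mode, password, message)
    return decrypt(ns_hack, CM) == encode(message)
```

A wrong password at login fails in the same way as the spoofing attempt, since the reverse shift then lands on a point unrelated to the stored key.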

FORGOT PASSWORD AND UPDATE PASSWORD IMPLEMENTATION
When a user forgets his password and creates a new one, the same procedure as discussed in section 4 takes place. The existing values Psw or Gw are cleared from the database and the newly computed values are written to the user record.
Most online applications require their users to change their passwords once a month to protect them from brute force attacks. In that case too, the existing values are replaced with the newly computed values.

APPLICABILITY TO PASSWORD HASH
Today, most servers store their users' passwords only in hashed form and not in encrypted form. Hashed passwords prevent their compromise by internal adversaries, as hash functions are irreversible. The industry standard hash function SHA256 offers good security for passwords stored in a database. SHA512 and higher bit hash functions can also be used to hash passwords for accounts that store very large crypto assets and perform high value transactions.
The User Specific Key scheme can also be implemented with hashed passwords. In this case, the public key or the generator of the user is shifted either backward or forward by a difference of the password hash, as below:

Backward shifting of public key: Psw-hash = Ps - Pw-hash
Forward shifting of public key: Psw-hash = Ps + Pw-hash

When a user tries to log in to his account, the server retrieves the shifted public key Psw-hash of the account and passes it to the user. The user runs the same hash function on his password and computes the actual public key as Ps = Psw-hash + Pw-hash for backward shifting and Ps = Psw-hash - Pw-hash for forward shifting.
If the hash length is greater than the ECC key length, the password hash may be truncated to N bits before computing the shifted public key or generator, where N is the ECC key length, and the user performs the same truncation on his hash.

TECHNICAL IMPLEMENTATION
On the server side, computation of the public key, private key, shifted public key or shifted generator, and decryption can be implemented in any standard server-side programming language such as Java, Python, Scala, C++ or C#. Alternatively, any standard cryptography library can be used.
On the client side, computation of the actual public key of the user account and encryption can be implemented in any standard browser-side scripting language such as JavaScript. Alternatively, any standard JavaScript cryptography library can be used.
With the User Specific ECC scheme, authentication takes two steps: in the first step the user submits his user id to the server and receives his shifted public key and generator (or his public key and shifted generator), and in the second step he encrypts his password and submits it to the server. This can be achieved with a single button click and no page refresh using AJAX (Asynchronous JavaScript and XML) programming.
The User Specific ECC scheme can be wrapped as an additional layer under the standard SSL/TLS layer applied to all secure communications on the web. In this implementation, the user's password or its hash, encrypted with his specific public key, is in turn encrypted with the SSL/TLS public key of the server, which is common to all users. On the server side, the SSL/TLS ciphertext is decrypted first, followed by the user-specific decryption with the account-specific private key held on the server.

PERFORMANCE ANALYSIS
At the time of registration, the User Specific Key Scheme computes a key pair for the user. This is a one-time computation. Thereafter, during every login the server and the user need only add or subtract the shift from the public key or generator, which adds a negligible computational overhead.
When encryption or decryption is performed, the ECC algorithm performs many point additions over the selected elliptic curve, the number depending on the key size. One more addition or subtraction of the shifted key or generator causes negligible computational overhead, while at the same time defeating MITM attacks.

ADVANTAGES OF THE KEY SCHEME
The User Specific Key scheme defeats MITM attacks through key spoofing, as each user has a specific key assigned to his account on the server. The user-specific public and private keys are stored on the server side, and the user is not required to store or remember any of these keys. At the time of login, what the user receives from the server is his public key and generator, one of which is shifted backward or forward by a difference of his password or password hash. As the actual public key or generator is computed using the password the user enters in his login form, the MITM attacker fails to decrypt the password ciphertext even though he intercepts and replaces the key parameters sent from the server.
If a user's registration completed without any MITM attack, the MITM attacker will never be able to compromise his account. Most banks provide mobile apps to enable their customers to perform transactions. These apps do not provide any public and private key pair to their customers. Similarly, customers performing online banking transactions through the banks' websites do not possess personal keys for transaction security. Even if banks and cryptocurrency exchanges provided public and private keys to their account holders, this would not stop the MITM attacker from reading the original plaintext information signed with the user's private key, and the attacker could steal any confidential information in the message. This is because the user encrypts the message with the attacker's public key, for which the attacker already possesses the matching private key.
The User Specific Key scheme individually fortifies the security of each user account. Even if an attacker compromises a particular user's password by a brute force attack, all the remaining accounts are still secure. The attacker needs to compromise each account individually, which is practically infeasible. On the other hand, if an attacker is able to spoof the SSL/TLS public key, or to compute the private key from the public key through an extensive computing effort, he can compromise all user accounts held on the server.

COMPARISON WITH OTHER AUTHENTICATION SCHEMES
The following table shows the effectiveness of different authentication methods, including the User Specific Key Scheme, in defending user accounts against MITM attacks.

CONCLUSION
The man-in-the-middle (MITM) attack is a very serious attack that has been causing huge financial losses to cryptocurrency buyers, traders and exchanges. Usually, hackers launch MITM attacks to target account passwords, which they then use to steal crypto coins from accounts on the exchange server. MITM attacks have been successful despite the implementation of the SSL/TLS protocol over online communications.
A user specific ECC key scheme is proposed that defeats MITM attacks through key spoofing. The proposed scheme creates a separate public and private key pair for each account holder at the time of sign-up. The public key or the generator of the user is shifted on the elliptic curve backward or forward by a difference of the user's password or its hash. At the time of login, the server passes the shifted parameter to the user, who reverse shifts it to its original value by adding or subtracting his password point on the elliptic curve before encryption. The additional password parameter involved in the encryption foils MITM attacks.
The key generation process, public key or generator shifting, encryption and decryption are explained in detailed steps, and it is shown how the encryption thwarts MITM attacks, thereby saving individuals and financial organizations from heavy losses.
The proposed scheme works with plain, encrypted and hashed passwords stored in the database. It also offers the additional advantage of individual security for each user account. Even if the attacker compromises one particular account, all other accounts remain intact, which is not the case with the general SSL/TLS encryption protocol implemented on the server.
A recommendation for future work is that security product developers conduct a proof of concept of the proposed scheme and test it with ethical MITM attacks that spoof the public key.