
International Journal of Cryptography and Security

ISSN: 2249-7013 & E-ISSN: 2249-7021, Volume 2, Issue 1, 2012, pp.-27-31.


Available online at http://www.bioinfo.in/contents.php?id=115

GRAPHICAL PASSWORD AUTHENTICATION SYSTEM IN AN IMPLICIT MANNER

SUCHITA SAWLA*, ASHVINI FULKAR, ZUBIN KHAN AND SARANG SOLANKI


Department of Computer Science, Jawaharlal Darda Institute of Engineering & Technology, Yavatmal, MS, India.
*Corresponding Author: Email- [email protected]

Received: February 21, 2012; Accepted: March 15, 2012

Abstract- Authentication is the process by which a system verifies the identity of a user. It is distinct from authorization, the decision about what an authenticated user may access, which normally follows it. Password authentication faces a well-known tension: users tend to pick passwords that are easy to guess, while a password that is hard to guess is often hard to remember. To address this problem some researchers have developed authentication methods that use pictures as passwords, known as graphical passwords. We classify these techniques into two categories, recognition-based and recall-based approaches, and discuss the strengths and limitations of each. We then propose a new authentication technique: a variation of the login/password scheme in which graphical passwords are used in an implicit manner. The proposed Graphical Password Authentication System in an Implicit Manner is designed to resist the common attacks suffered by other authentication schemes, in particular shoulder surfing and screen capture.
Keywords- Authentication, Graphical Password.

Citation: Suchita Sawla, et al. (2012) Graphical password authentication system in an implicit manner. International Journal of Cryptography and Security, ISSN: 2249-7013 & E-ISSN: 2249-7021, Volume 2, Issue 1, pp. 27-31.

Copyright: Copyright©2012 Suchita Sawla, et al. This is an open-access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.

Introduction

Authentication is the act of showing that a resource belongs to, or may be used by, its claimed owner only. Various authentication schemes are available today, but how many of them are truly secure? To answer this we first go through the background of graphical passwords. Graphical password schemes are a possible alternative to text-based schemes, motivated partly by the fact that humans remember pictures better than text [10]. Pictures are generally easier to remember or recognize than text. In addition, if the number of possible pictures is sufficiently large, the password space can exceed that of text-based schemes and thus offer better resistance to dictionary attacks. Because of these advantages, there is growing interest in graphical passwords.

Authentication is a process by which a system verifies the identity of a user. It is the process of determining whether a particular individual or device should be allowed to access a system, an application, or merely an object running on a device [15]. Adequate authentication is the first line of defense for protecting any resource. Authentication is often conflated with authorization; strictly, the system first authenticates the user and then authorizes, that is, decides what the authenticated user may do. The same authentication technique need not be used in every scenario: a less sophisticated approach may be acceptable for accessing a chat server than for accessing a corporate database [15]. Most existing authentication schemes require processing at both the client and the server end, so the acceptability of any scheme depends greatly on its robustness against attacks as well as on its resource requirements at both ends. Here the mobile banking domain is specifically targeted and a new authentication scheme is proposed.

In this paper we survey the existing graphical password techniques and discuss the strengths and limitations of each. The rest of the paper is organized as follows: Section 2 describes various graphical password techniques; Section 3 deals with the broader classes of authentication schemes; Section 4 presents the proposed Graphical Password Authentication System in an Implicit Manner along with its strengths and weaknesses compared with existing schemes; Section 5 concludes and gives future directions.


Various Graphical Password Techniques

In general, graphical password techniques can be classified into two categories: recognition-based and recall-based techniques [10].

Recognition Based System

In recognition-based techniques, a user is presented with a set of images and passes authentication by recognizing and identifying the images he or she selected during the registration stage. Many graphical password schemes have been designed using recognition-based techniques; we introduce two typical ones. The first is PassFaces, developed by Real User Corporation [10]. The user is asked to choose four or more images of human faces from a face database as their password. In the authentication stage, the user sees a grid of nine faces, consisting of one face previously chosen by the user and eight decoy faces (Figure 1). The user recognizes and clicks anywhere on the known face. This procedure is repeated for several rounds, and the user is authenticated if he or she correctly identifies all four faces. The technique rests on the assumption that people recall human faces more easily than other pictures.

Fig. 1- An example of Passfaces

A survey also concluded that users' face selection is affected by race and gender, which makes Passfaces passwords somewhat predictable.

Another recognition-based scheme is Pass-Objects, developed by Sobrado and Birget [6]. During registration the user selects a number of pass-objects from among many other objects. To authenticate, the program shows a variety of similar objects on the screen, and the user is asked to click inside the area formed by the selected objects. For instance, if the user chose three pass-objects, those three objects form a triangle when displayed, and the user clicks inside this invisible triangle. The system then asks for the same action again, with the icons at different positions on the screen. Figure 2 is an example of this method. Sobrado and Birget suggested using 1000 icons and ten rounds, which yields about 2.6 × 10^23 possible pass-object combinations, more than a 15-character alphanumeric password in common use today.

Fig. 2- An example of Pass-Objects

In recognition-based systems generally, a group of images is displayed to the user and a successful authentication requires the correct images to be clicked or touched, in a particular order. Some further examples are given below.

Awase-E [7] is an image password system that enables users to use their favorite images instead of a text password. Although Awase-E has high usability, it cannot tolerate replay attacks. In addition, a user tends to choose a well-known image, or one associated with the user through some relation (a son, a wife, a place visited, and so on), which may be prone to guessing attacks. Weinshall and Kirkpatrick [14] studied a recognition-based scheme and concluded that users can still remember their graphical password with 90% accuracy even after one or two months; their study supports the theory that humans remember images better than text.

Although a recognition-based graphical password seems easy to remember, which increases usability, it is not completely secure. Recognition-based systems are vulnerable to replay attacks and mouse tracking because a fixed image serves as the password. These drawbacks are taken into account in the proposed system, which also addresses the problems of recall-based schemes.

Recall-based System

In recall-based systems, the user is asked to reproduce something that he or she created or selected earlier, during the registration phase. Recall-based schemes can be broadly classified into two groups: pure recall-based techniques and cued recall-based techniques.

Pure Recall-based Techniques

In this group, users must reproduce their passwords without any help or reminder from the system. The Draw-A-Secret technique [8], Grid Selection [3], and Passdoodle [5] are common examples of pure recall-based techniques.

In the DAS (Draw-A-Secret) scheme the password is a shape drawn on a two-dimensional grid of size G × G, as in Figure 3. Each cell in this grid is identified by distinct rectangular coordinates (x, y). The cells touched by the drawing are stored in the temporal order in which they were crossed. If a login drawing crosses exactly the same cells in the same registered sequence, the user is authenticated. As with other pure recall-based techniques, DAS has many drawbacks. In 2002, a survey concluded that most users forget their stroke order and can remember text passwords more easily than DAS drawings. Also, the passwords users choose are vulnerable to graphical dictionary attacks and replay attacks.

Fig. 3- Example of DAS

In 2004, the Grid Selection technique was proposed by Thorpe and van Oorschot [3] to enlarge the password space of DAS. In Grid Selection the selection grid is large at the beginning: a fine-grained grid from which the person selects a drawing grid, a rectangular area to zoom in on, in which they may enter their


password, as shown in Figure 4. This technique increases the password space of DAS and thereby its security level. It only enlarges the password space, however, and still carries over the other weaknesses of DAS.
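The DAS encoding described above, as an added example that is not code from the paper: a drawing is reduced to the ordered sequence of G × G grid cells the pen crosses, with a pen-up marker between strokes, and login succeeds only on an exact match of that sequence. The canvas size, grid size and stroke samples are constructed for the illustration; the example assumes samples are dense enough that consecutive points fall in the same or an adjacent cell. It also shows the failure mode the survey reports: the same shape drawn with the strokes in a different order is a different password.

```python
"""Draw-A-Secret (DAS) encoding: added illustration, not code from the paper.

A drawing is a list of strokes; each stroke is a list of (x, y) pixel samples
on a square canvas. The secret is the sequence of G x G grid cells the pen
passes through, in temporal order, with a pen-up marker between strokes.
Samples are assumed dense enough that consecutive points fall in the same
or an adjacent cell (a constructed assumption of this example)."""

PEN_UP = (-1, -1)  # separates strokes in the stored secret


def to_cell(x, y, canvas, g):
    """Map a pixel to its cell (column, row) on a G x G grid over the canvas."""
    size = canvas / g
    col = min(int(x // size), g - 1)
    row = min(int(y // size), g - 1)
    return (col, row)


def encode_stroke(points, canvas, g):
    """Cells crossed by one stroke, collapsing consecutive samples in one cell."""
    seq = []
    for x, y in points:
        c = to_cell(x, y, canvas, g)
        if not seq or seq[-1] != c:
            seq.append(c)
    return seq


def encode_secret(strokes, canvas=500, g=5):
    """Full DAS secret: cell sequence of every stroke, each followed by PEN_UP."""
    secret = []
    for stroke in strokes:
        secret.extend(encode_stroke(stroke, canvas, g))
        secret.append(PEN_UP)
    return tuple(secret)


def das_verify(registered, attempt, canvas=500, g=5):
    """Exact match of the encoded cell sequence, as DAS requires: the same
    shape drawn with the strokes in a different order does not match."""
    return encode_secret(attempt, canvas, g) == registered


if __name__ == "__main__":
    # Constructed "L" shape: a horizontal stroke, then a vertical one.
    horizontal = [(50, 50), (150, 50), (250, 50)]
    vertical = [(50, 50), (50, 150), (50, 250)]
    registered = encode_secret([horizontal, vertical])
    print(registered)
    # Same cells, slightly different pixels: accepted.
    print(das_verify(registered, [[(60, 40), (140, 60), (260, 55)],
                                  [(40, 60), (55, 160), (45, 240)]]))
    # Same shape, strokes in the other order: rejected.
    print(das_verify(registered, [vertical, horizontal]))
```

Only cells and their order are compared, so small hand jitter within a cell is tolerated, but a stroke that clips a neighbouring cell, or a different stroke order, yields a different secret; this is the usability problem the 2002 survey reports.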

Fig. 4- Example of Grid Selection Model

Passdoodle is a graphical password consisting of a handwritten drawing or text, normally sketched with a stylus on a touch-sensitive screen, as shown in Figure 5. Goldberg et al. have shown that users were able to recognize a complete doodle password as accurately as text-based passwords. Unfortunately, the Passdoodle scheme has many drawbacks. Users were fascinated by other users' doodles and often entered other users' passwords merely because they were different from their own. It was concluded that the Passdoodle scheme is vulnerable to several attacks such as guessing, spyware, key-logging, and shoulder surfing.

Fig. 5- Example of Passdoodle

Cued Recall-based Techniques

In this technique, the system gives hints that help users reproduce their passwords with high accuracy. The hints are presented as hot spots (regions) within an image. The user chooses some of these regions to register as their password and must choose the same regions, in the same order, to log in. The user must remember the chosen click spots and keep them secret. There are many implementations, such as the Blonder scheme [1] and the PassPoint scheme [6].

In 1996, Blonder designed a method in which a predetermined image is shown to the user on a visual display and the user must click on some predefined positions on the image in a particular order to be authenticated, as in Figure 6. This method was later modified and presented as PassPoint.

Fig. 6- Example of Blonder Scheme

In 2005, the PassPoint scheme was created to be similar to Blonder's scheme while overcoming some of its main limitations. In PassPoint, the image can be an arbitrary photograph or painting with many clickable regions, as shown in Figure 7. This increases the password space of the scheme, which in turn increases its security level. Another difference is that there is no predefined click area with clear boundaries as in the Blonder scheme: the user's password can be any chosen sequence of points in the image, which increases the usability of the scheme.

Fig. 7- Example of PassPoint System

Five or six click points on an image can produce more passwords than 8-character text-based passwords over a standard 26-character alphabet. For security, the PassPoint system stores the image password in hashed form in the password file. To be authenticated, the user has to click close to the selected points, within some tolerance distance of each pass point. Because a hash cannot be compared "within a tolerance", the clicked coordinates must first be discretized into a fixed grid cell before hashing, so that every click within the tolerance maps to the same hashed value; robust discretization [1] is one such method.

Various Authentication Schemes

Current authentication methods can be divided into three main areas:
• Token based authentication
• Biometric based authentication
• Knowledge based authentication

Token-based techniques, such as key cards, bank cards and smart cards, are widely used. Many token-based authentication systems also use knowledge-based techniques to enhance security; for example, ATM cards are generally used together with a PIN.

Biometric-based authentication techniques, such as fingerprints, iris scans, or facial recognition, are not yet widely adopted. The major drawback of this approach is that such systems can be expensive, and the identification process can be slow and often unreliable. However, this type of technique is generally regarded as providing the highest level of security.

Knowledge-based techniques are the most widely used authentication techniques and include both text-based and picture-based passwords. The picture-based techniques can be further divided into two categories, recognition-based and recall-based graphical techniques. In recognition-based techniques, a user is presented with a set of images and passes authentication by recognizing and identifying the images he or she selected during the registration stage. In recall-based techniques, a user is asked to reproduce something that he or she created or selected during the registration stage.

Problems Faced by These Techniques

Traditional alphanumeric passwords are always vulnerable to guessing and dictionary attacks. Newer systems that use an on-screen graphical keyboard to defeat key loggers may themselves be defeated if the attacker uses a screen capture mechanism rather than a key logger: an attacker may use a screen capture program to record a short video clip and send it to a remote server. So, as an alternative, a token-based authentication method may be used either stand-alone or in addition to the traditional alphanumeric password.

Although the image-based authentication systems reviewed in this


paper address most of these threats, they still suffer from the following attacks: replay, shoulder surfing, and screen recording. One may argue that replay attacks can be prevented using encryption and tamper-proof timestamps, and that physical shoulder surfing is noticeable to the user because it is invasive. However, given the availability of high bandwidth to mobile devices and light-weight, efficient video codecs, a rogue program may still capture the screen and publish the recording remotely. Since all the image-based password schemes known to us use static passwords, the recorded video may be replayed and, with some human interaction, the user's password may be recovered.

Graphical Password Authentication System In An Implicit Manner

The proposed Graphical Password Authentication System in an Implicit Manner is similar to the PassPoint scheme with some finer differences. In every "what you know" authentication scheme, the server asks the user to reproduce a fact given to the server at the time of registration. Here the password is considered a piece of information known to the server from registration, and at the time of authentication the user conveys this information in an implicit form that can be understood only by the server. It is explained through a mobile banking example.

Mobile Banking Framework

Mobile banking is considered as an example; the scheme may, however, be implemented in any client-server environment where a human has to be authenticated as the client (it will not work for machine-to-machine authentication). It is also assumed that the server has enough hardware resources, such as RAM and CPU. The bank may have a database of 100 to 200 standard questions. At registration, a user picks 10-20 questions from the database (the number depends on the level of security required in the system) and provides answers to the selected questions. For example, the user may choose the following questions:
1. What is your favorite subject?
2. What is the color of your eyes?
3. What is your place of birth?

For each question, the server creates an authentication space using images, in which the answers to that question given by various users are implicitly embedded. At authentication time, the server randomly picks one or more of the questions the user selected at registration (the number of questions depends on the level of service requested). For each chosen question, the server randomly chooses an image from the authentication space and presents it to the user as a challenge. Along with the image for the correct answer, images for incorrect answers are also shown. Using a stylus or the mouse, the user navigates the display and clicks the right answer. For example, the server may present images that answer other questions along with the image representing the correct answer, and the user has to correlate them with Question 2: if blue is the color of the user's eyes, the user clicks on the relevant image, as shown in Figure 8. The other images may be answers to other questions, but no answer is shown directly; each is represented by an image in an implicit way. Here an image of a zebra crossing may represent the answer "zebra", images of vegetables might represent the vegetarian food the user likes, an image of milk may represent the color white, and so on. The answer is thus provided indirectly, that is, implicitly. The next time the server chooses the same question, the same scenario need not be presented: the server may instead show a set of images in which the correct answer is represented by a blue ink pen, and the user clicks on the blue ink pen, correlating it with the answer "blue", to implicitly convey the answer. Since the server uses a different scenario every time and the answers are given implicitly, the proposed system is intended to be immune to screen capture attacks. Also, to anyone except the server and the legitimate user, the answers look fuzzy: if the user clicks "blue ink pen", it may mean "the type of writing tool the user likes most", or represent his "favorite color", and so on.

Fig. 8-Example of the system

In summary, the bank holds a set of 100 to 200 questions. Every user selects a set of 10 to 20 questions at registration and provides individual answers. For each question, the system then either creates an authentication space (the space of images that implicitly represent answers to the question) if none exists yet, or adds the new user's answer to the existing authentication space. Once the authentication space is created, the system is ready to authenticate a user.

First, a user requests access to the system by presenting a user name and the level of access required; this may be sent as plain text. Depending on the level of access required, the system chooses one or more of the questions registered by the user. For each question, the server chooses random images from the authentication space, among them one representing the correct answer and several representing incorrect ones. It is up to the user to correlate the images shown on the screen with the question.

Strength

The scheme resists shoulder surfing and screen-dump attacks: an observer sees which image was clicked in one scenario, but the same answer is represented by a different image in the next challenge. The authentication information is presented to the user in an implicit form that can be understood and decoded only by the legitimate end user. Traditional password-based authentication schemes and PassPoint are special cases. The strength of the system depends greatly on how effectively the authentication information is embedded implicitly in the images: it should be easy to decode for a legitimate user and highly fuzzy for anyone else. An observer who records several sessions for the same question can intersect the possible meanings of the clicked images, so the authentication space must be large enough, and its images ambiguous enough, that this intersection does not converge quickly.

Conclusion

Although it is often argued that people are better at memorizing graphical passwords than text-based passwords, the existing user studies are very limited and there is not yet convincing evidence to support this argument.


Our preliminary analysis suggests that it is more difficult to break graphical passwords using traditional attack methods such as brute-force search, dictionary attacks, or spyware.

The proposed Graphical Password Authentication System in an Implicit Manner presents the authentication information to the user implicitly. If the user clicks the same grid of interest that the server expects, the user is implicitly authenticated. No password information is exchanged between the client and the server: the client sends only the position of a click, whose meaning depends on the challenge. Since the authentication information is conveyed implicitly, the scheme can tolerate shoulder surfing and screen-dump attacks, which none of the other schemes reviewed in this paper can tolerate. Its strength lies in creating a good authentication space with a sufficiently large collection of images to avoid short repeating cycles. Compared to the other methods reviewed in this paper, it requires human interaction and careful selection of images and click regions, and it may also need user training.
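The challenge-response flow of the Mobile Banking Framework, summarized in the conclusion above, as an added example that is not code from the paper (the paper specifies no data model or API). The questions, answers and image labels are constructed sample data; an authentication space is modelled as a map from an answer to the images that implicitly represent it, and an image may represent several answers, which is what makes a recorded click ambiguous to an onlooker. The example also shows the single-use challenge that defeats a replayed response, and, in `infer_answer`, what an observer who records several sessions of the same question can still learn by intersecting the meanings of the clicked images.

```python
"""Challenge-response flow of the implicit scheme: an added illustration,
not code from the paper. Questions, answers and the image labels below are
constructed sample data; the paper does not specify a data model."""
import secrets

# Authentication space: answer -> image labels that implicitly represent it.
# An image may stand for several answers; that ambiguity is what hides the
# answer from an onlooker ("blue ink pen" can mean the colour or the tool).
AUTH_SPACE = {
    "blue": ["blue ink pen", "clear sky", "blueberries"],
    "white": ["glass of milk", "snowman", "sheet of paper"],
    "zebra": ["zebra crossing", "striped socks"],
    "vegetarian": ["basket of vegetables", "lettuce leaf"],
    "pen": ["blue ink pen", "fountain pen"],
    "computers": ["keyboard", "laptop"],
}


def image_meanings(space):
    """Invert the space: image label -> set of answers it can represent."""
    meanings = {}
    for answer, images in space.items():
        for img in images:
            meanings.setdefault(img, set()).add(answer)
    return meanings


class ImplicitAuthServer:
    def __init__(self, space, rng=None):
        self.space = space
        self.meanings = image_meanings(space)
        self.rng = rng or secrets.SystemRandom()
        self.users = {}    # user -> {question_id: answer}
        self.pending = {}  # challenge id -> (user, correct image)

    def register(self, user, answers):
        # Unlike a hashed text password, the server must keep the answers
        # themselves: it needs them to pick the correct image each time.
        for answer in answers.values():
            if answer not in self.space:
                raise ValueError(f"no image represents {answer!r}")
        self.users[user] = dict(answers)

    def challenge(self, user, question_id, n_images=4):
        """Fresh scenario: one random image for the answer plus decoys that
        cannot be read as that answer, so exactly one click is right."""
        answer = self.users[user][question_id]
        correct = self.rng.choice(self.space[answer])
        decoys = [img for img, m in self.meanings.items() if answer not in m]
        shown = self.rng.sample(decoys, n_images - 1) + [correct]
        self.rng.shuffle(shown)
        cid = secrets.token_hex(8)
        self.pending[cid] = (user, correct)
        return cid, shown

    def respond(self, cid, user, clicked):
        """Single-use check: a replayed response fails, and the next challenge
        for the same question normally shows a different correct image."""
        owner, correct = self.pending.pop(cid, (None, None))
        return owner == user and clicked == correct


def infer_answer(clicked_images, meanings):
    """What an observer who recorded several sessions of one question learns:
    the answer must be a meaning shared by every clicked image. This is why
    the authentication space must be large and its images ambiguous."""
    candidates = None
    for img in clicked_images:
        m = meanings.get(img, set())
        candidates = set(m) if candidates is None else candidates & m
    return candidates or set()


if __name__ == "__main__":
    server = ImplicitAuthServer(AUTH_SPACE)
    server.register("alice", {1: "computers", 2: "blue", 3: "vegetarian"})
    cid, shown = server.challenge("alice", 2)      # "colour of your eyes?"
    print("shown:", shown)
    right = next(i for i in shown if "blue" in server.meanings[i])
    print("first response:", server.respond(cid, "alice", right))
    print("replayed response:", server.respond(cid, "alice", right))
    print("observer after one session:", infer_answer([right], server.meanings))
```

The server must hold the registered answers in recoverable form, since it has to choose the correct image for every fresh challenge; that is a real difference from a hashed text password and argues for protecting the answer store at least as carefully as the image space.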

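PassPoint, which the Strength section treats as a special case of the proposed scheme, and the grid-of-interest click in the conclusion both have to match a click against a stored value within a tolerance, and PassPoint keeps that value only as a hash. The following is an added example, not code from the paper or from the PassPoint implementation: robust discretization in the style of [1], applied here independently per axis (three grids of cell width 6r offset by 0, 2r and 4r, so that every coordinate is at least r from a cell edge in at least one grid), with the cell sequence hashed under a salted PBKDF2. The image size, tolerance r and click points are constructed; the iteration count is an assumption.

```python
"""Tolerance-based click-point verification against a hash (added example,
not code from the paper or the PassPoint implementation).

Robust discretization as in [1], applied here per axis: three grids of cell
width 6r, offset by 0, 2r and 4r. For every coordinate at least one grid has
it at least r away from a cell edge, so every login click within r (per axis)
of the enrolled point lands in the same cell. Only the cell indices are
hashed; the chosen grid numbers are stored in the clear, as in [1].
Image size, tolerance and click points below are constructed sample data."""
import hashlib
import hmac
import math
import secrets

GRIDS = 3
PBKDF2_ITERATIONS = 100_000  # assumption: tuned for a server, not a phone


def cell_index(coord, k, r):
    """Index of the width-6r cell of grid k (edges at 6r*i + 2r*k) holding coord."""
    return (coord - 2 * r * k) // (6 * r)


def safe_grid(coord, r):
    """Grid in which coord is at least r from both edges of its cell.
    The three grids' edges, taken together, are 2r apart and each edge belongs
    to one grid, so a coordinate within r of some edge is more than r from the
    edges of the other two grids; a safe grid therefore always exists."""
    for k in range(GRIDS):
        offset_in_cell = (coord - 2 * r * k) % (6 * r)
        if r <= offset_in_cell <= 5 * r:
            return k
    raise AssertionError("no safe grid; cannot happen for integer coordinates")


def _cells(points, grids, r):
    return [(cell_index(x, kx, r), cell_index(y, ky, r))
            for (x, y), (kx, ky) in zip(points, grids)]


def _digest(cells, salt):
    msg = ",".join(f"{cx}:{cy}" for cx, cy in cells).encode()
    return hashlib.pbkdf2_hmac("sha256", msg, salt, PBKDF2_ITERATIONS)


def enroll(points, r, salt=None):
    """Registration: pick a safe grid per axis for every click, hash the cells."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    grids = [(safe_grid(x, r), safe_grid(y, r)) for x, y in points]
    return {"r": r, "salt": salt, "grids": grids,
            "hash": _digest(_cells(points, grids, r), salt)}


def verify(record, clicks):
    """Login: the clicks must fall, in order, in the enrolled cells."""
    if len(clicks) != len(record["grids"]):
        return False
    cells = _cells(clicks, record["grids"], record["r"])
    return hmac.compare_digest(_digest(cells, record["salt"]), record["hash"])


def password_space(width, height, r, n_points):
    """Distinguishable cell sequences for n clicks (the paper's size claim)."""
    cells_per_grid = math.ceil(width / (6 * r)) * math.ceil(height / (6 * r))
    return cells_per_grid ** n_points


if __name__ == "__main__":
    pts = [(120, 80), (300, 210), (45, 400), (510, 33), (250, 250)]  # constructed
    rec = enroll(pts, r=10)
    print(verify(rec, [(x + 10, y - 10) for x, y in pts]))  # within tolerance
    print(verify(rec, [(x + 61, y) for x, y in pts]))       # outside: new cell
    print(verify(rec, list(reversed(pts))))                 # order matters
    print(password_space(800, 600, 5, 5) > 26 ** 8)          # five clicks vs 8 chars
```

The stored grid numbers reveal roughly where inside a cell each enrolled point lies, so the effective password space is the cell count per grid, as `password_space` computes, not the raw pixel count; with a 5-pixel tolerance on an 800 × 600 image, five clicks still exceed the 26^8 space of an 8-letter password.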
References
[1] Birget J.C., Dawei H., et al. (2006) IEEE Transactions on Information Forensics and Security, 1(3), 395-399.
[2] Dirik A.E., Memon N., et al. (2007) 3rd Symposium on Usable Privacy and Security.
[3] Haichang G., Xiyang L., et al. (2009) Fourth International Conference on Graphical Passwords.
[4] Lashkari A.H., Towhidi F., et al. (2009) ICCEE '09, Second International Conference.
[5] Masrom M., Towhidi F., et al. (2009) AICT 2009, International Conference.
[6] Pierce J.D., Wells J.G., Warren M.J. and Mackay D.R. (2003) 1st Australian Information Security Management Conference.
[7] Renaud K. (2009) J. Vis. Lang. Comput., 20(1), 1-15.
[8] Wiedenbeck S., Waters J., Birget J.C., Brodskiy A. and Memon N. (2005) Symposium on Usable Privacy and Security (SOUPS), 6-8.
[9] Wiedenbeck S., Waters J., Birget J.C., Brodskiy A. and Memon N. (2005) International Journal of Human-Computer Studies (Special Issue on HCI Research in Privacy and Security), 63, 102-127.
[10] Sabzevar A.P. and Stavrou A. (2008) IEEE International Conference on Signal Image Technology and Internet Based Systems (SITIS).
[11] Takada T. and Koike H. (2003) Human-Computer Interaction with Mobile Devices and Services, LNCS 2795, 347-351.
[12] Wei-Chi K. and Maw-Jinn T. (2005) Local Computer Networks.
[13] Wells J., Hutchinson D. and Pierce J. Enhanced Security for Preventing Man-in-the-Middle Attacks in Authentication, Information Security Management Conference.
[14] Xiaoyuan S., Ying Z., et al. (2005) Computer Security Applications Conference.
[15] Almuairfi S., Veeraraghavan P. and Chilamkurti N. (2011) Workshops of International Conference on Advanced Information Networking and Applications.
