
62.implicit Password Authentication

This document introduces the Implicit Password Authentication System (IPAS), which aims to provide an alternative to traditional login/password schemes that is immune to common attacks. IPAS uses images where answers to personal questions are implicitly embedded, and authenticates users by having them navigate images and select the correct answers. It can be implemented in client-server environments for authenticating human clients, with reasonable hardware requirements on the server side.

Uploaded by

Pradeep Teja
Copyright
© Attribution Non-Commercial (BY-NC)

Implicit Password Authentication System

Aim: Authentication is the first line of defense against compromising confidentiality and integrity. Though traditional login/password based schemes are easy to implement, they have been subjected to several attacks. As an alternative, token and biometric based authentication systems were introduced. However, they have not improved substantially to justify the investment. Thus, a variation on the login/password scheme, viz. the graphical scheme, was introduced. But it also suffered due to shoulder-surfing and screen dump attacks. In this paper, we introduce a framework for our proposed Implicit Password Authentication System (IPAS), which is immune to the common attacks suffered by other authentication schemes.

Existing System: Most of the existing authentication schemes require processing at both the client and the server end. Thus, the acceptability of any authentication scheme greatly depends on its robustness against attacks as well as its resource requirements at both the client and the server end. The resource requirement has become a major factor due to the proliferation of mobile and hand-held devices. Nowadays, with the use of mobile phones, users can access any information, including banking and corporate databases. In this paper, we specifically target the mobile banking domain and propose a new and intelligent authentication scheme. However, our proposal can also be used in other domains where confidentiality and integrity are the major security requirements.

Various Authentication schemes: There are several authentication schemes available in the literature. They can be broadly classified as follows:
- What you know
- What you have
- What you are

The traditional username/password or PIN based authentication scheme is an example of the "what you know" type. Smartcards or electronic tokens are examples of the "what you have" type of authentication, and finally biometric based authentication schemes are examples of the "what you are" type of authentication. Some authentication systems may use a combination of the above schemes.

Proposed System: Our proposed system (IPAS) may also be implemented in any client-server environment where we need to authenticate a human as a client (IPAS will not work in machine-to-machine authentication). We also assume that the server has enough hardware resources like RAM and CPU. This is not unrealistic, as high-end servers are becoming cheaper day by day. The bank may have a database of 100 to 200 standard questions. During the time of registration, a user should pick 10-20 questions from the database (depending upon the level of security required) and provide answers to the selected questions.

For example, the user may choose the following questions:
- The maker of your first car?
- The city you love to visit or visited?
- Date of birth?

For each question, the server may create an intelligent authentication space using images, where the answers to the particular question for various users are implicitly embedded into the images. During the time of authentication, the server may randomly pick one or more of the questions selected by the user at the time of registration (the number of questions depends on the level of service requested). For each chosen question, the server may choose an image randomly from the authentication space and present it to the user as a challenge. Using the stylus or the mouse, the user needs to navigate the image and click the right answer. For example, the server may present the user with the picture of the Globe. The user should correlate it to Question 2. If Sydney is the city the user loves to visit or has visited, he needs to click on Australia.
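The challenge and click-verification flow described above, as an added Python example that is not part of the original document. The image names, pixel boxes, user `alice` and all function names are constructed for illustration; sending only the image (not the question text) to the client is an assumption.

```python
import hmac
import math
import secrets

# Constructed authentication space: question id -> images. Each image lists
# clickable regions (label -> pixel box x1, y1, x2, y2) and which region
# implicitly embeds each registered answer (e.g. Sydney lies in Australia).
AUTH_SPACE = {
    "city": [{
        "image": "globe.png",
        "regions": {"Australia": (600, 300, 700, 380),
                    "Europe": (380, 80, 480, 160),
                    "Africa": (400, 200, 480, 320)},
        "embeds": {"sydney": "Australia", "paris": "Europe", "cairo": "Africa"},
    }],
    "car": [{
        "image": "street.png",
        "regions": {"Toyota": (40, 200, 180, 280),
                    "Ford": (220, 200, 360, 280)},
        "embeds": {"toyota": "Toyota", "ford": "Ford"},
    }],
}
REGISTERED = {"alice": {"city": "sydney", "car": "ford"}}  # constructed user
PENDING = {}  # challenge id -> (user, question, image); consumed on first use

def issue_challenge(user):
    """Pick a registered question and one of its images at random."""
    question = secrets.choice(sorted(REGISTERED[user]))
    image = secrets.choice(AUTH_SPACE[question])
    challenge_id = secrets.token_urlsafe(16)
    PENDING[challenge_id] = (user, question, image)
    return challenge_id, image["image"]  # assumption: only the image is sent

def verify_click(challenge_id, x, y):
    """Hit-test the click server-side against the region embedding the answer."""
    entry = PENDING.pop(challenge_id, None)  # single use: a replayed id fails
    if entry is None:
        return False
    user, question, image = entry
    clicked = next((label for label, (x1, y1, x2, y2) in image["regions"].items()
                    if x1 <= x <= x2 and y1 <= y <= y2), "")
    expected = image["embeds"][REGISTERED[user][question]]
    return hmac.compare_digest(clicked.encode(), expected.encode())

def blind_guess_rate(regions_per_round):
    """Chance that uniformly random region picks pass every round."""
    return 1.0 / math.prod(regions_per_round)
```

With three regions on the globe and two on the street image, a random clicker passes both rounds one time in six, which is why the number of questions per login has to scale with the level of service requested.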

SOFTWARE REQUIREMENTS:
Operating System : Windows 2000 Server family
Techniques : JDK 1.5
Front End : Servlets, JSP, HTML
Server : Tomcat 6.0

HARDWARE REQUIREMENTS:
Processor : Any processor above 500 MHz
RAM : 128Mb
