IJRIM Volume 2, Issue 4 (April 2012) (ISSN 2231-4334)
International Journal of Research in IT & Management 29 http://www.mairec.org

COMBINING CAPTCHA AND GRAPHICAL PASSWORDS FOR USER AUTHENTICATION

T. S. Ravi Kiran*
Y. Rama Krishna**

ABSTRACT

Text passwords have been widely used for user authentication; however, it is well known that text passwords are insecure for a variety of reasons. Graphical password schemes are believed to be more secure and more resilient to dictionary attacks than textual passwords, but more vulnerable to shoulder surfing attacks. Many recognition-based graphical password schemes, used alone, require a number of rounds of verification in order to offer sufficient security, which introduces usability issues. In this paper we suggest a hybrid user authentication approach combining CAPTCHA (Completely Automated Public Turing tests to tell Computers and Humans Apart) and graphical passwords to provide increased security.

Keywords: CAPTCHA, Graphical Passwords, User Authentication, Phishing, Security

*Lecturer, Department of Computer Science, P.G. Centre, P.B. Siddhartha College of Arts & Science, Vijayawada.
**Assistant Professor, KITE Women's College of Professional Engineering Sciences, Shabad, India.




INTRODUCTION

Authentication is at the heart of any secure system: a user has to be authenticated before he/she can take part in online transactions, enter a secured vault, open a safe or reach his/her email account [1]. If sensitive information or access is given to the wrong identity, the entire security of the system collapses. Generally, the most common and convenient authentication method is the traditional alphanumeric password. However, its inherent security and usability problems [2, 3] led to the development of graphical passwords as an alternative. To date there have been several graphical password schemes, such as [4, 5, 6, 7, 8]. They have overcome some drawbacks of traditional password schemes, but most current graphical password schemes remain vulnerable to spyware attacks. Most current graphical password schemes require users to enter the password directly, typically by clicking or drawing. Hence, passwords are easily exposed to a third party who has the opportunity to record a successful authentication session.

CAPTCHA (Completely Automated Public Turing tests to tell Computers and Humans Apart) is a program that generates and grades tests that are human solvable but beyond the capabilities of current computer programs [9]. CAPTCHA is now almost a standard security mechanism for addressing undesirable or malicious Internet bot programs, and major web sites such as Google, Yahoo and Microsoft all have their own CAPTCHAs.

The rest of the paper is organized as follows. Section 2 briefly reviews related work. Section 3 presents our scheme. Conclusions and future work are addressed in Section 4.

RELATED WORKS

There are many different ways a user can be authenticated by a system. This section looks at a number of different authentication systems to analyze their strengths and weaknesses.

Alphanumeric Passwords

An alphanumeric password is an authentication mechanism that utilizes letters (upper and lower case), numbers and some special characters such as exclamation marks and pound signs. A combination of these is used to form a string that the user enters into a computer to authenticate themselves. Passwords of this nature are generally held to follow two guidelines: they must be memorable, allowing the user to authenticate quickly and easily, and they must be secure [10]. Alphanumeric passwords rely on recall, which makes it much harder for a user to remember their password. This means that in general users will be inclined to create an easily remembered password, which again reduces the security of the system. This point is further highlighted by the need to regularly change passwords to effectively 'reset' any attempts to steal a user's password.

Biometrics

One alternative to the use of alphanumeric passwords is the use of biometrics. Biometrics is the utilization of uniquely and personally identifiable biological and physical information [11]. This authentication method does not rely on user password selection, so it does not fall foul of the failings described above. Also, as this mechanism makes use of the personal attributes of the user rather than a password, it is not possible to shoulder surf this technology. There are many biometric systems in place today, such as the use of fingerprints or voice recognition. Authentication takes place by comparing previously stored information against the information a user provides when they wish to authenticate. To many this may seem like the logical choice when it comes to replacing alphanumeric passwords with a far more secure system, but it too has flaws.

Graphical Passwords

Graphical passwords can be largely classified into three categories: recognition-based, cued-recall and recall-based. In recognition-based graphical passwords, users are required to recognize and then select a set of preselected images from a larger set. In cued-recall, the images cue the user, for example, to click a set of points on an image. In recall-based schemes, users are required to recall a password without any cues. A graphical password is the use of a picture, a part of a picture or several pictures together to authenticate a user. Graphical passwords have by and large been attributed to Blonder [12, 13]; his system required a user to click several points on an image, and the points were then compared with the stored version: either the user was authenticated, or the authentication failed and the user was rejected. Whilst alphanumeric passwords rely on a single stage, many graphical password systems require the user to pass a number of stages or challenges to authenticate. This raises an important issue relating to how long it takes to authenticate and how long a user feels is too long to authenticate.

PassFaces

This system was developed by Real User Corporation [14] and makes use of the human ability to recognize faces. To register with the system, the user selects four faces from a large bank of available choices. When a user wishes to authenticate, they are presented with an array of nine faces, arranged in three rows of three. One of the faces is part of the user's password while the other eight act as decoys. The user touches the face to select it and the system then displays the next set of faces. The challenges continue until the user has selected four faces; it is at this point that the user passes or fails authentication. There are a number of issues with this system; some relate to security and others relate to usability. The main usability concern, which is becoming more and more redundant as network speeds increase, is the time it could take to load the faces. This issue is particularly relevant when the authenticating server is based in a remote location, as is likely to be the case with public space interactions.

Draw-a-Secret

Unlike the PassFaces system, this is a recall-based authentication method. To log in using this method, the user must reproduce an image on a grid displayed on the screen. The system registers pen-down and pen-up events and the order in which the parts of the grid are touched between those events, which the authors refer to as a stroke [15]. The 'password' stored by the system is not the drawing itself but the record of strokes the user has performed. Because the system records a representation of the drawing rather than the exact drawing, it is possible to reproduce the image inexactly and still be authenticated.

PassPoints

This system is a direct descendant of Blonder's system: the user has to touch several points on the screen in order to gain access to the system. As with Draw-a-Secret, a background image is used to help the user remember the location of their points. This again is a recall-based method of authentication, with the twist that the image acts as a cue to assist with the task of recollection [16]. This system effectively falls between a pure recognition-based and a pure recall-based system. To register with the system, the user must select an image they wish to use and then select the points they wish to authenticate with. This again raises the issue of allowing user selection, as it has been shown that here too users are inclined to choose images that they associate with. The other major issue is that the image must be neither too cluttered nor too sparse.

PROPOSED SCHEME

The proposed scheme is a combination of CAPTCHA and a recognition-based graphical password, which is less susceptible to phishing attacks. The password can be created during user registration or after registration, and can be changed at any time after creation. A graphical password policy is defined by displaying an interface which contains random text CAPTCHAs and images. Figure 1 illustrates the proposed interface.

Figure 1: Interface of proposed scheme

Users choose a combination of CAPTCHAs and images as their graphical password. For each round of verification, the specified number of text CAPTCHAs and images is randomly selected by the system from a database. The user then chooses a specified number of text CAPTCHAs and images as her graphical password. This process repeats for the specified number of rounds. If the user does not like a particular set of images, she may request a new one or upload her own images to be included in the selection process. In the registration phase, users are required to select and remember CAPTCHAs and images as their password. To be authenticated, users need to pick out their CAPTCHA-images: the user must correctly select all images (one or more) pre-registered for this account in each round of graphical password verification. The user enters a user name as usual and authentication begins. In password verification, the proposed scheme displays the interface of CAPTCHAs and images, and the user picks out her pre-registered combination of CAPTCHAs and images. After the user completes verification, access to the account is granted if the selections were correct; otherwise, access is denied.
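The multi-round challenge-response flow that the PassFaces description (one correct face among nine, four rounds) and the proposed scheme (all pre-registered CAPTCHAs and images in each round) share, modelled in Python as an added example that is not code from the paper; the item pool, item ids, panel size and function names are assumptions.

```python
import random
from dataclasses import dataclass
from math import comb

# Constructed item pool standing in for the server-side database of text CAPTCHAs
# and images; a real system serves rendered bytes, but ids are enough to model the logic.
POOL = [f"captcha-{i}" for i in range(12)] + [f"image-{i}" for i in range(12)]
_rng = random.SystemRandom()  # unpredictable decoy selection and shuffling


@dataclass
class Account:
    rounds: list  # one frozenset of registered item ids per verification round


def register(choices_per_round):
    """Registration phase: the user picks the specified items in each round."""
    return Account(rounds=[frozenset(c) for c in choices_per_round])


def make_challenge(acct, rnd, panel_size):
    """One verification panel: all registered items for this round plus random decoys, shuffled."""
    secret = acct.rounds[rnd]
    decoys = [x for x in POOL if x not in secret]
    panel = list(secret) + _rng.sample(decoys, panel_size - len(secret))
    _rng.shuffle(panel)
    return panel


def verify_round(acct, rnd, panel, selected):
    """A round passes only if the selection is exactly the registered items shown in it."""
    expected = {x for x in panel if x in acct.rounds[rnd]}
    return set(selected) == expected


def authenticate(acct, panel_size, answer):
    """Run every round and give the verdict only after the last one, so the client
    is not told which individual round failed."""
    ok = True
    for rnd in range(len(acct.rounds)):
        panel = make_challenge(acct, rnd, panel_size)
        ok = verify_round(acct, rnd, panel, answer(rnd, panel)) and ok
    return ok


def guess_probability(panel_size, items_per_round, rounds):
    """Chance that blind guessing passes: one correct subset per round, rounds independent."""
    return (1 / comb(panel_size, items_per_round)) ** rounds


def honest_user(acct):
    """Client behaviour of the legitimate user, who recognizes their own items in the panel."""
    return lambda rnd, panel: [x for x in panel if x in acct.rounds[rnd]]
```

guess_probability(9, 1, 4) gives the blind-guessing odds for the PassFaces parameters quoted above; adding items per round or more rounds lowers it, which is the security/usability trade-off the paper discusses.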

CONCLUSION

Our proposed scheme offers some advantages in countering common attacks against text passwords, such as naive key logging and phishing. In this paper we have presented a new approach to protect users' passwords against spyware attacks. Our main contribution is that we introduce CAPTCHA into the realm of graphical passwords to resist spyware programs. From a security viewpoint, this exploration is expected to advance the development of graphical passwords. Our future work concentrates on improving the login time and memorability.

REFERENCES

[1] L. V. Ahn, M. Blum, N. J. Hopper and J. Langford, CAPTCHA: Using hard AI problems for security. In Proceedings of Eurocrypt 2003, pp. 294-311, 2003. Available at: http://www.captcha.net/, visited on Sep. 27, 2005.
[2] M. Akao, S. Yamanaka, G. Hanaoka, et al., Personal entropy from graphical passwords: Methods for quantification and practical key generation. IEICE Trans. on Fundamentals of Electronics, Communications and Computer Sciences, E87-A(10), pp. 2543-2554, Oct. 2004.
[3] D. Davis, F. Monrose, and M. K. Reiter, On User Choice in Graphical Password Schemes. In the 13th USENIX Security Symposium, 2004.
[4] R. Dhamija and A. Perrig, Deja Vu: A User Study Using Images for Authentication. In the 9th USENIX Security Symposium, 2000.
[5] I. Jermyn, A. Mayer, F. Monrose, M. Reiter, and A. Rubin, The Design and Analysis of Graphical Passwords. In the 8th USENIX Security Symposium, 1999.
[6] D. Klein, Foiling the Cracker: A Survey of, and Improvements to, Password Security. In the 2nd USENIX Security Workshop, pp. 5-14, 1990.
[7] M. Orozco and A. El Saddik, Signature Identification with Haptic Devices. In Proceedings of the IEEE International Conference on Virtual Environments, Human-Computer Interfaces, and Measurement Systems, Giardini Naxos, Italy, Jul. 2005.
[8] J. Ortega-Garcia, J. Bigun, D. Reynolds, J. Gonzalez-Rodriguez, Authentication gets personal with biometrics. IEEE Signal Processing Magazine, Volume 21, Issue 2, pp. 50-62, Mar. 2004.
[9] J. Ortega-Garcia, J. Fierrez-Aguilar, J. Martin-Rello, and J. Gonzalez-Rodriguez, Complete signal modeling and score normalization for function-based dynamic signature verification. In Proc. 4th Int. Conf. Audio- and Video-Based Person Authentication (AVBPA 2003), LNCS 2688, pp. 658-667, Jun. 2003.
[10] B. Pinkas and T. Sander, Securing Passwords Against Dictionary Attacks. In Proceedings of the ACM Computer and Security Conference (CCS 02), pp. 161-170. ACM Press, Nov. 2002.
[11] R. Plamondon and S. N. Srihari, On-line and off-line handwriting recognition: A comprehensive survey. IEEE Trans. Pattern Anal. Machine Intell., vol. 22, no. 1, pp. 63-84, Jan. 2000.
[12] Reachin Technologies, available at: http://www.reachin.se, visited on Jan. 3rd, 2006.
[13] S. Chiasson. Usable Authentication and Click-Based Graphical Passwords. PhD thesis, Carleton University, Ottawa, Canada, January 2009.
[14] S. Chiasson, A. Forget, R. Biddle, and P. C. van Oorschot. Influencing Users Towards Better Passwords: Persuasive Cued Click-Points. In Proc. of HCI 2008, September 2008.
[15] S. Chiasson, P. C. van Oorschot, and R. Biddle. Graphical Password Authentication Using Cued Click Points. In Proc. of ESORICS 2007, volume 4734, pages 359-374, September 2007.
[16] D. Davis, F. Monrose, and M. Reiter. On User Choice in Graphical Password Schemes. In Proc. of the 13th USENIX Security Symposium, August 2004.