IJRIM Volume 2, Issue 4 (April 2012) (ISSN 2231-4334)
International Journal of Research in IT & Management 29 http://www.mairec.org
COMBINING CAPTCHA AND GRAPHICAL PASSWORDS FOR USER AUTHENTICATION
T. S. Ravi Kiran*
Y. Rama Krishna**
ABSTRACT
Text passwords have been widely used for user authentication; however, it is well known that
text passwords are insecure for a variety of reasons. Graphical password schemes are
believed to be more secure and more resilient to dictionary attacks than textual passwords,
but more vulnerable to shoulder-surfing attacks. Many recognition-based graphical password
schemes, in order to offer sufficient security on their own, require a number of rounds of
verification, introducing usability issues. In this paper we suggest a hybrid user
authentication approach combining CAPTCHA (Completely Automated Public Turing tests
to tell Computers and Humans Apart) and graphical passwords to provide increased
security.
Keywords: CAPTCHA, Graphical Passwords, User Authentication, Phishing, Security
*Lecturer, Department of Computer Science, P.G.Centre, P.B.Siddhartha College of Arts &
Science, Vijayawada.
**Assistant Professor, KITE Womens College of Professional Engineering Sciences,
Shabad, India.
INTRODUCTION
Authentication is at the heart of any secure system: a user has to be authenticated
before he/she can be involved in online transactions, enter a secured vault, open a safe or
reach his/her email account [1]. If sensitive information or unauthorized access is given to a
wrong identity, the entire security of the system collapses. Generally, the most common
and convenient authentication method is the traditional alphanumeric password. However,
its inherent security and usability problems [2, 3] led to the development of graphical
passwords as an alternative. To date, there have been several graphical password schemes,
such as [4, 5, 6, 7, 8]. They have overcome some drawbacks of traditional password schemes,
but most current graphical password schemes remain vulnerable to spyware attacks.
Most current graphical password schemes require users to enter the password directly,
typically by clicking or drawing. Hence, passwords are easily exposed to a third party who
has the opportunity to record a successful authentication session. CAPTCHA (Completely
Automated Public Turing tests to tell Computers and Humans Apart) is a program that
generates and grades tests that are human-solvable but beyond the capabilities of current
computer programs [9]. CAPTCHA is now almost a standard security mechanism for
addressing undesirable or malicious Internet bot programs, and major web sites such as
Google, Yahoo and Microsoft all have their own CAPTCHAs. The rest of the paper is
organized as follows. Section 2 briefly reviews related work. Section 3 presents our scheme.
Conclusions and future work are addressed in Section 4.
RELATED WORKS
There are many different ways a user can be authenticated by a system. This section looks at
a number of different authentication systems to analyze their strengths and weaknesses.
Alphanumeric Passwords
An alphanumeric password is an authentication mechanism that utilizes letters (upper and
lower case), numbers and some special characters such as exclamation marks and pound signs.
A combination of these is used to form a string that the user enters into a computer to
authenticate themselves. Passwords of this nature are generally held to follow two guidelines:
they must be memorable, allowing the user to authenticate quickly and easily, and they
must be secure [10]. Alphanumeric passwords rely on recall, which makes it much harder for
a user to remember their password. This means that in general users will be
inclined to create an easily remembered password, which in turn reduces the security of the
system. This point is further highlighted by the need to regularly change passwords to
effectively 'reset' any attempts to steal a user's password.
Biometrics
One alternative to the use of alphanumeric passwords is the use of biometrics. Biometrics is
the utilization of uniquely and personally identifiable biological and physical information
[11]. This authentication method does not rely on user password selection, so it does not fall
foul of the failings described above. Also, as this mechanism makes use of the personal
attributes of the user as opposed to a password, it is not possible to shoulder surf this
technology. There are many biometric systems in place today, such as the use of fingerprints
or voice recognition. Authentication takes place by comparing previously stored information
against the information a user provides when they wish to authenticate. To many this may
seem like the logical choice when it comes to replacing alphanumeric passwords with a far
more secure system, but it too has flaws.
Graphical Passwords
Graphical passwords can be largely classified into three categories: recognition-based, cued-recall
and recall-based. In recognition-based graphical passwords, users are required to
recognize and then select a set of preselected images from a larger set. In cued-recall, the
images cue the user, for example, to click a set of points on an image. In recall-based, users
are required to recall a password without any cues. A graphical password is the use of a
picture, a part of a picture or several pictures together to authenticate a user. Graphical
passwords have by and large been attributed to Blonder [12, 13]; his system required a user to
click several points on an image, the points were then compared with the stored version, and
the user was either authenticated or rejected when the authentication failed. Whilst
alphanumeric passwords rely on a single stage, many graphical password systems require the
user to pass a number of stages or challenges to authenticate. This raises an important issue
relating to how long it takes to authenticate and how long a user feels is too long to
authenticate.
PassFaces
This system was developed by Real User Corporation [14] and makes use of the human
ability to recognize faces. To register with the system the user selects four faces from a large
bank of available choices. When a user wishes to authenticate themselves they are presented
with an array of nine faces, arranged in three rows of three. One of the faces is part of the
user's password while the other eight act as decoys. The user touches the face to
select it, and the system then displays the next set of faces. The challenges continue until the
user has selected four faces; at this point the user passes or fails authentication.
There are a number of issues with this system; some relate to security and others relate to
usability. The main usability concern, which is becoming less relevant as
network speeds increase, is the time it could take to load the faces. This issue is particularly
relevant when the authenticating server is based in a remote location, as is likely to be the
case with public space interactions.
Draw-a-Secret
Unlike the PassFaces system, this is a recall-based authentication method. To log in using this
method the user must reproduce an image on a grid which is displayed on the screen. The
system registers pen-down and pen-up events and the order in which the cells of the grid are
touched between these events, which the authors of [15] refer to as a stroke. The
'password' that is stored by the system is not the drawing itself but the record of
strokes the user has performed. As the system does not record the exact drawing but instead a
representation of the drawing, it is possible to reproduce the image inexactly and still achieve
authentication.
PassPoints
This system is a direct descendant of Blonder's system, where the user has to touch several
points on the screen in order to gain access to the system. As with Draw-a-Secret, a
background image is used to help the user remember the location of their points. This again is
a recall-based method of authentication, with the twist that the image acts as a cue to assist
with the task of recollection [16]. This system effectively falls between a pure recognition-based
and a pure recall-based system. To register with the system the user must select an
image they wish to use and then select the points they wish to authenticate with. This again
raises the issue of allowing user selection, as it has been shown that here too users are
inclined to choose images that they associate with. The other major issue is that the image
must not be too cluttered or too sparse.
PROPOSED SCHEME
The proposed scheme is a combination of CAPTCHA and a recognition-based graphical
password which is less susceptible to phishing attacks. The password can be created during user
registration or after registration and can be changed any time after creation. A graphical password
policy is defined by displaying an interface which contains random text CAPTCHAs and
images. Figure 1 illustrates the proposed interface.
Figure 1 Interface of proposed scheme
The users choose a combination of CAPTCHAs and images as their graphical password. For
each round of verification, the specified number of text CAPTCHAs and images is
randomly selected by the system from a database. A user then chooses a specified number of
text CAPTCHAs and images as her graphical password. This process repeats for the specified
number of rounds. If the user does not like a particular set of images, she may request a new
one or upload her own images to be included in the selection process. In the registration phase,
users are required to select and remember CAPTCHAs and images as their password. To be
authenticated, users need to distinguish their CAPTCHA-images: the user must correctly
select all images (one or more) pre-registered for this account in each round of graphical
password verification. The user enters a user name as usual and authentication begins. In
password verification, the proposed scheme displays the interface of CAPTCHAs and images,
and the user picks out her pre-registered combination of CAPTCHAs and images. After the
user completes verification, if every round is correct she is granted account access. Otherwise, access is
denied.
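The registration and per-round verification flow described above, as an added example that is not the paper's own code: the pool of CAPTCHAs and images, the grid size and the round count are constructed parameters, the stored record is a keyed hash of each round's selection rather than the raw choice, and guess_probability gives the chance that a program with no knowledge of the account passes every round in a single attempt.

```python
import math
import random
import hmac
import hashlib

# Constructed item pool standing in for the paper's database of text CAPTCHAs and images.
POOL = [f"captcha-{i}" for i in range(20)] + [f"image-{i}" for i in range(20)]

ROUNDS = 3      # rounds of verification in the policy (assumed)
GRID = 9        # items displayed per round (assumed)
PER_ROUND = 2   # items the user must pick per round (assumed)

def _digest(key: bytes, items) -> str:
    # Store only a keyed hash of the sorted item identifiers, so order of selection
    # does not matter and the database never holds the raw password.
    return hmac.new(key, ",".join(sorted(items)).encode(), hashlib.sha256).hexdigest()

def register(rng, key: bytes):
    """Registration: each round the system offers GRID random items and the user keeps
    PER_ROUND of them. Returns (what the user must remember, what the server stores)."""
    secret_rounds, record = [], []
    for _ in range(ROUNDS):
        offered = rng.sample(POOL, GRID)
        chosen = rng.sample(offered, PER_ROUND)   # simulated user choice
        secret_rounds.append(chosen)
        record.append(_digest(key, chosen))
    return secret_rounds, record

def challenge(rng, registered_round):
    """Verification grid for one round: the registered items plus random decoys, shuffled."""
    decoys = [x for x in POOL if x not in registered_round]
    grid = list(registered_round) + rng.sample(decoys, GRID - len(registered_round))
    rng.shuffle(grid)
    return grid

def verify(key: bytes, record, selections) -> bool:
    """Grant access only if every round's selection matches the stored record;
    all rounds are checked so a failure does not reveal which round was wrong."""
    if len(selections) != len(record):
        return False
    ok = True
    for stored, picked in zip(record, selections):
        ok &= hmac.compare_digest(stored, _digest(key, picked))
    return ok

def guess_probability() -> float:
    """Chance of selecting the right PER_ROUND items in every round by blind guessing."""
    return (1 / math.comb(GRID, PER_ROUND)) ** ROUNDS
```

With the assumed parameters a single blind attempt succeeds with probability (1/36)^3, so the scheme still needs attempt limiting on the server side; the CAPTCHA element is what raises the cost of automating those attempts.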
CONCLUSION
Our proposed scheme offers some advantages in countering common attacks against text
passwords, such as naive key logging and phishing. In this paper, we have presented a new
approach to protect users' passwords against spyware attacks. Our main contribution is that we
introduce CAPTCHA into the realm of graphical passwords to resist spyware programs.
From a security viewpoint, this exploration is expected to advance the development of
graphical passwords. Our future work concentrates on improving the login time and
memorability.
REFERENCES
[1] L. V. Ahn, M. Blum, N. J. Hopper and J. Langford, CAPTCHA: Using hard AI problems for security. In Proceedings of Eurocrypt 2003, pp. 294-311, 2003. Available at: http://www.captcha.net/, visited on Sep. 27, 2005.
[2] M. Akao, S. Yamanaka, G. Hanaoka, et al., Personal entropy from graphical passwords: Methods for quantification and practical key generation. IEICE Trans. on Fundamentals of Electronics, Communications and Computer Sciences, E87A (10), pp. 2543-2554, Oct. 2004.
[3] D. Davis, F. Monrose and M. K. Reiter, On User Choice in Graphical Password Schemes. In the 13th USENIX Security Symposium, 2004.
[4] R. Dhamija and A. Perrig, Deja Vu: A User Study Using Images for Authentication. In the 9th USENIX Security Symposium, 2000.
[5] I. Jermyn, A. Mayer, F. Monrose, M. Reiter and A. Rubin, The Design and Analysis of Graphical Passwords. In the 8th USENIX Security Symposium, 1999.
[6] D. Klein, Foiling the Cracker: A Survey of, and Improvements to, Password Security. In the 2nd USENIX Security Workshop, pp. 5-14, 1990.
[7] M. Orozco and A. El Saddik, Signature Identification with Haptic Devices. In Proceedings of the IEEE International Conference on Virtual Environments, Human-Computer Interfaces, and Measurement Systems, Giardini Naxos, Italy, Jul. 2005.
[8] J. Ortega-Garcia, J. Bigun, D. Reynolds and J. Gonzalez-Rodriguez, Authentication gets personal with biometrics. IEEE Signal Processing Magazine, Volume 21, Issue 2, pp. 50-62, Mar. 2004.
[9] J. Ortega-Garcia, J. Fierrez-Aguilar, J. Martin-Rello and J. Gonzalez-Rodriguez, Complete signal modeling and score normalization for function-based dynamic signature verification. In Proc. 4th Int. Conf. Audio and Video-Based Person Authentication (AVBPA 2003), LNCS 2688, pp. 658-667, Jun. 2003.
[10] B. Pinkas and T. Sander, Securing Passwords Against Dictionary Attacks. In Proceedings of the ACM Conference on Computer and Communications Security (CCS 02), pp. 161-170. ACM Press, Nov. 2002.
[11] R. Plamondon and S. N. Srihari, On-line and off-line handwriting recognition: A comprehensive survey. IEEE Trans. Pattern Anal. Machine Intell., vol. 22, no. 1, pp. 63-84, Jan. 2000.
[12] Reachin Technologies. Available at: http://www.reachin.se, visited on Jan. 3, 2006.
[13] S. Chiasson, Usable Authentication and Click-Based Graphical Passwords. PhD thesis, Carleton University, Ottawa, Canada, January 2009.
[14] S. Chiasson, A. Forget, R. Biddle and P. C. van Oorschot, Influencing Users Towards Better Passwords: Persuasive Cued Click-Points. In Proc. of HCI 2008, September 2008.
[15] S. Chiasson, P. C. van Oorschot and R. Biddle, Graphical Password Authentication Using Cued Click Points. In Proc. of ESORICS 2007, LNCS volume 4734, pp. 359-374, September 2007.
[16] D. Davis, F. Monrose and M. Reiter, On User Choice in Graphical Password Schemes. In Proc. of the 13th USENIX Security Symposium, August 2004.