graphical password authentication using hmac

Passwords Presented by: Lakshmi.V Arpana Shree.A

Upload: arpana-shree

Post on 13-May-2015


DESCRIPTION

Graphical Password authentication using HMAC. This ppt explains different kinds of GPA and how a hash function is generated.

TRANSCRIPT

Page 1: Graphical Password authentication using Hmac

Passwords

Presented by: Lakshmi.V Arpana Shree.A

Page 2: Graphical Password authentication using Hmac

Outline

GPA Introduction
Overview of the Authentication Methods
The survey
    Recognition Based Techniques
    Recall Based Techniques
Discussion
    Security
    Usability

Conclusion

04/12/23

2

Passwords

Page 3: Graphical Password authentication using Hmac

Introduction

How about text-based passwords?
Difficulty of remembering passwords
    easy to remember -> easy to guess
    hard to guess -> hard to remember
Users tend to write passwords down or use the same passwords for different accounts

An alternative: Graphical Passwords
Psychological studies: Humans can remember pictures better than text


Page 4: Graphical Password authentication using Hmac

Graphical Password Scheme

If the number of possible pictures is sufficiently large, the possible password space may exceed that of text-based schemes, thus offering better resistance to dictionary attacks.

Can be used for: workstations, web log-in applications, ATM machines, mobile devices


Page 5: Graphical Password authentication using Hmac

Overview of the Authentication Methods

Token based authentication

Biometric based authentication

Knowledge based authentication


Page 6: Graphical Password authentication using Hmac

Recognition Based Techniques

Dhamija and Perrig Scheme: Pick several pictures out of many choices and identify them later in authentication.


Page 7: Graphical Password authentication using Hmac

Recall Based Techniques

Sobrado and Birget Scheme: The system displays a number of pass-objects (pre-selected by the user) among many other objects; the user clicks inside the convex hull bounded by the pass-objects.


Page 8: Graphical Password authentication using Hmac

Recognition Based Techniques

Other Schemes

Using human faces as password

Select a sequence of images as password


Page 9: Graphical Password authentication using Hmac

Recall Based Techniques

Draw-A-Secret (DAS) Scheme: The user draws a simple picture on a 2D grid; the coordinates of the grid cells occupied by the picture are stored in the order of drawing.


Page 10: Graphical Password authentication using Hmac

Recall Based Techniques

“PassPoint” Scheme: The user clicks on any place on an image to create a password. A tolerance around each chosen pixel is calculated. To be authenticated, the user must click within the tolerances in the correct sequence.


Page 11: Graphical Password authentication using Hmac

Recall Based Techniques

Other Schemes

Grid Selection Scheme

Signature Scheme


Page 12: Graphical Password authentication using Hmac

Schemes Not In This Paper

Using distorted images to prevent revealing of passwords

Using images with random tracks of geometric graphical shapes


Page 13: Graphical Password authentication using Hmac

Security

Is a graphical password as secure as text-based passwords?


Page 14: Graphical Password authentication using Hmac

Usability

Pictures are easier to remember than text strings

Password registration and log-in processes take too long

Requires much more storage space than text-based passwords


Page 15: Graphical Password authentication using Hmac

Conclusion

Main argument for graphical passwords: people are better at memorizing graphical passwords than text-based passwords

It is more difficult to break graphical passwords using the traditional attack methods such as brute-force search, dictionary attack or spyware.

Not yet widely used; current graphical password techniques are still immature


Page 16: Graphical Password authentication using Hmac

HMAC-OTP


Page 17: Graphical Password authentication using Hmac

What is 2FA

[Diagram: Authentication Server with an OTP-Token and an OTP-Validation Service; stages labelled Provisioning, Retrieval, Transport, Validation-1 and Validation-2; sample OTP shown: 349382]


Page 18: Graphical Password authentication using Hmac

Trend

HOTP value (1997)

Trunc(HOTP value) (2005)

Different way of entering (2012)


Page 19: Graphical Password authentication using Hmac

Definition

HOTP: HMAC-based one-time password algorithm

Definition: Let K be the secret key and C the counter.

HMAC(K,C) = SHA1((K ⊕ 0x5c5c…) ∥ SHA1((K ⊕ 0x3636…) ∥ C))

Then HOTP(K,C) is mathematically defined by

HOTP(K,C) = Truncate(HMAC(K,C)) & 0x7FFFFFFF


Page 20: Graphical Password authentication using Hmac

HOTP Value

HOTP-Value = HOTP(K,C) mod 10^d, where d is the desired number of digits


Page 21: Graphical Password authentication using Hmac

Notation & Symbols

s: string

|s|: length of the string

n: number

|n|: length of the number


Page 22: Graphical Password authentication using Hmac

Contd..

s[i]: the i-th bit of string s

stToNum: function that takes a string s as input and returns the number whose binary representation is s

Example: stToNum(110) = 6


Page 23: Graphical Password authentication using Hmac

Symbols

C: Counter value, moving factor

K: secret key shared between client and server

S: Synchronization parameter

Digit: number of digits in an HOTP value


Page 24: Graphical Password authentication using Hmac

Generation of HOTP Value

Step-1: Generate HMAC value (HMAC-SHA-1)
    Let HS = HMAC-SHA-1(K,C)    [HS = 20 bytes (say)]

Step-2: Generate 4-byte string (DT)
    sbits = DT(HS)    [returns 32-bit string]

Step-3: Compute HOTP value
    Let Snum = stToNum(sbits)
    return D = Snum mod 10^Digit


Page 25: Graphical Password authentication using Hmac

Why DT?

The purpose of DT is to extract a 4-byte dynamic binary code from the 160-bit (20-byte) HS
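The three generation steps and the DT step above, as an added Python example that is not part of the original slides. It assumes the 8-byte big-endian counter encoding and the last-nibble offset rule of RFC 4226, which the slides do not spell out; `verify` and its look-ahead use of s are one reading of the slides' synchronization parameter, and the key is the RFC 4226 test secret used as sample input.

```python
import hashlib
import hmac
import struct

def dt(hs: bytes) -> int:
    """Dynamic truncation: read 4 bytes of the 20-byte HS at an offset
    taken from its last nibble, then clear the top bit."""
    offset = hs[-1] & 0x0F                     # 0..15, so offset + 4 <= 20
    (snum,) = struct.unpack(">I", hs[offset:offset + 4])
    return snum & 0x7FFFFFFF                   # the "& 0x7FFFFFFF" of the definition

def hotp(k: bytes, c: int, digit: int = 6) -> str:
    # Step 1: HS = HMAC-SHA-1(K, C); C is encoded as 8 bytes, big-endian
    hs = hmac.new(k, struct.pack(">Q", c), hashlib.sha1).digest()
    # Steps 2 and 3: Snum = stToNum(DT(HS)); D = Snum mod 10^Digit
    d = dt(hs) % (10 ** digit)
    return str(d).zfill(digit)                 # leading zeros are part of the value

def verify(k: bytes, server_c: int, submitted: str, s: int = 3, digit: int = 6):
    """Server side: accept a value for the current counter or up to s
    counters ahead (assumed meaning of the synchronization parameter).
    Returns the next counter to store on success, None on failure."""
    for c in range(server_c, server_c + s + 1):
        expected = hotp(k, c, digit).encode()
        # Constant-time comparison avoids leaking how many digits matched
        if hmac.compare_digest(expected, submitted.encode()):
            return c + 1                       # moving past c rejects replays
    return None

# Sample input: the test secret published in RFC 4226
K = b"12345678901234567890"

if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(K, c))
    # Token is two presses ahead of the server; the window resynchronizes
    print(verify(K, 0, hotp(K, 2)))
```

A server that stores the returned counter after each success rejects both replayed values and values further ahead than s.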


Page 26: Graphical Password authentication using Hmac

Cryptographic Hash function

[Diagram: input blocks ("Hello", "Hai Dear", "How are you") each pass through a cryptographic hash function (CHF) to produce a digest]


Page 27: Graphical Password authentication using Hmac

Definition

HMAC(K,m) = H((K ⊕ opad) ∥ H((K ⊕ ipad) ∥ m))

where

H is a cryptographic hash function
∥ : concatenation
⊕ : exclusive or (XOR)
opad is the outer padding (0x5c5c5c…5c5c)
ipad is the inner padding (0x363636…3636)


Page 28: Graphical Password authentication using Hmac

Implementation

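    import hashlib

    blocksize = 64  # block size of SHA-1 in bytes

    def H(data):
        # H is the hash function; the slides use SHA-1
        return hashlib.sha1(data).digest()

    def hmac(key, message):
        # Keys longer than one block are hashed down first
        if len(key) > blocksize:
            key = H(key)
        # Keys shorter than one block are padded on the right with zero bytes
        if len(key) < blocksize:
            key = key + b"\x00" * (blocksize - len(key))
        o_key_pad = bytes(b ^ 0x5c for b in key)  # outer padding XOR key
        i_key_pad = bytes(b ^ 0x36 for b in key)  # inner padding XOR key
        return H(o_key_pad + H(i_key_pad + message))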


Page 29: Graphical Password authentication using Hmac

THANK YOU
