Security Analysis and Implementation of *JUIT–Image Based Authentication System using Kerberos Protocol
*This Image Based Authentication System is being developed for Jaypee University of Information Technology (JUIT). It is being developed using scripting languages. PHP (ver. 5) and MySQL, along with AJAX, have been used extensively.
Abstract: Secure environments protect their resources against unauthorized access by enforcing access control mechanisms. When increasing security is an issue, text based passwords are not enough to counter such problems. Something more secure, yet user friendly, is required. This is where Image Based Authentication (IBA) comes into play. IBA, encapsulated in the Kerberos Protocol, Version 5, provides clients a completely unique and secured authentication tool to work on. IBA enhances the security level in an exceptionally user friendly way. This paper is a comprehensive study on the subject of using images as the password set and on the implementation of the Jaypee University of Information Technology (JUIT) IBA system, called JUIT-IBA, with the 3 levels of communication in the Kerberos Protocol. This tool provides a secure channel of communication between the communicating entities. The assortment of the image set as the client's password aims at thwarting Brute Force attacks, Shoulder attacks, and Tempest attacks at the client side, while the attacks at the server side can be averted by putting into practice the Kerberos protocol. This paper describes how our system works along with the evaluation of its performance in different computing environments.
Keywords: Image Based Authentication System, AJAX, MySQL, Diffie-Hellman key Exchange, Kerberos Protocol, Keystroke Logging, Tempest Attack, Shoulder Attack, Brute-force Attack.
I. INTRODUCTION
Authentication plays an important role in protecting resources against unauthorized use. Many authentication processes exist, from simple password based authentication systems to costly and computation intensive biometric authentication systems [1, 2, 3, 4, 5]. Passwords are more than just a key. They serve several purposes. They authenticate us to a machine to prove our identity: a secret key that only we should know. They ensure our privacy, keeping our sensitive information secure. They also enforce non-repudiation, preventing us from later rejecting the validity of transactions authenticated with our passwords. Our username identifies us and the password validates us. But passwords have some weaknesses: more than one person can possess its knowledge at one time. Moreover, there is a constant threat of losing your password to someone else with malicious intent. Password thefts can and do happen on a daily basis, so we need to protect them. Now merely using some random alphabets grouped together with special characters does not ensure safety. We need something new, something different as our password to make it secure. Besides being different, it should also be easy enough to be remembered by you and equally difficult to be hacked by someone else. This is what the Image Based Authentication system provides you with [6].
The human brain is more adept in recalling a previously seen image than a previously seen text [7]. In a
recent user study conducted at University of California at Berkeley, image-based authentication (IBA)
systems have been found to be more user-friendly than the usual text-based systems [8]. Besides being user
friendly we need to strengthen the security during authentication also. This is done using the Kerberos
protocol [9, 10, 11, 12, 13].
Kerberos provides a very secure authentication procedure, which is described in this paper. This paper describes the basic IBA system, analyzes its performance and covers most types of attacks possible on this system along with methods to prevent them.
Section II deals with the experimental setup of IBA. It discusses the protocol used in IBA along with a case
study to describe the authentication procedure. It also covers the area of AJAX and gives information about
the number of images and grids to be used by this IBA system.
II. EXPERIMENTAL SETUP FOR IMAGE BASED AUTHENTICATION SYSTEM
A. Kerberos Protocol
In comparison to Text Based Authentication, the Image Based Authentication system is a more user-friendly and secured way of authentication. Although using images as the user's password set saves the user from Brute Force attack, and to some extent from shoulder attack, security still remains a subject to be focused upon.
of communication between the user's workstation and the server can be monitored by hackers and those trying to penetrate into the system. The session starts the instant the user is confronted with the login page. If the user is unable to log in within the specified session, his time expires and he has to re-login into the system. Specifying sessions guards users against brute force attacks, i.e. if some intruder is constantly trying to break into the system by permutations and combinations, the time factor will forbid him to do so. Sessions do not prevent intruders from monitoring the channel and thereby routing the packets to unauthorized destinations. So, in addition to sessions, we append the concept of shared secret keys. The user and the service which the user wants to avail communicate with each other by encrypting and correspondingly decrypting the messages using the Data Encryption Standard algorithm [6, 19]. The 56-bit key, which goes as one of the two inputs to the DES algorithm, is provided by the secret keys, shared and decided in advance, for the transfer of services.
Another matter of concern between the two communicating parties is trust. The two communicating entities should give assurance that they are the ones they claim to be. This calls for a trusted third party, i.e. a party between the user and the service. The dependency between the user and the service regarding trust leads to the notion of an Authentication Server (AS). This provides shared-key third-party authentication in a distributed network. Rather than trusting all workstations, we trust only a central authentication server. The trusted third party is further decomposed into two components – the Authentication Server (AS) and the Ticket Granting Server (TGS).
The protocol works as follows. The Authentication Server is where the user can negotiate to claim his identity. In the IBA tool, after the user feeds his username, the AS is called. The first requirement is that the user and the AS agree on two large numbers, n and g, such that n is always less than g. After deciding on n and g, the user's workstation calculates,
A = (1)
where x is a private key of the user, and sends A to the AS (refer to Equation (1)). In order to make the communication more reliable, the user also sends a nonce Na (a random number generated on the user's end) to the AS. So, the payload transmitted in the packet from the user to the AS contains: a) username (should contain alphanumeric characters), b) Na, c) A. The AS, after receiving the packet, sets up a key between the AS and the TGS, by computing
B = (2)
y being the private key of the AS (refer to Equation (2)). The AS also generates a new nonce, Nb. The AS sends B and the previously received A (from Equation (1)), along with Nb, to the TGS. The AS sends A to the TGS so that the TGS can create the shared secret key between the user and the service at a later phase. The TGS calculates
C = n (3)
and sends it to AS, along with the Nb received from AS and also a newly created nonce Nc. AS now
determines the shared secret key,
BC = (4)
and forwards it to TGS. For verification purpose, AS also puts the nonce Nc together with BC, thereby
producing a shared secret key between the AS and the TGS. In parallel to key generation between AS and
TGS, AS also responds to the request by user. It passes a packet to user, which can be revealed only if the
user selects correct images from the image password set. Consequently, the password set of the user
becomes the shared secret key between the user and the AS. Once the user has successfully selected his
image based password set, he receives a series of keys. The initial key is the shared secret key between user
and TGS. Shared secret key between user and TGS is determined by AS and is simply
AC = (5)
Next key in row is BC (Refer Equation (4)), which is the shared key between AS and TGS. Key BC is
used to encrypt the following data – a) username, b) AC. Key BC cannot be revealed by user, because it is
shared between AS and TGS. On receiving the keys from AS, the user sends TGS key BC as it is. The user also appends the service it wants to avail, in addition to the session time encrypted with the secret key the user is sharing with TGS. TGS now creates the shared secret key it is going to share with the service. TGS sends
D = (6)
v being the private key of the service. S in turn, sends D (Refer Equation (6)), Nc and a new nonce Nd to
TGS. TGS now generates the shared secret key by computing,
CD = (7)
and sends the same to S, together with the nonce Nd. Next, TGS responds to the user by sending the service the user had requested, along with the shared secret key AD, which is determined by TGS, encrypted with the key AC. It also sends key AD appended to the username A, encrypted with the shared secret key CD (refer to Equation (7)). The second part of the message cannot be revealed by the user, since the key CD is only shared between TGS and the service. Finally, the user sends the second part of the message to the service as it is.
Figure 1: Kerberos Protocol with shared key used for JUIT - IBA system (entities shown: IBA User, Authentication Server, Ticket Generation Server, IBA Tool)
1) Selecting n and g
User XYZ begins to interact with the system by entering his username. The alphanumeric username entered by the user gives us the platform to determine n and g, such that g is always less than n. Large values for n and g are used in practice, so the tool is dependent only on a 64-bit computer. The next step is the conversion of the characters to their corresponding ASCII codes. In the subsequent case study, we have restricted ourselves to the first ten numerals. We now calculate n by multiplying the digits at odd positions. Taking the worst case, i.e. supposing we have all 9's at odd positions, the value of n comes out to be 59049. Adding the same numerals gives us g. In this case, g comes out to be 45. So in any case, the value will never exceed 59049. Subsequently, we choose a range for the generation of a random number, y. The data type constraint has to be considered while formulating the range, although PHP is a loosely typed language, i.e. it automatically takes the data type of a variable (e.g. if a number exceeds the range of integer, PHP takes it as float). The data types supported by PHP are integer, which is equivalent to long in C, and floating point numbers, whose range is equivalent to the double type in C. On a 64-bit platform, range is not a subject of concern, as it gives the feasibility to produce huge nonces (random numbers).
2) Case Study
Username entered is #PAL7(#. For convenience, we restrict ourselves to the first 5 alphanumeric characters. On converting the alphanumeric characters to ASCII codes, we get a string of codes 35 80 65 76 55. Following this, we now take the first numeral of every ASCII code, such that we have no zero in between, and multiply them. If we get a zero we skip it and move further. In this case the values of n and g come out to be 5040 and 29 respectively. Now we choose 34, a random number, and calculate A as follows:
A = mod 29 = 24
and sends the same to AS. When AS receives A, it initiates key exchange mechanism with TGS. AS
computes B by choosing a random number other than 34,
AS sends B and A to TGS. TGS picks up another random number, 44, and calculates C and BC
C = ( ) mod 29 = 7
BC = = 24
and TGS sends C to AS. AS now computes BC and AC
BC = (( = 24
AC = = 25
Since and gives us the same key. Therefore, on appending BC to
the username it becomes ready to act as a key and encrypt data. AS also provides a shared secret key AC between the user and TGS, and therefore appends AC to the username and sends the same to the user. AS also encrypts the username and the key 25#PAL7(# (shared secret key between user and TGS) with the key 24#PAL7(# (shared secret key between AS and TGS), and sends it to the user. The user is permitted to use these keys only if he enters his image based password set correctly. On entering the password set successfully, the user obtains the shared key between the user and the TGS. The user sends the encrypted message to TGS along with the session key (which provides a time slot for the user and TGS to communicate) and the service (in this case the JUIT-IBA tool) the user wants to avail. TGS makes use of the key 24#PAL7(# and decodes the username and the secret key shared between the user and TGS. TGS starts the key exchange process with the JUIT-IBA tool. TGS sends the previously computed C to the Service, and the service in return picks up a random number, 18, and works out D and CD
D = ( ) mod 29 = 20
CD = = 23
Service sends D and CD to TGS and TGS verifies the shared secret key CD,
CD = = 23
The shared secret key between TGS and Service, is set by adding CD to the username 23#PAL7(#. TGS
also computes the secret key between the user and the service by determining AD
Next TGS sends the user a message containing the following. First of all, TGS encrypts the service and the key 16#PAL7(# (shared secret key between user and service) with the key 25#PAL7(#. Secondly, it encrypts the username (which it receives from the user in the prior step) and the key 16#PAL7(# with the key 23#PAL7(#. Now when the user receives the above message, he decrypts it with the respective key and can start the communication process with the JUIT-IBA tool. The entire communication process is also guided by a session, i.e. as soon as the session expires, the user has to re-login.
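The arithmetic of the case study, as an added example that is not part of the original paper: since the formulas did not survive on this page, the code assumes each public value is n raised to the party's random number modulo g, a reading that reproduces every printed result. The function names are hypothetical, and `reachable_keys` is an added check that counts how many values a key can take under username-derived n and g.

```python
# Added example, not the paper's code. Assumption: every public value is
# n**secret mod g (n as base, g as modulus). The page's formulas are missing,
# but this reading reproduces each result printed in the case study.


def derive_params(username, length=5):
    """n = product and g = sum of the first digit of each character's ASCII code."""
    n, g = 1, 0
    for ch in username[:length]:
        digit = int(str(ord(ch))[0])
        if digit == 0:  # the paper skips zeros; a leading digit is never 0
            continue
        n *= digit
        g += digit
    return n, g


def public_value(n, g, secret):
    """Value a party sends after picking its random number `secret`."""
    return pow(n, secret, g)


def shared_key(peer_public, secret, g):
    """Key a party derives from the peer's public value and its own secret."""
    return pow(peer_public, secret, g)


def key_string(key, username):
    """The paper joins the numeric key and the username, e.g. 25#PAL7(#."""
    return f"{key}{username}"


def reachable_keys(n, g):
    """Every value n**k mod g can take, i.e. the whole key space for (n, g)."""
    seen, value = set(), n % g
    while value not in seen:
        seen.add(value)
        value = (value * n) % g
    return seen


def case_study(username="#PAL7(#"):
    n, g = derive_params(username)
    x, z, v = 34, 44, 18  # random numbers of user, TGS and service, from the page
    A, C, D = (public_value(n, g, s) for s in (x, z, v))
    # The random number chosen by the AS is not printed on the page,
    # so B and BC are not recomputed here.
    return {
        "n": n, "g": g, "A": A, "C": C, "D": D,
        "AC_at_tgs": shared_key(A, z, g),   # TGS side: A and its own 44
        "AC_at_user": shared_key(C, x, g),  # user side: C and its own 34
        "CD_at_service": shared_key(C, v, g),
        "CD_at_tgs": shared_key(D, z, g),
        "AD": shared_key(A, v, g),
    }


if __name__ == "__main__":
    result = case_study()
    for name, value in result.items():
        print(f"{name:>14} = {value}")
    print("user/TGS key string:", key_string(result["AC_at_user"], "#PAL7(#"))
    print("distinct key values:", sorted(reachable_keys(result["n"], result["g"])))
```

With the case-study parameters every key in the exchange falls inside the small set that `reachable_keys` returns, which is why n and g of this size only serve as an illustration.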
B. AJAX Explanation
AJAX, shorthand for Asynchronous JavaScript and XML, is a web development technique [14, 15, 16, 17]. The intent is to make web pages feel more responsive by exchanging small amounts of data with the server behind the scenes, so that the entire web page does not have to be reloaded each time the user makes a change. This is meant to increase the web page's interactivity, speed and usability. Traditional web applications force you to wait a few seconds and watch the page redraw every time the page is refreshed. In AJAX, the browser allows the JavaScript to call the server without posting the entire page back to the server; instead it retrieves small amounts of data dynamically and updates parts of the page. This makes it possible to improve the page performance to a greater extent.
1) AJAX Client-Server Communication
Figure 2: AJAX Client – Server Communication (diagram of the basic AJAX web application model: User Interface (Web Page), AJAX Engine, Web Server)
1) User interaction invokes an AJAX call.
2) The AJAX Engine creates an XMLHttpRequest to the server.
3) The Web Server processes the request and returns the data.
4) The AJAX Engine returns the data or renders the data on the user interface.
The AJAX engine allows the user's interaction with the application to happen asynchronously – independent of communication with the server. So the user is never staring at a blank browser window.
Figure 4: AJAX Implementation in JUIT-IBA. The above module is a part of JUIT-IBA system.
C. Image Set Generation and Selection
This section deals with another important part in the security of IBA - the selection of images in an image set and generation of the image set itself. An image set is a collection of 'n' images arranged into 'r' rows and 'c' columns. For the JUIT-IBA system, n=40, arranged into 4 rows (r=4) and 10 columns (c=10). It is at the discretion of the designers to choose 'n', 'r' and 'c'. Several factors should be considered while choosing n, r and c. 'n' should be chosen such that it increases the security of the system while keeping the system user-friendly, while 'r' and 'c' should be chosen such that the image grid that appears to the user is not visible in one eye-span, i.e. a user must scroll up or down/left or right to view the entire image grid. This way electromagnetic hardware devices designed to capture the image grid from a distance will not be of any harm, i.e. Tempest attack can be restricted to some extent.
The system divides its users into three levels, namely beginner, moderate and advanced (in hierarchy from lowest level to highest level). As the user proceeds up the hierarchy, it becomes difficult for the intruder to
beginner from which he/she can select 5 images (max.); further the system provides 4 image sets (i.e. 4 x
40 = 160 images) for an intermediate level user, from which he/she can select 9 images (max.) as his/her
password while for an advanced user, it has 5 image sets (i.e. 5 x 40 = 200 images) and from these he/she
can select up to 13 images. This maximum limit for selection of images as your password set is not based
on any mathematical calculation. It is merely decided by the designers of the JUIT-IBA system to provide
an easy usage of the system without compromising the security level.
The Images selected to form an image set:
1) should not be easily describable
2) should be easy to remember
3) should be unique and abstract
4) should differ in color schemes and structure
The security of the system can be compromised if we do not select proper images for the image set. Also
we have to keep in mind that a user should be able to remember his image password easily.
Another important aspect relating to the image set is how these images are arranged when presented to a user. We use a random display of images within an image set, i.e. within an image set, images are arranged randomly and their position is nowhere related to the previous image set that was generated. By doing this, the system protects itself from many security attacks (to be discussed later), especially from an eavesdropper looking from behind.
Now moving on to the selection of images, i.e. how the user chooses the images to log in to the system. As mentioned earlier, the user is first asked for a username, after which he/she is given the first image set. Since the images are arranged randomly, his password image will appear in a random position and not a fixed position. The arrangement of the image sets is the same, i.e. first Image Set 1 will appear to the user, followed by Image Set 2 and so on, but images within the image set will shuffle every time. Considering the security aspect, the JUIT - IBA system doesn't change the mouse cursor when taken over any image.
Microsoft Windows). But to protect itself from the on-looker, the system has incorporated this feature
while selecting your password images. Also there is no special mark on the images that you have currently
selected. This way, no third person will be able to make out the password.
Apart from this, the user can go back to any of the previous image sets to select or de-select his password images. For example, a user XYZ can select 2 images from Image Set 1, 1 image from Image Set 2 and so on. Now if he has forgotten to select an image from Image Set 1, then he can always jump to Image Set 1 directly without going through intermediate Image Sets. But the user can only jump to an Image Set that he has already traversed, i.e. he can jump to Image Set 2 from Image Set 4 and back to Image Set 4 if and only if he has traversed through at least four Image Sets. He cannot jump to Image Set 4 from Image Set 1 if he has not yet opened Image Set 2. This is depicted in Figure 2.
Figure 5: Order in which Image Sets appear to the user & the flow of control between image sets for the user.
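One way to keep the shuffle, the unmarked selection and the traversal rule on the server, as an added example that is not the JUIT-IBA code: the class and method names are hypothetical, the use of a CSPRNG for the shuffle is an assumption, and the sizes are those the paper gives for an intermediate user (4 image sets of 40 images, up to 9 selections).

```python
import secrets

ROWS, COLS = 4, 10            # page: 40 images shown as 4 rows x 10 columns
IMAGES_PER_SET = ROWS * COLS
NUM_SETS = 4                  # page: an intermediate user gets 4 image sets
MAX_SELECTION = 9             # page: an intermediate user selects up to 9 images


class ImageSetSession:
    """Server-side state for one login attempt (hypothetical class)."""

    def __init__(self):
        self._rng = secrets.SystemRandom()  # assumption: CSPRNG-backed shuffle
        self.current = 1                    # image set being shown
        self.furthest = 1                   # highest image set opened so far
        self.selected = set()               # (set_no, image_id); never sent to the client
        self._layout = None                 # image ids in displayed order, last render only

    def render(self):
        """Return the current set as a ROWS x COLS grid of image ids, freshly shuffled."""
        ids = list(range(IMAGES_PER_SET))
        self._rng.shuffle(ids)
        self._layout = ids
        return [ids[r * COLS:(r + 1) * COLS] for r in range(ROWS)]

    def goto(self, target):
        """Jump to a set already traversed, or step from the furthest set to the next."""
        if not 1 <= target <= NUM_SETS:
            return False
        stepping_forward = (target == self.furthest + 1
                            and self.current == self.furthest)
        if target > self.furthest and not stepping_forward:
            return False
        self.current = target
        self.furthest = max(self.furthest, target)
        self._layout = None                 # old positions are void until re-rendered
        return True

    def toggle(self, row, col):
        """Select or de-select whatever image the last render put at (row, col)."""
        if self._layout is None or not (0 <= row < ROWS and 0 <= col < COLS):
            return False
        key = (self.current, self._layout[row * COLS + col])
        if key in self.selected:
            self.selected.remove(key)
        elif len(self.selected) < MAX_SELECTION:
            self.selected.add(key)
        else:
            return False
        return True


def find(grid, image_id):
    """Row and column at which image_id sits in a rendered grid."""
    for r, row in enumerate(grid):
        if image_id in row:
            return r, row.index(image_id)
    return None


if __name__ == "__main__":
    session = ImageSetSession()
    first = session.render()
    second = session.render()
    print("image 7 first shown at", find(first, 7), "then at", find(second, 7))
    print("jump from set 1 to set 4 allowed:", session.goto(4))
```

Because a click is resolved against the layout held by the server, a recorded screen position says nothing about which image it selects on the next render.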
Section III deals with the performance of this IBA system. It covers the areas of Security of the image password set along with time and performance analysis of the image set. It also covers the comparison of JUIT-IBA with UFL-IBA system.
III. PERFORMANCE OF JUIT-IBA SYSTEM
A. Attack Scenario at Client Side
This section discusses the security performance of the JUIT-IBA system. It addresses almost all the possible attacks on any image based system. This section also includes the preventive measures that have been taken to prevent these attacks and how the system is better than text based passwords.
1) Keystroke Logging
For Keystroke Logging, refer to Figures (6) and (7). This is one of the key attacks attempted by a hacker in password authentication systems. It is most common when text based passwords are used to authenticate users. The attacker observes the key strokes of a user and can later gain access to the system. Now consider the IBA system. An attacker may attempt to note down the positions of the displayed images in an image grid, but it would be of no use, as no image is displayed in the same position inside the image grid when it is generated the next time.
Figure 7: Screenshot showing the same image grid as figure 3 but at different time instant. Note the encircled image and its position. It has changed randomly. All other images have changed their position
2) Shoulder Attack
For Shoulder Attack, refer to Figure (8). This is a simple attack in which an eavesdropper looks at the screen of a user from behind to get the required information about the password. To counter this attack, the images that have been selected to be displayed in the image grid are all very abstract images which are not easily describable. Also, while selecting an image, it is not highlighted, so the attacker does not get a clue as to which image was selected. Most display screens use a resolution of 800x600 pixels. The image grid in JUIT-IBA is designed in such a way that at any given instant all the 40 images of a particular image set are not visible to the onlooker. One complete row and almost two and a half columns are hidden in a single display. This further reduces the risk of shoulder attack. To further confuse the attacker, the images have been chosen in such a way that each image has at least one closely resembling image in the grid. This
Figure 8: Screenshot showing one of the image grid. Note: the entire grid is not visible at one time. We need to scroll up/down or right/left to view the entire grid.
3) Tempest Attack
For Tempest Attack, refer to Figures (9) and (10). Electromagnetic emanations from a monitor can be read by sensitive receiver equipment kept at a certain distance from it [9, 18, 19]. The attacker can extract the color information from the images. When a user selects an image it is not displayed on the screen but stored in the background. So this ensures that the attacker cannot get the color information of the selected images. Even if the attacker manages to extract information of the displayed image grid, he would still have to figure out the password from that grid, which is not an easy task. Now when the user wants to see the selected images, those images are displayed to the user as black and white as well as blurred so as to send
Figure 9: Screenshot showing the images that a user has selected. Note the encircled image. It's black & white to hide the color information and it's blurred also. This prevents tempest attack.
Figure 10: Screenshot showing the images that a user has selected. Note the encircled image. When the user moves the mouse over those images, they become colored. This is done to provide a facility to users to view his selected images.
4) Brute Force Attack
This is another very common attack and is one of the biggest threats to password-based authentication systems. In a brute force attack, all the possible combinations have to be tried to crack the password. Doing this on the IBA is not possible because this means that the attacker has to sit and try out all the combinations. The IBA system has a time limit imposed on each of its image grid pages and the session expires after a certain time. This means that the attacker must start from scratch after the session expires. Also, if the number of unsuccessful attempts reaches four, the account gets disabled and a mail is required to be sent to the administrator to activate the account. The activation code is sent to the user's email address and hence the attacker cannot do anything about it.
B. Attack Scenario at Server Side
1) Single point of failure: It requires continuous availability of a central server. When the Kerberos server is down, no one can log in. This can be solved by using multiple Kerberos servers.
2) Kerberos requires the clocks of the involved hosts to be synchronized. The tickets have time availability period and, if the host clock is not synchronized with the clock of Kerberos server, the
authentication will fail. The default configuration requires that clock times are no more than 10
minutes apart.
C. Timing Analysis
Image Sets Internet (low traffic) Internet (high traffic) Ethernet LAN (100 Mbps)
Image Set 1 0.00341 0.00402 0.00224 0.00382 0.00392 0.00322 0.00218 0.00318 0.00228
Image Set 2 0.00222 0.00302 0.00229 0.00296 0.00305 0.00271 0.00212 0.00313 0.00196
Image Set 3 0.00412 0.00454 0.00335 0.00401 0.00421 0.00337 0.00392 0.00428 0.00232
Figure 11: Graph showing the time taken to generate image sets in different scenarios (vertical axis: time taken to generate the image set, in secs; series: Internet (Low Traffic), Internet (High Traffic), LAN (100 MBPS)).
As a web application, the JUIT-IBA System performs well. Generation of Image Sets is the most time
consuming module of this system. Hence we show the timing graphs of Image Set Generation only. As
mentioned earlier, this system uses AJAX which increases the time performance by many folds.
D. Comparison with University of Florida Image Based Authentication System (UFL-IBA)
1) In UFL-IBA shoulder attack is relatively easy as compared with JUIT-IBA. This is due to the
following reasons:
a) In UFL-IBA, a red box appears on the images that are selected by the user, making it easier for the attacker to identify the selected image, while JUIT-IBA does not let the onlooker get any clue as to which image was selected.
b) At any given instant all the 36 images are visible to the onlooker in one view. This is not the case with JUIT-IBA.
c) One can find very distinct images which stand out from the rest of the images, so if a user has selected those images as the password then it can be easily found out. In contrast to this, the images in JUIT-IBA have at least one image amongst them which resembles the other, making it difficult for the onlooker to deduce the password set.
2) A person can go back from one image grid to the previous one making it vulnerable to get hacked.
In JUIT-IBA a person is only allowed to visit the image grid which he/she has already visited.
Meaning that if once the user reaches image grid number 3 then only he/she is allowed to go back to
grid number 1 and 2. Suppose if the user is on grid number 2 then he/she can only go to grid number 1 and not 3. The “Back” button on the browser does not let you revert back to the previous grid making it more secure.
3) The selected images are displayed on the left hand side column and get highlighted when the mouse
cursor is moved over them. This means that they are prone to shoulder and tempest attacks when
highlighted. On the other hand JUIT-IBA does not display the selected images anywhere on the
screen making it impossible for the attacker to identify them.
The remaining sections cover Importance of this IBA system followed by Conclusion and references.
IV. IMPORTANCE OF THE SYSTEM
With increasing computation power, text based passwords are no longer safe. However strong the encryption algorithm may be, it will go down in a few years' time. Hence the need arises for a system which interacts with the user to authenticate. This gave birth to BIOMETRICS, in which the physical presence of a human is required. Here we are using images as a password which is non-describable and shuffles its position every time. Hence human presence is required for proper authentication. Apart from this, we discussed some of the possible attacks that can be launched on these kinds of systems and how we can safeguard ourselves from those attacks. Therefore, seeing the level of security and the ease of use of this system, we can say these systems will be very popular in the near future.
V. CONCLUSIONS
Image Based Authentication systems combined with a strong protocol (Kerberos Protocol) assure a scope for secured systems in the future. Such systems provide a secure channel of communication between the
these systems. As we have seen in this paper, the JUIT-IBA system proves its toughness against today's cryptanalytic algorithms and other basic hacking mechanisms. Apart from the security factor, the run time performance of the system is most apt for today's internet configuration. Hence on the basis of security (Kerberos with Shared Keys) performance, time performance and ease of usage of such systems, we can conclude this paper by saying that IBA Systems hold a vital position in the future of network security.
VI. REFERENCES
[1] Andrew S. Tanenbaum and Maarten Van Steen, “Distributed Systems,” Pearson Education.
[2] Faulkner, Information Services: Enterprise Network Security Guidelines: Prevention and Response and Hacker Attacks, Digital Edition, June 1, 2001.
[3] Vijay K. Bhargava, H. Vincent Poor, Vahid Tarokh, and Seokho Yoon, Communications, Information and Network Security (The Springer International Series in Engineering and Computer Science), Hardcover, December 31, 2002.
[4] Security in Distributed and Networking Systems (Computer and Network Security) by Yang Xiao (Hardcover - Sep 30, 2007).
[5] Cristian Darie, Bogdan Brinzarea, Filip Chereches-Tosa, and Mihai Bucica, AJAX and PHP: Building Responsive Web Applications, Paperback, March 1, 2006.
[6] Richard E. Newman, Piyush Harsh, and Prashant Jayaraman, “Security Analysis of and Proposal for Image Based Authentication,” 2005.
[7] David Melcher, “The persistence of visual memory for scenes,” Nature, 412(6845) pp. 401, July 2001.
[8] Rachna Dhamija and Adrian Perrig, “A user study Using Images for Authentication,” Proceedings of the 9th Usenix Security Symposium, August 2000.
[9] William Stallings, “Cryptography and Network Security,” Pearson Education.
[10] http://www.Kerberos.info.
[11] http://en.wikipedia.org/wiki/Kerberos.
[12] Jason Garman, Kerberos: The Definitive Guide, Paperback, August 26, 2003.
[13] Brian Tung, Kerberos: A Network Authentication System, Paperback, May 4, 1999.
[14] http://www.w3schools.com/ajax/default.asp.
[15] Lee Babin, Beginning Ajax with PHP: From Novice to Professional, Paperback, October 16, 2006.
[16] Chris Ullman and Lucinda Dykes, Beginning Ajax (Programmer to Programmer), Paperback, March 19, 2007.
[17] Cristian Darie, Bogdan Brinzarea, Filip Chereches-Tosa, and Mihai Bucica, AJAX and PHP: Building Responsive Web Applications, Paperback, March 1, 2006.
[18] Wim van Eck, “Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk?,” Computers and Security, vol. 4, pp. 269-286, 1985.
[19] Markus G. Kuhn, “Electromagnetic Eavesdropping Risks of Flat-Panel Displays,” Proceedings of the 4th Workshop on Privacy Enhancing Technologies, May 2004.