International Journal of Emerging Technology and Advanced Engineering
Website: www.ijetae.com (ISSN 2250-2459, ISO 9001:2008 Certified Journal, Volume 3, Issue 8, August 2013)
3LAS (Three Level Authentication Scheme)
Kunal Mulwani, Saurabh Naik, Navinkumar Gurnani, Dr. Nupur Giri, Prof. Sharmila Sengupta
Vivekanand Education Society's Institute of Technology, Computer Engineering, University of Mumbai, Maharashtra, India
Abstract — Textual passwords are commonly used in day-to-day life, yet they tend to be weak as far as security is concerned. Users tend to pick short passwords that are easy to remember, which makes those passwords easy for attackers to break. Furthermore, textual passwords are vulnerable to hidden cameras, shoulder surfing, key loggers, spyware and brute force attacks. Graphical password schemes have been proposed as a possible alternative to text-based schemes; however, most of them remain vulnerable to shoulder surfing and key loggers.
Keywords — Graphical password, Textual password, Password, Security
I. INTRODUCTION
In our day-to-day life we visit hundreds of websites on the internet, and website security and user privacy have become a great concern. On almost every website we visit, the user logs in by providing login credentials.
There are, however, certain security concerns:
1. Someone standing behind or beside you can intentionally observe the credentials (the shoulder surfing problem).
2. A key logger may be installed on the system on which the login credentials are typed.
The vulnerabilities of textual passwords are well known. Users tend to pick short passwords that are easy to remember, which makes those passwords easy for attackers to break. Furthermore, textual passwords are vulnerable to shoulder surfing, hidden cameras, spyware, key loggers and brute force attacks. Graphical password schemes have been proposed as a possible alternative to text-based schemes; however, most of them remain vulnerable to shoulder surfing and key loggers. There is a need to solve the problems stated above. In this paper we propose a three-phase textual-graphical password authentication scheme. The technique integrates graphical and textual password schemes and provides nearly perfect resistance to shoulder surfing, hidden cameras, spyware, key loggers and brute force attacks. It can replace or coexist with conventional textual password systems without changing existing user password profiles.
The scheme shows significant potential for bridging the gap between conventional textual passwords and graphical passwords.
The proposed scheme has a very wide scope: it can be used for banking applications, ATM services and other applications where user interaction with private data is controlled by password authentication.
II. LITERATURE REVIEW
Textual passwords have existed since 1960 and have been a common mechanism to authenticate users ever since. The applications we use in day-to-day life authenticate users with textual passwords. The main motivation behind graphical passwords is that humans can remember a graphical password more easily than a textual one [1]. Graphical passwords also tend to be more secure than textual passwords.
Sobrado and Birget [6] developed a graphical password technique. In their scheme, the system displays 3 pass-objects (pre-selected by the user) among many other objects. To be authenticated, the user needs to recognize the pass-objects and click inside the triangle formed by the 3 pass-objects.
Huanyu Zhao and Xiaolin Li [7] designed an authentication system based on a textual-graphical password scheme. In their system the user is presented with a screen of characters. The password is represented as a sequence of invisible triangles: the first three characters form the corners of an invisible triangle, then, starting from the second character, another invisible triangle is formed, and so on. In each triangle the user has to click on, or use, the central character of the triangle as the session password.
III. 3LAS SYSTEM
3LAS extends the basic working of S3PAS [7], with minor differences. Instead of a triangle, 3LAS uses a square. In S3PAS the password appears in a single instance, whereas in 3LAS it appears across multiple instances. As the name suggests, 3LAS has three levels of authentication, which can be used according to the required level of security.
The three levels are as follows:
A. Level – 1: Random Character in Grid
This is the first level of 3LAS. A screen of random characters appears in front of the user, and the user's password is hidden among those random characters. The password is broken down into pieces of four characters each. The first instance contains the first four characters as the corners of a 3 x 3 matrix (the invisible square); the second instance contains the next four characters, and so on. To move to the next instance the user clicks on one of the possible characters within the square, viz. north, south, east, west or center. The user cannot click on the corners of the square, because they represent the password characters and clicking them would make the scheme more vulnerable. At registration time the user is asked to define a pattern of which character to click at each instance: in the first instance the user may click on the central character, in the next instance on the left character, and so on, as the user chooses. These characters form a "session password", similar to S3PAS [7]. In this scheme the 3 x 3 matrix appears at a random position in each instance. Moreover, the screen of random characters is different every time, i.e. the character positions change at every instance, and the characters appearing within the invisible square are also different at every instance.
Consider an example. Jack wants to log in. His password is "mydad123". He first enters his id and then gets the screen shown in Fig. 1.
In this screen Jack has to search for his password in the form of a 3 x 3 matrix. The first four password characters, in this case "myda", appear as the corners of the invisible square. He then clicks on his chosen character. Assume he chose center and left: in the first instance he clicks on the central character ( _ ). After clicking on the central character, Jack proceeds to the next instance, shown in Fig. 2.
Fig. 1. Level – 1 First Instance.
Now Jack has to search for the next four characters of his password, i.e. "d123", in the screen, following the same procedure as explained above.
Fig. 2. Level – 1 Second Instance.
This is because the square appears at a different position on the screen and the characters of the session password are different at every instance.
B. Level – 2: Random Character in Grid with Session password
Although Level – 1 is shoulder surfing resistant, it is still vulnerable: the snapshot feature of a key logger can be used to determine the password. An attacker who collects snapshots of multiple sessions can compare them to recover the actual password and possibly the scheme too. To overcome this vulnerability, another scheme can be used. In this scheme, instead of clicking on the characters of the session password, the user remembers those characters and enters the session password at the end, which leads to authentication. Every time the user tries to log in, a different session password is obtained, so key logger snapshots do not help the attacker crack the password.
Considering the same example, Jack with password "mydad123" follows the same procedure as in Level – 1. But now, instead of clicking on the characters, Jack memorizes them and, after successfully completing the last instance, is asked to enter the session password. The screen appears as shown in Fig. 3. After memorizing his session password character he clicks on the next button and gets the next instance, shown in Fig. 4.
Fig. 3. Level – 2 First Instance.
The user is authorized by means of the session password, which is generated from the actual password while keeping the actual password intact. Here Jack has to enter the session password, i.e. "_K", and is thereby authenticated.
Fig. 4. Level – 2 Second Instance.
C. Level – 3: Random Character in Grid with Session password and grid variations
Level – 2 is highly secure, and it is difficult to crack the user's password. If a more secure environment is required, the next proposed scheme is highly suitable. It is similar to Level – 2. Until now the grid size was constant at 3 x 3; to make the scheme more complex, we introduce a variation in grid size. In one instance the grid may be 3 x 3, in another 5 x 5, and so on. Even though the grid size varies, the possible candidates for the session password within the square remain 5, viz. north, south, east, west or center.
Considering the above example, Jack, using his password "mydad123", wants to log in. The same procedure of finding the first four characters at the corners of the invisible square continues, with the difference that the grid size varies. In the first instance he gets the screen shown in Fig. 5.
He searches for his password characters in the screen and finds them in a 5 x 5 grid. He memorizes the central character and clicks on the next button, after which he gets the next screen, shown in Fig. 7.
Fig. 5. Level – 3 First Instance.
This scheme is highly resistant to security attacks such as shoulder surfing and key loggers.
Fig. 6. Level – 3 Second Instance.
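To make the three levels concrete, the following Python simulation of the 3LAS challenge and verification is added here as an example; it is not code from the paper, and the function names, the character alphabet, the default 8 x 10 screen and the grid sizes 3, 5 and 7 are assumptions (the screen and sizes are borrowed from the worked numbers in Section IV). Levels 1 and 2 use a fixed 3 x 3 square (Level 1 verifies a click on the registered cell, Level 2 verifies the typed session password); Level 3 is the same verification with the square size drawn per instance.

```python
"""3LAS challenge/response simulation (added example; hypothetical names throughout)."""
import hmac
import secrets
import string
from dataclasses import dataclass

ALPHABET = string.ascii_letters + string.digits + "_@#$%&*"  # constructed alphabet
G = 4                                                        # corner positions per square
CLICKABLE = ("north", "south", "east", "west", "center")     # PV = 5 candidate cells


def corner_offsets(k):
    """Row/column offsets of the four corners of a k x k square (top-left origin)."""
    return [(0, 0), (0, k - 1), (k - 1, 0), (k - 1, k - 1)]


def clickable_offsets(k):
    """Offsets of the five permitted session-password cells inside a k x k square."""
    h = k // 2
    return {"north": (0, h), "south": (k - 1, h), "west": (h, 0),
            "east": (h, k - 1), "center": (h, h)}


@dataclass
class Instance:
    grid: list  # rows x cols characters, exactly what the user sees
    top: int    # position of the invisible square: server-side secret per instance
    left: int
    k: int      # square size (3 for Levels 1-2; drawn from GV for Level 3)


def make_instance(chunk, rows, cols, k):
    """One screen: random filler plus the four chunk characters at the corners of
    an invisible k x k square placed at a random position."""
    if len(chunk) != G or k % 2 == 0 or k > min(rows, cols):
        raise ValueError("bad chunk or square size")
    # Filler excludes the chunk's characters so the square is unambiguous to the
    # user; the paper does not say how collisions are handled (simulation choice).
    filler = [c for c in ALPHABET if c not in chunk]
    grid = [[secrets.choice(filler) for _ in range(cols)] for _ in range(rows)]
    top = secrets.randbelow(rows - k + 1)
    left = secrets.randbelow(cols - k + 1)
    for ch, (dr, dc) in zip(chunk, corner_offsets(k)):
        grid[top + dr][left + dc] = ch
    return Instance(grid, top, left, k)


def make_login(password, pattern, rows=8, cols=10, sizes=(3,)):
    """All instances for one login (I = L/G of them). Levels 1 and 2 use sizes=(3,);
    Level 3 passes several sizes (GV) and one is drawn per instance."""
    if len(password) % G:
        raise ValueError("password length must be a multiple of 4")
    chunks = [password[i:i + G] for i in range(0, len(password), G)]
    if len(pattern) != len(chunks) or any(p not in CLICKABLE for p in pattern):
        raise ValueError("pattern must name one clickable cell per instance")
    return [make_instance(ch, rows, cols, secrets.choice(sizes)) for ch in chunks]


def session_password(instances, pattern):
    """Server-side expected session password: the character at the registered
    cell of each instance's square. It never contains that chunk's own characters."""
    out = []
    for inst, where in zip(instances, pattern):
        dr, dc = clickable_offsets(inst.k)[where]
        out.append(inst.grid[inst.top + dr][inst.left + dc])
    return "".join(out)


def verify_level1_click(inst, where, row, col):
    """Level 1: the click must land on the registered cell of this instance.
    Corners are the password characters and are rejected outright."""
    if (row - inst.top, col - inst.left) in corner_offsets(inst.k):
        return False
    dr, dc = clickable_offsets(inst.k)[where]
    return (row, col) == (inst.top + dr, inst.left + dc)


def verify_session(instances, pattern, typed):
    """Levels 2 and 3: constant-time comparison of the typed session password."""
    return hmac.compare_digest(session_password(instances, pattern), typed)


def render(inst):
    """The screen as the user sees it (no square outline, no position hints)."""
    return "\n".join(" ".join(row) for row in inst.grid)


if __name__ == "__main__":
    # Jack's example from the paper: password "mydad123", pattern center then west.
    pattern = ["center", "west"]
    login = make_login("mydad123", pattern, sizes=(3, 5, 7))  # Level 3 variant
    for n, inst in enumerate(login, 1):
        print(f"instance {n} ({inst.k} x {inst.k} square):\n{render(inst)}\n")
    expected = session_password(login, pattern)
    print("accepted:", verify_session(login, pattern, expected))
```

The square position is kept only on the server side for the duration of the attempt, and the grid sent to the client carries no outline; running the block prints Jack's two Level 3 screens and verifies the expected session password. The filler cells deliberately exclude the chunk's own characters so that the square can be located unambiguously, a detail the paper leaves unspecified.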
IV. ANALYSIS AND DISCUSSION
A. Shoulder Surfing Resistant
Textual and graphical passwords are vulnerable to shoulder surfing. The 3LAS system is shoulder surfing resistant, as the attacker is not able to infer the password from what the user types or clicks, and Level – 3 makes it even more complicated for the attacker to crack the password.
B. Random click, Brute force and Dictionary attack resistance
Notations used:
G: Grid corner positions
L: Length of the password in letters
I: Instance number, defined by I = L/G
M: Matrix, defined by m * n
PV: Position count, which defines the different possible positions where the password can be present
GV: Grid variations of various combinations
N: Number of chances allowed to the user to enter the password
Probability of retrieving the password using brute force attack, dictionary attack and random clicks:
Level – 1: Random Character in Grid
Probability of breaking the password (P) is given by
P =
Level – 2: Random Character in Grid with Session password
Probability of breaking the password (P) is given by
P =
Level – 3: Random Character in Grid with Session password and grid variations
Probability of breaking the password (P) is given by
P =
For example, worst case checking of Level 3, where the password size is 8 characters, is given by:
Let M = 8 * 10 (grid size)
PV = 5 (LEFT, RIGHT, TOP, BOTTOM, CENTER)
L = 8 (minimum length of password)
G = 4 (grid corner positions possible in a square matrix)
I = 8/4 = 2
GV = 3 (3 x 3, 5 x 5, 7 x 7 matrices allowed for the user to select)
P =
= 3.08641e-9
Best case checking of Level 3, where the password size is 16 characters, is given by:
Let M = 8 * 10 (grid size)
PV = 5 (LEFT, RIGHT, TOP, BOTTOM, CENTER)
L = 16 (maximum length of password)
G = 4 (grid corner positions possible in a square matrix)
I = 16/4 = 4
P =
= 3.716891e-27
V. CONCLUSION
We proposed a three level authentication system. 3LAS demonstrates the desirable features of a secure authentication system, being immune to shoulder surfing, hidden camera and spyware attacks. According to the system requirements, the desired level of security can be achieved by using the three proposed levels of authentication.
REFERENCES
[1] R. N. Shepard. Recognition memory for words, sentences and pictures. Journal of Verbal Learning and Verbal Behavior, 6:156–163, 1967.
[2] G. E. Blonder, "Graphical passwords," United States Patent 5559961, 1996.
[3] W. Jansen, "Authenticating Mobile Device User Through Image Selection," in Data Security, 2004.
[4] W. Jansen, "Authenticating Users on Handheld Devices," in Proceedings of Canadian Information Technology Security Symposium, 2003.
[5] W. Jansen, S. Gavrila, and V. Korolev, "A Visual Login Technique for Mobile Devices," National Institute of Standards and Technology Interagency Report NISTIR 7030, 2003.
[6] L. Sobrado and J. C. Birget. Graphical passwords. The Rutgers Scholar, An Electronic Bulletin for Undergraduate Research, 4, 2002.