International Journal of Research in Information Technology (IJRIT) International Journal of Research in Information Technology (IJRIT)International Journal of Research in Information Technology (IJRIT) International Journal of Research in Information Technology (IJRIT)
www.ijrit.comwww.ijrit.com www.ijrit.comwww.ijrit.com ISSN 2001-5569
AUTHENTICATION SCHEMES FOR SESSION PASSWORD USING COLOUR AND IMAGES
Sarvesh R. Rathod, Vivek Sangale, Suraj Kakade, Noor Khan
Yadavrao Tasgaonkar Institute of Engineering & Technology,Bhivpuri Road, Karjat, Maharashtra, INDIA
Abstract - Authentication is a process of determining whether someone or something is in fact who or what to be declared. For authentication mostly textual passwords are used. Textual passwords are the most common method used for authentication. But textual passwords are vulnerable to eves dropping, dictionary attacks, social engineering and shoulder surfing. Graphical passwords are introduced as alternative techniques to textual passwords. Most of the graphical schemes are vulnerable to shoulder surfing. To address this problem, text can be combined with images or colours to generate session passwords for authentication. Session passwords can be used only once and every time a new password is generated. In this paper, two techniques are proposed to generate session passwords using text, images and colours which are resistant to shoulder surfing.
Index Terms: Authentication, session passwords, shoulder surfing
I. INTRODUCTION
The most common method used for authentication is textual password. The vulnerabilities of this method like eves dropping, dictionary attack, social engineering and shoulder surfing are well known. The alternative techniques are graphical passwords and biometrics. But these two techniques have their own disadvantages. Biometrics, such as finger prints, iris scan or facial recognition have been introduced but not yet widely adopted.
The major drawback of this approach is that such systems can be expensive and the identification process can be slow. There are many graphical password schemes that are proposed in the last decade. Personal Digital Assistants are being used by the people to store their personal and confidential information like passwords and PIN numbers. Authentication should be provided for the usage of these devices.
In this, two new authentication schemes are proposed for PDAs. These schemes authenticate the user by session passwords.
Session passwords are passwords that are used only once. Once the session is terminated, the session password is no longer useful. For every login process, users input different passwords. The session passwords provide better security against dictionary and brute force attacks as password changes for every session. The proposed authentication schemes use text and colors for generating session passwords.
II.EXISTINGSYSTEMS
Various comprehensive investigations on the existing authentication schemes have been accomplished. And it has been discerned that none of the recent authentication schemes can resist all sorts of attacks. With this outcome, this paper proposes an authentication schemes which overcomes all the existing authentication schemes. Literature review reveals all the studies that are done in past. Some of the authentication schemes are discussed as follows:
A. Dhamija and Perrig[1]:
Proposed a graphical authentication scheme in which the user identifies the pre-defined images to prove the authentication of the user. In this scheme, during registration the user selects a set of images from a predefined set of images. Later on at the login time the user has to select the images that he had selected during the registration time to prove his authentication. But this system is vulnerable to shoulder-surfing.
Fig 1 Random images used by Dhamija and Perrig.
B. Pass faces[2] :
Later on a new schemes was introduced known as Passfaces.In this scheme there is a grid of nine faces and the user to select on image from the grid.the user chooses four images of human as their password and have to select their pass image from the other eight images.since there are four user select images it is done four times.But this schemes was very easy to attacks by guessing or trying for number of time.
Fig 2 Pass Faces C. Draw –A-Secret[3]:
Similar to this a same scheme was introduced by Syukri[4]. This authentication scheme was based on the principle that the user has to draw his signature by using mouse. This scheme had two stages of implementation viz. the registration phase and the verification phase. At the time of registration the user draws a signature that is extrated by the system.At the time od registration the signature is taken as an input and normalozation is done and then the parameters are extracted and cheking is done and the user is authenticated if the parameters gets matched.But drawing with mouse is not so easy and acutals parameters cannot be matched with the signature that was drawn at the registration time.this schemes is prone to forgery of signature.
Fig 3 Draw-A-Secret D Story-Scheme:
To overcome this shoulder surfing attacks a scheme was proposed by Haichang et al [7].This schemes is the combination of DAS and Story schemes. The user has to draw a curve along the images to prove their authenticity.
Fig 4 Story Scheme
To overcome shoulder surfing, many schemes are proposed. Zhao and Li [12] proposed a shoulder surfing resistant scheme
“S3PAS”. The main idea of the system was to integrate both textual and graphical schemes to provide high security.
III.PROPOSEDSYSTEMOVERVIEW A. Authentication Scheme Module
1) Hybrid Textual Authentication Scheme
a) During registration, user should rate colors as shown in figure 5. The User should rate colors from 1 to 8 and he can remember it as “RLYOBGIP”. Same rating can be given to different colors.
Fig 5: Rating of Colours by User
b) During the login phase, when the user enters his username an interface is displayed based on the colours selected by the user.
The login interface consists of grid of size 8×8. This grid contains digits 1-8 placed randomly in grid cells. The interface also contains strips of colours as shown in figure 6. The colour grid consists of 4 pairs of colours. Each pair of colour represents the row and the column of the grid.
Fig 6: Login Interface
Figure 6 shows the login interface having the color grid and number grid of 8 x 8 having numbers 1 to 8 randomly placed in the grid. Depending on the ratings given to colors, we get the session password. As discussed above, the first color of every pair in color grid represents row and second represents column of the number grid. The number in the intersection of the row and column of the grid is part of the session password. Consider the figure 9 ratings and figure 10 login interface for demonstration. The first pair has red and yellow colors. The red color rating is 1 and yellow color rating is 3. So the first letter of session password is 1st row and 3rd column intersecting element i.e. 3. The same method is followed for other pairs of colors. For figure 10 the password
is “3573”. Instead of digits, alphabets can be used. For every login, both the number grid and the color grid get randomizes so the session password changes for every session.
c) During registration phase for image authentication, user will be asked to choose five images of his choice which will be stored in the database. During registration user needs to select a point on each image. The x-coordinate & y-coordinate of the selected point in the image will be stored in the database. Fig7 shows registration of image authentication.
Fig7: Registration for image authentication
Now, during login phase the user will b shown his images in random order and he needs to click on the point of authentication for respective images as done in registration phase. If the use fails to authenticate then he needs to start the process from the beginning of authentication.
2. Registration Module:
This module is used to registered user Details in three parts. They are Name authentication password, Color Priority Password and Image Authentication details. First, user is going to enter the normal password but it using capital A-Z letters and 0-9 Numbers.
Second the user to put the color priority in eight colors and then image authentication registration. Fig 8 shows the registration module.
Fig 8 Registration Module
3. User Interaction Module:
This module is used to perform the user to chat with other user and send file to another user and also download it. User can change our own personal details and also change password.
IV.SYSTEMWORKING
Fig 9: Block diagram of registration phase
Fig 10: Authentication Diagram
A. Hardware Requirements:
Server:
One computer for server. The Database Administrator can use the same computer. The server computer must have processor with clock speed above 1 GHZ and should at least have 256 MB of RAM. More memory will give better performance.
Client:
One computer for the user to access web application. The client computer must have processor with clock speed above 1 GHZ and should at least have 256 MB of RAM.
B. Software Requirement:
1) Operating System: Windows 2000-SP4 or Windows XP SP2 is required for development as well as running the project. We used Windows XP SP2 for development purpose.
2) JRE: JRE should be installed for application to run.
3) MySQL: It is used as database management system for our project. This requirement applies only to server and not compulsory for User.
4) Internet Browser: Microsoft Internet Explorer 7 is required by the website.
V.SECURITYANALYSIS
As the interface changes every time, the session password changes. This technique is resistant to shoulder surfing. Due to dynamic passwords, dictionary attack is not applicable. Hidden camera attacks are not applicable to PDAs because it is difficult to capture the interface in the PDAs.
Dictionary Attack: Here in this attack, hacker uses the set of dictionary words and authenticate by trying one word after one. The Dictionary attacks fails towards our authentication systems because session passwords are used for every login.
Shoulder Surfing: These techniques are Shoulder Surfing Resistant. In this scheme, the ratings decide the session password. But with session password you can’t find the ratings of colors. Even by knowing session password, the complexity is 84 .So these are resistant to shoulder surfing.
Guessing: Guessing can’t be a threat to the pair based because it is hard to guess secret pass and it is 364.The hybrid textual scheme is dependent on user selection of the colors and the ratings.
Brute force attack: These techniques are particularly resistant to brute force due to use of the session passwords.
User Study
We conducted the user study of the proposed techniques with 10 participants for each technique. As the techniques are new, first the participants were briefed about the techniques. They were given demonstrations for better understanding purpose. Then each user was requested to login. After that, the usability study was conducted with the students in two sessions. The sessions were conducted in time frame of one week.
Table 1 shows the registration time for each technique. Table 2 shows the log-in time for each technique for the first session of user study. Table 3 shows the log-in time for the second session which was taken after one week of first session.
Table 1: registration time for passwords
Techique Avg Max Min
Hybrid Textual Authentication
58 78 48
Table 2: Login time for correct password at login1
Table 3: Login time for correct password at login2
It is observed that, as the user get practised over, he is able to login without any problem. If the user is able to remember the password or ratings of colors, the schemes are resistant to shoulder surfing. The easiest way to remember ratings for colors is to use some concept or story and this leads to successful login in the Hybrid Textual Authentication
VI. CONCLUSION
In this paper, two authentication techniques based on colour and images are proposed for PDAs. These techniques generate session passwords and are resistant to dictionary attack, brute force attack and shoulder-surfing. Both the techniques use grid for session passwords generation. For hybrid textual scheme, ratings should be given to colors, based on these ratings and the grid displayed during login, session passwords are generated. However these schemes are completely new to the users and the proposed authentication techniques should be verified extensively for usability and effectiveness.
ACKNOWLEDGEMENT
We are immensely obliged to Prof. Gayatri Naik, for motivating us for the idea of this topic, and for her immense support in gathering resources and for his guidance and supervision which made this project report successful.
We would like to say that it has indeed been a fulfilling experience for working out this project report. Lastly, we thank almighty, our parents, for their constant encouragement without which this project would not be possible.
REFERENCES
[1] R. Dhamija and A. Perrig “Déjà Vu: A User Study Using Images for Authentication”. In 9th USENIX Security Symposium,2000.
[2] Real User Corporation: Passfaces. www.passfaces.com
[3] Jermyn, I., Mayer A., Monrose, F., Reiter, M., and Rubin., “The design and analysis of graphical passwords” in Proceedings of USENIX Security Symposium, August 1999.
[4] A. F. Syukri, E. Okamoto, and M. Mambo, "A User Identification System Using Signature Written with Mouse," in Third Australasian Conference on Information Security and Privacy (ACISP): Springer-Verlag Lecture Notes in Computer Science (1438), 1998, pp. 403-441.
[5] G. E. Blonder, "Graphical passwords," in Lucent Technologies, Inc., Murray Hill, NJ, U. S. Patent, Ed. United States, 1996.
[6] Passlogix, site http://www.passlogix.com.
[7] Haichang Gao, ZhongjieRen, Xiuling Chang, Xiyang Liu UweAickelin, “A New Graphical Password Scheme Resistant to Shoulder-Surfing
[8] S. Wiedenbeck, J. Waters, J.C. Birget, A. Brodskiy, N. Memon, “Design and longitudinal evaluation of a graphical password system”. International J. of Human-Computer Studies 63 (2005) 102-127.
[9] W. Jansen, "Authenticating Mobile Device User through Image Selection," in Data Security, 2004.
[10] W. Jansen, "Authenticating Users on Handheld Devices “in Proceedings of Canadian Information Technology Security Symposium, 2003.
[11] Zeng Z. Liu X., Yin L. And Liu Z. (2010) Journal of Computers.
[12] Zhao H. And Li X. (2007) 21st International Conference On Advance Information Networking and Application Workshops(AINAW).
Techique Avg Max Min
Hybrid Textual Authentication
48 72 29
Techique Avg Max Min
Hybrid Textual Authentication
40 64 26