• No results found

Enhancing Security Using Graphical Patterns Selection (ENSUGPS)

N/A
N/A
Protected

Academic year: 2020

Share "Enhancing Security Using Graphical Patterns Selection (ENSUGPS)"

Copied!
6
0
0

Loading.... (view fulltext now)

Full text

(1)

1.

Preethi.D

1

., Priya.J

2

,Saranraj,G3

1.&2.Student of pre-final year,3.Asst.proffessor

2.

Department of Computer Science and Engineering, Dhanalakshmi srinivasan college,

Perambalur- 620009, Tamil Nadu, India.

,

Abstract- The various forms of authentication methods has drawbacks since alphanumeric usernames and passwords can be easily hacked. Graphical passwords are the images or representation of images as passwords. These are easy to remember and also provide more security. Humans can easily remember picture than textual character. There are various graphical password schemes or graphical password software in the market. However, very little research has been done to analyze graphical passwords that are still immature.

Therefore, this project work presents a technique to enhance security using Graphical Patterns. (ENSUGPS). This ENSUGPS is a new alternative user interface system for the user authentication. The major goal of this work is to reduce the network delay as well as the memory space required, especially for graphical passwords, since infinite passwords of the same kind have to be maintained in regard to pass point’s scheme.

Index Terms —Hacking techniques, Authentication and

computer security

I. INTRODUCTION

There has been a great deal of hype for graphical passwords since two decade due to the fact that primitive‘s methods suffered from an innumerable number of attacks which could be imposed easily. Here we will progress down the taxonomy of authentication methods.

To start with we focus on the most common computer authentication method that makes use of text passwords. Despite the vulnerabilities, it‘s the user natural tendency of the users that they will always prefer to go for short passwords for ease of remembrance [10] and also lack of awareness about how attackers tend to attacks.

Unfortunately, these passwords are broken mercilessly by intruders by several simple means such as masquerading, Eaves dropping and other rude means say dictionary attacks, shoulder surfing attacks, social engineering attacks[10][1]..

To mitigate the problems with traditional methods, advanced methods have been proposed using graphical as passwords. The idea of graphical passwords first described by Greg Blonder (1996). For Blonder, graphical passwords

have a predetermined image that the sequence and the tap regions selected are interpreted as the graphical password. Since then, many other graphical password schemes have been proposed

.

The desirable quality associated with graphical passwords is that psychologically humans can remember graphical far better than text and hence is the best alternative being proposed. There is a rapid and growing interest in graphical passwords for they are more or infinite in numbers thus providing more resistance.

The major goal of this work is to reduce the network delay as well as the memory space required, especially for graphical passwords, since infinite passwords of the same kind have to be maintained in regard to pass point‘s scheme.

2. Taxonomy of Authentication

The following Figure 1: is the depiction of current authentication methods.

Biometric based authentication systems techniques are proved to be expensive, slow and unreliable and hence not preferred by many.

Token based authentication system is high security and usability and Accessibility compare then others. But this system employ knowledge based techniques to enhance security. But the current knowledge based techniques are still immature. For instance, ATM cards always go hand in hand with PIN number.

So the knowledge based techniques are the most wanted techniques to improve real high security since they encompass both texts based & graphical based passwords. Recognition based & recalls based are the two names by which graphical techniques could be classified.

.

Enhancing Security Using Graphical Patterns

(2)

303 Figure 1: Taxonomy of Password Authentication Techniques

3. Background on graphical Password Systems 3.1 Recognition Based Techniques:

Dhamija and Perrig [4] proposed a graphical authentication scheme based on the Hash Visualization technique. In their system Figure 2: the user is asked to select a certain number of images from a set of random pictures generated by a program later the user will be required to identify the pre selected images in order to be authenticated. A weakness of this system is that the server needs to store the seeds of the portfolio images of each user in plain text. Also, the process of selecting a set of pictures from the picture database can be tedious and time consuming for the user

Akula and Devisetty‘s algorithm [5] is similar to the technique proposed by Dhamija and Perrig .the images will be converted into hashing code using SHA-1 techniques to give more secure and less memory. In this Technique produces a 20 byte output.

Both the above algorithms are prone to shoulder surfing attacks.

Figure 2. Random images used by Dhamija and Perrig

3.2 Mitigating Shoulder surfing problem:

(3)

Sobrado and Birget [6] developed a graphical password technique that deals with the shoulder surfing problem. To be authenticated, a user needs to recognize pass-objects and click inside the convex hull formed by all the pass-objects Figure 3: In order to make the password hard to guess, Sobrado and Birget suggested using 1000 objects, which makes the display very crowded and the objects almost indistinguishable, but using fewer objects may lead to a smaller password space, since the resulting convex hull can be large. The main drawback of this algorithm is that the log in process can be slow.

3.2.2 Hong’s Methods

Hong, et al.[7] proposed another shoulder-surfing resistant algorithm. In this approach to allow the user to assign their own codes to pass-object variants. Figure 4: shows the log-in screen of this graphical password scheme. However, this method still forces the user to memorize many text strings and therefore suffer from the many drawbacks of text-based passwords.

Figure 3: A shoulder-surfing resistant graphical password scheme

3.2.3 Man’sMethods

Man, et al. [9] proposed another shoulder-surfing resistant algorithm. In this algorithm, a user selects a number of pictures as pass-objects. Each pass-object has several variants and each variant is assigned a unique code. During authentication, the user is challenged with several scenes. Each scene contains several pass-objects (each in the form of a randomly chosen variant) and many decoy-objects. The user has to type in a string with the unique codes corresponding to the pass-object variants present in the scene as well as a code indicating the relative location of the pass objects in reference to a pair of eyes. The argument is that it is very hard to crack this kind of password even if the whole authentication process is recorded on video because there is no mouse click to give away the pass-object information. However, this method still requires users to memorize the alphanumeric code for each pass-object variant Scheme.

3.3 Recall based techniques:

In this section we discuss recent there types of click based graphical password techniques:

1. Pass Point(PP)

2. Cued Click Points(CCP)

3. Persuasive Cued Click- Points (PCCP)

Figure 4: Hong’s al’s Shoulder surfing resistant

3.3.1 Pass point (PP)

Based on Blonder‘s original idea [7], Pass Points (PP) [7] is a click-based graphical password system where a password consists of an ordered sequence of five click-points on a pixel-based image as shown in Figure.5. To log in, a user must click within some system-defined tolerance region for each click-point. The image acts as a cue to help users remember their password click-points.

Figure. 5 On Pass Points, a password consists of five ordered click-points on the image (the numbered labels do not appear in practice). Background image reprinted from [7].

3.3.2 Cued Click Points (CCP)

(4)

305 point per image for five images Figure.6:.The interface

displays only one image at a time; the image is replaced by the next image as soon as a user selects a click point. The system determines the next image to display based on the user‘s click-point on the current image. The next image displayed to users is based on a deterministic function of the point which is currently selected. This modified design has several security and usability benefits. It now presents a one to-one cued recall scenario where each image triggers the user‘s memory of the one click-point on that image. Secondly, if a user enters an incorrect click-point during login, the next image displayed will also be incorrect. Legitimate users who see an unrecognized image know that they made an error with their previous click-point. Conversely, this implicit feedback is not helpful to an attacker who does not know the expected sequence of images.

Figure 6: With CCP, users select one click-point per image. The next image displayed is determined by the current click-point.

3.3.3 Persuasive Cued Click- Points (PCCP)

To address the issue of hotspots, PCCP was proposed [7]. As with CCP, a password consists of five click-points, one on each of five images. During password creation, most of the image is dimmed except for a small view port area that is randomly positioned on the image as shown in Figure. 7. Users must select a click-point within the view port. If they are unable or unwilling to select a point in the current view port, they may press the Shuffle button to randomly reposition the view port. The view port guides users to select more random passwords that are less likely to include hotspots. A user who is determined to reach a certain click-point may still shuffle until the view port moves to the specific location, but this is a time consuming and more tedious process.

Figure. 7: the PCCP password creation interface. Users must select a click-point from the randomly positioned highlighted view port or press the Shuffle button to randomly reposition the view port.

4. Discussion:

“Will Graphical passwords circumvent Text based

passwords?”

Here we briefly exam some of the possible

techniques for breaking graphical passwords and try to do a comparison with text-based passwords.

Dictionary attacks

Since recognition based graphical passwords involve mouse input instead of keyboard input, it will be impractical to carry out dictionary attacks against this type of graphical passwords. For some recall based graphical passwords [11], it is possible to use a dictionary attack but an automated dictionary attack will be much more complex than a text based dictionary attack. More research is needed in this area Overall, we believe graphical passwords are less vulnerable to dictionary attacks than text-based passwords.

Guessing

Unfortunately, it seems that graphical passwords are often predictable, a serious problem typically associated with text-based passwords. More research efforts are needed to understand the nature of graphical passwords created by real world users.

Shoulder Surfing

(5)

only a few recognition-based techniques are designed to resist shoulder-surfing.

Spy ware

Except for a few exceptions, key logging or key listening spy ware can not be used to break graphical passwords. It is not clear whether ―mouse tracking‖ spy ware will be an effective tool against graphical passwords. However, mouse motion alone is not enough to break graphical passwords. Such information has to be correlated with application information, such as window position and size, as well as timing information.

Social engineering

Comparing to text based password, it is less convenient for a user to give away graphical passwords to another person. For example, it is very difficult to give away graphical passwords over the phone. Setting up a phasing web site to obtain Graphical passwords would be more time consuming.

“What are the issues to be taken into account for graphical passwords?”

Usability

One of the main arguments for graphical passwords is that pictures are easier to remember than text strings. Preliminary user studies presented in some research papers seem to support this. However, current user studies are still very limited, involving only a small number of users. We still do not have convincing evidence demonstrating that graphical passwords are easier to remember than text based passwords. A major complaint among the users of graphical passwords is that the password registration and log-in process take too long, especially in recognition-based approaches. For example, during the registration stage, a user has to pick images from a large set of selections. During authentication stage, a user has to scan many images to identify a few pass-images.

Users may find this process long and tedious. Because of this and also because most users are not familiar with the graphical passwords, they often find graphical passwords less convenient than text based passwords.

Reliability

The major design issue for recall-based methods is the reliability and accuracy of user input recognition. In this type of method, the error tolerances have to be set carefully – overly high tolerances may lead to many false positives while overly low tolerances may lead to many false negatives. In addition, the more error tolerant the program, the more vulnerable it is to attacks.

Storage and communication

Graphical passwords require much more storage space than text based passwords. Tens of thousands of pictures may have to be maintained in a centralized database. Network transfer delay is also a concern for graphical passwords, especially for recognition-based techniques in which a large number of pictures may need to be displayed for each round of verification.

5. Proposed System

Now-a-days, all business, government, and academic organizations are investing a lot of money, time and computer memory for the security of information. In this computer era, since damage can be easily imposed on vulnerable systems connected to the networks, Traditional methods of providing security do not suffice, especially in banking sectors, military services and university est. This project deals with brute force attacks, dictionary attacks.

This project proposes a click-based graphical password system where a password consists of an ordered sequence of five click-points on a pixel-based image rather than typing a long and complex alphanumeric password with the computer keyboard. During the time of registration a user may choose several areas (click points) on an image. In order to log in the user has to click close to the chosen click points, and after clicking on several places (pixels) the sequence is stored. Generally, users cannot click on the same points that are selected during registration. This tolerance allows a user to click on nearby locations. Thereby tolerance regions around the chosen several click points is calculated and a compressed version of click points graphical patterns are stored in the database instead of storing them as such. This proposed system also provides protection against key logger spy ware. Since, computer mouse is used rather than the keyboard to enter our graphical password; this protects the password from key loggers.

5.1 Proposed System Architectures

(6)

307

Figure 9: Account Login Session System Architecture

6. Conclusion and future work

A major advantage of PassPoints scheme is its large password space over alphanumeric passwords. But the security of PassPoints system is also an important issue. Truly speaking, there is a growing interest for Graphical passwords since they are far ore better than Text based passwords, although the main argument for graphical passwords is that people are better at memorizing graphical passwords than text-based passwords, On the whole, the current graphical password techniques are still immature. Much more research and user studies are needed for graphical password techniques to achieve higher levels of maturity and usefulness. The 2D images used in this scheme can be extended to use 3D images and graphics.

REFERENCES

[1] Sonia Chiasson, P.C. van Oorschot, and Robert Biddle, ―Graphical Password Authentication Using Cued Click Points‖ ESORICS , LNCS 4734, pp.359-374, Springer- Verlag Berlin Heidelberg 2007.

[2] Manu Kumar, Tal Garfinkel, Dan Boneh and Terry Winograd, ―Reducing Shoulder-surfing by Using Gaze-based Password Entry‖, Symposium On Usable Privacy and Security (SOUPS) , July 18-20, 2007, Pittsburgh, PA, USA.

[3] Zhi Li, Qibin Sun, Yong Lian, and D. D. Giusto, ‗An association-based graphical password design resistant to shouldersurfing attack‘, International Conference on Multimedia and Expo (ICME), IEEE.2005

[4] R. Dhamija and A. Perrig, "Deja Vu: A User Study Using Images for Authentication," in Proceedings of 9th USENIX Security Symposium, 2000.

[5] S. Akula and V. Devisetty, "Image Based Registration and Authentication System," in Proceedings of Midwes Instruction and Computing Symposium, 2004. [6] L. Sobrado and J.-C. Birget, "Graphical passwords,"

The Rutgers Scholar, An Electronic Bulletin for Undergraduate Research, vol. 4, 2002.

[7] Sonia Chiasson ,Alain Forget , Robert Biddle,

P. C. van Oorschot, ―User interface design affects

security: patterns in click-based graphical passwords‖, Springer-Verlag 2009.

[8] I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter, and A. D. Rubin, "The Design and Analysis of Graphical Passwords," in Proceedings of the 8th USENIX Security Symposium, 1999.

[9] S. Man, D. Hong, and M. Mathews, "A shouldersurfing resistant graphical password scheme," in Proceedings

of International conference on security and management. Las Vegas, NV, 2003.

[10] A. Adams and M. A. Sasse, "Users are not the enemy: why users compromise computer security mechanisms and how to take remedial measures," Communications of the ACM, vol. 42, pp. 41-46, 1999.

[11] I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter, and A.D. Rubin, "The Design and Analysis of Graphical Passwords," in Proceedings of the 8th USENIX Security Symposium, 1999.

[12] Alain Forget, Sonia Chiasson, and Robert Biddle,‖Shoulder-Surfing Resistance with Eye-Gaze Entry inCued-Recall Graphical Passwords‖, ACM 978-1-60558-929-9/10/04, April 10 – 15, 2010.

[13] RealUser, "www.realuser.com," last accessed in June 2005.

[14] T. Valentine, "An evaluation of the Passface personal authentication system," Technical Report, Goldsmiths College, University of London 1998.

[15] T. Valentine, "Memory for Passfaces after a Long Delay," Technical Report, Goldsmiths College, University of London 1999.

[16] S. Brostoff and M. A. Sasse, "Are Passfaces more usable than passwords: a field trial investigation," in People and Computers XIV - Usability or Else: Proceedings of HCI. Sunderland, UK: Springer- Verlag,2000.

Figure

Figure 2. Random images used by Dhamija and  Perrig
Figure 3: A shoulder-surfing resistant graphical password scheme
Figure  6:  With  CCP,  users  select  one  click-point  per  image.  The  next  image displayed is determined by the current click-point
Figure 8: Account Creation Session System Architecture

References

Related documents

Fig. 2 a : Box plot analysis of sFLT1 expression in sera of breast cancer patients who survived. We identified significant enhanced sFLT1 release in the survived patient collective

Cells expressing chimeric proteins containing the BAH, linker, or winged helix domains of KlOrc1 were able to mate as ef fi - ciently as full-length ScSir3 (Figure 3C, constructs 5,

They also provide a warning that screens for second-site noncomplementers of null alleles are unlikely to iden- tify genes encoding proteins whose products interact functionally,

In the example shown in Scheme 2, addition of phenyl Grignard to the pyridinium salt formed between 4-methoxypyridine and the chloroformate of (-)TCC followed by acid hydrolysis

Background: The predictors of shunt dependency such as amount of subarachnoid blood, acute hydrocephalus (HC), mode of aneurysm repair, clinical grade at admission and cerebro

As further argued by Kilian (2006, 2008b), oil shocks would thus have been essentially demand shocks from the 1970s until today, and would have differed only in the nature of

To evaluate whether firms that are classified as conservative based on balance sheet strength (debt to cash flows as described above) do follow a conservative strategy by investing

To gain further insight into the association, we performed an expression quantitative trait locus (eQTL) analysis using mRNA expression data on CD138-purified plasma cells from 841