International Journal of Informative & Futuristic Research ISSN (Online):

Transcription

1 Research Paper Volume 2 Issue 3 November 2014 International Journal of Informative & Futuristic Research ISSN (Online): Providing More Security Using Graphical Password- CaRP Paper ID IJIFR/ V2/ E3/ 063 Page No Subject Area Computer Engineering Key Words Click Based Graphical Passwords, Authentication, Persuasive Technology, Usable Security, CaRP, Captcha, Artificial Intelligence Ganesh B. Gadekar 1 M.Tech. Scholar, Department of Computer Engineering, Sanjivini Rural Education Societies - College of Engineering, Kopargaon,Maharashtra, India Prof. N. G. Pardeshi 2 Professor, Department of Computer Engineering, Sanjivini Rural Education Societies - College of Engineering, Kopargaon,Maharashtra, India Abstract A fundamental task in security is to create cryptographic primitives based on hard mathematical problems that are computationally intractable. Using hard AI (Artificial Intelligence) problems for security is an exciting new paradigm. Under this paradigm, the most notable primitive invented is Captcha, which distinguishes human users from computers by presenting a challenge, i.e., a puzzle, beyond the capability of computers but easy for humans. To create new security primitive based on hard AI problems is a challenging and interesting open problem. Here new idea is introduced, a new security primitive based on hard AI problems, namely, a novel family of graphical password systems integrating Captcha technology, which is called CaRp (Captcha as graphical Passwords). CaRp is click-based graphical passwords, where a sequence of clicks on an image is used to derive a password. Unlike other click-based graphical passwords, images used in CaRp are Captcha challenges. 1. Introduction 1.1 Why Graphical Passwords? Access to computer systems is most often based on the use of alphanumeric passwords. Though, users have difficulty remembering a password that is long and random-appearing. Instead, they create short, simple, and insecure passwords. Using a graphical password, users click on images rather than type Copyright IJIFR

2 alphanumeric characters. Graphical passwords have been designed to try to make passwords more memorable and easier for people to use and, therefore, more secure. CAPTCHA- Completely Automated Public Turing test to tell Computers and Humans Apart Figure 1.1: Some CAPTCHA Styles 1.2 Captcha As Graphical Passwords (CaRP). A typical way to apply CaRP schemes in explained in Flowchart, The authentication server AS stores a salt s and a hash value H( p,s) for each user ID, where is the password of the account and not stored. A CaRP password is a sequence of visual object IDs or clickable-points of visual objects that the user selects. Upon receiving a login request, AS generates a CaRP image, records the locations of the objects in the image, and sends the image to the user to click her password. The coordinates of the clicked points are recorded and sent to AS along with the user ID. AS maps the received coordinates onto the CaRP image, and recovers a sequence of visual object IDs or clickable points of visual objects, that the user clicked on the image. Then AS retrieves salt s of the account, calculates the hash value of with the salt, and compares the result with the hash value stored for the account. Authentication succeeds only if the two hash values match. Figure 1.2: Flowchart of Basic CaRP Authentication 785

3 To recover a password successfully, each user-clicked point must belong to a single object or a clickable-point of an object. Objects in a CaRP image may overlap slightly with neighboring objects to resist segmentation. Users should not click inside an overlapping region to avoid ambiguity in identifying the clicked object. This is not a usability concern in practice since overlapping areas generally take a tiny portion of an object. 1.3 Typical application scenarios for CaRP include: i. CaRP can be applied on touch-screen devices whereon typing passwords is cumbersome, esp. for secure Internet applications such as e-banks. Many e-banking systems have applied Captchas in user logins. For example, ICBC ( the largest bank in the world, requires solving a Captcha challenge for every online login attempt. ii. CaRP increases spammers operating cost and thus helps reduce spam s. For an service provider that deploys CaRP, a spam bot cannot log into an account even if it knows the password. Instead, human involvement is compulsory to access an account. Figure 1.3: Working structure of CaRP 786

4 2 Scope And Objective I. The proposed system will: Work as both a Captcha and a graphical password scheme and it pro-vides reasonable security. Be clicked-based graphical passwords which have large password space. Does not reply on any specific Captcha scheme. When one Captcha scheme is broken, a new and more secure one may appear and be converted to a CaRP scheme. II. Objectives: Reasonable security and usability and appears to t well with some practical applications for improving online security. Protection against online guessing attacks, relay attacks, dictionary attacks etc. To provide large password space than any existing security system. 3 Time Complexity The total time complexity (T) can be calculated by summing the separate time complexities of all four processes i.e. q1, q2, q3,q4 T = i=1 T(qi) T = T(q1) + T(q2) + T(q3) + T(q4) T = O(n 2 ) + O(n) + O(n) + O(1) Therefore, the total time complexity is, T = O(n 2 ) Here, Process q1 contained nested for loops, q2 & q3 contains a single for loop which excutes for n times and q4 is simple comparison. Therefore, final time complexity is O(n 2 ): Implementation Steps (Algorithm/Code) 1.Take user name. 2.Take the user's password. 3.Generatee the CaRP image having user password and other non-password characters. Code : public class DiscretizedCentralization f public static int[ ] applydiscretizedcentralization(int x, int y,int radius) f int [ ] dcarray=new int[4]; dcarray[0] = (x - radius) / (2 * radius); dcarray[1] = (y - radius) / (2 * radius); dcarray[2] = Math.abs((x - radius)) % (2 * radius); dcarray[3] = Math.abs((y - radius)) % (2 * radius); return dcarray; public static int[ ] applyinversedc(int x, int y,int radius,int xo_set,int yo_set) f int [ ] inversedcarray=new int[2]; inversedcarray[0] = (x - xo_set) / (2 * radius); inversedcarray[1] = (y - (yo_set)) / (2 * radius); 787

5 return inversedcarray; public void getalphabet(string alphabet) f jpasswordfield1.settext(new String(jPasswordField1.getPassword()) + alphabet); public char[ ] generaterandomalphabets() Random r = new Random(); char[ ] ch = new char[26]; int temp; boolean ag; for (int i = 0; i < ch.length; i++) f while (true) f temp = r.nextint(26) + 65; ag = true; for (int j = 0; j < i; j++) f if (ch[j] == temp) f ag = false; break; if (ag) f ch[i] = (char) temp; break; return ch; public void GeneratePasswordCaptchaImage(char[ ] data) f String[ ] type = f"arial Black", "Serif", "Arial Black", "Vijaya", "SansSerif", "Kristen ITC", "Andalus", "SansSerif"g; int[ ] styles = ffont.bold + Font.ITALIC, Font.ITALIC, Font.BOLD, Font.ITALIC + Font.BOLD, Font.PLAIN + Font.ITALIC, Font.ITALIC, Font.BOLD, Font.ITALIC + Font.BOLDg; Color[ ] colours = fcolor.black, Color.BLUE, Color.YELLOW, Color.GREEN, Color.MAGENTA, Color.ORANGE, Color.PINK, Color.RED g; try f bu_eredimage = new Bu_eredImage(200, 200, Bu_eredImage.TYPEINTRGB); Graphics graphics = bu_eredimage.getgraphics(); graphics.setcolor(color.white); graphics._llrect(0, 0, 200, 200); graphics.setcolor(color.blue); Random rfont = new Random(); Random rstyle = new Random(); Random rtype = new Random(); Random rcolors = new Random(); int row = 1; int col = 1; char[ ] pass = selectedpassword.tochararray(); for (int i = 0; i <data.length; i++) f 788

6 if (col == 6) f col = 1; row++; g graphics.setcolor(colours[rcolors.nextint(8)]); graphics.setfont(new Font(type[rType.nextInt(7)], styles[rstyle.nextint(7)], 30 + rfont.nextint(10))); graphics.drawstring(string.valueof(data[i]), (col * 28), row * 25); col++; ImageIcon ico = new ImageIcon(bu_eredImage); jlabelcharimg.seticon(ico); catch (Exception e) f printstacktrace(); 5 Testing & Result (Analysis) In the module to generate a CaRP image, User will give his/her username and will select password from the generated CaRP image if user already have signed up or he/she can sign up by giving username and password. Table 5.1 shows the analysis of designed module. Table5.1: Result Analysis Sr. No. Task Performed 1. SignUp Yes 2. CaRP Image Generation Yes 3. Authentication No 6 Conclusion In this Article, I am implementing Captcha as Graphical Passwords which will be a new security primitive relying on unsolved hard AI problems. CaRP is both a Captcha and a graphical password scheme. The notion of CaRP introduces a new family of graphical passwords, which adopts a new approach to counter online guessing attacks: a new CaRP image, which is also a Captcha challenge. CaRP forces adversaries to resort to significantly less efficient and much more costly human-based attacks. In addition to offering protection from online guessing attacks, CaRP is also resistant to Captcha relay attacks, and, if combined with dual-view technologies, shoulder-surfing attacks. CaRP can also help reduce spam s sent from a Web service. In the implemented module a CaRP image for particular user will get generated. User can sign up by giving his/her username and password. Password is displayed in CaRP image which is combination of password characters and non-password characters. References [1] R. Biddle, S. Chiasson, and P. C. van Oorschot, Graphical passwords:learning from the first twelve years, ACM Comput. Surveys, vol. 44,no. 4, [2] (2012, Feb.). The Science Behind Passfaces [Online]. Available: [3] H. Tao and C. Adams, Pass-Go: A proposal to improve the usability of graphical passwords, Int. J. Netw. Security, vol. 7, no. 2, pp ,

7 [4] P. C. van Oorschot and J. Thorpe, On predictive models and userdrawngraphical passwords, ACM Trans. Inf. Syst. Security, vol. 10,no. 4, pp. 1 33, [5] P. C. van Oorschot and S. Stubblebine, On countering online dictionaryattacks with login histories and humans-in-the-loop, ACM Trans. Inf.Syst. Security, vol. 9, no. 3, pp , [6] S. Chiasson, P. C. van Oorschot, and R. Biddle, Graphical passwordauthentication using cued click points, in Proc. ESORICS, 2007, [7] S. Chiasson, A. Forget, R. Biddle, and P. C. van Oorschot, Influencing users towards better passwords: Persuasive cued click-points, in Proc.Brit. HCI Group Annu. Conf. People Comput., Culture, Creativity,Interaction, vol , pp [8] J. Elson, J. R. Douceur, J. Howell, and J. Saul, Asirra: A CAPTCHAthat exploits interest-aligned manual image categorization, in Proc.ACM CCS, 2007, pp [9] Smart Captcha". Protect Web Form.COM Retrieved [10] Summers, Nick. "Vicarious claims its AI software can crack up to 90% of CAPTCHAs offered by Google, Yahoo and PayPal". TNW [11] Hof, Robert. "AI Startup Vicarious Claims Milestone In Quest To Build A Brain: Cracking CAPTCHA". Forbes. [12] The difference between artificial and intelligence". Know Captcha. Retrieved [13] Hire People To Solve CAPTCHA Challenges". Petmail Design Retrieved [14] Doctorow, Cory ( ). "Solving and creating captchas with free porn". Boing Boing. Retrieved [15] Yeend, Howard (2005). "Breaking CAPTCHAs Without Using OCR". (puremango.co.uk). Retrieved [16] See for instance: Chellapilla, Kumar; Larson, Kevin; Simard, Patrice; Czerwinski, Mary (2005). "Computers beat Humans at Single Character Recognition in Reading based Human Interaction Proofs (HIPs)". Microsoft Research. Retrieved 27 November [17] Engber, Daniel (January 17, 2014). "Who Made That Captcha?". nytimes.com. NYT. Retrieved 17 January [18] Disabled Australian starts petition to kill CAPTCHA, an article by Tim Schiesser (August 5, 2013, 9:30 AM) [19] Ahn, Luis von; Blum, Manuel; Hopper, Nicholas J.; Langford, John (2003). "CAPTCHA: Using Hard AI Problems for Security". "Advances in Cryptology EUROCRYPT 2003". Lecture Notes in Computer Science pp doi: / _18. ISBN edit [20] U.S. Patent 6,195,698. Method for selectively restricting access to computer systems. Filed on Apr 13, 1998 and granted on Feb 27, Available at [21] Chellapilla, Kumar; Larson, Kevin; Simard, Patrice; Czerwinski, Mary. "Designing Human Friendly Human Interaction Proofs (HIPs)". Microsoft Research. [22] Bursztein, Elie; Martin, Matthieu; Mitchell, John C. (2011). "Text-based CAPTCHA Strengths and Weaknesses". ACM Computer and Communication Security 2011 (ACM Conference CSS'2011). Stanford University. [23] The W3C paper Inaccessibility of CAPTCHA outlined some of the accessibility problems with CAPTCHAs. [24] The article Proposal for an accessible Captcha describes how audio and visual test can be combined to increase accessibility in a Captcha. 790