Address for Correspondence 1 Associate Professor department o f Computer Engineering BVUCOE, Pune

Transcription

1 Research Article THREE DIMENSIONAL VIRTUAL ENVIRONMENT FOR SECURED AND RELIABLE AUTHENTICATION 1 Gauri Rao, 2 Dr. S.H. Patil Address for Correspondence 1 Associate Professor department o f Computer Engineering BVUCOE, Pune 2 Professor and Head department o f Computer Engineering Bharati Vidyapeeth University College of Engineering, Pune, India gaurirao14@gmail.com ABSTRACT: Present authentication systems have many weaknesses. Textual passwords are widely used. Users generally choose meaningful words from dictionaries, which make textual passwords easy to hack and vulnerable to dictionary or brute force attacks. Many available graphical passwords have a password space that is less than or equal to the textual password space.smart cards or tokens can be stolen. Many biometric authentications have been proposed; however, users tend to resist using biometrics because of their intrusiveness and the effect on their privacy. We have designed a multifactor authentication scheme. To be authenticated, we present a 3-D virtual environment where the user navigates and interacts with various objects. The sequence of actions and interactions toward the objects inside the 3-D environment constructs the user s 3-d password. This system can combine most existing authentication schemes into a 3-D virtual environment. The design of the 3-D virtual environment and the type of objects selected determine the key space. 1.0 INTRODUCTION The dramatic increase of computer usage has given rise to many security concerns. One major security concerns authentication, which is the process of validating who you are to whom you claimed to be. In general, human authentication techniques can be classified as knowledge based), token based, and biometrics. Knowledge-based authentication can be further divided into two categories as follows: 1) Recall Based and 2) Recognition Based. Recall-based techniques require the user to reproduce a secret that the user created before. Recognition based techniques require the user to identify and recognize the secret, or part of it, that the user selected before. One of the most common recall-based authentication schemes used in the computer world is textual passwords. One major drawback of the textual password is its two conflicting requirements: the selection of passwords that are easy to remember and, at the same time, are hard to guess. Graphical passwords are based on the idea that users can recall and recognize pictures better than words. However, some of the graphical password schemes require a long time to be performed. Moreover, most of the graphical passwords are vulnerable to shoulder surfing attacks. Many biometric schemes such as fingerprints, face recognition, voice recognition, and retina recognition have been proposed. Each biometric recognition scheme has its advantages and disadvantages based on several factors such as consistency, uniqueness, and acceptability. Fig 1.0 Recognition based Authentication One of the main drawbacks of applying biometrics is its intrusiveness upon a user s personal characteristic. Our system is a multifactor authentication scheme. It can combine all existing authentication schemes into a single 3-D virtual environment. This 3-D virtual environment contains several objects or items with which the user can interact. The type of interaction varies from one item to another. The system is constructed by observing the actions and interactions of the user and by observing the sequences of such actions. It is the user s choice to select which type of authentication techniques will be part of their virtual environment. This is achieved through interacting only with the objects that acquire information that the user is comfortable in providing and ignoring the

2 objects that request information that the user prefers not to provide. For example, if an item requests an iris scan and the user is not comfortable in providing such information, the user simply avoids interacting with that item. Thus, it becomes much more difficult for the attacker to guess the user s virtual environment. 2.0 RELATED WORK Today we have many security schemes. Let us see the problems with all of them one by one. Textual Passwords 1. Weak and susceptible to numerous attacks. 2. Security depends on the users' ability to maintain the user ID and password secret. 3. Not fully reliable when used for making financial transactions remotely, such as fund transfers and bill payments through an Internet banking channel. 4. Cost of support increases with user ID and password complexity (i.e., help support or IT staff may need to spend extra time dealing with authentication problems, such as helping staff reset passwords that are locked after a certain number of failed entry attempts). Hardware Tokens 1. Involves additional costs, such as the cost of the token and any replacement fees. 2. Users always need to carry the token with them. 3. Users need multiple tokens for multiple Web sites and devices. 4. Does not protect fully from man-in-themiddle attacks (i.e., attacks where an intruder intercepts user's session and steals the user's credentials by acting as a proxy between the user and the authentication device without the user's knowledge). Software Tokens Requires some amount of user training. Deployment needs a controlled environment. Requires reinstallation and configuration in case there is an operating system corruption or problem. Needs a protected environment (e.g., should not be used from a public kiosk). Out-of-band Authentication - Recurring expense of SMS or telephone calls. Risk of unauthorized access and interception of messages. Limited coverage and low security. Susceptible to man-in-the-middle attacks. Digital Certificates on Smart Cards and USB Tokens- Requires users to carry an additional smart card reading device or USB so that they can log in. Involves additional cost, such as the certifying authority's subscription cost for issuing the digital certificates. Needs multiple certificates for different sites or devices. Requires user training for certificate generation and use. Biometrics - Involves additional hardware costs such as scanners. Involves cost for support and maintenance. High deployment costs. May not be suitable for mass-consumer deployment. Challenge Response - Low security against man-in-the-middle attacks. Higher customer support cost. Users need to remember multiple pieces of information, such as answers to multiple secret questions. 2.0 SYSTEM SCOPE The three dimensional password (3D password) is a new authentication methodology that combines recognition, recall, what you have (tokens), and what you are (biometrics) in one authentication system. The idea is simply outlined as follows. The user navigates through a three dimensional virtual environment. The combination and the sequence of the user s actions and interactions towards the objects in the three dimensional virtual environment constructs the user s 3D password. Therefore, the user can walk in the virtual environment and type

3 something on a computer that exist in (X1, Y1, Z1) position, then walk into a room that has a white board that exist in a position (x2, y2, z2) and draw something on the white board. The combination and the sequence of the previous two actions towards the specific objects construct the user s 3D password. Users can navigate through a three dimensional virtual environment that can contain any virtual object. Virtual objects can be of any type. We will list some possible objects to clarify the idea. An object can be: A computer that the user can type in A white board that a user can draw on A light that can be switched on/off Any biometric device Any Graphical password scheme Any real life object Moreover, in the virtual three-dimensional environment we can have two different computers in two different locations. Actions and interactions with the first computer are totally different than actions towards the second computer since each computer has a (x, y, z) position in the three-dimensional virtual environment. Each object in the virtual threedimensional environment has its own (x, y, z) coordinates, speed, weight and responses toward actions. 4.0 SYSTEM DESCRIPTION Fig. 2.0 System Architecture The whole project is divided into several modules. They are 1) Algorithm to Design Virtual Environment. 2) Algorithm to Implement Textual Password System. 3) Algorithm to Implement Face Recognition System. 4) Algorithm to Implement Graphical Password System. 4.1 Designing Virtual Reality Step 1 Prepare the FSEM (Full Screen Exclusive Mode) for the virtual environment. Step 2 Develop the Maze Plan. Step 3 Develop the Scenery Background. Step 4 Prepare the FOV (Field of Vision). Step 5 Enable the Navigating Option. 4.2 Three D Password Algorithm Step 1 Prepare the Textual Password Object in the environment. Step 2 Accept the Password from the object. Step 3 Retrieve the user information from the database. Step 4 Decode the information. Step 5 Authenticate the Log In Process. 4.3 Face Recognition Algorithm The face detection stage used in our system is:- 1. Skin 2. Detection 3. Region 4. Grouping 5. Region 6. Segmentation 7. Frame Detected 8. Faces The skin pixel detection is performed with a simple colormap, using the YCbCr color space. The second block corresponds to the segmentation algorithm which is performed in two stages, where the chrominance and luminance information is used consecutively. For each stage an algorithm which combines pixel and region based color segmentation techniques is used. After the segmentation, a set of connected homogenous skin-like regions is obtained. Then, potential face candidates (FC) are obtained by an iterative merging procedure using an adjacency criterion. Once the set of FC is built, it is necessary to remove the ones that do not match to any face. To

4 that end some constrains regarding shape, size and overlapping are used. Notice that the algorithm is able to produce good face candidates but also provides some candidates which do not correspond to any face Selection Based On Color Face areas are characterized to have a homogeneous chrominance component. Taking into account this fact, a new selection criterion has been designed in order to remove all the FC composed of regions whose average color differs substantially, as is the case when hair and face are included in the same candidate. The new criterion is based on the chrominance component of the regions that form the candidate face regions. Given a FC composed of regions R1, R2, R3 and whose average values of chrominance are C1= (cb1, cr1), C2= (cb2, cr2) and C3= (cb3, cr3) respectively, the distance between all the possible pairs of colors is obtained as follows: d (Ci, Cj) = ΣΣ (cbi-cbj) ² - (cri-crj) ² i j If the distance d (Ci, Cj) is greater than a certain threshold, the corresponding FC will be discarded. Using this very simple procedure, the results improve significantly and many erroneous FC are discarded Selection Based On Texture In many occasions the background has a color very similar to that of a human face. In this case, the face detection algorithm may fail. In order to better discriminate between colors like face and not face regions, a criterion based on texture has been introduced. The selection criterion is based on the detection of dark horizontal regions in the image (eyes, mouth, etc.). The objective is to remove all face candidates containing totally flat texture areas. The first step is to apply a morphological horizontal erosion of size 3 in order to remove the brightness associated to white regions (eyes, teeth, etc.). Then, a vertical close of size 15 is applied to eliminate the horizontal regions. The objective of this step is to obtain an image with horizontal zones. After applying a texture threshold, a binary open with a square structuring element of size 3 is performed to remove the spurious zones that still remain. Once the spurious zones are eliminated, the area of white pixels is calculated. If the area of each white spot is less than 3.5% of the total area of the FC or greater than 15%, the corresponding FC will be discarded. 4.4 Textual Password Step 1 Create a Frame for the Textual Password Module. Step 2 Add a password field in that field for the password input. Step 3 Attach various buttons such as Log In as well Cancel to the Frame. Step 4 Add respective functions to the buttons attached on the frame. Step 5 Accept the password from the user. Step 6 Retrieve the textual password from the Database. Step 7 Match the passwords. 5.0 RESULTS Step1- The User has to enter his username to log in. If he is new to the system then he has to create his username and the username will be added to the database with his face and finger print details. Fig. 3.0 Folder option screen Step2:- After Logging IN Mr. A is asked whether he wants to lock a folder or unlock it and on clicking on Lock a Folder, he is asked to enter the target folder path. Fig. 4.0 Folder locking screen

5 Now after specifying the target folder Mr. A is asked to set the passwords. If he leaves a field blank it means that the particular module is disabled. Step3- Now to unlock the folder Mr. A has to log in again and select Unlock a Folder. As soon as he does that, a list of the folders locked by him appears. He has to select the folder he wants to unlock and after he does that a 3D virtual environment appears on the screen. Mr. A interacts with the environment to create his password. Some screen shots of the 3D virtual environment is attached. Snapshots of some of the 3-D virtual environment are given below:- Fig 5.0 Snapshot 1 Fig 5.1 Snapshot 2 Fig 5.3 Snapshot 2 Step 4:- After interacting with different objects of the 3D virtual environment and giving appropriate passwords at the right places the user requests for unlocking the file. The system forms a set of passwords based on the interactions made by the user in the environment. Then the system queries the database about the set of passwords given by the user at the time of locking the folder. It then matches each element of the password in detail and if the password matches the folder is unlocked and the user is granted access 11.0 CONCLUSION Textual passwords and token-based passwords are the most common user authentication schemes. However, many different schemes have been used in specific fields. Other schemes are under study yet they have never been applied in the real world. The motivation of this work is to have a scheme that has a huge Password space while also being a combination of any existing, or upcoming, authentication schemes into one scheme. Our System gives the user the choice of modeling his 3D password to contain any authentication scheme that the user prefers. Users do not have to provide their fingerprints if they do not wish to. Users do not have to carry cards if they do not want to. Users have the choice to model their 3D password according to their needs and their preferences. The probable password space can be reflected by the design of the three-dimensional virtual environment, which is designed by the system administrator. The three-dimensional virtual environment can contain any objects that the administrator feels that the users are familiar with. For example, football players can use a three dimensional virtual environment of a stadium where they can navigate and interact with objects that they are familiar with. A study on a large number of people is required. We are looking at designing different three-dimensional virtual environments that contain objects of all possible authentication schemes. The main application domains of 3D Password are critical systems and resources. Critical systems such as military facilities, critical servers and highly classified areas can be protected by 3D Password system with large three dimensional virtual environments. Moreover, a small three dimensional virtual environment can be used to protect less critical systems such as handhelds, ATM's and operating system's logins. Acquiring the knowledge of the probable distribution of a

6 User s 3D password might show the practical strength of a 3D password. Moreover, finding a solution for shoulder surfing attacks on 3D passwords and other authentication schemes is also a field of study References 1. F. A. Alsulaiman and A. El Saddik, A novel 3D graphical password schema, in Proc. IEEE Int. Conf. Virtual Environ., Human-Comput. Interfaces, Meas. Syst., Jul D. V. Klein, Foiling the cracker: A survey of, and improvement to passwords security, in Proc. USENIX Security Workshop, 1990, pp G. E. Blonder, Graphical password, U.S. Patent , Sep. 24, R. Dhamija and A. Perrig, Déjà Vu: A user study using images for authentication, in Proc. 9th USINEX Security Symp., Denver, CO, Aug. 2000, pp D. Davis, F. Monrose, and M. K. Reiter, On user choice in graphical password schemes, in Proc.13th USENIX Security Symp., San Diego, CA, Aug. 2004, pp S. Wiedenbeck, J. Waters, J.-C. Birget, A. Brodskiy, and N. Memon, Authentication using graphical passwords: Effects of tolerance and image choice, in Proc. Symp. Usable Privacy Security, Pittsburgh, PA, Jul. 2005, pp S. Wiedenbeck, J. Waters, J.-C. Birget, A. Brodskiy, and N. Memon, PassPoints: Design and longitudinal evaluation of a graphical password system, Int. J. Human- Comput. Stud. (Special Issue on HCI Research in Privacy and Security), vol. 63, no. 1/2, pp , Jul J. Thorpe and P. C. van Oorschot, Graphical dictionaries and the memorable space of graphical passwords, in Proc. USENIX Security, San Diego, CA, Aug. 9 13, 2004, 9. Three Dimensional password for more secured authentication Fawaz A. Alsulaiman and Abdulmotaleb El Saddik, Senior Member, IEEE; IEEE Transactions On Instrumentation And Measurement