3-D Graphical Password Used For Authentication

Transcription

1 3-D Graphical Password Used For Authentication Mrs. Vidya Mhaske-Dhamdhere, Lecturer. Bhakti Pawar, Pallavi Ghodke, Pratibha Yadav,Student G.H.Raisoni College of Engg. & Management, Pune. Abstract- In today s world, security is important aspect in day to day life.so, everyone used various ways for security purpose. People use passwords for their security.generally, everyone uses textual password. Textual password is combination of alphabets and numbers. People keep textual password as name of their favorite things, actors or actress, dish and meaningful word from dictionary. But the person who is very close to that person can easily guess the password. Graphical password is advanced version of password. Graphical passwords have received considerable attention lately as Potential alternatives to text-based passwords. Graphical password is composed of images, parts of images, or sketches[4]- [7]. These passwords are very easy to use and remember. Biometric password is an extended feature of graphical passwords. Biometric password is consisting of face recognition, thumb impression, eye retina and heartbeats pulses[10]. In this paper, we present and evaluate our contribution, i.e., the 3-D password. The 3-D password is a multifactor authentication scheme. To be authenticated, we present a 3-D virtual environment where the user navigates and interacts with various objects. The sequence of actions and interactions toward the objects inside the 3- D environment constructs the user s 3-D password. The 3-D password can combine most existing authentication schemes such as textual passwords, graphical passwords, and various types of biometrics into a 3-D virtual environment. The design of the 3-D virtual environment and the type of objects selected determine the 3-D password key space[10]. Keywords-Cryptography, encryption and decryption algorithms Authentication Biometrics, graphical passwords, multifactor, textual passwords, 3- Dpasswords, 3- virtual environment. Introduction Normally the authentication scheme the user undergoes is particularly very lenient or very strict. Throughout the years authentication has been a very interesting approach. With all the means of technology developing, it can be very easy for 'others' to fabricate or to steal identity or to hack someone password. Therefore many algorithms have come up each with an interesting approach toward calculation of a secret key. The algorithms are such based to pick a random number in the range of 10 6 and therefore the possibilities of the same number coming are rare. Users nowadays are provided with major password stereotypes such as textual passwords, biometric scanning, tokens or cards (such as an ATM) etc.mostly textual passwords follow an encryption algorithm as mentioned above. Biometric scanning is your "natural" signature and Cards or Tokens prove your validity. But some people hate the fact to carry around their 510

2 cards, some refuse to undergo strong IR exposure to their retinas(biometric scanning)[10].mostly textual passwords, nowadays, are kept very simple say a word from the dictionary or their pet games,grilfriends etc.ten years back Klein performed such tests and he could crack passwords per day[2]. Literature Survey Now with the technology change, fast processors and many tools on the Internet this has become a Child s Play. Therefore we preset our idea, the 3D passwords which are more customizable, and very interesting way of authentication. The dramatic increase of computer usage has given rise to many security concerns. One major security concern is authentication, which is the process of validating who you are to whom you claimed to be. In general, human authentication techniques can be classified as knowledge based (what you know), token based (what you have), and biometrics. Knowledge-based authentication can be further divided into two categories as follows: 1) Recall based and 2) Recognition based Recall-based techniques require the user to repeat or reproduce a secret that the user created before. Recognition based techniques require the user to identify and recognize the secret, or part of it, that the user selected before. One of the most common recall-based authentication schemes used in the computer world is textual passwords. One major drawback of the textual password is its two conflicting requirements: the selection of passwords that are easy to remember and, at the same time, are hard to guess[6]. Many biometric schemes have been proposed; fingerprints, palm prints, hand geometry, face recognition, voice recognition, iris recognition, and retina recognition are all different biometric schemes. Each biometric recognition scheme has its advantages and disadvantages based on several factors such as consistency, uniqueness, and acceptability. One of the main drawbacks of applying biometrics is its intrusiveness upon a user s personal characteristic. Moreover, retina biometrical recognition schemes require the user to willingly subject their eyes to a low-intensity infrared light. In addition, most biometric systems require a special scanning device to authenticate users, which is not applicable for remote and Internet users. The 3-D password is a multifactor authentication scheme. It can combine all existing authentication schemes into a single 3-D virtual environment. This 3-D virtual environment contains several objects or items with which the user can interact. The type of interaction varies from one item to another. The 3-D password is constructed by observing the actions and interactions of the user and by observing the sequences of such actions. Beginning around 1999, numerous graphical password schemes have been proposed, motivated by the promise of improved password memorability and thus usability, while at the same time improving strength against guessing attacks. Like text passwords, graphical passwords are knowledge-based authentication mechanisms where users enter a shared secret as evidence of their identity. However, where text passwords involve alphanumeric and/or special keyboard characters, the idea behind graphical passwords is to leverage human memory for visual information, with the shared secret being related to or composed of images, parts of images, or sketches. Despite the large number of options for authentication, text passwords remain the most common choice for several reasons. For example, they are easy and inexpensive to implement; are familiar to essentially all users; allow users to authenticate themselves while avoiding privacy issues that have been raised about biometrics; and have the 511

3 advantage of portability without, for example, having to carry physical tokens. However, text passwords also suffer from both security and usability disadvantages for example, passwords are typically difficult to remember, and are predictable if user choice is allowed. When text password users adopt unsafe coping strategies such as reusing passwords across accounts to help with memorability, the resulting decrease in security cannot be successfully addressed by simply strengthening, in isolation, the underlying technical security aspects of a system. Usability issues often significantly impact the real-world security of the system[9]. Graphical passwords can be divided into two categories as follows: 1) Recognition based 2) Recall based 1) Recognition based: Recognition based techniques require the user to identify and recognize the secret, or part of it, that the user selected before. Although there is currently no evidence of this happening with graphical passwords, it remains a plausible coping strategy if users can revise a way of relating a recall based Graphical password to a corresponding account name. A number of security vulnerabilities are common to most recall-based systems, as these systems share similar features. These systems are generally susceptible to shoulder surfing to the extent that in many cases, the entire drawing is visible on the screen as it is being entered, and thus an attacker need accurately observe or record only one login for the entire password to be revealed[6]. 2) Recall based: Recall is the procedure of the human nature to remember what was done or what was the event. Ours is an experience-based nature and hence we like to try and remember different things accordingly. Scientifically, Recall can be defined as a temporary failure to retrieve information from memory is known as the tip-of-the-tongue phenomenon. Various means, including met cognitive strategies, priming, and measures of retention may be employed to make the best use of memory. Recollection often requires prompting (as in stimulus or clues) to assist the mind in retrieving the information sought. There are three types of recall: 1. Free recall: when no clues are given to assist retrieval. 2. Serial recall: when items are recalled in a particular order. 3. Cued recall: when some clues are given to assist retrieval[6]. Now the passwords are based on the fact of Human memory. Generally simple passwords are set so as to quickly recall them. The human memory, in our scheme has to undergo the facts of Recognition, Recalling, Biometrics or Token based authentication. Once implemented and you log in to a secure site, the 3D password GUI opens up. This is an additional textual password which the user can simply put. Once he goes through the first authentication, a 3D virtual room will open on the screen. In our case, lets say a virtual garage.now in a day to day garage one will find all sorts of tools, equipments, etc.each of them having unique properties. The user will then interact with these properties accordingly. Each object in the 3D space, can be moved around in an (x, y, z) plane.thats the moving attribute of each object. This property is common to all the objects in the space. Suppose a user logs in and enters the garage. He sees and picks a screw-driver (initial position in xyz coordinates (5, 5, 5)) and moves it 5 places to his right (in XY plane i.e. (10, 5, 5).That can be identified as an authentication. Only the true user understands and recognizes the object which he has to choose among many. This is the Recall and Recognition part of human memory coming into play.interestingly, a password can be set as approaching a radio and setting its frequency 512

4 to number only the user knows. Security can be enhanced by the fact of including Cards and Biometric scanner as input. There can be levels of authentication a user can undergo. More the confidentiality more the complexity. In that scenario a virtual environment can be developed as a globe, a city or simply a garage. In cryptography, the Advanced Encryption Standard (AES) is a symmetric-key encryption standard adopted by the U.S. government. The standard comprises three block ciphers, AES-128, AES-192 and AES-256, adopted from a larger collection originally published as Rijndael. Each of these ciphers has a 128- bit block size, with key sizes of 128, 192 and 256 bits, respectively. The AES ciphers have been analyzed extensively and are now used worldwide, as was the case with its predecessor, the Data Encryption Standard (DES). AES was announced by National Institute of Standards and Technology (NIST) as U.S. FIPS PUB 197 (FIPS 197) on November 26, 2001 after a five-year standardization process in which fifteen competing designs were presented and evaluated before Rijndael was selected as the most suitable (see Advanced Encryption Standard process for more details). It became effective as a Federal government standard on May 26, 2002 after approval by the Secretary of Commerce. It is available in many different encryption packages. AES is the first publicly accessible and open cipher approved by the National Security Agency (NSA) for top secret information (see Security of AES, below). Existing System Drawback- 1. One major drawback of the textual password is its two conflicting requirements: the selection of passwords that are easy to remember and, at the same time, are hard to guess. 2. The biggest drawback of current graphical password is the Shoulder Surfing problem. 3. The main drawbacks of applying biometrics is its intrusiveness upon a user s personal characteristic. 4. Biometrics is an expensive security solution. Proposed System 1) Environment 3-D Cube In this dissertation the second environment is a cube. Fig. shows the snapshot of environment-cube. Fig.1.Enviornment 3-D cube Whenever user is selecting the environment then the cube is at initial position which is already settled at (400, 240, and 0) co-ordinates with respect to X, Y, Z axis(refer fig.1). And one more point that settled in this environment in the form of camera position. This camera position is set at co-ordinates (400, 240,-500) on X, Y, Z axis and acts as a reference point and from this point user can observe the action and interaction that are performed on the cube. This environment has four main actions; each main action has six sub actions and also having the one particular Input action as 513

5 load image on each side of cube. The detail of the four main actions is as follows: Move Cube: This particular main move cube action having the six different sub actions that are- Left, Right, Up, Down, In, Out. Whenever the user is single click on these buttons then the cube moves by 45 coordinates with respective to which button is click. The maximum click on each button is six. When a user is clicked on any particular button at seventh time then he/she got the error message as you have reached the maximum limit. Rotate Cube: The next main action is rotate cube with sub actions that are rotate cube x-direction, y-direction, z-direction and x -direction, -y-direction, -z-direction Whenever the user single clicks on these buttons then the cube rotate in 45 direction with respective to which button is click. The maximum click on each button is six. When a user is clicked on any particular button at seventh time then he/she got the error message as you have reached the maximum limit. Move Camera: Move camera action also having different sub action that is - Left, Right, Up, Down, In, Out. When the user is single click on these buttons then the camera or reference point moves 45 coordinates with respective to which button is click. The maximum click on each button is six. When a user is clicked on any particular button at seventh time then he/she got the error message as you have reached the maximum limit. Turn Camera: Turn camera action with different sub action as to rotate camera Left, Right, Up, Down, CW (Clockwise), CCW (Counter clock-wise) direction. Single click on these buttons then the camera rotate by 45 in direction with respective to which button is click. The maximum click on each button is six. When a user is clicked on any particular button at seventh time then he/she got the error message as you have reached the maximum limit. Load Image: This action is used to load image on each side of cube. This will make user 3D password stronger. User can perform any number of action and interaction on the cube and at the end for to save these action and interaction as a 3-D password, user is require clicking on Close button [1]. We are implementing this application using Data Encryption Standard [DES] algorithm. The Data Encryption Standard (DES) is a block cipher that uses shared secret encryption. It was selected by the National Bureau of Standards as an official Federal Information Processing Standard (FIPS) for the United States in 1976 and which has subsequently enjoyed widespread use internationally. It is based on a symmetric key algorithm that uses a 56-bit key. The algorithm was initially controversial because of classified design elements, a relatively short key length, and suspicions about a National Security Agency (NSA) backdoor. DES consequently came under intense academic scrutiny which motivated the modern understanding of block ciphers and their cryptanalysis. 1. Expansion: The 32-bit half-block is expanded to 48 bits using the expansion permutation, denoted E in the diagram, by duplicating half of the bits. The output consists of eight 6-bit(8*6=48bits) pieces, each containing a copy of 4 corresponding input bits, plus a copy of the immediately Adjacent bit from each of the input pieces to either side. 2. Key mixing: The result is combined with a sub key using an XOR operation bit sub keys one for each round are derived from the main key using the key schedule (described below). 3. Substitution: After mixing in the sub key, the block is divided into eight 6-bit pieces before processing by the S-boxes or substitution boxes. Each of the eight S- boxes replaces its six input bits with four 514

6 Fig.2 the Feistel function (F function) of DES. output bits according to a non-linear transformation, provided in the form of a lookup table. The S-boxes provide the core of the security of DES without them; the cipher would be linear, and trivially breakable. 4. Permutation: Finally, the 32 outputs from the Boxes are rearranged according to a fixed permutation, the P-box. This is designed so that, after expansion, each S box's output bits are spread across 6 different S boxes in the next round. The alternation of substitution from the S-boxes, and permutation of bits from the P-box and E-expansion provides so-called "confusion and diffusion" respectively. Fig. 3 illustrates the key schedule for encryption. The algorithm which generates the sub keys. Initially, 56 bits of the key are selected from the initial 64 by Permuted Choice 1 (PC-1) the remaining eight bits are either discarded or used as parity check bits. Fig. 3 The key-schedule of DES The 56 bits are then divided into two 28-bit halves; each half is thereafter treated separately. In successive rounds, both halves are rotated left by one and two bits (specified for each round), and then 48 sub key bits are selected by Permuted Choice 2 (PC-2) 24 bits from the left half, and 24 from the right. The rotations (denoted by "<<<" in the diagram) mean that a different set of bits is used in each sub key; each bit is used in approximately 14 out of the 16 subkeys.the key schedule for decryption is similar the sub keys are in reverse order compared to Encryption. Apart from that change, the process is the same as for encryption. The same 28 bits are passed to all rotation boxes. 515

7 2) System Overview Following are the steps for authentication(refer fig.2): 1) User will connect to the server for system login. 2) After successful client-server connection, registration form will be filled up. 3) User will enter into system login form. It is divided into two parts- A) Textual password B) Graphical Password If textual password is successfully logged in it will enter into the graphical password window else it will go back to the Log in form. On the other hand, if graphical password is successfully logged in various services will be performed..otherwise user has to login again. 4) Services include Upload (),Save (), Delete (), Open (). 5) Finally, user will logged out from the existing system. Fig.2 System Overview 3) Innovative Component In this concept we present Multifactor authentication scheme that combines the benefits of various authentication schemes. We attempted to satisfy the following requirements: 1) The new scheme should not be either recall based or recognition based only. Instead, the scheme should be a combination of recall, recognition, biometrics, and Token-based authentication scheme. 516

8 2) Users ought to have the freedom to select whether the 3-D password will be solely recall-, biometrics, recognition, or tokenbased, or a combination of two schemes or more. This freedom of selection is necessary because users are different and they have different requirements. Some users do not like to carry cards. Some users do not like to provide biometrical data, and some users have poor memories. Therefore, to ensure high user acceptability, the user s freedom of selection is important. 3) The new scheme should provide secrets that are easy to remember and very difficult for intruders to guess. 4) The new scheme should provide secrets that are not easy to write down on paper. Moreover, the scheme secrets should be difficult to share with others. 5) The new scheme should provide secrets that can be easily revoked or changed. Based on the aforementioned requirements, we propose our contribution, i.e., the 3-D password authentication scheme. 4)3-D Password Space Size (Ex. Cube) In environment proposed scheme create password by moving, rotating, zooming the cube. For creating password there are four different actions i.e. moving cube, rotating cube, moving camera, rotating camera along the x, y, z axis. And for each action user can perform the six different interactions. The terms to calculate password space for environment are: G (G G G) number of actions, interactions and inputs. Actions 4 (.moving cube, rotating cube, moving camera, rotating camera), Interactions 6 Input- 6 (Placing an image on each side of cube) So, G = G G G = = 144 M. All possible actions, interactions towards all existing objects in environment. For Proposed scheme environment is, for each action we have total 36 interactions so total possible interactions are m = Lmax(Maximum length of password), for this environment by taking the input i.e. the images on each side of cube having the name six characters wide then the value for Lmax is 111. g (AC)Count of total number actions and interactions towards virtual environment. For this environment it is 24 (6 4) Now, the password space for this environment is n=lmax П (Lmax, G) = Σ (m + g (AC)) n. n=1 After placing the values n=111 П (111, 144) = Σ ( ) n n=1. The value of equation 4 gives the total number of space (in byte) required to store passwords for environment-cube. Cube without any image input Now we are calculating the password space without taking the input. Therefore, G(G G G) number of actions, interactions and inputs. Actions 4 (.moving cube, rotating cube, moving camera, rotating camera) Interactions 6. Input- Nil So, G = G G = 4 6 = 24 M -> All possible actions, interactions towards all existing objects in environment. For our environment is, for each action we have total 36 interactions so total possible interactions are, m = Lmax maximum length of password, for this environment, Lmax is 8 g (AC)count of total number actions and interactions towards virtual environment. For this environment it is 24 (6 4). Now, the password space for this environment is n=lmax П (Lmax, G) = Σ (m + g (AC))n n=1 After placing the values n=8 П (8, 24) = Σ ( ) n. n=1 = The above value gives the total number of space (in byte) required to store the 3D password for cube without input. 517

9 Fig 4.3 Fig 4.3 shows snapshot of the mighty mountain tops, there is a tiny miner settlement and dark caves. Visit this place if you dare walk on a wooden bridge over a deep gorge. Application 1. Critical server: Many large organizations have critical Servers that are usually protected by a textual password. A 3-D password authentication proposes a sound replacement for a textual password. Moreover, entrances to such locations are usually protected by access cards and sometimes PIN numbers. Therefore, a 3-D password can be used to protect the entrance To such locations and protect the usage of such servers. 2. Nuclear and military facilities: Such facilities should be protected by the most powerful authentication systems. The 3- D password has a very large probable password space, and since it can contain token, biometrics, recognition, and Knowledge-based authentications in a single authentication system, it is a sound choice for high-level security locations. 3. Airplanes and jetfighters: Because of the possible threat of misusing airplanes and jetfighters for religion-political agendas, usage of such airplanes should be protected by a powerful authentication system. The 3-D password is recommended for these systems. In addition, 3-D passwords can be used in less critical systems because the 3-D virtual environment can be designed to fit any system s needs. A small 3-D virtual environment can be used in many systems, including the following: 1) ATMs 2) Personal digital Assistants 3) Desktop computers and laptop logins 4) Web authentication Conclusion and Future Work The 3D password is a multi factor authentication scheme that combines the various authentication schemes into a single 3D virtual environment. The virtual environment can contain any existing authentication scheme or even any upcoming authentication scheme or even any upcoming authentication schemes by adding it as a response to actions performed on an object. Therefore the resulting password space becomes very large compared to any existing authentication schemes. The design of the 3D virtual environment the selection of objects inside the environment and the object's type reflect the resulted password space. It is the task of the system administrator to design the environment and to select the appropriate object that reflects the protected system requirements. Designing a simple and easy to use 3D virtual environment is a factor that leads to a higher user acceptability of a 3D password system. The choice of what authentication scheme will be part of user's 3Dpassword reflects the user's preferences and requirements. 518

10 The 3-D password is still in its early stages. Designing various kinds of 3-D virtual environments, deciding on password spaces, and interpreting user feedback and experiences from such environments will result in enhancing and improving the user experience of the 3-D password. Moreover, gathering attackers from different backgrounds to break the system is one of the future works that will lead to system improvement and prove the complexity of breaking a 3-D password. Moreover, it will demonstrate how the attackers will acquire the knowledge of the most probable 3-D passwords to launch their attacks. Shoulder surfing attacks are still possible and effective against 3-D passwords. Therefore, a proper solution is a field of research. References [1] Alsulaiman, F.A.; El Saddik, A., "Threefor Secure,"IEEE Transactions on Instrumentation and Measurement, vol.57, no.9, pp Sept [2] D. V. Klein, Foiling the cracker: A survey of, and to Passwords security, in Proc. USENIX Security, pp. 14 [3] I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter, and A.D. Rubin, The design and analysis of graphical passwords, in Proc. 8th USENIX Security Symp, Washington DC, Aug.1999, pp Vienna, Austria: ACM, 2004, pp [6] L. Sobrado and J.-C. Birget, "Graphical passwords," The Rutgers Scholar, an Electronic Bulletin for Undergraduate Research, vol. 4, [7] D. Hong, S. Man, B. Hawes, and M. Mathews, "A Password scheme strongly resistant to spyware," in Proceedings of International conference on security and management. Las Vergas, NV, [8] S. Man, D. Hong, and M. Mathews, "A shoulder surfing Resistant graphical password scheme," in Proceedings of International conference on security and management. Las Vegas, NV, [9] Two Factor Authentication for the Enterprise, [10]Fawaz A. Alsulaiman and Abdulmotaleb El Saddik, Three- Dimensional Password for More Secure Authentication, IEEE, http: //ieeexplore.ieee.org. Last Updated 6 Feb [4] X. Suo, Y. Zhu, and G. S. Owen, Graphical passwords: A survey, in Proc. 21st Annual. Computer Security Appl. Conf., Dec. 5 9, 2005, pp [5] D. Weinshall and S. Kirkpatrick, "Passwords You ll Never Forget, but Can t Recall," in Proceedings of Conference on Human Factors in Computing Systems (CHI). 519