A Survey on Graphical Passwords in Providing Security

Transcription

1 A Survey on Graphical Passwords in Providing Security Mrs. Anuradha. V #, Mr.M.Nagesh *, Mr.N. Vijaya sunder sagar # # M.Tech., Dept. of CSE, Ashoka Institute of Engineering & Technology, JNTU Hyderabad *Asst.Professor, Dept. of CSE, Ashoka Institute of Engineering & Technology, JNTU Hyderabad # Head, CSE Department, Ashoka Institute of Engineering & Technology, JNTU Hyderabad 1 anuradha184@gmail.com 2 nageshmathew@gmail.com 3 vijaysundern@gmail.com Abstract-Cyber security is an important issue to tackle. Various user authentication methods are used for this purpose. It helps to avoid misuse or illegal use of highly sensitive data. Text and graphical passwords are mainly used for authentication purpose. But due to various flaws, they are not reliable for data security. Text passwords are insecure for reasons and graphical are more secured in comparison but are vulnerable to shoulder surfing attacks. Hence by using graphical password system and CAPTCHA technology a new security primitive is proposed. We call it as CAPTCHA as graphical Password (CaRP). CaRP is a combination of both a CAPTCHA and a graphical password scheme. In this paper we conduct a comprehensive survey of existing CaRP techniques namely ClickText, ClickAnimal and AnimalGrid. We discuss the strengths and limitations of each method and point out research direction in this area. We also try to answer Are CaRP as secured as graphical passwords and text based passwords? and Is CARP protective to relay attack?" I. INTRODUCTION Security awareness is an important factor in an information security program. While organizations and institutes expand their use of advanced security technology and continuously train their security professionals, fraction of it is used to increase the security awareness among the normal users. As a result, today, organized cyber criminals are trying hard towards research and development of advanced hacking methods that can be used to steal money and secured information from the general public. Password authentication is one of the most common building blocks in implementing access control. Each user has a relatively short sequence of characters commonly referred to as a password. To gain access, providing right password is essential

2 Common attack for breaking password authenticated systems is dictionary attack [2]. Graphical password is an option for alphanumeric password as text password is slightly hard to remember text password. When any application is provided with user friendly authentication it becomes easy to break and use that application. Cloud security can also be given by alphanumeric password but thing matter is that use of alphanumeric is not that much of secure and easy to remember. Any individual examining the password can memorize it which may lead to its misuse. Graphical password schemes are more reliable and more resilient to dictionary attacks than textual passwords, but more vulnerable to shoulder surfing attacks [3]. CAPTCHA (Completely Automated Public Turing tests to tell Computers and Humans Apart) is a program that generates and grades tests that are human solvable, but current computer programs do not have the ability to solve them. The robustness of CAPTCHA is found in its strength in resisting automatic adversarial attacks, and it has many applications for practical security, including free services, online polls, search engine bots, preventing dictionary attacks, worms and spam [4]. II. GRAPHICAL TECHNIQUES: 2.1. Thwart Password Guessing: PassPoints [1] is a well-studied graphical password scheme, where a user clicks on an image and the ordered sequence of her click-points is used to derive a password. PassPoints has an inherent security weakness: it is easy for an attacker to automatically identify all salient points in an image using standard image processing methods. Then running through random combinations of salient points will lead to a brute force attack on passwords. To make things worse, when given an image, people tend to prefer some image points (e.g. eye-catching ones) over others when creating passwords. These more popular points are hot spots of the image, as shown in Figure 1, and an attacker can exploit them for an effective dictionary attack, significantly reducing the security of PassPoints [2,3]. To address the above problems, we have pondered a new approach to mitigating password guessing attacks. Password guessing, on text or graphical passwords, online or offline, is typically a deterministic elimination process. Each guess reduces the remaining search space, and a next guess has a higher chance for success. While more and more password candidates get eliminated,

3 the probability of a current guess being correct increases, and this probability finally approaches 1. Naturally, a classic defense is to increase the password space. But, how about thwarting the deterministic elimination process? What if previous guesses do not contribute to reducing the password space, and thus a next guess is just like starting from scratch? Is this possible? Salient points in PassPoints harm security but help memorability, as these points are often structural and they facilitate users to remember their clickpoints. It is impractical to force users to choose non-salient points, as these will be hard to remember. If we do not want to increase the image size to boost the password space, the only option remaining seems to make it hard for computers to exploit salient points. If the points a user clicks to login in a session cannot be correlated to the points she clicks in other sessions, then it is likely that a previous guess is not correlated with the next. One way of achieving this is the following: a different image is used for each session, and in each of the images, a user s password points appear in different forms, different locations, etc. This way, each automated guess will not reduce the password search space any more. 2.2 CaRP: Captcha as graphical Passwords: A. CAPTCHA is a program that can generate and grade tests that: (A) most humans can pass, but (B) current computer programs cannot pass. Such a program can be used to differentiate humans from computers [5]. There are two types of visual CAPTCHA: text CAPTCHA and ImageRecognition CAPTCHA (IRC).CAPTCHA can be circumvented through relay attacks whereby CAPTCHA challenges are relayed to human solvers [1]. B. Graphical password Graphical password schemes have been proposed as a possible alternative to alphanumeric schemes, motivated partially by the fact that humans can remember images easily than text; psychological studies supports such assumption [8]. Images are generally easier to be remembered than text. In addition, if the number of possible images is enough large, the possible password space of a graphical password scheme may exceed that of text-based schemes and thus presumably offer better resistance to dictionary attacks. Because of these (presumed) advantages, there is a increasing interest in graphical password

4 C. ClickText ClickText is a CaRP scheme built on top of text Captcha. Unlike normal text Captchas, a CaRP image should contain all the alphabet to allow a user to form any allowed password. Figure 2 shows a ClickText image with an alphabet of 33 characters. In ClickText images, characters can be arranged randomly on 2D space. This is another major difference from traditional text Captchas in which characters are typically ordered from left to right. Using ordinary text Captcha is not suitable in this context, as it is hard to arrange all the characters one dimensionally in a reasonably small space. Also, there is no order among characters in a CaRP image whereas the order is needed for characters in a normal Captcha image so that users can type them in. Therefore, we propose a new problem, 2D text segmentation, as the underlying hard AI problem for ClickText. Figure 2: A Click text Image with 33 Characters A ClickText password is a sequence of characters in the alphabet, e.g. ρ = AB#9CD87, which is similar to a text password. To enter a password, the user clicks on the image the characters in her password in the order, A, B, #, 9, C, D, 8, and then 7. When a CaRP image is generated, each character s location is tracked to produce a ground truth. The authentication server relies on the ground truth to identify the characters corresponding to user-clicked points. The server does not store passwords in the clear, but their cryptographic hashes. ClickText does not use visually-confusing characters. For example, letter O and digit 0 may cause confusion in a CaRP image, and thus one of the characters should be excluded from the alphabet

5 D. Click Animal: ClickAnimal is also a recognition-based CaRP scheme. It has an alphabet of similar animals such as dog, horse, pig, etc. The password in this scheme is a sequence of animal names such as ρ = Cat, Dog, Horse, Turkey,.. One or more models are built for every animal. The CAPTCHA generation process wherein 3D models are used to get 2D models by applying different views, colors, lightning effects, textures, and optionally distortions are used for generating the ClickAnimal image. The resulting 2D animals are then arranged on a cluttered background like grasslands. Some animals may be overlapped by other animals in the image, but their core parts are not overlapped in order for humans to identify each of them. The number of similar animals is much less than the number of available characters. ClickAnimal has a smaller alphabet, and thus a smaller password space, than ClickText [1]. Figure 3: Click Animal method. E. Animal Grid: In order to resist human guessing attacks, a sufficiently large effective password space should be present for CaRP schemes. If the ClickAnimal scheme be combined with grid based graphical passwords, its password space can be increased. The grid can be made depending on the size of the selected animal. For authentication process, a ClickAnimal image is displayed first. After an animal is selected, an image of n n grid appears, with the grid-cell size equaling the bounding rectangle of the selected animal. Each grid-cell is labeled to help users identify. It has the advantage that a correct animal should be clicked in order for the clicked grid-cell(s) on the followup grid to be correct. If a wrong animal is clicked, the follow-up grid is wrong. A click on the correctly labeled grid-cell of the wrong grid would likely produce a wrong grid-cell at the authentication server side when the correct grid is used [1]

6 III. CONCLUSION: Figure 4: A Click Animal Method. The paper conducts a comprehensive survey of CAPTCHA as Graphical Password schemes. CaRP is a combination of both a CAPTCHA and a graphical password scheme. CaRP schemes are classified as Recognition-Based CaRP and Recognition-Recall CaRP. We have discussed RecognitionBased CaRP which include ClickText, ClickAnimal and AnimalGrid techniques in this paper. Current graphical password techniques are an alternative to text password but are still not fully secure. As a framework, CaRP does not rely on any specific CAPTCHA scheme. When one CAPTCHA scheme is broken, a new and more secure one may appear and be converted to a CaRP scheme. Due to reasonable security and usability and practical applications, CaRP has good potential for refinements. The usability of CaRP can be further improved by using images of different levels of difficulty based on the login history of the user and the machine used to log in. REFERENCES: [1] Bin B. Zhu, Jeff Yan, Guanbo Bao, Maowei Yang, and Ning Xu, CAPTCHA as Graphical Passwords A New Security Primitive Based on Hard AI Problems, IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 9, NO. 6, JUNE 2014 [2] Matthew Dailey, Chanathip Namprempre, A Text-Graphics Character CAPTCHA for Password Authentication [3] T. S. Ravi Kiran, Y. Rama Krishna, Combining CAPTCHA and graphical passwords for user authentication, International Journal of Research in IT & Management, Volume 2, Issue 4 (April 2012) (ISSN ) [4] Liming Wang, Xiuling Chang, Zhongjie Ren, Haichang Gao, Xiyang Liu, Uwe Aickelin, Against Spyware Using CAPTCHA in Graphical Password Scheme [5] Luis von Ahn, Manuel Blum, Nicholas J. Hopper, and John Langford, CAPTCHA: Using Hard AI Problems For Security [6] Xiaoyuan Suo, Ying Zhu, G. Scott. Owen, Graphical Passwords: A Survey, Department of Computer Science Georgia State University