3LAS (Three Level Authentication Scheme)


Kunal Mulwani 1, Saurabh Naik 2, Navinkumar Gurnani 3, Dr. Nupur Giri 4, Prof. Sharmila Sengupta 5
1,2,3,4,5 Vivekanand Education Society's Institute of Technology, Computer Engineering, University of Mumbai, Maharashtra, India

Abstract

Textual passwords are the more commonly used kind in day-to-day life. They tend to be more vulnerable as far as security is concerned. Users tend to pick short passwords that are easy to remember, which makes the passwords easy for attackers to break. Furthermore, textual passwords are vulnerable to hidden cameras, shoulder surfing, key loggers, spyware and brute force attacks. Graphical password schemes have been proposed as a possible alternative to text-based schemes. However, they are mostly vulnerable to shoulder surfing and key loggers.

Keywords: Graphical password, Textual password, Password, Security

I. INTRODUCTION

In our day-to-day life, we happen to surf hundreds of websites on the internet. But website security and user privacy on the internet have been a great concern. On almost every website we visit, the user logs in by providing login credentials. But there are certain security concerns:

1. Someone standing behind or beside you can intentionally see the credentials (the shoulder surfing problem).
2. There may be a key logger installed on the system on which the login credentials are typed.

The vulnerabilities of the textual password are well known. Users tend to pick short passwords that are easy to remember, which makes the passwords easy for attackers to break. Furthermore, textual passwords are vulnerable to shoulder surfing, hidden cameras, spyware, key loggers and brute force attacks. Graphical password schemes have been proposed as a possible alternative to text-based schemes. However, they are mostly vulnerable to shoulder surfing and key loggers. There is a need for solving the above stated problem. In this paper, we propose a Three Phase Textual-Graphical Password Authentication scheme.
This technique seamlessly integrates both graphical and textual password schemes and provides nearly perfect resistance to shoulder surfing, hidden cameras, spyware, key loggers and brute force attacks. It can replace or coexist with conventional textual password systems without changing existing user password profiles. The scheme shows significant potential for bridging the gap between conventional textual passwords and graphical passwords. The proposed scheme has an extremely wide scope, as it can be used for banking applications, ATM services and other applications where user interaction with private data is controlled by means of password authentication.

II. LITERATURE REVIEW

Textual passwords have existed since 1960. Since then, they have been a common mechanism to authenticate users. Applications that we use in our day-to-day life use textual passwords to authenticate users. The main motivation behind the graphical password is the fact that humans can remember graphical passwords more easily than textual ones [1]. Graphical passwords tend to be more secure than textual passwords.

A system was designed by Blonder in which the user is asked to click on different graphics in an image used for authentication [2]. When creating a password, the user is asked to choose four images of human faces from a face database as their own password. In the authentication stage, users must click on the approximate areas of those locations. This method is considered a more convenient password scheme than the textual scheme, because the image can help users recall their own passwords.

Wiedenbeck, et al. [3] extended the approach and proposed a system called PassPoint. It allows users to click on any locations on the image to create the passwords. The system calculates a tolerance around each pixel that has been chosen. The users must click within the tolerance of the chosen pixels.
Instead of using an alphanumeric password, the user chooses geometric art images out of a series of images. The user creates a portfolio of images by selecting p images out of a set of images given to him. While authenticating, the user is presented with a challenge set of n images which contains m images out of the portfolio. The remaining n - m images are called decoy images. The user has to identify the images of his portfolio as selected earlier [3].

Jansen [3-5] proposed a graphical password scheme. In the scheme, a user is requested to choose a theme which contains a set of pictures. The user needs to select some of the pictures from the ones that are available in that theme. He needs to choose the images in a particular sequence which will act as his password, i.e. images in that sequence will authenticate the user.

Sobrado and Birget [6] developed a graphical password technique. In their scheme, the system first displays a number of 3 pass-objects (pre-selected by a user) among many other objects. To be authenticated, a user needs to recognize the pass-objects and click inside the triangle formed by the 3 pass-objects.

Huanyu Zhao and Xiaolin Li [7] designed an authentication system based on a textual-graphical password scheme. In the proposed system the user is presented with a screen of characters. His password is presented in the form of invisible triangles, i.e. the first three characters form the corners of an invisible triangle, then starting from the second character another invisible triangle is formed, and so on. In each of the triangles the user either has to click on, or has to use, the central character of the triangle as the session password.

III. 3LAS SYSTEM

3LAS extends the basic working of S3PAS [7]. There are minor differences. Instead of using a triangle, 3LAS uses a square. S3PAS had the password appearing in a single instance, whereas 3LAS has multiple instances. As the name suggests, 3LAS has three levels of authentication which can be used as per the needs of the security level. The three levels are as follows:

A. Level 1: Random Character in Grid

This is the first level of 3LAS. In this level, a screen with random characters appears in front of the user. This screen also contains the user's password as a part of the random characters. The user's password is broken down into pieces; each piece contains four characters of the user's password.

The first instance contains the first four characters as corners of a 3 x 3 matrix (Invisible Square). The second instance contains the next four characters, and so on. In order to go to the next instance the user clicks on any of the possible characters within the square, viz. north, south, east, west, or center. The user cannot click on the corners of the square, as they hold his password characters and clicking them would make the scheme more vulnerable. At the time of registration, the user is asked to define a pattern of clicking a character at different instances. In the first instance the user can click on the central character, in the next instance he can click on the left character, and so on as per the user's choice. These characters form a session password, similar to S3PAS [7].

In this scheme, the 3 x 3 matrix appears at a random position at each instance. Moreover, the screen of random characters is different every time, i.e. the character positions change at every instance. Also, the characters appearing within the invisible square are different at every instance.

Consider an example: Jack wants to log in. His password is mydad123. He'll first enter his id and then he'll get the screen shown in Fig. 1. In this screen, Jack has to search for his password in the form of 3 x 3 matrices. The first four password characters, in this case myda, will appear as the corners of the Invisible Square. He will click on the chosen character. It is assumed that he chose center and left. So in the first instance he will click on the central character (_). After clicking on the central character, Jack will successfully go to the next instance, which is shown in Fig. 2.

Fig. 1. Level 1 First Instance.

Now, Jack has to search for the next four characters of his password, i.e. d123, in the screen, following the same procedure as explained.

Fig. 2. Level 1 Second Instance.

After he clicks on the western character, he is successfully logged in. If Jack clicks on any other character, he has to try again on a new screen. In this case, session password _., will authenticate Jack. This scheme is shoulder surfing resistant as the hacker won't be able to determine what the password is.

This is because the square appears at different positions on the screen and the characters of the session password are different at every instance.

B. Level 2: Random Character in Grid with Session password

Although Level 1 is shoulder surfing resistant, it is still vulnerable. The snapshot feature of a key logger can be used to determine the password. The attacker will have snapshots of multiple sessions, which, if compared, will lead to actual recognition of the password and possibly the scheme too. In order to overcome this vulnerability, another scheme can be used. This scheme proposes that, instead of clicking on the characters of the session password, the user remembers those characters, and at the end the user has to enter the session password, which leads to his authentication. Every time the user tries to log in, he gets a different session password. Thus the key logger snapshot won't be able to help the attacker in cracking the password.

Considering the same example, Jack with password mydad123 will follow the same procedure as that of Level 1. But now, instead of clicking on the characters, Jack will memorize those characters, and after successfully completing the last instance he will be asked to enter the session password. The screen will appear as shown in Fig. 3. After memorizing his session password character he'll click on the next button. Then he gets the next instance as shown in Fig. 4.

Fig. 3. Level 2 First Instance.

The user will be authorized with the help of the session password, which is generated from the actual password, keeping the actual password intact. Here Jack has to enter the session password, i.e. _K, and thus he'll be authenticated.

Fig. 4. Level 2 Second Instance.

C. Level 3: Random Character in Grid with Session password and grid variations

Level 2 is highly secured. It is difficult to crack the user's password. If a more secured environment is required then the next proposed scheme is highly suitable. It is similar to Level 2.
Until now the size of the grid was constant at 3 x 3. But in order to make it more complex, we can introduce a change in the size of the grid. At one instance the grid may be of size 3 x 3, in another it can be 5 x 5, and so on. Even though the size of the grid varies, the possible candidates for the session password within the square will be 5, viz. north, south, east, west, or center.

Considering the above example, Jack, using his password mydad123, wants to log in. The same procedure of finding the first four characters in the corners of the Invisible Square continues, with the difference of variation in grid size. At the first instance he gets the screen as shown in Fig. 5. He searches for his password characters in the screen and finds them in a 5 x 5 grid. He memorizes the central character and clicks on the next button. After that he gets the next screen as shown in Fig 7. Here, Jack will search for the next four password characters. He'll find them in a 3 x 3 grid. And now he'll enter the session password and thus will be authenticated on correct entry of the session password.
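
The challenge generation and session-password check described for Levels 1 to 3, as an added Python example that is not the authors' implementation. The corner order, the filler alphabet and every function name are assumptions, and the server is assumed to hold the password in readable form, which placing its characters in the grid requires.

```python
import hmac
import secrets
import string

ROWS, COLS = 8, 10        # M = 8 * 10, the grid size used in the paper's analysis
G = 4                     # password characters per instance (the square's corners)
SIZES = (3, 5, 7)         # GV = 3 grid variations (Level 3); Levels 1 and 2 use 3 x 3
ALPHABET = string.ascii_letters + string.digits + "_.,"   # assumed filler alphabet
_rng = secrets.SystemRandom()


def session_offsets(size):
    """(row, col) offsets of the five allowed positions inside a size x size square."""
    mid, last = size // 2, size - 1
    return {"north": (0, mid), "south": (last, mid), "west": (mid, 0),
            "east": (mid, last), "center": (mid, mid)}


def build_instance(piece, size):
    """Fill a fresh random grid and hide `piece` on the corners of a square."""
    if len(piece) != G or size not in SIZES:
        raise ValueError("piece must have 4 characters and size must be 3, 5 or 7")
    grid = [[_rng.choice(ALPHABET) for _ in range(COLS)] for _ in range(ROWS)]
    top = _rng.randrange(ROWS - size + 1)      # new random position at every instance
    left = _rng.randrange(COLS - size + 1)
    last = size - 1
    # Assumed corner order: top-left, top-right, bottom-left, bottom-right.
    for ch, (r, c) in zip(piece, [(0, 0), (0, last), (last, 0), (last, last)]):
        grid[top + r][left + c] = ch
    # Only "grid" is shown to the user; top, left and size stay on the server.
    return {"grid": grid, "top": top, "left": left, "size": size}


def build_challenge(password, level=2):
    """One instance per four password characters (I = L / G)."""
    if not password or len(password) % G:
        raise ValueError("password length must be a positive multiple of 4")
    pieces = [password[i:i + G] for i in range(0, len(password), G)]
    return [build_instance(p, _rng.choice(SIZES) if level == 3 else 3) for p in pieces]


def expected_session_password(challenge, pattern):
    """Characters at the user's registered click pattern, one per instance."""
    if len(pattern) != len(challenge):
        raise ValueError("pattern needs one position per instance")
    out = []
    for inst, pos in zip(challenge, pattern):
        dr, dc = session_offsets(inst["size"])[pos]
        out.append(inst["grid"][inst["top"] + dr][inst["left"] + dc])
    return "".join(out)


def verify(challenge, pattern, response):
    """Compare the typed session password (Levels 2 and 3) in constant time."""
    expected = expected_session_password(challenge, pattern)
    return hmac.compare_digest(expected.encode(), response.encode())
```

For Jack's example, `build_challenge("mydad123", level=3)` yields two instances and the registered pattern is `["center", "west"]`.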

Fig. 5. Level 3 First Instance.

This scheme is highly secure against attacks like shoulder surfing and key loggers.

Fig. 6. Level 3 Second Instance.

IV. ANALYSIS AND DISCUSSION

A. Shoulder Surfing Resistant

Textual and graphical passwords are vulnerable to shoulder surfing. But the 3LAS system is shoulder surfing resistant, as the attacker won't be able to guess what the user is typing or clicking. And Level 3 makes it more complicated for the attacker to crack the password.

B. Random clicks, Brute force, & Dictionary attack resistant

Notations Used

G: Grid corner positions
L: Length of the password in letters
I: Instance number, defined by I = L/G
M: Matrix defined by m * n
PV: Position count, which defines the different possible positions where the password can be present
GV: Grid variations of various combinations
N: Number of chances allowed to the user to enter the password

Probability of retrieving the password using brute force attack, dictionary attack and random click

Level 1: Random Character in Grid
Probability of breaking password (P) is given by,

Level 2: Random Character in Grid with Session password
Probability of breaking password (P) is given by,

Level 3: Random Character in Grid with Session password and grid variations
Probability of breaking password (P) is given by, P=

For example, worst case checking of Level 3, where the password size is 8 characters, is given by:

Let
M = 8 * 10 (Grid size)
PV = 5 (LEFT, RIGHT, TOP, BOTTOM, CENTER)
L = 8 (minimum length of password)
G = 4 (Grid corner positions possible in a square matrix)
I = 8/4 = 2
GV = 3 (3 x 3, 5 x 5, 7 x 7 matrix allowed for user to select)

= 3.08641e-9

Best case checking of Level 3, where the password size is 16 characters, is given by:

Let
M = 8 * 10 (Grid size)
PV = 5 (LEFT, RIGHT, TOP, BOTTOM, CENTER)
L = 16 (maximum length of password)
G = 4 (Grid corner positions possible in a square matrix)
I = 16/4 = 4
GV = 3 (3 x 3, 5 x 5, 7 x 7 matrix allowed for user to select)

= 3.716891e-27

V. CONCLUSION

We proposed a three level authentication system. 3LAS demonstrates desirable features of a secure authentication system, being immune to shoulder surfing, hidden camera and spyware attacks. According to the system requirement, the desired level of security can be achieved by using the three proposed levels of authentication.

REFERENCES

[1] R. N. Shepard, "Recognition memory for words, sentences and pictures," Journal of Verbal Learning and Verbal Behavior, 6:156-163, 1967.
[2] G. E. Blonder, "Graphical passwords," in United States Patent, vol. 5559961, 1996.
[3] W. Jansen, "Authenticating Mobile Device User Through Image Selection," in Data Security, 2004.
[4] W. Jansen, "Authenticating Users on Handheld Devices," in Proceedings of Canadian Information Technology Security Symposium, 2003.
[5] W. Jansen, S. Gavrila, and V. Korolev, "A Visual Login Technique for Mobile Devices," in National Institute of Standards and Technology Interagency Report NISTIR 7030, 2003.
[6] L. Sobrado and J. C. Birget, "Graphical passwords," The Rutgers Scholar, An Electronic Bulletin for Undergraduate Research, 4, 2002.
[7] Huanyu Zhao and Xiaolin Li, "S3PAS: A Scalable Shoulder-Surfing Resistant Textual-Graphical Password Authentication Scheme," in 21st International Conference Advanced Information Networking and Application Workshop, 2007.