International Journal of Computer Science Engineering and Information Technology Research (IJCSEITR)
ISSN 2249-6831, Vol. 3, Issue 2, Jun 2013, 395-402
TJPRC Pvt. Ltd.

ENHANCEMENT OF SECURITY FEATURE IN GRAPHICAL PASSWORD AUTHENTICATION

LOVEY RANA (1) & OM PAL (2)
(1) Student, SOIT, Centre for Development of Advanced Computing (CDAC), Uttar Pradesh, India
(2) Senior Lecturer, SOIT, Centre for Development of Advanced Computing (CDAC), Uttar Pradesh, India

ABSTRACT

The aim of this paper is to provide an efficient and secure graphical password system built on colour images; the images form the basis of the user's password. Usability and security are the two main properties to consider when designing any graphical password scheme, and a balance must be maintained between them. Starting from an analysis of the security features of earlier algorithms, we add the concept of graining (adding noise to the image) and process the images by varying their RGB colour scheme, in addition to the rotation and resizing used earlier [1]. Each image is concatenated with a short text to enhance the security of the approach, and this concatenated text is what defends against shoulder surfing attack.

KEYWORDS: Graphical Password, Graining, RGB Colour Scheme, Recognition Based, Password Entropy

INTRODUCTION

Graphical passwords are a sub-domain of multifactor authentication, the idea of using more than one authentication scheme in a password scenario. A graphical password is a way out of having to remember a long textual password that has no relevance to the user: a graphical scheme can reduce the effort needed to remember the password, and the graphical password scheme provides enhanced security and usability.
Graphical passwords are categorised into two schemes: recognition based and recall based. In a recognition based scheme the user recognises the password pattern he has set; in a recall based scheme the user recalls the password by looking at some relevant object. A graphical password is more secure than a textual password, but its security must be further enhanced to protect it from major attacks. There are many ways to implement a graphical authentication system. In the Passpoint [7] algorithm one has to click specific areas in a particular sequence to authenticate; in the Passface [1] [4] algorithm the user selects images from an image grid in a sequence.

RELATED WORK

Over the last decade a lot of research has been done on graphical passwords; the first graphical password scheme was introduced by Blonder [4] [8]. These schemes aim to maintain the balance between security and usability while resisting attacks as far as possible.
Graphical password schemes are categorised as follows:

Recall Based Graphical Password Scheme

The user has to recall the password he/she selected earlier. Recall based schemes can be further classified into:

Pure Recall Based: in this scheme the user is given no clue to recall the password. The following works fall under this scheme:
- Draw a Secret (DAS) [5]
- Passdoodle
- Grid selection
- Syukri
- Qualitative DAS

Cued Recall Based: in this scheme the user is given a clue to recall the password registered earlier. Cued schemes give the user more hints to memorise the password and are therefore easier than pure recall based schemes. The following works fall under this scheme:
- Blonder
- Passpoint
- Pass-Go
- Passlogix v-go
- Background DAS

Recognition Based Graphical Password Scheme

The user needs to recognise, from a set of images, the correct images that serve as the password: when authenticating, the user must recognise the pictures he selected earlier. The following works fall under this scheme:
- Dhamija and Perrig algorithm
- Sobrado and Birget algorithm
- Passface algorithm
- Man et al. algorithm

Arash Habibi Lashkari et al. [1, 7] proposed a graphical password scheme in which the work was done with regard to the entropy and password space of the algorithm, in order to increase the security of the graphical user authentication (GUA) system. The password algorithm comprises black and white images and alphanumeric text.
The proposed algorithm (GUABRR) [1] introduced the concept of resizing and rotating black and white images, together with random text embedded in the images. GUABRR is a combination of recognition based and cued recall based graphical password schemes. In this algorithm, during the registration phase the user selects a combination of images from a grid of 25 black and white images. During the login phase the grid contains some rotated and resized images, and the positions of the rotated and resized images are changed randomly. A three-character text, a concatenation of letters, special characters and numerals, is attached to each image. This algorithm resists shoulder surfing attack to a great extent.

Comparative Study of Different Graphical Password Algorithms on the Basis of Password Entropy

Algorithm                                                                        Formula              Entropy (bits)
Textual (6 characters, capital and small alphabets)                              6 * log2(52)         34.32
Textual (6 characters, capital and small alphabets and numbers)                  6 * log2(62)         35.70
Image selection similar to Passface (4 runs, 9 pictures)                         4 * log2(9)          12.74
Click based algorithm similar to Passpoint (4 loci, assuming 30 salient points)  4 * log2(30)         19.69
GUABRR (Graphical User Authentication By Rotation and Resizing)                  5 * log2(25*12*2)    46.37

Password entropy is a measure of how effective a password is in resisting guessing. The password entropy of a graphical password can be calculated as follows [2]:

Entropy = N * log2(L * O * C)

where N is the length or number of runs, L is the locus alphabet (the set of all loci), O is the object alphabet and C is the colour alphabet.
This concluded that GUABRR has the highest password entropy and hence is the most secure algorithm till

PROPOSED APPROACH

The approach works with colour images. Using the attributes of the colour images, the images have been chosen so that they resemble each other in some attribute. Image processing is applied to change their appearance, keeping in mind that the processed image must not look very different from the original: the difference should be minimal so that the user can still identify the image easily. In this approach four image processing schemes are applied to make the images differ from the original image; these schemes are:
- Rotation
- Resizing
- Graining (embedding noise in the image): noise in digital photos consists of undesirable flecks of random colour in a portion of an image that should be of smooth colour, somewhat like the "snowy" appearance of a bad TV signal. The purpose of adding noise in the proposed approach is only to change the image's appearance while keeping its originality intact.
- Variation in colour scheme (RGB): the RGB colour scheme produces different colours by varying the Red (R), Green (G) and Blue (B) intensity values in the range 0-255, where 0 signifies black and 255 signifies white. We have selected eight colours by varying the RGB values. The intensity of the selected colours is kept nominal, and at most 8 colours are chosen, so that usability is not hampered.

[Figure: Original Image / Image after Graining]

The colour scheme with its hex colour codes is as follows:

Red   Green   Blue   HEX Equivalent
255   255     150    #FFFF96
255   200     255    #FFC8FF
100   100     255    #6464FF
200   100     255    #C864FF
200   200     50     #C8C832
255   150     10     #FF960A
190   100     100    #BE6464
255   255     170    #FFFFAA

Proposed Algorithm

The complete password scheme comprises two steps:
- Registration
- Login
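The four processing steps of the proposed approach (rotation, resizing, graining and RGB colour variation) can be reproduced on a plain list-of-pixels image, as in the following added example; it is not code from the paper. The palette is the paper's own RGB table, but the rotation angles (multiples of 30 degrees), the 0.5 resize factor, the noise amplitude and the 25% tint strength are assumptions, since the paper fixes only the counts (12 rotations, 2 sizes, 2 grain levels, 8 colours).

```python
import math
import random

# The eight tint colours from the paper's RGB table, as (R, G, B).
PALETTE = [
    (255, 255, 150), (255, 200, 255), (100, 100, 255), (200, 100, 255),
    (200, 200, 50), (255, 150, 10), (190, 100, 100), (255, 255, 170),
]

# An image is a list of rows; each row is a list of (R, G, B) tuples.


def to_hex(rgb):
    """Hex colour code as printed in the paper's table: (255, 255, 150) -> '#FFFF96'."""
    return "#%02X%02X%02X" % rgb


def clamp(value):
    return max(0, min(255, int(value)))


def grain(image, amount, seed):
    """Graining: add bounded random flecks (+/- amount per channel) to every pixel.
    A fixed seed makes the noise reproducible, so a grained decoy need not be stored."""
    rng = random.Random(seed)
    return [[tuple(clamp(c + rng.randint(-amount, amount)) for c in px) for px in row]
            for row in image]


def tint(image, colour, strength=0.25):
    """RGB variation: blend each pixel toward one palette colour.
    strength=0 leaves the image unchanged; strength=1 replaces it with the flat colour."""
    return [[tuple(clamp(c + (t - c) * strength) for c, t in zip(px, colour)) for px in row]
            for row in image]


def rotate(image, degrees):
    """Rotate about the image centre with nearest-neighbour sampling; output pixels
    whose source falls outside the image are filled with black."""
    h, w = len(image), len(image[0])
    theta = math.radians(degrees)
    cos_t, sin_t = math.cos(theta), math.sin(theta)
    cx, cy = (w - 1) / 2, (h - 1) / 2
    out = []
    for y in range(h):
        row = []
        for x in range(w):
            # inverse-map the output pixel to its source position
            sx = cos_t * (x - cx) + sin_t * (y - cy) + cx
            sy = -sin_t * (x - cx) + cos_t * (y - cy) + cy
            xi, yi = round(sx), round(sy)
            row.append(image[yi][xi] if 0 <= xi < w and 0 <= yi < h else (0, 0, 0))
        out.append(row)
    return out


def resize(image, scale):
    """Nearest-neighbour resize by an integer or fractional factor."""
    h, w = len(image), len(image[0])
    nh, nw = max(1, int(h * scale)), max(1, int(w * scale))
    return [[image[int(y / scale)][int(x / scale)] for x in range(nw)] for y in range(nh)]


def make_variant(image, rotation_index, resized, grained, colour_index):
    """Apply the scheme's four steps to one grid image.  Counts follow the paper
    (12 rotations, 2 sizes, 2 grain levels, 8 colours); the angle step, scale
    factor and noise amplitude are assumptions of this example."""
    out = rotate(image, 30 * (rotation_index % 12))
    if resized:
        out = resize(out, 0.5)
    if grained:
        out = grain(out, 24, seed=rotation_index * 8 + colour_index)
    return tint(out, PALETTE[colour_index % 8])


if __name__ == "__main__":
    # constructed 4x4 grey image standing in for a grid picture
    sample = [[(100, 100, 100)] * 4 for _ in range(4)]
    variant = make_variant(sample, 3, False, True, 0)
    print(to_hex(PALETTE[0]), variant[0])
```

The tint strength is kept low and the noise amplitude bounded so the processed image stays recognisable as the original, which the approach requires for usability; a practitioner tuning these values should check that the decoys do not become easier to tell apart from the unprocessed images than the images are from each other.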
Registration Phase

In the registration phase the user provides all his details and then chooses, from a grid of pictures, the images that will be his password in future. Once registration is complete the following is done:

1. The user name is associated with a User ID (UID) that is unique for every user.
2. An image grid of 25 images is presented to the user.
3. The images the user selects are each given a PID (picture ID).
4. Select PID = (from (25^3)): PIDs are assigned to the 3 images selected out of the 25.
5. The user's information and his chosen images are associated with his UID and stored in the database.

The registration phase captures the details provided by the user and creates individual IDs for the images he chose; together these make up all the information needed about the user during the login phase.

Login Phase

In the login phase the user is presented with a login interface where he enters his login ID and must recognise the pictures he selected during registration. Every picture in the picture grid is concatenated with three random characters, which the user enters as his password. If this succeeds the user is logged in to his profile; otherwise a failure note is shown. The picture grid contains rotated, resized, grained and colour-varied images along with images that are not processed at all. The login phase runs as follows:

- The user provides his user ID (UID).
- Based on the UID, the images the user selected (PIDs) together with other images (a grid of rotated, resized, grained and RGB-varied colour images) are arranged into a matrix and presented to the user to choose his password from.
- Under every image a set of characters is generated, which the user can see.
- Store character set (from ((26*2+14)^3)) into an array: a 3-character set is selected from the 26 small letters, 26 capital letters and 14 special characters. This text is concatenated with each image in the login phase.
- Randomdecoy(PID): the random decoy function produces the images randomly every time the user logs in to the system.
- Newimage_ID = imageprocess(PID): the image process applies rotation, resizing, graining and RGB colour variation to the images.
- The user recognises the images he selected at registration and types the characters shown below those images into the password field.
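The registration and login flow above, including the final verification of the UID and PIDs against the stored record, as an added Python example that is not the paper's own code. It assumes a server-side class GraphicalPasswordServer, a particular set of 14 special characters (the paper does not list them), and a salted SHA-256 digest of the ordered PID sequence as the stored form; the image variants are carried as tags on each grid cell, since rendering is not part of what the server verifies.

```python
import hashlib
import hmac
import secrets
import string
from collections import namedtuple

GRID_SIZE = 25      # images in the grid
PASS_IMAGES = 3     # images chosen at registration (PID from 25^3)
LABEL_LEN = 3       # random characters shown under each image
# 26 small + 26 capital letters + 14 special characters = 66 symbols, 66^3 labels.
# The paper does not list the 14 specials; this set is an assumption of the example.
LABEL_ALPHABET = string.ascii_letters + "!@#$%^&*()-_=+"

# Presentation variants the grid can apply: 12 rotations, 2 sizes, 2 grain
# levels and the paper's 8 colours (the 30-degree step is an assumption).
ROTATIONS = [30 * i for i in range(12)]
COLOURS = ["#FFFF96", "#FFC8FF", "#6464FF", "#C864FF",
           "#C8C832", "#FF960A", "#BE6464", "#FFFFAA"]

GridCell = namedtuple("GridCell", "pid label rotation resized grained colour")


def _digest(salt, pids):
    """Salted hash of the ordered PID sequence; the PIDs are never stored in clear."""
    return hashlib.sha256(salt + ",".join(map(str, pids)).encode()).hexdigest()


class GraphicalPasswordServer:
    def __init__(self):
        self.users = {}     # UID -> (username, salt, digest)
        self.pending = {}   # UID -> {label: pid} for the grid currently on screen

    def register(self, username, chosen_pids):
        """Registration phase: attach a unique UID and store the chosen PIDs."""
        if (len(chosen_pids) != PASS_IMAGES or len(set(chosen_pids)) != PASS_IMAGES
                or not all(0 <= p < GRID_SIZE for p in chosen_pids)):
            raise ValueError("choose %d distinct images from the grid" % PASS_IMAGES)
        uid = secrets.token_hex(4)
        salt = secrets.token_bytes(16)
        self.users[uid] = (username, salt, _digest(salt, chosen_pids))
        return uid

    def start_login(self, uid):
        """Randomdecoy + imageprocess: shuffle all 25 images, give each a fresh random
        variant and a fresh random 3-character label, and remember label -> PID."""
        if uid not in self.users:
            return None
        rng = secrets.SystemRandom()
        pids = list(range(GRID_SIZE))
        rng.shuffle(pids)
        used = set()
        grid = []
        for pid in pids:
            label = "".join(rng.choice(LABEL_ALPHABET) for _ in range(LABEL_LEN))
            while label in used:            # labels must be unique within one grid
                label = "".join(rng.choice(LABEL_ALPHABET) for _ in range(LABEL_LEN))
            used.add(label)
            grid.append(GridCell(pid, label, rng.choice(ROTATIONS),
                                 rng.random() < 0.5, rng.random() < 0.5,
                                 rng.choice(COLOURS)))
        self.pending[uid] = {cell.label: cell.pid for cell in grid}
        return grid

    def finish_login(self, uid, typed):
        """Map the typed labels back to PIDs and verify against the stored digest.
        The label map is consumed, so a shoulder-surfed string is useless next time."""
        mapping = self.pending.pop(uid, None)
        if mapping is None or uid not in self.users or len(typed) != PASS_IMAGES * LABEL_LEN:
            return False
        chunks = [typed[i:i + LABEL_LEN] for i in range(0, len(typed), LABEL_LEN)]
        if any(chunk not in mapping for chunk in chunks):
            return False
        _, salt, expected = self.users[uid]
        return hmac.compare_digest(_digest(salt, [mapping[c] for c in chunks]), expected)


if __name__ == "__main__":
    srv = GraphicalPasswordServer()
    uid = srv.register("alice", [3, 17, 22])          # constructed user and PIDs
    grid = srv.start_login(uid)
    by_pid = {cell.pid: cell.label for cell in grid}
    print(srv.finish_login(uid, by_pid[3] + by_pid[17] + by_pid[22]))
```

Two defensive details carry the scheme's shoulder-surfing claim: the label-to-PID map is generated fresh and consumed on every attempt, so the characters an observer copies do not authenticate at the next login, and the database holds a salted digest rather than the PIDs, compared with a constant-time function.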
Finally, the user ID (UID) and the image IDs (PIDs) are verified against the database, and the user receives the result as success/failure (output).

COMPARATIVE ANALYSIS OF PASSWORD ENTROPY

Calculated Entropy of Proposed Scheme

The entropy of the password scheme can be calculated as:

Entropy = 5 * log2(25*12*2*2*8) = 66.144

where 5 images are selected from a grid of 25 images, of which 12 are rotated through different angles, 2 are resized, 2 are grained, and 8 different RGB colours are used. Password entropy is a parameter for analysing the security feature; the improved entropy value of our proposed approach has a positive impact on security.

Comparison of Entropy with Other Schemes

Algorithm                                                                                                   Formula                  Entropy (bits)
Textual (6 characters, capital and small alphabets)                                                         6 * log2(52)             34.32
Textual (6 characters, capital and small alphabets and numbers)                                             6 * log2(62)             35.70
Image selection similar to Passface (4 runs, 9 pictures)                                                    4 * log2(9)              12.74
Click based algorithm similar to Passpoint (4 loci, assuming 30 salient points)                             4 * log2(30)             19.69
GUABRR (Graphical User Authentication By Rotation and Resizing)                                             5 * log2(25*12*2)        46.37
Proposed approach (5 images selected from 25; 12 rotations, 2 resizings, 2 grainings, 8 colour patterns)   5 * log2(25*12*2*2*8)    66.144

The entropy of the proposed approach is higher than that of the previous algorithms, which shows a better result for the proposed algorithm.

CONCLUSIONS

Pictures are recognised better than text, which is how the concept of graphical passwords came into light; but the security of graphical password schemes must be enhanced to make them more reliable. In this paper we have enhanced the security feature on the basis of previously implemented algorithms. We took colour images into consideration, as colour images are the most commonly used.
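The entropy formula Entropy = N * log2(L * O * C) and the two comparison tables above, reproduced as an added Python example that is not the paper's code. It generalises the formula to any number of independent factors and reports each factor's share of the total. Computing the formula exactly gives values that differ slightly from some printed rows (for instance 4 * log2(9) = 12.68 and 5 * log2(25*12*2) = 46.14), while the proposed approach's 66.14 matches the paper.

```python
import math


def password_space(factors):
    """Per-run alphabet size: the product of the independent choice counts.
    This is the paper's L * O * C, generalised to any number of factors."""
    space = 1
    for size in factors:
        space *= size
    return space


def entropy_bits(runs, factors):
    """Entropy = N * log2(L * O * C), with N runs over the combined alphabet."""
    return runs * math.log2(password_space(factors))


def factor_contributions(runs, factors):
    """Bits each factor adds under the formula (log2 of a product is a sum)."""
    return {name: runs * math.log2(size) for name, size in factors.items()}


# Rows of the comparison tables: name -> (runs, {factor name: size}).
SCHEMES = {
    "Textual, 6 letters": (6, {"letters": 52}),
    "Textual, 6 letters or digits": (6, {"letters+digits": 62}),
    "Passface-like, 4 runs, 9 pictures": (4, {"pictures": 9}),
    "Passpoint-like, 4 loci, 30 points": (4, {"salient points": 30}),
    "GUABRR": (5, {"images": 25, "rotations": 12, "sizes": 2}),
    "Proposed approach": (5, {"images": 25, "rotations": 12, "sizes": 2,
                              "grain": 2, "colours": 8}),
}


def entropy_table():
    """Recompute every row of the table, rounded to two decimals."""
    return {name: round(entropy_bits(runs, spec.values()), 2)
            for name, (runs, spec) in SCHEMES.items()}


def expected_guesses(bits):
    """Average guesses to hit a uniformly chosen password: half the space."""
    return 2 ** bits / 2


if __name__ == "__main__":
    for name, bits in entropy_table().items():
        print("%-36s %7.2f bits  (~%.2e guesses)" % (name, bits, expected_guesses(bits)))
    for name, bits in factor_contributions(*SCHEMES["Proposed approach"]).items():
        print("  %-12s %6.2f bits" % (name, bits))
```

The formula assumes every factor is an independent, uniformly random choice the attacker has to guess. Presentation variants such as rotation or tint contribute to the space only when they form part of what the server verifies, so a practitioner applying the table to a deployment should confirm which factors are actually secret before relying on the figure.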
Earlier research was done on black and white images. The mathematical analysis of the security parameter, i.e. password entropy, is done and positive results are found. The proposed algorithm is also resistant to shoulder surfing attack.

REFERENCES

1. Arash Habibi Lashkari, Azizah Abdul Manaf, Maslin Masrom, "A Secure Recognition Based Graphical Password by Watermarking", 11th IEEE International Conference on Computer and Information Technology, 2011.
2. A.H. Lashkari, "A survey on usability and security features in graphical user authentication algorithms", International Journal of Computer Science and Network Security (IJCSNS), Korea, 2009.
3. Komanduri, S. and D.R. Hutchings, "Order and Entropy in Picture Passwords", Canadian Information Processing Society, 2008.
4. Ali Mohamed E., "Study and Develop a New Graphical Password System", Master Dissertation, University Technology Malaysia, 2008.
5. Hu, W., X. Wu, and G. Wei, "The Security Analysis of Graphical Passwords", International Conference on Communications and Intelligence Information Security, 2010.
6. Muhammad DH, Abdul HA, Norafida IT, Hazinah KM, "Towards Identifying Usability and Security Features of Graphical Password in Knowledge Based Authentication Technique", IEEE Xplore, 2008.
7. Lashkari A.H., S.F., Omar Bin Zakaria and Rosli Saleh, "Shoulder Surfing attack in graphical password authentication", International Journal of Computer Science and Information Security (IJCSIS), 2009.
8. Ahmet Emir Dirik, Nasir Memon, Jean-Camille Birget, "Modeling user choice in the PassPoints graphical password scheme", Symposium On Usable Privacy and Security (SOUPS), 2007.
9. Blonder, G., "Graphical passwords", United States Patent 5559961, 1996.
10. Dhamija, R. and Perrig, A., "Déjà Vu: A User Study Using Images for Authentication", Proceedings of the 9th USENIX Security Symposium, 2000.
11. Chiasson, S., et al., "Multiple Password Interference in Text Passwords and Click-Based Graphical Passwords", ACM, 2009.
12. Mohammed Misbahuddin, P. Premchand, A. Govardhan, "A User Friendly Password Authenticated Key Agreement for Multi Server Environment", International Conference on Advances in Computing, Communication and Control (ICAC3 09).