10-11-2012, 05:22 PM
AUTHENTICATION SCHEMES FOR SESSION PASSWORDS USING COLOR AND GRAY-SCALE IMAGES
Introduction
The most common method used for authentication is the textual password.
The vulnerabilities of this method, such as eavesdropping, dictionary
attacks, social engineering and shoulder surfing, are well
known. Random and lengthy passwords can make the system
secure. But the main problem is the difficulty of remembering
those passwords. Studies have shown that users tend to pick
short passwords or passwords that are easy to remember. Unfortunately,
these passwords can be easily guessed or cracked. The
alternative techniques are graphical passwords and biometrics.
But these two techniques have their own disadvantages. Biometrics,
such as fingerprints, iris scans or facial recognition, have been
introduced but not yet widely adopted.
The major drawback of this approach is that such systems can be
expensive and the identification process can be slow. Many
graphical password schemes have been proposed in the last
decade. But most of them suffer from shoulder surfing, which is
becoming quite a big problem. Some graphical password
schemes have been proposed that are resistant to shoulder
surfing, but they have their own drawbacks, such as usability issues,
taking more time for the user to log in, or having tolerance levels. Personal
Digital Assistants are being used by people to store their
personal and confidential information like passwords and PIN
numbers. Authentication should be provided for the usage of these
devices.
In this paper, two new authentication schemes are proposed.
These schemes authenticate the user by session passwords
which are used only once. Once the session is terminated, the
session password is no longer useful. For every login process,
users input different passwords. The session passwords provide
better security against dictionary and brute force attacks, as the password
changes for every session. The proposed authentication
schemes use text and colors for generating session passwords.
This paper is organized as follows: In section II related methods
Results and Discussion
There are six main security features that are used in existing graphical password schemes. The features are shown in Table 2. The possible attack methods are not classified as security features; they are listed only as guidance and to support why the security features are needed. The possible attack methods are divided into six types: brute force, dictionary, guessing, spyware, shoulder-surfing and social engineering. These are the currently active attack methods in the graphical authentication environment.
From Table 2, it can be concluded that all of the existing schemes are vulnerable to brute force, guessing and shoulder-surfing attacks. As we can see, the Draw-A-Secret (DAS) scheme is the only scheme that is capable of defending against brute force attacks. This is because DAS provides the largest password space compared to other schemes [23]. The Pict-O-Lock scheme has a strong resistance to guessing. This scheme uses image variation, where the same image is displayed in different colors. Overall, the existing schemes have strong security mechanisms to counter dictionary, spyware and social engineering attacks. In order to protect against brute force and guessing, a scheme needs to provide a large password space. The larger the password space, the harder it is for brute force and guessing to succeed.
As depicted in Table 2, seven schemes provide a large password space. To increase the security of graphical authentication, seven schemes used the randomly assigned images and decoy images features. The purpose of using these features is mainly to defend against shoulder-surfing attacks. As we can see, almost all of the schemes using these features are less susceptible to shoulder-surfing attacks. A total of four schemes used the hash visualization function. In order to strengthen the security of the selected password, some of these schemes combined hash and salt functions. Among all of these recognition and recall based security features, we will select the large password space, hash function and decoy images features to protect against the possible attack methods in the graphical authentication environment. The repeat verifications, randomly assigned images and image variation features will not be used in the development of our scheme. As we can see, repeating the process of verification makes the authentication process slower, which affects scheme usability.
We conducted the user study of the proposed techniques with 10 participants for each technique. As the techniques are new, the participants were first briefed about the techniques. They were given demonstrations for better understanding. Then each user was requested to log in. After that, the usability study was conducted with the students in two sessions. The sessions were conducted in a time frame of one week.
Conclusion
In this paper, two authentication techniques based on text and colors are proposed for PDAs. These techniques generate session passwords and are resistant to dictionary attacks, brute force attacks and shoulder-surfing. Both techniques use a grid for session password generation. The pair-based technique requires no special type of registration; at login time, a session password is generated based on the grid displayed. For the hybrid textual scheme, ratings should be given to colors; based on these ratings and the grid displayed during login, session passwords are generated. However, these schemes are completely new to users, and the proposed authentication techniques should be verified extensively for usability and effectiveness.
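An added illustration of the pair-based idea summarized above; it is not code from the paper. The excerpt does not give the derivation rule, so the rule used here (for each pair of secret characters, take the grid cell at the row of the first and the column of the second), the 6x6 A-Z/0-9 grid and all function names are assumptions, and the sample grid and secret are constructed.

```python
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits  # 36 symbols fill a 6x6 grid
SIZE = 6

# Constructed sample grid (unshuffled) so the walk-through is reproducible.
SAMPLE_GRID = [list(ALPHABET[i:i + SIZE]) for i in range(0, 36, SIZE)]

def new_grid(rng=None):
    """Return a freshly shuffled grid; the server shows a new one per login."""
    rng = rng or secrets.SystemRandom()
    cells = list(ALPHABET)
    rng.shuffle(cells)
    return [cells[i:i + SIZE] for i in range(0, len(cells), SIZE)]

def session_password(secret, grid):
    """Derive the one-time response from the stored secret and shown grid."""
    if not secret or len(secret) % 2 or any(c not in ALPHABET for c in secret):
        raise ValueError("secret must be non-empty, even length, A-Z/0-9")
    pos = {ch: (r, c) for r, row in enumerate(grid) for c, ch in enumerate(row)}
    out = []
    for first, second in zip(secret[0::2], secret[1::2]):
        row = pos[first][0]    # assumed rule: row of the pair's first character
        col = pos[second][1]   # assumed rule: column of the pair's second
        out.append(grid[row][col])
    return "".join(out)

def verify(secret, grid, response):
    """Server side: recompute for the grid it issued, compare in constant time."""
    return hmac.compare_digest(session_password(secret, grid), response)

if __name__ == "__main__":
    secret = "AN7K"  # constructed secret
    print(session_password(secret, SAMPLE_GRID))  # response for the sample grid
    print(session_password(secret, new_grid()))   # same secret, fresh grid
```

Because the server recomputes the response for the grid it issued, a response captured in one session does not verify against the grid of the next.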