08-02-2013, 10:01 AM
IPAS: Implicit Password Authentication System
1Implicit Password.pdf (Size: 245.66 KB / Downloads: 20)
Abstract
Authentication is the first line of defense against compromising confidentiality and integrity. Though traditional login/password based schemes are easy to implement, they have been subjected to several attacks. As an alternative, token- and biometric-based authentication systems were introduced. However, they have not improved substantially enough to justify the investment. Thus, a variation of the login/password scheme, viz. the graphical scheme, was introduced. But it also suffered from shoulder-surfing and screen-dump attacks. In this paper, we introduce a framework for our proposed Implicit Password Authentication System (IPAS), which is immune to the common attacks suffered by other authentication schemes.
INTRODUCTION
Authentication is the process of determining whether a particular individual or device should be allowed to access a system, an application, or merely an object running on a device. This is an important process which assures the basic security goals, viz. confidentiality and integrity. Adequate authentication is also the first line of defense for protecting any resource. The same authentication technique need not be used in every scenario. For example, a less sophisticated approach may be used for accessing a “chat server” compared to accessing a corporate database. Most of the existing authentication schemes require processing at both the client and the server end. Thus, the acceptability of any authentication scheme depends greatly on its robustness against attacks as well as on its resource requirements at both the client and the server end. The resource requirement has become a major factor due to the proliferation of mobile and hand-held devices. Nowadays, with the use of mobile phones, users can access any information, including banking and corporate databases.
Recall-Based Systems
In recall-based systems, the user is asked to reproduce something that he/she created or selected earlier, during the registration phase. Recall-based schemes can be broadly classified into two groups, viz. pure recall-based techniques and cued recall-based techniques.
Pure Recall-Based Techniques
In this group, users need to reproduce their passwords without any help or reminder from the system. The Draw-A-Secret technique [8], Grid selection [9], and Passdoodle [10] are common examples of pure recall-based techniques.
In 1999, Jermyn et al. [8] proposed the DAS (Draw-A-Secret) scheme, in which the password is a shape drawn on a two-dimensional grid of size G × G, as in Figure 1. Each cell in this grid is identified by distinct rectangular coordinates (x, y). The cells touched by the drawing are stored in the temporal order in which they were crossed. If the same cell coordinates are crossed in the same sequence as registered, the user is authenticated. As with other pure recall-based techniques, DAS has many drawbacks.
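The DAS registration and verification logic described above, as an added example that is not from the paper or the original post. It maps raw pointer samples onto a G × G grid, keeps only the temporally ordered sequence of cells crossed, and compares that sequence at login. One departure from the paper, labelled in the code, is that the server stores a salted PBKDF2 hash of the cell sequence rather than the coordinates themselves; the grid size, cell size and the sample stroke are constructed values.

```python
import hashlib
import hmac
import secrets

# Grid size: the DAS canvas is a G x G grid whose cells are addressed by (x, y).
G = 5
PBKDF2_ROUNDS = 100_000  # work factor for the stored verifier (my choice, not from the paper)


def stroke_to_cells(points, cell_size, grid=G):
    """Map raw pointer samples (pixel coordinates) to the grid cells they cross,
    in temporal order. Consecutive samples inside the same cell collapse to one
    entry, because DAS compares the sequence of cells, not the exact pixels."""
    cells = []
    for px, py in points:
        cx, cy = int(px // cell_size), int(py // cell_size)
        if not (0 <= cx < grid and 0 <= cy < grid):
            raise ValueError(f"sample {(px, py)} lies outside the {grid}x{grid} grid")
        if not cells or cells[-1] != (cx, cy):
            cells.append((cx, cy))
    return cells


def encode_cells(cells):
    """Canonical byte encoding of a cell sequence; the order is part of the secret."""
    return ";".join(f"{x},{y}" for x, y in cells).encode()


def register(cells):
    """Create the stored verifier for a drawn secret.

    The paper stores the touched cells in temporal order; storing only a salted
    PBKDF2 hash of that sequence (my hardening, not the paper's) means a leaked
    database does not directly reveal the drawing."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", encode_cells(cells), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def authenticate(record, cells):
    """Accept only if exactly the same cells are crossed in the same order."""
    digest = hashlib.pbkdf2_hmac("sha256", encode_cells(cells), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    # Constructed pointer samples for a short L-shaped stroke on 20-pixel cells.
    samples = [(5, 5), (15, 8), (25, 6), (28, 25), (30, 30)]
    secret_cells = stroke_to_cells(samples, cell_size=20)
    rec = register(secret_cells)
    print(secret_cells, authenticate(rec, secret_cells))
```

Note that a sample drifting one pixel across a cell boundary changes the cell sequence and therefore fails authentication, which illustrates the usability drawback of pure recall schemes that the text alludes to: the user must reproduce the drawing within cell precision, not merely its general shape.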
IMPLICIT PASSWORD AUTHENTICATION SYSTEM
In this section, we propose our Implicit Password Authentication System. IPAS is similar to the PassPoint scheme with some finer differences. In every “what you know” type of authentication scheme we are aware of, the server requests the user to reproduce the fact given to the server at the time of registration. This is also true of graphical passwords such as PassPoint. In IPAS, we consider the password as a piece of information known to the server at the time of registration; at the time of authentication, the user gives this information in an implicit form that can be understood only by the server. We explain this through a mobile banking case study.
PROBLEMS WITH THE EXISTING SCHEMES
Traditional alphanumeric passwords are always vulnerable to guessing and dictionary attacks. There may even be a rogue program that records the keystrokes and publishes them on a remote website. In order to overcome key-logger based attacks, newer systems may show a graphical keyboard, and the user has to enter the correct password using “mouse clicks”. This may also be defeated if the attacker uses a screen-capture mechanism rather than a key logger. Since newer video codecs provide higher compression ratios, an attacker may use a screen-capture program to record a short video clip and send it to a remote server for publishing. So, as an alternative, a token-based authentication method may be used either as a standalone authentication or in addition to the traditional alphanumeric password.
CONCLUSION AND FUTURE DIRECTIONS
In this paper, we have proposed a new Implicit Password Authentication System in which the authentication information is presented implicitly to the user. If the user “clicks” the same grid-of-interest that the server expects, the user is implicitly authenticated. No password information is exchanged between the client and the server in IPAS. Since the authentication information is conveyed implicitly, IPAS can tolerate shoulder-surfing and screen-dump attacks, which none of the existing schemes can tolerate. The strength of IPAS lies in creating a good authentication space with a sufficiently large collection of images to avoid short repeating cycles. Compared to the other methods reviewed in our paper, IPAS may require human interaction and careful selection of images and “click” regions.
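A runnable model of the implicit exchange sketched in the IPAS section and summarized in this conclusion, added here as an example; it is neither the paper's implementation nor code from the original post. It assumes one concrete realization: the server knows a registered piece of information, lays out a set of cues on a grid in a fresh random arrangement for every challenge, and accepts a login only if the cell the user clicks is the one carrying the registered cue in that challenge's layout. Plain strings stand in for the image regions the paper uses as cues, and the user record, cue pool and grid size are constructed values.

```python
import hmac
import secrets
from dataclasses import dataclass, field

GRID = 4  # the challenge image is divided into GRID x GRID click regions ("grids of interest")

# Constructed registration record: the "password" is a piece of information the
# server learned at registration (here, an answer to a personal question).
USERS = {"alice": {"question": "city of birth", "answer": "chennai"}}

# Constructed pool of cues the server can place on an image. In the paper the cue is a
# region of a picture that the right user interprets; plain strings stand in here.
CUES = ["chennai", "mumbai", "delhi", "kolkata", "pune", "kochi", "goa", "madurai"]


@dataclass
class Challenge:
    """Server-side state for one authentication attempt."""
    user: str
    layout: dict = field(default_factory=dict)  # (x, y) cell -> cue shown there


def issue_challenge(user):
    """Server: choose a fresh random placement of cues on the grid (my assumption of
    how the per-session layout works). The cell -> meaning mapping stays on the server,
    so a recorded click position is bound to this one challenge."""
    if user not in USERS:
        raise KeyError("unknown user")
    cells = [(x, y) for x in range(GRID) for y in range(GRID)]
    secrets.SystemRandom().shuffle(cells)
    return Challenge(user, dict(zip(cells, CUES)))


def render_for_client(challenge):
    """What crosses the wire to the client: which cue to draw in which cell."""
    return dict(challenge.layout)


def client_click(view, known_answer):
    """Client/user: look at the image and click the region matching what they know.
    No secret is typed or transmitted; only the clicked cell goes back."""
    for cell, cue in view.items():
        if cue == known_answer:
            return cell
    raise ValueError("registered answer is not represented in this challenge")


def verify(challenge, clicked_cell):
    """Server: accept iff the clicked cell carries the registered answer in *this*
    challenge's layout. Replaying a cell captured from an earlier session succeeds
    only if the random layout happens to place the cue there again."""
    expected = USERS[challenge.user]["answer"].encode()
    shown = challenge.layout.get(tuple(clicked_cell))
    return shown is not None and hmac.compare_digest(shown.encode(), expected)


if __name__ == "__main__":
    ch = issue_challenge("alice")
    cell = client_click(render_for_client(ch), "chennai")
    print("clicked", cell, "accepted:", verify(ch, cell))
```

The design point the paper makes is visible in the two server functions: what the client returns is a grid position, and a position only means something relative to a layout that the server generated and never sent as such. The conclusion's remark about needing a large image collection corresponds here to the size of the cue pool and the number of possible layouts; with too few cues or layouts, captured click positions would start to repeat.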