20-04-2011, 01:00 PM
Chapter 1
INTRODUCTION
“Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations. (They are also large, expensive to maintain, difficult to manage, and they pollute the environment. It is astonishing that these devices continue to be manufactured and deployed. But they are sufficiently pervasive that we must design our protocols around their limitations.)” (C. Kaufman, R. Perlman, and M. Speciner)
User authentication involves issues of both usability and security. Too often, one or the other is ignored even though both are important and necessary. This problem is evident in knowledge-based authentication systems. For example, passwords are often either memorable-but-insecure or secure-but-difficult-to-remember when they should be memorable and secure. Graphical passwords are potentially more memorable and secure than traditional text passwords because they harness the human ability to easily recognize and recall images. In this thesis, we advance research in the area of knowledge-based authentication through usability and security evaluations of graphical password schemes, the creation of novel schemes that offer improved memorability and security, and the identification of some underlying design strategies to inform the design of other knowledge-based authentication schemes.
1.1 Text-Based Passwords
What are Text-Based Passwords?
A text-based password is a sequence of characters that one must input to gain access to a file, application, or computer system. Text passwords are easy and inexpensive to implement, and are familiar to most users.
Passwords allow users to authenticate themselves without violating their privacy, as biometrics could, since users can select passwords that do not contain personal information. These passwords are only secure if they are difficult for attackers to guess, yet are only usable if users can remember them.
Systems sometimes provide on-screen advice on how to create more secure passwords (e.g., select something memorable that would be difficult for others to guess), give feedback about password choice (e.g., with a password strength meter), or force users to create passwords that comply with specific system defined rules (e.g., the password must include both letters and numbers).
Difficulties with text-based passwords:
• Easy to guess
• Vulnerable to attacks
1.2 Graphical Passwords
Because human beings live and interact in an environment where the sense of sight is predominant for most activities, our brains are capable of processing and storing large amounts of graphical information with ease. While we may find it very hard to remember a string of fifty characters, we can easily remember faces of people, places we have visited, and things we have seen. This graphical data represents millions of bytes of information and thus provides large password spaces. Graphical password schemes therefore offer a way of making passwords more human-friendly while increasing the level of security.
Other advantages of graphical passwords:
Dictionary attacks are infeasible, partly because of the large password space, but mainly because there are no pre-existing searchable dictionaries for graphical information. It is also difficult to devise automated attacks. Whereas we can recognize a person's face in less than a second, computers spend a considerable amount of time processing millions of bytes of information regardless of whether the image is a face, a landscape, or a meaningless shape.
A simple graphical password scheme
The following example, while very unsophisticated, illustrates how a simple graphical password matches the security of its alphanumeric counterparts. To log in, the user is required to click within the 4 circled red regions in this picture. The user chose these regions when he or she created the password. The choice of the four regions is arbitrary, but the user will pick places that he or she finds easy to remember. The user can introduce his or her own pictures for creating graphical passwords. Also, for stronger security, more than four click points could be chosen.
Chapter 2
AUTHENTICATION
2.1 Password Spaces
We distinguish between a password system's theoretical and effective password spaces. The former is the set of all (theoretically) possible passwords. The vast majority of user choices fall into a much smaller subset of the full theoretical password space, known as the effective password space.
2.2 Overview of the Authentication Methods
Current authentication methods can be divided into three main areas:
• Token based authentication
• Biometric based authentication
• Knowledge based techniques
Token-based techniques: key cards, bank cards and smart cards are widely used. Many token-based authentication systems also use knowledge-based techniques to enhance security; for example, ATM cards are generally used together with a PIN.
Biometric-based authentication: techniques such as fingerprints, iris scans, or facial recognition are not yet widely adopted. The major drawback of this approach is that such systems can be expensive, and the identification process can be slow and often unreliable. However, this type of technique provides the highest level of security.
Knowledge-based techniques: these are the most widely used authentication techniques and include both text-based and picture-based passwords. The picture-based techniques can be further divided into two categories: recognition-based and recall-based graphical techniques. In recognition-based techniques, a user is presented with a set of images and passes authentication by recognizing and identifying the images he or she selected during the registration stage. In recall-based techniques, a user is asked to reproduce something that he or she created or selected earlier during the registration stage.
Chapter 3
GRAPHICAL PASSWORD AUTHENTICATION
3.1 Recognition Based Techniques
In recognition-based graphical password systems, users typically memorize a portfolio of images during password creation and then must recognize their images from among decoys to log in. Humans have an exceptional ability to recognize images previously seen, even if those images were viewed very briefly. Several recognition-based graphical password schemes have been proposed in recent years.
Many graphical password authentication schemes have been designed using recognition-based techniques. We introduce only two typical schemes:
• PassFaces
• Pass-Object
3.1.1 PassFaces
In PassFaces (see Figure 2.4), users pre-select a set of images of human faces. During login, they are presented with a panel of candidate faces and have to select the face belonging to their set from among decoys. This process is repeated several times with different panels, and users must perform each round correctly in order to authenticate successfully. In the test systems, a panel consisted of 9 images, one of which belonged to the user's portfolio, and a user completed 4 rounds to log in.
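The multi-round panel login described above, as an added example that is neither the report's nor PassFaces' own code; the face identifiers and pool size are constructed. The server keeps the user's portfolio and builds each 9-image panel around one portfolio face, and a login succeeds only when all 4 rounds are answered correctly.

```python
import random

# Constructed face identifiers for this added PassFaces-style example (not the
# report's or PassFaces' own code): a pool of 40 faces. The server keeps the
# user's portfolio and builds the panels; the client only returns its choices.
FACE_POOL = [f"face{n:02d}" for n in range(40)]
PANEL_SIZE = 9   # 3x3 panel, as in the test systems described above
ROUNDS = 4       # one portfolio face is tested per round

def make_rng(seed=None):
    """Seeded for a reproducible demonstration; use secrets.SystemRandom in production."""
    return random.Random(seed)

def enroll(rng):
    """Choose the user's portfolio: ROUNDS distinct faces from the pool."""
    return rng.sample(FACE_POOL, ROUNDS)

def make_panels(portfolio, rng):
    """One panel per round: that round's portfolio face plus PANEL_SIZE-1 decoys
    drawn from faces outside the portfolio, shuffled so the answer's position varies."""
    non_portfolio = [f for f in FACE_POOL if f not in portfolio]
    panels = []
    for target in portfolio:
        panel = rng.sample(non_portfolio, PANEL_SIZE - 1) + [target]
        rng.shuffle(panel)
        panels.append(panel)
    return panels

def login(portfolio, panels, selections):
    """Authenticate only if the selection in every round is that round's target.
    All rounds are checked before answering, so a failing round is not revealed early."""
    if len(selections) != ROUNDS:
        return False
    failures = 0
    for target, panel, chosen in zip(portfolio, panels, selections):
        if chosen not in panel or chosen != target:
            failures += 1
    return failures == 0

def blind_guess_probability():
    """Probability that one attempt with no knowledge of the portfolio passes every round."""
    return (1 / PANEL_SIZE) ** ROUNDS
```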
In a study with 77 users, Valentine found that people could remember their PassFaces password over extended periods of time, with login success rates between 72% and 100%, by the third attempt for various intervals of time, up to 5 months. While users made fewer login errors (95% success rate for PassFaces), they tended to log in less frequently than users who had text passwords because the login process took too long (although no login times are reported). Davis conducted a large field study where students used one of two graphical password schemes to access class material. They implemented their own version of PassFaces, called Faces, for the study. They found that users selected predictable passwords that could be successfully guessed by attackers with little effort.