
IPAS: Implicit Password Authentication System



INTRODUCTION

Authentication is a process of determining whether a
particular individual or a device should be allowed to access
a system or an application or merely an object running in a
device. This is an important process which assures the basic
security goals, viz. confidentiality and integrity. Also,
adequate authentication is the first line of defense for
protecting any resource. It is important to note that the same
authentication technique need not be used in every scenario.
For example, a less sophisticated approach may be used for
accessing a “chat server” compared to accessing a
corporate database. Most of the existing authentication
schemes require processing both at the client and the server
end. Thus, the acceptability of any authentication scheme
greatly depends on its robustness against attacks as well as
its resource requirement both at the client and at the server
end. The resource requirement has become a major factor
due to the proliferation of mobile and hand-held devices.



Recall-Based Systems

In recall-based systems, the user is asked to reproduce
something that he/she created or selected earlier during the
registration phase. Recall based schemes can be broadly
classified into two groups, viz: pure recall-based technique
and cued recall-based technique.

Pure Recall-Based Techniques

In this group, users need to reproduce their passwords
without any help or reminder by the system. Draw-A-Secret
technique [8], Grid selection [9], and Passdoodle [10] are
common examples of pure recall-based techniques.
In 1999, Jermyn et al. [8] proposed the DAS (Draw-A-Secret)
scheme, in which the password is a shape drawn on
a two-dimensional grid of size G * G as in Figure 1. Each
cell in this grid is represented by distinct rectangular
coordinates (x, y). The touched cells are stored in the
temporal order of the drawing.


Cued Recall-Based Techniques

In this technique, the system gives some hints which
help users to reproduce their passwords with high accuracy.
These hints will be presented as hot spots (regions) within
an image. The user has to choose some of these regions to
register as their password and they have to choose the same
region following the same order to log into the system. The
user must remember the “chosen click spots” and keep them
secret. There are many implementations, such as Blonder
algorithm [12] and PassPoint scheme [13].


PROBLEMS WITH THE EXISTING SCHEMES

Traditional alphanumeric passwords are always
vulnerable to guessing and dictionary attack. There may
even be a rogue program that may record the key strokes
and publish it on a remote website. In order to overcome the
key logger based attacks, newer systems may show a
graphical keyboard and the user has to press the correct
password using “mouse clicks”. This may also be defeated
if the attacker uses a screen capture mechanism, rather than
using a key logger. Since newer video codecs provide
higher compression ratios, an attacker may use a screen
capture program to record a short video clip and send it to
a remote server for publishing.


IPAS Implementation Framework
The bank will have a set of 100 to 200 questions. Every
user selects a set of 10 to 20 questions at the time of
registration and provides their individual answer. For each
question, the system then either creates an authentication
space (the space that represents implicit answers for the
questions using images) if it is not available, or adds the new
user’s answer to the existing authentication space. Once the
authentication space is created, the system is ready for
authenticating a user.


Abstract

Authentication is the first line of defense against
compromising confidentiality and integrity. Though traditional
login/password based schemes are easy to implement, they
have been subjected to several attacks. As an alternative, token
and biometric based authentication systems were introduced.
However, they have not improved substantially to justify the
investment. Thus, a variation to the login/password scheme,
viz. graphical scheme was introduced. But it also suffered due
to shoulder-surfing and screen dump attacks. In this paper, we
introduce a framework of our proposed (IPAS) Implicit
Password Authentication System.



Pure Recall-Based Techniques

In DAS [8], the user is authenticated only if the login drawing
crosses exactly the registered cells in the registered sequence.
As with other pure recall-based techniques, DAS has many
drawbacks. In 2002, Goldberg [11] conducted a survey which
concluded that most users forget their stroke order and
remember text passwords more easily than DAS. Also, the
passwords chosen by users are vulnerable to graphical
dictionary attacks and replay attacks.
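Both recall schemes reviewed above reduce to comparing an ordered sequence of discrete tokens: DAS compares the exact cells crossed on a G x G grid (pure recall), PassPoint-style schemes compare click spots against registered hot spots with a tolerance (cued recall). The following Python is an added illustration, not code from the paper or from Jermyn et al.; it assumes a drawing arrives as a list of strokes in grid units, models the pen-up between strokes as a sentinel cell, and treats a PassPoint region as a circle of a fixed tolerance radius around the registered click.

```python
from math import hypot
from typing import List, Tuple

Cell = Tuple[int, int]
Point = Tuple[float, float]

# Sentinel recorded between strokes. DAS keeps stroke breaks as part of
# the secret; modelling them as an out-of-grid cell is an assumption here.
PEN_UP: Cell = (-1, -1)


def das_encode(strokes: List[List[Point]], g: int) -> List[Cell]:
    """Convert a drawing on a g x g grid into the ordered list of cells it
    touches. Consecutive points inside one cell collapse to a single entry,
    so the encoding depends on the path drawn, not on the sampling rate."""
    cells: List[Cell] = []
    for i, stroke in enumerate(strokes):
        if i > 0:
            cells.append(PEN_UP)
        for x, y in stroke:
            if not (0 <= x < g and 0 <= y < g):
                raise ValueError(f"point {(x, y)} lies outside the {g}x{g} grid")
            cell = (int(x), int(y))
            if not cells or cells[-1] != cell:
                cells.append(cell)
    return cells


def das_verify(registered: List[Cell], strokes: List[List[Point]], g: int) -> bool:
    """Pure recall: the login drawing must cross exactly the registered
    cells in the registered order. No tolerance is applied."""
    return das_encode(strokes, g) == registered


def passpoints_verify(registered: List[Point], clicks: List[Point],
                      tolerance: float) -> bool:
    """Cued recall: each click must land within `tolerance` pixels of the
    corresponding registered click spot, in the same order. Swapping two
    otherwise correct spots therefore fails."""
    if len(registered) != len(clicks):
        return False
    return all(hypot(rx - cx, ry - cy) <= tolerance
               for (rx, ry), (cx, cy) in zip(registered, clicks))


def das_sequence_bound(g: int, length: int) -> int:
    """Upper bound on the number of DAS cell sequences of `length` cells
    (each position is one of g*g cells; adjacency of consecutive cells in a
    stroke makes the true count smaller). A 5x5 grid and four cells gives
    under 400,000 candidates, which is why user-chosen DAS secrets are
    exposed to the graphical dictionary attacks mentioned in the text."""
    return (g * g) ** length


# Constructed sample: a registration drawing and registered click spots.
REGISTERED_STROKES = [[(0.2, 0.5), (1.3, 0.6), (2.1, 0.4)], [(2.5, 2.5)]]
REGISTERED_CELLS = das_encode(REGISTERED_STROKES, 5)
REGISTERED_CLICKS = [(100.0, 50.0), (300.0, 220.0)]
```

A login drawing that follows the same three cells and then lifts the pen before the fourth matches, even though its sample points differ; drawing the same four cells in a single stroke fails because the pen-up token is missing. For PassPoint, two clicks a few pixels off still pass within the tolerance, while the same two clicks in reverse order do not.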

IMPLICIT PASSWORD AUTHENTICATION SYSTEM

In this section, we propose our Implicit Password
Authentication System. IPAS is similar to the PassPoint
scheme with some finer differences. In every “what you
know type” authentication scheme we are aware of, the
server requests the user to reproduce the fact given to the
server at the time of registration. This is also true in
graphical passwords such as PassPoint. In IPAS, we
consider the password as a piece of information known to
the server at the time of registration and at the time of
authentication, the user gives this information in an implicit
form that can be understood only by the server. We explain
this through a Mobile Banking case-study.

Study Case of IPAS (Mobile Banking)

In our case study, we consider mobile banking as our
domain. However, our proposed (IPAS) may also be
implemented in any client-server environment, where we
need to authenticate a human as a client (IPAS will not work
in machine-to-machine authentication). We also assume that
the server has enough hardware resources like RAM and
CPU. This is not unrealistic, as high-end servers are
becoming cheaper day by day. The bank may have a
database of 100 to 200 standard questions. During the time
of registration, a user should pick 10-20 questions from the
database (depending upon the level of security required) and
provide answers to the selected questions.
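The registration and login flow described in the IPAS framework and the mobile banking case study (a question bank, a per-question authentication space of images, and the user answering by clicking the region that implicitly depicts their stored answer) can be simulated end to end. The Python below is an added example, not the paper's implementation; the question bank, image names, region ids and the `depicts` mapping are all constructed here, and the rule that every image in a question's space must contain a region for each registered answer is an assumption needed to make challenges answerable. The paper's 10-20 questions per user is kept as a parameter and lowered to 2 for the sample.

```python
import secrets
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Tuple


@dataclass
class Image:
    """One image in an authentication space. `regions` are the click targets
    (grid cells or hot spots); `depicts` records which answer each region
    implicitly stands for. Regions absent from `depicts` are decoys."""
    image_id: str
    regions: List[str]
    depicts: Dict[str, str]  # region id -> answer it represents


@dataclass
class IPASServer:
    questions: Dict[str, str]               # question id -> question text
    auth_space: Dict[str, List[Image]]      # question id -> images for it
    min_questions: int = 10                 # paper: 10-20 questions per user
    rng: Any = field(default_factory=secrets.SystemRandom)
    users: Dict[str, Dict[str, str]] = field(default_factory=dict)
    sessions: Dict[str, Tuple[str, str, str]] = field(default_factory=dict)

    def register(self, user: str, answers: Dict[str, str]) -> None:
        """Store the user's answers. Each answer must be representable by a
        region in every image of that question's space (assumption), or the
        server could later show an image the user cannot answer on."""
        if len(answers) < self.min_questions:
            raise ValueError(f"select at least {self.min_questions} questions")
        for qid, answer in answers.items():
            images = self.auth_space.get(qid)
            if not images:
                raise ValueError(f"no authentication space for question {qid}")
            for img in images:
                if answer not in img.depicts.values():
                    raise ValueError(f"{img.image_id} cannot represent the answer to {qid}")
        self.users[user] = dict(answers)

    def image(self, qid: str, image_id: str) -> Image:
        return next(i for i in self.auth_space[qid] if i.image_id == image_id)

    def challenge(self, user: str) -> Tuple[str, str, str, List[str]]:
        """Pick one of the user's questions and a random image from its
        space. Only the question, image id and region ids go to the client;
        the stored answer never leaves the server."""
        qid = self.rng.choice(sorted(self.users[user]))
        img = self.rng.choice(self.auth_space[qid])
        token = secrets.token_hex(16)
        self.sessions[token] = (user, qid, img.image_id)
        return token, self.questions[qid], img.image_id, list(img.regions)

    def respond(self, token: str, region: str) -> bool:
        """The client returns a region id only. Authentication succeeds iff
        that region depicts the answer given at registration. Tokens are
        single-use, so a response cannot be submitted twice."""
        entry = self.sessions.pop(token, None)
        if entry is None:
            return False
        user, qid, image_id = entry
        img = self.image(qid, image_id)
        return img.depicts.get(region) == self.users[user][qid]

    def challenge_space(self, user: str) -> int:
        """Distinct (question, image) challenges this user can be shown.
        A small value means short repeating cycles: an observer who records
        a few sessions learns which region to click on each image."""
        return sum(len(self.auth_space[q]) for q in self.users[user])


def human_click(img: Image, answer: str) -> Optional[str]:
    """Stand-in for the user recognising their own answer in the picture
    and clicking it; nothing secret is typed or transmitted."""
    return next((r for r, a in img.depicts.items() if a == answer), None)


def demo_server() -> IPASServer:
    """Constructed sample bank: two questions with two images each; the
    same answer sits in a different region of every image."""
    questions = {"q1": "What colour was your first car?",
                 "q2": "Which pet did you keep as a child?"}
    space = {
        "q1": [Image("street.png", ["c1", "c2", "c3", "c4"],
                     {"c1": "red", "c2": "blue", "c3": "green"}),
               Image("garage.png", ["c1", "c2", "c3", "c4"],
                     {"c4": "red", "c2": "blue", "c1": "green"})],
        "q2": [Image("farm.png", ["c1", "c2", "c3"],
                     {"c1": "dog", "c2": "cat", "c3": "fish"}),
               Image("park.png", ["c1", "c2", "c3"],
                     {"c3": "dog", "c1": "cat", "c2": "fish"})],
    }
    return IPASServer(questions, space, min_questions=2)
```

The wire exchange is a question, an image id and a list of region ids one way, and a single region id back; a shoulder-surfer or screen dump sees only which region was clicked on that particular image. What the observer does learn is one (image, region) pair, so the protection against replay is the size of the image collection, which `challenge_space` makes explicit: the sample bank yields only four distinct challenges per user, far too few for real use.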

CONCLUSION AND FUTURE DIRECTIONS

In this paper, we have proposed a new Implicit Password
Authentication System where the authentication information
is implicitly presented to the user. If the user “clicks” the
same grid-of-interest that the server expects, the user is
implicitly authenticated. No password information is
exchanged between the client and the server in IPAS. Since
the authentication information is conveyed implicitly, IPAS
can tolerate shoulder-surfing and screen dump attack, which
none of the existing schemes can tolerate. The strength of
IPAS lies in creating a good authentication space with a
sufficiently large collection of images to avoid short
repeating cycles. Compared to other methods reviewed in
our paper, IPAS may require human interaction and careful
selection of images and “click” regions. IPAS may also
need user training.