Authentication Schemes for Session Passwords using Color and Images



INTRODUCTION

The most common method used for authentication is the textual password. The vulnerabilities of
this method, such as eavesdropping, dictionary attacks, social engineering and shoulder surfing,
are well known. Random and lengthy passwords can make the system secure, but the main
problem is the difficulty of remembering those passwords. Studies have shown that users tend
to pick short passwords or passwords that are easy to remember. Unfortunately, these
passwords can be easily guessed or cracked. The alternative techniques are graphical passwords
and biometrics, but these two techniques have their own disadvantages. Biometrics, such as
fingerprints, iris scans or facial recognition, have been introduced but not yet widely adopted.
The major drawback of this approach is that such systems can be expensive and the
identification process can be slow. Many graphical password schemes have been
proposed in the last decade, but most of them suffer from shoulder surfing, which is becoming
quite a big problem. Some graphical password schemes that have been proposed are
resistant to shoulder surfing, but they have their own drawbacks, such as usability issues, taking
more time for the user to log in, or having tolerance levels. Personal Digital Assistants (PDAs) are being
used by people to store their personal and confidential information, like passwords and PIN
numbers. Authentication should be provided for the usage of these devices.
International Journal of Network Security & Its Applications (IJNSA), Vol.3,
In this paper, two new authentication schemes are proposed for PDAs. These schemes
authenticate the user by session passwords. Session passwords are passwords that are used only
once. Once the session is terminated, the session password is no longer useful. For every login
process, users input different passwords. Session passwords provide better security against
dictionary and brute-force attacks because the password changes for every session. The proposed
authentication schemes use text and colors for generating session passwords.
This paper is organized as follows: in section 2 related work is discussed; in section 3 the new
authentication schemes are introduced; security analysis is done in section 4; the conclusion is
presented in section 5.

RELATED WORK

Dhamija and Perrig [1] proposed a graphical authentication scheme where the user has
to identify pre-defined images to prove the user’s authenticity. In this system, the user selects a
certain number of images from a set of random pictures during registration. Later, during login,
the user has to identify the preselected images for authentication from a set of images, as shown
in figure 1. This system is vulnerable to shoulder surfing.
Figure 1: Random images used by Dhamija and Perrig
Passface [2] is a technique where the user sees a grid of nine faces and selects the one face
they previously chose, as shown in figure 2. Here, the user chooses four images of
human faces as their password and has to select each pass image from among eight other
decoy images. Since there are four user-selected images, this is done four times.
Figure 2: Example of Passfaces
Jermyn et al. [3] proposed a new technique called “Draw-a-Secret” (DAS), as shown in figure
3, where the user is required to re-draw the pre-defined picture on a 2D grid. If the drawing
touches the same grids in the same sequence, then the user is authenticated. This authentication
scheme is vulnerable to shoulder surfing.
Figure 3: DAS technique by Jermyn
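The DAS matching rule described above (same grid cells, same sequence) can be made concrete with a short sketch. This is an added example, not code from the paper or from Jermyn et al.; the 5x5 grid, the 50-pixel cell size, the `PEN_UP` stroke separator, the function names and the sample drawings are all assumptions made for illustration.

```python
import hashlib
import hmac

PEN_UP = (-1, -1)  # assumed marker that separates strokes in the encoding

def encode_drawing(strokes, cell=50, grid=5):
    """Turn strokes (lists of (x, y) pixel points) into the ordered list of
    grid cells they touch, with a PEN_UP marker after each stroke."""
    seq = []
    for stroke in strokes:
        last = None
        for x, y in stroke:
            c = (int(x // cell), int(y // cell))
            if not (0 <= c[0] < grid and 0 <= c[1] < grid):
                raise ValueError("point outside the drawing grid")
            if c != last:          # staying inside one cell adds nothing
                seq.append(c)
                last = c
        seq.append(PEN_UP)
    return seq

def das_template(strokes):
    # Store a digest of the cell sequence, not the drawing itself.
    # (A deployment would use a salted, slow KDF; SHA-256 keeps this short.)
    return hashlib.sha256(repr(encode_drawing(strokes)).encode()).hexdigest()

def das_verify(template, strokes):
    # Constant-time comparison of the stored and freshly computed digests.
    return hmac.compare_digest(template, das_template(strokes))

# Constructed sample drawings on a 5x5 grid of 50-pixel cells.
ENROLLED = [[(10, 10), (60, 10), (110, 10)], [(110, 110), (110, 160)]]
SHAKY    = [[(20, 30), (45, 40), (70, 20), (140, 45)], [(120, 120), (130, 190)]]
REVERSED = [[(110, 10), (60, 10), (10, 10)], [(110, 110), (110, 160)]]
DRIFTED  = [[(10, 10), (60, 51), (110, 10)], [(110, 110), (110, 160)]]

if __name__ == "__main__":
    t = das_template(ENROLLED)
    for name, d in [("shaky", SHAKY), ("reversed", REVERSED), ("drifted", DRIFTED)]:
        print(name, das_verify(t, d))
```

The shaky redraw is accepted because it crosses the same cells in the same order, while the reversed stroke and the drawing that drifts one pixel across a cell boundary are rejected, which is the usability cost of exact cell matching.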
Syukri [4] developed a technique where authentication is done by drawing the user's
signature using a mouse, as shown in figure 4. This technique includes two stages, registration
and verification. In the registration stage the user draws his signature with a mouse,
after which the system extracts the signature area. In the verification stage it takes the user
signature as input, does the normalization and then extracts the parameters of the signature.
The disadvantage of this technique is the forgery of signatures. Drawing with a mouse is not
familiar to many people, so it is difficult to draw the signature in the same perimeters as at the time
of registration.
Figure 4: Signature technique by Syukri
Blonder [5] designed a graphical password scheme where the user must click on the
approximate areas of pre-defined locations. Passlogix [6] extended this scheme by allowing the
user to click on various items in the correct sequence to prove their authenticity.
Haichang et al. [7] proposed a new shoulder-surfing resistant scheme, as shown in figure 5,
where the user is required to draw a curve across their password images in order rather than
clicking on them directly. This graphical scheme combines DAS and Story schemes to provide
authenticity to the user.
describes a graphical password entry scheme using the convex hull method
against shoulder-surfing attacks, as shown in figure 6. A user needs to recognize pass-objects
and click inside the convex hull formed by all the pass-objects. In order to make the password
hard to guess, a large number of objects can be used, but this will make the display very crowded and
the objects almost indistinguishable; using fewer objects may lead to a smaller password
space, since the resulting convex hull can be large.
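To make the convex hull check and its guessing risk concrete, the following added example (not code from the paper or from the scheme's authors) builds the hull of the pass-object positions, tests whether a click is accepted, and estimates how often a blind random click lands inside the hull. The function names, the 800x600 screen, the uniformly random object placement and the sample layout are assumptions.

```python
import random

def cross(o, a, b):
    # z-component of (a - o) x (b - o); > 0 means o -> a -> b turns left
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])

def convex_hull(points):
    """Andrew's monotone chain: hull vertices in counter-clockwise order."""
    pts = sorted(set(points))
    if len(pts) < 3:
        return pts
    def half(seq):
        chain = []
        for p in seq:
            while len(chain) >= 2 and cross(chain[-2], chain[-1], p) <= 0:
                chain.pop()
            chain.append(p)
        return chain[:-1]
    return half(pts) + half(reversed(pts))

def click_accepted(hull, click):
    """A login click passes if it lies inside or on the pass-object hull."""
    n = len(hull)
    return n >= 3 and all(
        cross(hull[i], hull[(i + 1) % n], click) >= 0 for i in range(n))

def hull_area(hull):
    # Shoelace formula for the area of a simple polygon
    n = len(hull)
    return abs(sum(hull[i][0] * hull[(i + 1) % n][1]
                   - hull[(i + 1) % n][0] * hull[i][1] for i in range(n))) / 2

def blind_click_rate(n_pass, width=800, height=600, trials=2000, seed=1):
    """Mean share of the screen covered by the hull of n_pass randomly placed
    pass-objects, i.e. the chance that a uniformly random click is accepted."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        objs = [(rng.uniform(0, width), rng.uniform(0, height))
                for _ in range(n_pass)]
        total += hull_area(convex_hull(objs)) / (width * height)
    return total / trials

# Constructed layout: four pass-objects at the corners, one in the middle.
SAMPLE_HULL = convex_hull([(0, 0), (10, 0), (10, 10), (0, 10), (5, 5)])

if __name__ == "__main__":
    print(click_accepted(SAMPLE_HULL, (5, 5)), click_accepted(SAMPLE_HULL, (11, 5)))
    for k in (3, 5, 8):
        print(k, "pass-objects: blind click accepted", round(blind_click_rate(k), 3))
```

The estimate shows why hull size matters to a defender: the larger the hull relative to the screen, the more often a click made without knowing any pass-object is accepted in a single round.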