31-07-2012, 10:22 AM
IPAS: Implicit Password Authentication System
IPAS.pdf (Size: 245.66 KB / Downloads: 22)
Abstract
Authentication is the first line of defense against
compromising confidentiality and integrity. Though traditional
login/password based schemes are easy to implement, they
have been subjected to several attacks. As an alternative, token
and biometric based authentication systems were introduced.
However, they have not improved substantially to justify the
investment. Thus, a variation to the login/password scheme,
viz. graphical scheme was introduced. But it also suffered due
to shoulder-surfing and screen dump attacks. In this paper, we
introduce a framework of our proposed Implicit Password
Authentication System (IPAS).
INTRODUCTION
Authentication is a process of determining whether a
particular individual or a device should be allowed to access
a system or an application or merely an object running in a
device. This is an important process which assures the basic
security goals, viz. confidentiality and integrity. Also,
adequate authentication is the first line of defense for
protecting any resource. It is important that the same
authentication technique may not be used in every scenario.
For example, a less sophisticated approach may be used for
accessing a “chat server” compared to accessing a
corporate database. Most of the existing authentication
schemes require processing both at the client and the server
end. Thus, the acceptability of any authentication scheme
greatly depends on its robustness against attacks as well as
its resource requirement both at the client and at the server
end. The resource requirement has become a major factor
due to the proliferation of mobile and hand-held devices.
Pure Recall-Based Techniques
In this group, users need to reproduce their passwords
without any help or reminder by the system. Draw-A-Secret
technique [8], Grid selection [9], and Passdoodle [10] are
common examples of pure recall-based techniques.
In 1999, Jermyn et al. [8] proposed the DAS (Draw-A-Secret)
scheme, in which the password is a shape drawn on
a two-dimensional grid of size G * G as in Figure 1. Each
cell in this grid is represented by distinct rectangular
coordinates (x, y). The values of touch grids are stored in
temporal order of the drawing. If exact coordinates are
crossed with the same registered sequence, then the user is
authenticated. As with other pure recall-based techniques,
DAS has many drawbacks. In 2002, Goldberg [11]
conducted a survey which concluded that most users forget
their stroke order and they can remember text passwords
easier than DAS. Also, the passwords chosen by users are
vulnerable to graphical dictionary attacks and replay attacks.
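The DAS registration and verification just described, as an added example that is not from the paper: raw touch points are mapped onto a G x G grid in temporal order, the cell sequence (with pen-ups between strokes) is encoded canonically, and the server keeps only a salted PBKDF2 digest, so the check is an exact match of the registered sequence. The grid size, cell size, encoding format and the two sample drawings are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

Point = Tuple[float, float]   # raw touch coordinate in pixels
Cell = Tuple[int, int]        # grid cell (x, y), 0-based
Stroke = List[Point]          # one pen-down ... pen-up movement

GRID_SIZE = 5          # assumed G = 5, i.e. a 5 x 5 grid
CELL_PX = 40.0         # assumed: each cell is 40 x 40 pixels on the touch surface
PBKDF2_ROUNDS = 100_000


def stroke_to_cells(stroke: Stroke) -> List[Cell]:
    """Map the raw points of one stroke onto grid cells, in temporal order.
    Consecutive points inside the same cell collapse to one entry, so lingering
    inside a cell does not change the password."""
    cells: List[Cell] = []
    for x, y in stroke:
        cx, cy = int(x // CELL_PX), int(y // CELL_PX)
        if not (0 <= cx < GRID_SIZE and 0 <= cy < GRID_SIZE):
            raise ValueError(f"point {(x, y)} lies outside the {GRID_SIZE}x{GRID_SIZE} grid")
        if not cells or cells[-1] != (cx, cy):
            cells.append((cx, cy))
    return cells


def encode_drawing(strokes: List[Stroke]) -> bytes:
    """Canonical byte encoding of a drawing: cells as 'x,y' joined by ';' within a
    stroke, and '|' marking each pen-up between strokes. Because order is kept,
    the same shape drawn in a different stroke order encodes differently."""
    return "|".join(
        ";".join(f"{x},{y}" for x, y in stroke_to_cells(s)) for s in strokes
    ).encode()


def register(strokes: List[Stroke]) -> Dict[str, bytes]:
    """Registration: derive a salted PBKDF2 digest of the encoded drawing and keep
    only that, exactly as a text password would be stored."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", encode_drawing(strokes), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def verify(record: Dict[str, bytes], strokes: List[Stroke]) -> bool:
    """Authentication succeeds only if the candidate drawing crosses exactly the
    registered cells in the registered order (constant-time digest comparison)."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", encode_drawing(strokes), record["salt"], PBKDF2_ROUNDS
    )
    return hmac.compare_digest(record["digest"], candidate)


# Constructed sample input: an "L" drawn in one stroke (down, then right),
# followed by a single dot in the top-right cell as a second stroke.
REGISTERED_DRAWING: List[Stroke] = [
    [(20, 20), (20, 60), (20, 100), (20, 140), (60, 140), (100, 140)],
    [(180, 20)],
]
# Same cells, but the "L" drawn in the opposite direction (right-to-left, then up).
REVERSED_DRAWING: List[Stroke] = [
    [(100, 140), (60, 140), (20, 140), (20, 100), (20, 60), (20, 20)],
    [(180, 20)],
]

if __name__ == "__main__":
    record = register(REGISTERED_DRAWING)
    print("replay of registered drawing:", verify(record, REGISTERED_DRAWING))
    print("same shape, reversed stroke order:", verify(record, REVERSED_DRAWING))
```

The second sample shows why the survey result above matters: a user who remembers the shape but not the stroke order is rejected, because the server can only test exact equality of the ordered cell sequence against the stored digest. Hashing the sequence protects the stored secret, but it does nothing against the graphical dictionary attack the paper mentions, since the set of drawings users are likely to choose stays small.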
IMPLICIT PASSWORD AUTHENTICATION SYSTEM
In this section, we propose our Implicit Password
Authentication System. IPAS is similar to the PassPoint
scheme with some finer differences. In every “what you
know type” authentication scheme we are aware of, the
server requests the user to reproduce the fact given to the
server at the time of registration. This is also true in
graphical passwords such as PassPoint. In IPAS, we
consider the password as a piece of information known to
the server at the time of registration; at the time of
authentication, the user gives this information in an implicit
form that can be understood only by the server. We explain
this through a Mobile Banking case-study.
Case Study of IPAS (Mobile Banking)
In our case study, we consider mobile banking as our
domain. However, our proposed IPAS may also be
implemented in any client-server environment, where we
need to authenticate a human as a client (IPAS will not work
in machine-to-machine authentication). We also assume that
the server has enough hardware resources like RAM and
CPU. This is not unrealistic as high-end servers are
becoming cheaper day-by-day. The bank may have a
database of 100 to 200 standard questions. During the time
of registration, a user should pick 10-20 questions from the
database (depending upon the level of security required) and
provide answers to the selected questions.
CONCLUSION AND FUTURE DIRECTIONS
In this paper, we have proposed a new Implicit Password
Authentication System where the authentication information
is implicitly presented to the user. If the user “clicks” the
same grid-of-interest as the one held by the server, the user is
implicitly authenticated. No password information is
exchanged between the client and the server in IPAS. Since
the authentication information is conveyed implicitly, IPAS
can tolerate shoulder-surfing and screen dump attack, which
none of the existing schemes can tolerate. The strength of
IPAS lies in creating a good authentication space with a
sufficiently large collection of images to avoid short
repeating cycles. Compared to other methods reviewed in
our paper, IPAS may require human-interaction and careful
selection of images and “click” regions. IPAS may also
need user training.