INTERNATIONAL JOURNAL OF ELECTRICAL, ELECTRONICS AND COMPUTER SYSTEMS (IJEECS), Volume 1, Issue 2, April 2011. ISSN: 2221-7258(Print) ISSN: 2221-7266 (Online) www.ijeecs.org

Modified schemes for authentication based on shape and text

M. SREELATHA and M. SHASHI

Abstract— Textual passwords are vulnerable to attacks like eavesdropping, dictionary attacks, shoulder surfing and hidden cameras. Simple graphical authentication schemes, which are an alternative to text-based schemes, are also vulnerable. Authentication schemes using both graphical and textual passwords are preferable to graphical schemes alone or textual schemes alone. Hybrid password authentication schemes are resistant to eavesdropping, shoulder surfing and secret cameras. Some advanced schemes are proposed for the hybrid authentication scheme based on shape and text to make it more secure.

Index Terms— Hybrid password authentication scheme, Shape and text, Shape based authentication, Textual passwords

1 INTRODUCTION

User authentication is the first step of security. Textual passwords are the first choice for authentication by humans. Generally, users select short passwords so that they are easy to remember, but such passwords are very easy to crack. Strong text-based passwords can be selected, but they are difficult to remember. Graphical authentication schemes are considered as alternatives to text-based passwords because humans remember images better than text. Graphical schemes use either images or shapes for authentication. But simple graphical authentication schemes are vulnerable to shoulder surfing and secret cameras. User authentication schemes based on both images and text are resistant to those attacks. Users have to remember the shapes and strokes, which is easier than remembering the text. Zheng et al proposed a hybrid password authentication scheme based on shape and text. The basic idea is to map shape to text with the strokes of the shape and a grid with text. Users select some shapes and their strokes as their original password and enter the characters in the grid as the password for authentication. This paper discusses the authentication scheme proposed by Zheng et al [13] and proposes some advanced schemes for this authentication scheme to make it more secure.

————————————————

• M Sreelatha is with the Department of Computer Science and Engineering, RVR & JC College of Engineering, Guntur, A.P. E-mail: lathamoturi@rediffmail.com
• M Sashi is with the Department of Computer Science and System Engineering, Andhra University College of Engineering, Visakhapatnam, A.P. E-mail: [email protected]

This paper is organized as follows: Related work is discussed in section 2. In section 3, the authentication scheme based on shape and text is discussed. Advanced schemes are explored in section 4. In section 5, conclusion and future work are discussed.

2 RELATED WORK

Graphical password schemes have been proposed as a possible alternative to text-based schemes, motivated partially by the fact that humans can remember pictures better than text. There exist various approaches that focus on graphical authentication schemes. Blonder [1] designed a graphical password scheme in which a password is created by having the user click on several locations on an image. During authentication, the user must click on the approximate areas of the locations. Dhamija and Perrig [2] proposed a graphical authentication scheme in which the user selects a certain number of images from a set of random pictures. Later, the user has to identify the preselected images for authentication. Jansen [4], [5] proposed a graphical password scheme for mobile devices. During password creation, a user selects a theme consisting of photos in thumbnail size and sets a sequence of pictures as a password. During authentication, the user must recognize the images in the correct order. Each thumbnail image is assigned a numerical value, thus the sequence of the chosen images creates a numerical password. As the number of images is limited to 30, the password space of this scheme is not large. Weinshall and Kirkpatrick [10] proposed several authentication schemes such as picture recognition, object recognition and pseudo word recognition and conducted user studies on these. The results declared that pictures are more effective than the other two proposed schemes.

Goldberg [3] designed a technique known as “passdoodle”. This is a graphical password authentication scheme using a handwritten design or text, usually drawn with a stylus onto a touch sensitive screen. Jermyn et al [6] proposed a technique called “Draw A Secret” (DAS) where a user draws the password on a 2D grid. The coordinates of this drawing on the grid are stored in order. During authentication, the user must redraw the picture. The user is authenticated if the drawing touches the grid in the same order. All these graphical authentication schemes are vulnerable to shoulder surfing.

To overcome the shoulder-surfing problem, many techniques were proposed. Zhao and Li [12] proposed a shoulder-surfing resistant scheme, “S3PAS”. The main idea of the scheme is as follows. In the login stage, users must find their original text passwords in the login image and click inside the invisible triangle region. The system integrates both graphical and textual password schemes and has a high level of security. Man et al [8] proposed another shoulder-surfing resistant technique. In this scheme, a user chooses many images as the pass-objects. The pass-objects have variants and each of them is assigned a unique code. In the authentication stage, the user must type the unique codes of the pass-object variants in the scenes provided by the system. Although the scheme shows perfect results in resisting hidden cameras, it requires the user to remember the codes of the pass-object variants. Luca et al [7] proposed a stroke based shape password for ATMs. They argued that using shapes will allow more complex and more secure authentication with a lower cognition load. More graphical password schemes have been summarized in a recent survey paper [9]. Zheng et al [13] designed a hybrid password scheme based on shape and text. The basic concept is mapping shape to text with the strokes of the shape and a grid with text.
The user has to select a shape which can be a number, character, geometric shape or a random shape. But selecting simple and common shapes makes the process easy for the intruder. Though the random and arbitrary shapes are strong, it is difficult for the user to remember them. Naturally, users remember their native language passwords better than any other standard language. This paper focuses on authentication based on native language passwords.

2.3 Hybrid authentication scheme based on shape and text

The authentication scheme consists of two steps: the password creation step and the login step.

Password creation : In the first step, the user creates a password for his authentication. The user selects a shape S as his own original password. After selection of the password shape, the user should click on the interface grid following the shape’s stroke sequence as in fig:1. The system stores the sequence of the cells as the shape of the user’s password.

Fig 1: password set interface

Login step : During login, a grid is displayed on the interface. The grid is displayed with some symbols such as {0,1} in each cell.

Fig 2: Interface grid

For authentication, the user has to enter the password. The user follows the order of cells chosen for the password and enters the symbols in those cells as the password. Suppose the user enters {1100110110011} as the password. The system checks whether the password entered matches the symbols of the cells of the selected password. If the password is correct, the user is authenticated. For example, the interface grid is displayed as in fig:2 and the user has chosen the character N as his shape for the password. Then, the user has to enter {1100110110011} as his password. The shape S of the original password can be of different types. Users can select any type, such as a geometric shape, a number shape or any arbitrary shape, as the password.

Fig 3 : original stroke on the interface

4 ADVANCED SCHEMES

Instead of entering the password directly, we can make a few modifications that make the authentication system more secure.

4.1 Inverted password

Every bit of the password is inverted to misguide the intruder. For the actual password {1111} (fig:4), which consists of two strokes a & b, the user enters {0000} after inverting every bit. Some of the possible strokes are given in fig:5 (three possibilities i, ii and iii are shown). The authentication system converts the password to {1111} and then verifies the password.

Fig 4 : strokes for password {1111}

Suppose the actual password for the user for this login interface is {1111}, and the grid sequence is {(1,1),(2,2),(4,2),(5,1)}. If the user enters the password as {1111}, then the intruder tries all possible combinations, which include the actual password. If the user inverts the password, then the password is {0000}. For this, the intruder verifies all possible combinations, which do not contain the actual password. For the inverted password {0000}, many strokes are possible; some of the possible passwords are shown in fig 5. Table 1 shows the list of grid cells for the possible strokes.

Fig 5: possible strokes for password {0000}

Sno   First stroke   Second stroke
1     (1,3),(1,2)    (2,1),(3,1)
2     (1,3),(2,4)    (3,4),(3,5)
3     (3,3),(4,3)    (5,3),(5,4)

Table 1: list of strokes for possible passwords

4.2 Alternate redundant bits

Redundant bits in the password give wrong information to the intruder, which makes his efforts fail. In order to increase the password length, the user can add a redundant bit after every bit in the password. For the actual password {1111}, the user can enter {1010101}, which increases the password space and makes cracking the password difficult. Two possible shapes are given in fig:6 and fig:7.

Fig 6 : A possible shape with {1010101}

There are three strokes and the sequence of the strokes is { {(1,1),(1,2)}, {(2,5),(3,5),(4,5)}, {(5,2),(5,1)} }.

Fig 7: another possible shape with {1010101}

In this example, the password consists of three strokes and the list of grid cells of these three strokes shown in fig 7 is { {(1,4),(2,4)}, {(2,3),(2,4),(2,5)}, {(3,4),(4,4)} }. Two other possibilities are listed in table 2.

Sno   First stroke   Second stroke        Third stroke
1     (1,1),(1,2)    (2,3),(3,4),(4,5)    (5,2),(5,1)
2     (5,1),(5,2)    (4,5),(3,5),(2,5)    (1,2),(1,1)
3     (5,5),(5,4)    (4,4),(3,3),(2,2)    (1,2),(1,1)

Table 2 : some other possible shapes

4.3 Padding : The user can increase the password length by adding redundant bits at the beginning or at the end. For the actual password {1111}, suppose {001} is added, making the password {1111001}. Two possible shapes are given in fig:8 and fig:9.

Fig 8 : one possible shape for {1111001}

Fig 9: Another possible shape for {1111001}

The password in fig 8 consists of two strokes and the sequence is { {(1,1),(2,2),(2,3),(1,4)}, {(5,3),(5,4),(5,5)} }. The shape shown in fig 9 consists of three strokes and the sequence may be { {(4,1),(4,2)}, {(4,5),(4,4)}, {(4,3),(3,3),(2,3)} } or { {(4,5),(4,4)}, {(4,1),(4,2)}, {(4,3),(3,3),(2,3)} }.

4.1 Repetition of cells : Cells can be repeated to represent a required shape, which complicates the detection of the password by increasing the password space. For the password {110010}, the cell (2,2) occurs twice (fig:10). The possible shapes for the password {1111} are given in fig 11. Without repetition of cells, the maximum length of the password is 25. But with repetition of cells there is no limit on the length of the password.

Fig 10: Strokes for password {110010}

Fig 11: Strokes for password {1111}

The list of grid cells for the two possible shapes is given in table 3.

Sno   First stroke   Second stroke
1     (3,2),(4,1)    (4,1),(4,2)
2     (1,4),(1,5)    (1,5),(2,5)

Table 3: strokes for password {1111}

4.4 Flip-flops : If the shape of the character contains two strokes, then the data of one stroke can be entered as it appears in the login interface grid and the data of the second stroke can be inverted to make the authentication scheme more secure. For the password {1111}, in fig:12 the first stroke is inverted and in fig:13 the second stroke is inverted. If the intruder has information about inversion, he has no idea which part is inverted and he has to verify all the possibilities.

Fig 12: Some of the possible strokes for {0011}

The possible strokes for the password in fig 12 are shown in table 4 and those for fig 13 are shown in table 5.

Sno   First stroke   Second stroke
1     (1,3),(2,4)    (4,2),(5,1)
2     (2,4),(3,5)    (4,2),(5,1)
3     (3,3),(3,4)    (4,2),(5,1)
4     (5,3),(5,4)    (4,2),(5,1)

Table 4 : possible strokes for {0011}

Fig 13: Some of the possible strokes for {1100}

Sno   First stroke   Second stroke
1     (1,1),(2,2)    (1,2),(1,3)
2     (1,1),(2,2)    (2,4),(3,4)
3     (1,1),(2,2)    (4,3),(5,2)
4     (1,1),(2,2)    (5,3),(5,4)

Table 5 : possible strokes for {1100}

4.4 Column-wise/row-wise : Instead of following the shape of the character, the bits in the password can be entered row-wise or column-wise, which makes the intruder's activity difficult. For the password {0011}, the actual sequence of grid cells is { (5,3), (4,3), (4,2), (4,1) } (fig:16). But with row-wise representation the sequence becomes { (4,1), (4,2), (4,3), (5,3) }. For the password {1100} (fig:17), the actual sequence of grid cells is { (2,2), (2,3), (1,3), (1,2) }. But with column-wise representation, the sequence becomes { (1,2), (2,2), (1,3), (2,3) }.

Fig 16: password shape with {0011}

SERVER OPTIONS : The authentication server can provide these options to the user for selection of the password. The user can select one of the techniques discussed above for password creation. An internal intruder has complete knowledge of the options, but he has no idea which option is selected by the user. He then has to explore every option in order to break the system, which is a tedious job. An external intruder may not have any idea of the options for password creation. Even if he has an idea of the options, it is not easy to break the system.
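The login check of section 2.3 combined with the server options of section 4, as an added example (not code from this paper or from Zheng et al): the server reads the symbols under the enrolled strokes, undoes the option the user selected, and compares. Assumptions: a 5x5 grid regenerated at random for every login, redundant and padding bits that the server ignores, and a `param` value (pad side and length, or index of the inverted stroke) stored at enrolment; the function names and the sample grid are constructed for illustration.

```python
import hmac
import secrets

GRID = 5  # assumption: 5x5 grid, cells written as (row, col) counted from 1

def new_grid():
    """Login challenge: a random symbol from {0,1} in every cell (assumed fresh per login)."""
    return {(r, c): secrets.choice("01")
            for r in range(1, GRID + 1) for c in range(1, GRID + 1)}

def invert(bits):
    return bits.translate(str.maketrans("01", "10"))

def verify(grid, strokes, option, response, param=None):
    """Check a typed response against the enrolled shape under one server option.

    strokes: enrolled shape, a list of strokes, each a list of cells in click order
    option : "plain", "inverted", "alternate", "padding" or "flipflop"
    param  : ("front" | "end", count) for padding, stroke index for flipflop
    """
    if not response or set(response) - {"0", "1"}:
        return False
    per_stroke = ["".join(grid[cell] for cell in s) for s in strokes]
    expected = "".join(per_stroke)       # what the unmodified scheme expects
    n = len(expected)
    if option == "plain":
        candidate = response
    elif option == "inverted":           # 4.1: every bit is flipped
        candidate = invert(response)
    elif option == "alternate":          # 4.2: one redundant bit between real bits
        if len(response) != 2 * n - 1:
            return False
        candidate = response[::2]        # redundant bits carry no information
    elif option == "padding":            # 4.3: redundant bits at one end
        side, count = param
        if len(response) != n + count:
            return False
        candidate = response[count:] if side == "front" else response[:n]
    elif option == "flipflop":           # 4.4: exactly one stroke is inverted
        candidate = response
        expected = "".join(invert(s) if i == param else s
                           for i, s in enumerate(per_stroke))
    else:
        raise ValueError(f"unknown option: {option}")
    return hmac.compare_digest(candidate, expected)

def sample_grid():
    """Constructed grid in which the paper's example shape reads {1111}."""
    grid = {(r, c): str((r * c) % 2)
            for r in range(1, GRID + 1) for c in range(1, GRID + 1)}
    for cell in [(1, 1), (2, 2), (4, 2), (5, 1)]:
        grid[cell] = "1"
    return grid

# Example sequence {(1,1),(2,2),(4,2),(5,1)} from section 4.1; the split into
# strokes a and b is taken from the stroke columns of Tables 4 and 5.
STROKES = [[(1, 1), (2, 2)], [(4, 2), (5, 1)]]

if __name__ == "__main__":
    g = sample_grid()
    for opt, resp, p in [("plain", "1111", None), ("inverted", "0000", None),
                         ("alternate", "1010101", None),
                         ("padding", "1111001", ("end", 3)),
                         ("flipflop", "0011", 0), ("flipflop", "1100", 1)]:
        print(opt, resp, verify(g, STROKES, opt, resp, p))
```

The selected option and its parameter have to be stored with the enrolled shape, because the server needs them to undo the transformation before comparing.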

4. Conclusion and future work : In this paper, modifications are proposed for a hybrid authentication scheme based on shape and text. The modified schemes include inverting the bits in the password, padding, and adding alternate redundant bits. The modified schemes are more secure than the original hybrid authentication scheme. The user may not be able to remember random and arbitrary shapes. So, authentication schemes should be developed for passwords that the user can easily remember.

REFERENCES

[1] G. E. Blonder, “Graphical Passwords,” in Lucent Technologies, Inc., Murray Hill, NJ, U. S. Patent, Ed. United States, 1996.
[2] R. Dhamija and A. Perrig, "Deja Vu: A User Study using Images For Authentication", 9th USENIX Security Symposium, 2000.
[3] J. Goldberg, J. Hagman, V. Sazawal, "Doodling Our Way To Better Authentication", CHI '02 extended abstracts on Human Factors in Computer Systems, 2002.
[4] W. Jansen, "Authenticating Mobile Device User through Image Selection," in Data Security, 2004.
[5] W. Jansen, "Authenticating Users on Handheld Devices," in Proceedings of Canadian Information Technology Security Symposium, 2003.
[6] I. Jermyn, A. Mayer, F. Monrose, M. Reiter, and Rubin, “The design and analysis of graphical passwords,” in Proceedings of USENIX Security Symposium, August 1999.
[7] A. D. Luca, R. Weiss, and H. Hussmann, "PassShape: stroke based shape passwords," in Proceedings of the conference of the computer-human interaction special interest group (CHISIG) of Australia on Computer-human interaction: design: activities, artifacts and environments. 28-30 November 2007, Adelaide, Australia, pp. 239-240.
[8] S. Man, D. Hong, and M. Mathews, "A shoulder-surfing resistant graphical password scheme," in Proceedings of International conference on security and management. Las Vegas, NV, 2003.
[9] X. Suo, Y. Zhu, and G. S. Owen, "Graphical passwords: A survey," 21st Annual Computer Security Applications Conference (ASCSAC 2005). Tucson, 2005.
[10] D. Weinshall and S. Kirkpatrick, “Passwords You’ll Never Forget, but Can’t Recall,” in Proceedings of Conference on Human Factors in Computing Systems (CHI), Vienna, Austria: ACM, 2004.
[11] William Stallings, “Cryptography and Network Security”, 4th Edition. Publisher – Pearson Education Inc.
[12] H. Zhao and X. Li, "S3PAS: A Scalable Shoulder-Surfing Resistant Textual-Graphical Password Authentication Scheme," in 21st International Conference on Advanced Information Networking and Applications Workshops (AINAW 07), vol. 2. Canada, 2007, pp. 467-472.
[13] Z. Zheng, X. Liu, L. Yin, Z. Liu, “A Hybrid password authentication scheme based on shape and text,” Journal of Computers, vol. 5, no. 5, May 2010.
