I present a new security primitive based on hard AI problems, namely, a novel family of graphical password systems built on top of Captcha technology, which we call Captcha as graphical passwords (CaRP). CaRP is both a Captcha and a graphical password scheme. CaRP addresses a number of security problems altogether, such as online guessing attacks, relay attacks, and, if combined with dual-view technologies, shoulder-surfing attacks. Notably, a CaRP password can be found only probabilistically by automatic online guessing attacks even if the password is in the search set. CaRP also offers a novel approach to address the well-known image hotspot problem in popular graphical password systems, such as PassPoints, that often leads to weak password choices. CaRP is not a panacea, but it offers reasonable security and usability and appears to fit well with some practical applications for improving online security.
2. Password
What is a PASSWORD?
A PASSWORD is a secret word or string of characters that is used for user authentication: the user presents it to prove his identity and gain access to resources.
What is AUTHENTICATION?
Authentication is the process of confirming a person's identity.
Text Password:
A text password is a string of characters that is used for user authentication, to prove the user's identity and gain access to resources.
Graphical Password:
A graphical password is an authentication system that works by having the user select from images, in a specific order, presented in a graphical user interface (GUI).
For this reason, the graphical-password approach is sometimes called Graphical User Authentication (GUA).
3. Types of Graphical Passwords
Recall-Based Techniques
A user is asked to reproduce something that he created or selected earlier, during the registration stage.
Recognition-Based Techniques
A user is presented with a set of images and passes authentication by recognizing and identifying the images he selected during the registration stage.
Cued-Recall Techniques
An extra cue is provided to help the user remember and target specific locations within a presented image.
4. Draw-A-Secret (DAS) Scheme
Recall-Based Techniques:
Draw-A-Secret (DAS) scheme, Signature scheme, PassPoints scheme
Recognition-Based Techniques:
Dhamija and Perrig scheme, Sobrado and Birget scheme, Passfaces scheme
5. CAPTCHA
CAPTCHA – Completely Automated Public Turing test to tell Computers & Humans Apart.
• Invented at CMU by Luis von Ahn, Manuel Blum, et al.
• It is a program that acts as a challenge-response test to separate humans from computer programs.
Generic CAPTCHAs distort letters & numbers:
Distorted characters are presented to the user.
The user has to recognize the distorted letters.
If the guessed letters are correct, the user is inferred to be a human & allowed access.
Humans can read the distorted & noisy text.
Current OCR (Optical Character Recognition) programs cannot read them.
6. Background
Turing Test
“Standard Interpretation”: player C, the interrogator, is tasked with trying to determine which of players A and B is a computer and which is a human.
Reverse Turing Test
It is administered by a machine and targeted at a human.
7. Types of CAPTCHAs
Text CAPTCHA
  Gimpy CAPTCHA
  EZ-Gimpy
  MSN CAPTCHA
Graphic CAPTCHA
  Bongo
  PIX
Audio CAPTCHA
8. Text CAPTCHA
1. Text-based:
Simple, normal questions, e.g.:
What is the sum of five & ninety-five?
If today is Monday, what day was the day before yesterday?
Which of mango, table & water is a fruit?
Very effective, but needs a large question bank.
Cognitively challenged users find it hard.
9. Gimpy CAPTCHA
Gimpy:
Designed by Yahoo & CMU (Carnegie Mellon University).
Picks 10 random words from a dictionary, distorts them and fills the image with noise.
The user has to recognize at least 3 words.
If the user is correct, then he is admitted.
10. EZ-Gimpy
EZ-Gimpy:
A modified version of Gimpy.
Yahoo used this version in Messenger.
Has only 1 random string of characters.
Not a dictionary word, so not prone to dictionary attack.
Not a good implementation; already broken by OCR (Optical Character Recognition) programs.
11. MSN CAPTCHA
MSN's Passport service CAPTCHAs:
Provided for Microsoft's MSN services.
Uses 8 characters.
Warping is used to distort the characters.
Very strong implementation; hasn't been broken.
It is segmentation-resistant.
12. Graphic CAPTCHA
2. Graphic-based CAPTCHAs:
1. BONGO:
The user has to solve a pattern recognition problem.
He has to tell the distinguishing characteristic between two sets of figures.
Then he has to tell to which set a given figure belongs.
13. Graphic CAPTCHA
2. PIX:
Uses a large database of labelled images.
It shows a set of images; the user has to recognize the common feature among them.
E.g.: pick the common characteristic among the following 4 pictures = “aeroplane”.
14. Audio CAPTCHA
3. Audio CAPTCHAs:
Consist of a downloadable audio clip.
The user listens & enters the spoken word.
Helps visually disabled users.
Below is Google's audio-enabled CAPTCHA:
15. reCAPTCHA
reCAPTCHA (2007)
reCAPTCHA is a free service to protect your website from spam and abuse. reCAPTCHA uses an advanced risk analysis engine and adaptive CAPTCHAs to keep automated software from engaging in abusive activities on your site.
A new form of CAPTCHA that also helps digitize books:
The words displayed to the user come directly from old books that are being digitized;
they are words that OCR could not identify.
16. Old text that needs to be digitalized (correctly!)
OCR Transcript | reCAPTCHA Transcript
18. CAPTCHA as Graphical Password Scheme (CaRP)
CaRP: An Overview
• Captcha is now a standard Internet security technique to protect online email and other services from being abused by bots.
• CaRP is a new security primitive based on hard AI problems, namely, a novel family of graphical password systems integrating Captcha technology.
• CaRP schemes are click-based graphical passwords: a sequence of clicks on an image is used to derive a password.
• In CaRP, a new image is generated for every login attempt.
• CaRP uses an alphabet of visual objects (e.g., alphanumerical characters, similar animals) to generate the CaRP image.
20. Recognition-based CaRP
1. ClickText
ClickText is a recognition-based CaRP scheme built on top of text Captcha.
A ClickText password is a sequence of characters in the alphabet, e.g. ρ = “AB#9CD87”, which is similar to a text password.
ClickText image with 33 characters
21. Recognition-based CaRP
2. ClickAnimal
ClickAnimal is a recognition-based CaRP scheme built on top of Captcha Zoo, with an alphabet of similar animals such as dog, horse, cat, etc.
Its password is a sequence of animal names such as ρ = “Turkey, Cat, Horse, Dog, ...”
Captcha Zoo with horses circled in red. A ClickAnimal image.
22. Recognition-based CaRP
3. AnimalGrid
AnimalGrid is a combination of ClickAnimal and CAS.
Click-A-Secret (CAS) is a scheme wherein a user clicks the grid cells in his password.
To enter a password, a ClickAnimal image is displayed first.
After an animal is selected, an image of an n × n grid appears, with the grid-cell size equalling the bounding rectangle of the selected animal.
A ClickAnimal image; a 6 × 6 grid.
23. Applications
Applications
CaRP can be applied on touch-screen devices.
Many e-banking systems use Captchas in user logins, requiring a Captcha challenge to be solved for every online login attempt.
CaRP increases spammers' operating cost and thus helps reduce spam emails.
If CaRP is combined with a policy to throttle the number of emails sent to new recipients per login session, this leads to reduced outbound spam traffic.
24. Conclusions
CaRP is both a Captcha and a graphical password scheme.
This gives a desired security property that other graphical password schemes lack.
CaRP is also resistant to Captcha relay attacks and, if combined with dual-view technologies, to shoulder-surfing attacks.
CaRP can also help to reduce spam emails sent from a Web email service.
More effort will be attracted by CaRP than by ordinary Captcha.
CaRP does not rely on any specific Captcha scheme.
Editor's Notes
Token-based authentication
  key cards, bank cards, smart cards, …
Biometric-based authentication
  fingerprints, iris scan, facial recognition, …
Knowledge-based authentication
  text-based passwords, picture-based passwords, …
  the most widely used authentication techniques
Difficulty of remembering passwords
  easy to remember -> easy to guess
  hard to guess -> hard to remember
An example of a graphical password uses an image on the screen and lets the user choose a few click points; these click points are the "password", and the user has to click close to these points again in order to log in.
A dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase through hundreds or sometimes millions of likely possibilities, such as words in a dictionary.
Let me put in a live example: when I entered the campus, I saw a person receiving us. So now I will recall: I saw a person; can I remember his face? That is recall.
If I met him again, I would recognize him as that person: recognition.
If he says "you saw me at such-and-such place": cued.
DAS: the user draws a simple picture on a 2D grid; the coordinates of the grid cells occupied by the picture are stored in the order of drawing.
Redrawing has to touch the same grid cells in the same sequence during authentication.
User studies showed that the drawing sequence is hard to remember.
Signature scheme: here authentication is conducted by having the user draw their signature using a mouse.
PassPoints: the user clicks on any places on an image to create a password. A tolerance around each chosen pixel is calculated. In order to be authenticated, the user must click within the tolerances in the correct sequence.
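To show what "within the tolerances in the correct sequence" means in code, here is an added example (not the presenters' or the PassPoints authors' code) of a PassPoints-style verifier: the tolerance radius, the image size and the registered click points are constructed values, and `first_miss`/`authenticate` are names chosen for this example.

```python
import math

# Tolerance radius in pixels around each registered click point (assumption;
# deployments choose it from usability studies of their own image size).
TOLERANCE = 15

# Constructed registration data: five click points on a 640 x 480 image,
# stored in the order the user chose them.
REGISTERED = [(120, 88), (402, 133), (515, 300), (230, 410), (60, 250)]


def first_miss(stored, entered, tol=TOLERANCE):
    """Index of the first entered click that is not within `tol` pixels of
    the corresponding stored point, or -1 when every point is hit in order.
    A length mismatch counts as a miss at the end of the shorter sequence.
    Sequence order matters: the i-th click is compared only with the i-th
    registered point, so the same points clicked in another order fail."""
    for i, ((sx, sy), (ex, ey)) in enumerate(zip(stored, entered)):
        if math.hypot(sx - ex, sy - ey) > tol:
            return i
    if len(stored) == len(entered):
        return -1
    return min(len(stored), len(entered))


def authenticate(stored, entered, tol=TOLERANCE):
    """Yes/no verdict for the login form.  Only this boolean should reach the
    client; the index from first_miss is for usability analysis, because
    telling the user which click failed would narrow every further attempt."""
    return first_miss(stored, entered, tol) == -1


if __name__ == "__main__":
    jittered = [(125, 80), (399, 140), (520, 295), (225, 418), (70, 255)]
    print(authenticate(REGISTERED, jittered))                      # True
    print(first_miss(REGISTERED, REGISTERED[1:2] + REGISTERED[:1]))  # 0
```

Because the check is a distance comparison, the server must keep the registered coordinates (or a discretized form of them) in a comparable representation; it cannot verify against a plain hash of exact pixels the way a text-password server does, which is one reason tolerance and storage design are coupled in this family of schemes.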
Dhamija and Perrig: pick several pictures out of many choices, and identify them later during authentication.
Sobrado and Birget: the system displays a number of pass-objects (pre-selected by the user) among many other objects; the user clicks inside the convex hull bounded by the pass-objects.
Advantages
Graphical password schemes provide a way of making more human-friendly passwords while increasing the level of security.
Here the security of the system is very high.
Dictionary attacks and brute-force search are infeasible.
Disadvantages
Password registration and log-in processes take too long.
Require much more storage space than text-based passwords.
Shoulder surfing.
CAPTCHA employs a Reverse Turing Test.
Why was CAPTCHA needed?
Sabotage of online polls.
Spam e-mails.
Abusing free online accounts.
Tampering with rankings on recommendation systems (like eBay, Amazon).
Judge = CAPTCHA program, participant = user.
If the user passes the CAPTCHA, he is human; otherwise it is a machine.
The authentication server AS stores a salt s and a hash value H(ρ, s) for each user ID.
Upon receiving a login request, AS generates a CaRP image.
The coordinates of the clicked points are recorded and sent to AS along with the user ID.
AS maps the received coordinates onto the CaRP image and recovers a sequence ρ of visual-object IDs.
Then AS retrieves the salt s of the account and calculates the hash value of the recovered ρ with the salt.
Authentication succeeds only if the two hash values match.