International Journal of Communications and Engineering, Volume 03, No. 3, Issue 01, March 2012

DEFENSES AGAINST LARGE SCALE ONLINE PASSWORD GUESSING ATTACKS BY USING PERSUASIVE CLICK POINTS

Chippy T., R. Nagendran
Dhanalakshmi Srinivasan Engineering College

Abstract

Usable security has unique usability challenges because the need for security often means that standard human-computer-interaction approaches cannot be directly applied. An important usability goal for authentication systems is to support users in selecting better passwords. Users often create memorable passwords that are easy for attackers to guess, but strong system-assigned passwords are difficult for users to remember. Researchers have therefore turned to alternative methods in which graphical pictures are used as passwords. Graphical passwords essentially use images, or representations of images, as passwords. The human brain is better at remembering pictures than textual characters. There are various graphical password schemes and graphical password products on the market; however, very little research has been done to analyze graphical passwords, which are still immature. This project work therefore merges persuasive cued click points with a password guessing resistant protocol. The major goal of this work is to reduce guessing attacks while encouraging users to select more random passwords that are more difficult to guess. Well known threats such as brute force attacks and dictionary attacks can be substantially mitigated using this method.

Index Terms: Authentication, graphical passwords, guessing attacks, computer security.
1. Introduction

There has been a great deal of interest in graphical passwords over the last two decades, because the primitive methods suffered from innumerable attacks that could be mounted easily. Here we progress down the taxonomy of authentication methods. To start with, we focus on the most common computer authentication method, which makes use of text passwords. Despite the vulnerabilities, the natural tendency of users is to prefer short passwords for ease of remembrance [10], and they also lack awareness of how attackers tend to attack. Unfortunately, these passwords are broken mercilessly by intruders through several simple means such as masquerading and eavesdropping, and other crude means such as dictionary attacks, shoulder surfing attacks and social engineering attacks [10][1]. To mitigate the problems with traditional methods, advanced methods have been proposed that use graphics as passwords. The idea of graphical passwords was first described by Greg Blonder (1996). For Blonder, a graphical password has a predetermined image, and the sequence of tap regions selected on it is interpreted as the password. Since then, many other graphical password schemes have been proposed. The desirable quality of graphical passwords is that, psychologically, humans can remember graphics far better than text, and hence they are the best alternative being proposed. There is a rapid and growing interest in graphical passwords because their number is virtually unbounded, which provides more resistance.

The major goal of this work is to reduce guessing attacks as well as encouraging users to select more random passwords that are difficult to guess.

2. Taxonomy of Authentication

Figure 1 depicts the current authentication methods. Biometric based authentication techniques have proved to be expensive, slow and unreliable, and hence are not preferred by many. Token based authentication systems have high security, usability and accessibility compared with the others, but such systems employ knowledge based techniques to enhance security, and the current knowledge based techniques are still immature. For instance, ATM cards always go hand in hand with a PIN number.

Figure 1: Taxonomy of Password Authentication Techniques

So knowledge based techniques are the most wanted techniques for improving security. Recognition based and recall based are the two categories into which graphical techniques fall.
3. Background on Graphical Password Systems

Graphical passwords were first described by Blonder. Since then, many other graphical password schemes have been proposed. Graphical password systems can be classified as recognition based (image based scheme), cued recall based (image based scheme) or pure recall based (grid based scheme).

3.1 Recognition Based Techniques

3.1.1 Dhamija and Perrig

Dhamija and Perrig [4] proposed a graphical authentication scheme based on the Hash Visualization technique. In their system (Figure 2), the user is asked to select a certain number of images from a set of random pictures generated by a program; later the user is required to identify the pre-selected images in order to be authenticated. A weakness of this system is that the server needs to store the seeds of the portfolio images of each user in plain text. Also, the process of selecting a set of pictures from the picture database can be tedious and time consuming for the user.

Figure 2: Random images used by Dhamija and Perrig

Akula and Devisetty's algorithm [5] is similar to the technique proposed by Dhamija and Perrig. The images are converted into a hash code using SHA-1 to give more security and use less memory; SHA-1 produces a 20 byte output. (SHA-1 is no longer considered collision resistant, so a new design should use a modern hash such as SHA-256.) Both of the above algorithms are prone to shoulder surfing attacks.

3.2.2 Hong's Method

Hong et al. [9] proposed another shoulder-surfing resistant algorithm. This approach allows the user to assign their own codes to pass-object variants. Figure 3 shows the log-in screen of this graphical password scheme. However, this method still forces the user to memorize many text strings and therefore suffers from many of the drawbacks of text-based passwords.

Figure 3: Hong et al.'s shoulder surfing resistant scheme

3.3 Recall Based Techniques

In this section we discuss three recent types of click based graphical password techniques:
1. Pass Points (PP)
2. Cued Click Points (CCP)
3. Persuasive Cued Click-Points (PCCP)

3.3.1 Pass Points (PP)

Based on Blonder's original idea, Pass Points (PP) [7] is a click-based graphical
password system where a password consists of an ordered sequence of five click-points on a pixel-based image, as shown in Figure 4. To log in, a user must click within some system-defined tolerance region for each click-point. The image acts as a cue to help users remember their password click-points.

Figure 4: Pass Points

3.3.2 Cued Click Points (CCP)

CCP [1] was developed as an alternative click based graphical password scheme in which users select one point per image for five images (Figure 5). The interface displays only one image at a time; the image is replaced by the next image as soon as the user selects a click-point. The system determines the next image to display based on the user's click-point on the current image: the next image is a deterministic function of the point currently selected. This presents a one-to-one cued recall scenario in which each image triggers the user's memory of the one click-point on that image. Secondly, if a user enters an incorrect click-point during login, the next image displayed will also be incorrect. Legitimate users who see an unrecognized image know that they made an error with their previous click-point. Conversely, this implicit feedback is not helpful to an attacker who does not know the expected sequence of images.

Figure 5: Cued Click Points

3.3.3 Persuasive Cued Click-Points (PCCP)

To address the issue of hotspots, PCCP was proposed [7]. As with CCP, a password consists of five click-points, one on each of five images. During password creation, most of the image is dimmed except for a small viewport area that is randomly positioned on the image, as shown in Figure 6. Users must select a click-point within the viewport. If they are unable or unwilling to select a point in the current viewport, they may press the Shuffle button to randomly reposition it. The viewport guides users to select more random passwords that are less likely to include hotspots. A user who is determined to reach a certain click-point may still shuffle until the viewport moves to that location, but this is time consuming and tedious.
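The CCP and PCCP mechanics of 3.3.2 and 3.3.3 (tolerance cells, the deterministic next-image function, implicit feedback at login, and the viewport constraint at creation) as a runnable Python sketch. This is an added example, not code from this paper or from the Chiasson et al. implementations; the image dimensions, the 19-pixel tolerance cell, the viewport size, the image pool size, the per-user server secret and the use of HMAC-SHA256 as the next-image function are all assumptions of the example.

```python
import hashlib
import hmac
import secrets

# Parameters below are assumptions for this example, not values from the paper.
IMAGE_W, IMAGE_H = 451, 331   # image dimensions in pixels
TOLERANCE = 19                # side of one tolerance cell in pixels
IMAGE_POOL = 1000             # number of images the server can choose from
VIEWPORT = 75                 # side of the PCCP viewport square in pixels
NUM_IMAGES = 5                # one click-point per image, five images


def to_cell(point):
    """Map a pixel click to its tolerance cell. Plain grid discretization is used
    here; a click near a cell border may land in the neighbouring cell on a later
    attempt, which is why the CCP/PCCP papers use centred discretization instead."""
    x, y = point
    if not (0 <= x < IMAGE_W and 0 <= y < IMAGE_H):
        raise ValueError("click outside the image")
    return (x // TOLERANCE, y // TOLERANCE)


def next_image(user_key, image_id, cell):
    """CCP: the next image is a deterministic function of the current image and
    the cell clicked. Keyed per user so the mapping cannot be precomputed."""
    msg = f"{image_id}:{cell[0]}:{cell[1]}".encode()
    digest = hmac.new(user_key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % IMAGE_POOL


def cell_tag(user_key, image_id, cell):
    """Value stored on the server for one (image, cell) instead of the raw cell."""
    msg = f"tag:{image_id}:{cell[0]}:{cell[1]}".encode()
    return hmac.new(user_key, msg, hashlib.sha256).hexdigest()


def random_viewport():
    """PCCP creation: top-left corner of a randomly positioned viewport; the
    rest of the image is dimmed. Pressing Shuffle simply calls this again."""
    return (secrets.randbelow(IMAGE_W - VIEWPORT + 1),
            secrets.randbelow(IMAGE_H - VIEWPORT + 1))


def in_viewport(point, viewport):
    x, y = point
    vx, vy = viewport
    return vx <= x < vx + VIEWPORT and vy <= y < vy + VIEWPORT


def create_password(user_key, first_image, clicks, viewports):
    """PCCP password creation. Each click must lie inside the viewport shown on
    that image. Returns the record the server stores: [(image_id, tag), ...]."""
    if len(clicks) != NUM_IMAGES or len(viewports) != NUM_IMAGES:
        raise ValueError(f"expected {NUM_IMAGES} clicks and {NUM_IMAGES} viewports")
    image, record = first_image, []
    for point, viewport in zip(clicks, viewports):
        if not in_viewport(point, viewport):
            raise ValueError("click outside the viewport: shuffle or click inside it")
        cell = to_cell(point)
        record.append((image, cell_tag(user_key, image, cell)))
        image = next_image(user_key, image, cell)
    return record


def login(user_key, record, clicks):
    """CCP/PCCP login. Returns (success, images_shown). A wrong click changes the
    images that follow (implicit feedback to the user), but nothing is rejected
    until the last click, so an attacker learns nothing click by click."""
    if len(clicks) != len(record):
        return False, []
    image, shown, ok = record[0][0], [], True
    for point, (_, stored_tag) in zip(clicks, record):
        shown.append(image)
        cell = to_cell(point)
        if not hmac.compare_digest(cell_tag(user_key, image, cell), stored_tag):
            ok = False            # keep going: do not reveal which click was wrong
        image = next_image(user_key, image, cell)
    return ok, shown


if __name__ == "__main__":
    key = secrets.token_bytes(32)                       # per-user server secret
    # constructed sample clicks and viewports (each click lies inside its viewport)
    clicks = [(100, 100), (300, 50), (40, 280), (220, 160), (410, 300)]
    viewports = [(60, 60), (260, 10), (0, 230), (180, 120), (370, 250)]
    record = create_password(key, 7, clicks, viewports)
    print(login(key, record, clicks)[0])                # True
    wrong = clicks[:1] + [(150, 50)] + clicks[2:]
    print(login(key, record, wrong)[0])                 # False
```

With a wrong second click, the first two images shown still match the creation path (the first click was right), and from the third image on the sequence diverges; the user recognizes the unfamiliar image, while the server only reports failure after the fifth click. Note that the server must hold the per-user key to recompute the tags, so this sketch protects the stored click-points no better than the key storage around it.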
Figure 6: The PCCP password creation interface

4. Discussion: Will graphical passwords replace text based passwords?

Here we briefly examine some of the possible techniques for breaking graphical passwords and compare them with text-based passwords.

• Dictionary attacks: Since recognition based graphical passwords involve mouse input instead of keyboard input, it is impractical to carry out dictionary attacks against this type of graphical password. (An online attacker usually submits guesses straight to the verification endpoint rather than through the user interface, so the obstacle is the lack of a natural dictionary for image choices rather than the input device itself.) For some recall based graphical passwords [11], it is possible to use a dictionary attack, but an automated dictionary attack will be much more complex than a text based dictionary attack. More research is needed in this area. Overall, we believe graphical passwords are less vulnerable to dictionary attacks than text-based passwords.

• Guessing: Unfortunately, it seems that graphical passwords are often predictable, a serious problem typically associated with text-based passwords. More research effort is needed to understand the nature of graphical passwords created by real world users.

• Shoulder surfing: Like text based passwords, most graphical passwords are vulnerable to shoulder surfing. At this point, only a few recognition based techniques are designed to resist shoulder surfing.

• Spyware: With a few exceptions, key logging or key listening spyware cannot be used to break graphical passwords. It is not clear whether "mouse tracking" spyware will be an effective tool against graphical passwords. However, mouse motion alone is not enough to break graphical passwords; such information has to be correlated with application information, such as window position and size, as well as timing information.

• Social engineering: Compared with text based passwords, it is less convenient for a user to give away a graphical password to another person. For example, it is very difficult to give away a graphical password over the phone. Setting up a phishing web site to obtain graphical passwords would be more time consuming.

5. Proposed System

Nowadays, all business, government and academic organizations are investing a lot of money, time and computer memory in the security of information. Online password guessing attacks have been known since the early days of the Internet, yet there is little academic literature on prevention techniques. This project deals with guessing attacks such as brute force attacks and dictionary attacks.

This project proposes a click-based graphical password system. During password creation, there is a small viewport area that is randomly positioned on the image. Users must
select a click-point within the viewport. If they are unable or unwilling to select a point in the current viewport, they may press the Shuffle button to randomly reposition it. The viewport guides users to select more random passwords that are less likely to include hotspots. This work therefore encourages users to select more random passwords that are difficult to guess.

Brute force and dictionary attacks on password-only remote login services are now widespread and ever increasing. Enabling convenient login for legitimate users while preventing such attacks is a difficult problem. Automated Turing Tests (ATTs) continue to be an effective, easy-to-deploy approach to identifying automated malicious login attempts at a reasonable cost in inconvenience to users. This project proposes a new Password Guessing Resistant Protocol (PGRP), derived by revisiting prior proposals designed to restrict such attacks. While PGRP limits the total number of login attempts from unknown remote hosts, legitimate users in most cases (e.g., when attempts are made from known, frequently used machines) can make several failed login attempts before being challenged with an ATT.

This proposed system also provides protection against key logger spyware: since the mouse is used rather than the keyboard to enter the graphical password, the password is protected from key loggers. (Section 4 notes the caveat: mouse-tracking spyware combined with window position and timing information is not ruled out.)

5.1 Proposed System Architecture

Figure 7: System Architecture
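A runnable sketch of the PGRP login decision described in Section 5: attempts from unknown remote hosts are limited by a per-source counter, while (username, known machine) pairs that have logged in successfully before get their own budget of free failed attempts before an ATT is demanded, and both counters expire after a window. This is an added example, not the protocol from this paper or from the PGRP authors; the thresholds K1 and K2, the 24-hour window, the plain username-to-password verifier, and recording a machine as "known" after one successful login from it are assumptions of the example.

```python
import hmac
import time
from collections import defaultdict

# Thresholds and window are assumptions for this example, not values from the paper.
K1 = 3              # free failed attempts per unknown source before an ATT is required
K2 = 5              # free failed attempts per (user, known source) before an ATT is required
WINDOW = 24 * 3600  # seconds after which the failure counters are cleared


class PGRPSketch:
    """Decides, per login attempt, whether an Automated Turing Test must be solved
    first. The credential check is deliberately simple (a username to password
    map, assumption); the graphical password of Section 5 would be verified in
    its place."""

    def __init__(self, verifiers, now=time.time):
        self.verifiers = verifiers          # username -> expected password (example only)
        self.known = set()                  # (username, source) pairs seen in a successful login
        self.ft = defaultdict(int)          # failed attempts per unknown source address
        self.fs = defaultdict(int)          # failed attempts per (username, known source)
        self.now = now
        self.reset_at = now() + WINDOW

    def _expire(self):
        """Counters are not permanent: a legitimate user who mistyped a few times
        gets the free attempts back once the window has passed."""
        if self.now() >= self.reset_at:
            self.ft.clear()
            self.fs.clear()
            self.reset_at = self.now() + WINDOW

    def needs_att(self, user, source):
        self._expire()
        if (user, source) in self.known:
            return self.fs[(user, source)] >= K2
        return self.ft[source] >= K1

    def attempt(self, user, source, password, att_solved=False):
        """Returns 'att_required', 'ok' or 'fail'. The ATT gate is applied before
        the password is checked, so a guess past the limit is not verified at all."""
        if self.needs_att(user, source) and not att_solved:
            return "att_required"
        # compare even for unknown users so the timing does not reveal which names exist
        expected = self.verifiers.get(user, "")
        if user in self.verifiers and hmac.compare_digest(expected.encode(), password.encode()):
            self.known.add((user, source))       # this machine is now a known one
            self.fs.pop((user, source), None)
            return "ok"
        if (user, source) in self.known:
            self.fs[(user, source)] += 1
        else:
            self.ft[source] += 1
        return "fail"


def simulate():
    """Constructed scenario: a guessing bot from one unknown address, then a
    legitimate user on a machine that becomes known after one successful login,
    then the bot again after the window has expired."""
    clock = [0.0]
    srv = PGRPSketch({"alice": "correct-horse"}, now=lambda: clock[0])
    bot = [srv.attempt("alice", "198.51.100.7", f"guess{i}") for i in range(K1 + 2)]
    first_ok = srv.attempt("alice", "203.0.113.5", "correct-horse")
    user = [srv.attempt("alice", "203.0.113.5", "typo") for _ in range(K2 + 1)]
    clock[0] = WINDOW + 1                        # a day later the counters have expired
    after_reset = srv.attempt("alice", "198.51.100.7", "guess-again")
    return bot, first_ok, user, after_reset


if __name__ == "__main__":
    print(simulate())
```

The bot gets K1 silent failures and is then forced through an ATT on every attempt, even when it finally submits the right password, while the user on a known machine gets K2 free failures before any challenge. Per-source counters alone are weak against the botnets mentioned in the conclusion, since every node brings its own K1 budget; a deployment would add a per-username budget for attempts from unknown sources as well.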
6. Conclusion and Future Work

A major advantage of the Persuasive Cued Click-Points scheme is its large password space compared with alphanumeric passwords, although, as noted in Section 4, user-chosen click-points tend to cluster on hotspots, so the effective space is smaller than the theoretical one; the PCCP viewport is intended to close that gap. There is a growing interest in graphical passwords since they are better than text based passwords, although the main argument for graphical passwords is that people are better at memorizing graphical passwords than text-based passwords. Online password guessing attacks on password-only systems have been observed for decades. Present-day attackers targeting such systems are empowered by having control of thousand to million node botnets. In previous ATT-based login protocols, there exists a security-usability trade-off with respect to the number of free failed login attempts (i.e., with no ATTs) versus user login convenience (e.g., fewer ATTs and other requirements). In contrast, PGRP is more restrictive against brute force and dictionary attacks while safely allowing a large number of free failed attempts for legitimate users. PGRP is apparently more effective in preventing password guessing attacks (without answering ATT challenges), and it also offers a more convenient login experience, e.g., fewer ATT challenges for legitimate users. PGRP appears suitable for organizations with both small and large numbers of user accounts.

REFERENCES

[1] Sonia Chiasson, P. C. van Oorschot, and Robert Biddle, "Graphical Password Authentication Using Cued Click Points," ESORICS, LNCS 4734, pp. 359-374, Springer-Verlag Berlin Heidelberg, 2007.
[2] Manu Kumar, Tal Garfinkel, Dan Boneh, and Terry Winograd, "Reducing Shoulder-surfing by Using Gaze-based Password Entry," Symposium On Usable Privacy and Security (SOUPS), July 18-20, 2007, Pittsburgh, PA, USA.
[3] Zhi Li, Qibin Sun, Yong Lian, and D. D. Giusto, "An association-based graphical password design resistant to shoulder surfing attack," International Conference on Multimedia and Expo (ICME), IEEE, 2005.
[4] R. Dhamija and A. Perrig, "Deja Vu: A User Study Using Images for Authentication," in Proceedings of the 9th USENIX Security Symposium, 2000.
[5] S. Akula and V. Devisetty, "Image Based Registration and Authentication System," in Proceedings of the Midwest Instruction and Computing Symposium, 2004.
[6] L. Sobrado and J.-C. Birget, "Graphical passwords," The Rutgers Scholar, An Electronic Bulletin for Undergraduate Research, vol. 4, 2002.
[7] Sonia Chiasson, Alain Forget, Robert Biddle, and P. C. van Oorschot, "User interface design affects security: patterns in click-based graphical passwords," Springer-Verlag, 2009.
[8] I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter, and A. D. Rubin, "The Design and Analysis of Graphical Passwords," in Proceedings of the 8th USENIX Security Symposium, 1999.
[9] S. Man, D. Hong, and M. Mathews, "A shoulder surfing resistant graphical password scheme," in Proceedings of the International Conference on Security and Management, Las Vegas, NV, 2003.
[10] A. Adams and M. A. Sasse, "Users are not the enemy: why users compromise computer security mechanisms and how to take remedial measures," Communications of the ACM, vol. 42, pp. 41-46, 1999.
[11] I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter, and A. D. Rubin, "The Design and Analysis of Graphical Passwords," in Proceedings of the 8th USENIX Security Symposium, 1999.
[12] Alain Forget, Sonia Chiasson, and Robert Biddle, "Shoulder-Surfing Resistance with Eye-Gaze Entry in Cued-Recall Graphical Passwords," ACM 978-1-60558-929-9/10/04, April 10-15, 2010.