ipas implicit password authentication system ieee 2011



2011 Workshops of International Conference on Advanced Information Networking and Applications

IPAS: Implicit Password Authentication System

Sadiq Almuairfi, Parakash Veeraraghavan and Naveen Chilamkurti
Dept. of Computer Science and Computer Engineering, La Trobe University, 3086, Melbourne, Australia
sadiqjafar@students.latrobe.edu.au, {p.veera, n.chilamkurti}@latrobe.edu.au

978-0-7695-4338-3/11 $26.00 © 2011 IEEE. DOI 10.1109/WAINA.2011.36

Abstract— Authentication is the first line of defense against compromising confidentiality and integrity. Though traditional login/password based schemes are easy to implement, they have been subjected to several attacks. As an alternative, token and biometric based authentication systems were introduced. However, they have not improved substantially to justify the investment. Thus, a variation to the login/password scheme, viz. the graphical scheme, was introduced. But it also suffered from shoulder-surfing and screen dump attacks. In this paper, we introduce a framework of our proposed Implicit Password Authentication System (IPAS), which is immune to the common attacks suffered by other authentication schemes.

Keywords: Authentication; Graphical Password; Security; Mobile Banking.

I. INTRODUCTION

Authentication is a process of determining whether a particular individual or a device should be allowed to access a system or an application or merely an object running in a device. This is an important process which assures the basic security goals, viz. confidentiality and integrity. Also, adequate authentication is the first line of defense for protecting any resource. It is important to note that the same authentication technique may not be used in every scenario. For example, a less sophisticated approach may be used for accessing a “chat server” compared to accessing a corporate database. Most of the existing authentication schemes require processing both at the client and the server end. Thus, the acceptability of any authentication scheme greatly depends on its robustness against attacks as well as its resource requirement both at the client and at the server end. The resource requirement has become a major factor due to the proliferation of mobile and hand-held devices. Nowadays, with the use of mobile phones, users can access any information including banking and corporate databases. In this paper, we specifically target the mobile banking domain and propose a new and intelligent authentication scheme. However, our proposal can also be used in other domains where confidentiality and integrity are the major security requirements.

The rest of the paper is organized as follows: Section 2 deals with various authentication schemes, and their advantages and disadvantages. In Section 3, we mention the main problems of the existing schemes. In Section 4, we present our proposal and discuss its strengths and weaknesses compared with the existing schemes. Section 5 deals with the conclusion and future directions.

II. VARIOUS AUTHENTICATION SCHEMES

There are several authentication schemes available in the literature. They can be broadly classified as follows:

• What you know
• What you have, and
• What you are

The traditional username/password or PIN based authentication scheme is an example of the “what you know” type. Smartcards or electronic tokens are examples of the “what you have” type of authentication, and finally biometric based authentication schemes are examples of the “what you are” type of authentication. Some authentication systems may use a combination of the above schemes. In this paper, we focus only on “what you know” types of authentication.

Although traditional alphanumeric passwords are used widely, they have problems such as being hard to remember, and being vulnerable to guessing, dictionary attack, key-loggers, shoulder-surfing and social engineering [1]. In addition to these types of attacks, a user may tend to choose a weak password or record his password. This may further weaken the authentication schemes. As an alternative to the traditional password based scheme, the biometric system was introduced. This relies upon unique features unchanged during the lifetime of a human, such as fingerprints, iris etc. The major problem of biometrics as an authentication scheme is the high cost of the additional devices needed for the identification process [2]. The false-positive and false-negative rates may also be high if the devices are not robust. Biometric systems are vulnerable to replay attack (by the use of sticky residue left by a finger on the devices), which reduces the security and usability levels. Thus, recent developments have attempted to overcome biometric shortcomings by introducing token-based authentication schemes.

Token based systems rely on the use of a physical device such as smartcards or an electronic key for authentication purposes. This may also be used in conjunction with the
traditional password based system. Token based systems are vulnerable to man-in-the-middle attacks, where an intruder intercepts the user’s session and records the credentials by acting as a proxy between the user and the authentication device without the knowledge of the user [3]. Thus, as an alternative, graphical based passwords were introduced to resolve the security and usability limitations mentioned in the above schemes.

Graphical-based password techniques have been proposed as a potential alternative to text-based techniques, supported partially by the fact that humans can remember images better than text [4]. Psychologists have confirmed that in both recognition and recall scenarios, images are more memorable than text [2]. Therefore, graphical-based authentication schemes have higher usability than other authentication techniques. On the other hand, it is also difficult to break graphical passwords using normal attacks such as dictionary attack, brute force and spyware, which have been affecting text-based and token-based authentication [5]. Thus, the security level of graphical-based authentication schemes is higher than that of other authentication techniques. In general, the graphical password techniques can be classified into two categories: recognition-based and recall-based graphical techniques [4].

A. Recognition-Based Systems

In recognition-based systems, a group of images is displayed to the user, and an accepted authentication requires the correct images being clicked or touched in a particular order. Some examples of recognition-based systems are the Awase-E system [6], AuthentiGraph [3, 5], and the Passfaces system [4].

An image password called Awase-E [6] is a new system which enables users to use their favorite image instead of a text password for authentication purposes. Even though the Awase-E system has higher usability, it is difficult to implement due to the storage space needed for images, and also the system cannot tolerate replay attack. Adding to this, a user may always tend to choose a well-known image (or one associated with the user through some relation, like a son, wife or a place visited etc.) which may be prone to guessing attacks.

Weinshall and Kirkpatrick [7] studied a recognition-based scheme and concluded that users can still remember their graphical password with 90% accuracy even after one or two months. Their study supports the theory that humans remember images better than text. As a further example, the commercial system Passfaces [4] uses images of human faces. Davis et al. [7] worked on such a scheme and concluded that users’ password selection is affected by race and gender. This makes the Passfaces password somewhat predictable.

Although a recognition-based graphical password seems to be easy to remember, which increases the usability, it is not completely secure. It needs several rounds of image recognition for authentication to provide a reasonably large password space, which is tedious [7]. Also, it is obvious that recognition based systems are vulnerable to replay attack and mouse tracking because of the use of a fixed image as a password. Thus, we consider these drawbacks in our proposed system, which overcomes the problems of recall based schemes too.

B. Recall-Based Systems

In recall-based systems, the user is asked to reproduce something that he/she created or selected earlier during the registration phase. Recall based schemes can be broadly classified into two groups, viz. pure recall-based techniques and cued recall-based techniques.

1) Pure Recall-Based Techniques

In this group, users need to reproduce their passwords without any help or reminder from the system. The Draw-A-Secret technique [8], Grid selection [9], and Passdoodle [10] are common examples of pure recall-based techniques.

In 1999, Jermyn et al. [8] proposed the DAS (Draw-A-Secret) scheme, in which the password is a shape drawn on a two-dimensional grid of size G * G as in Figure 1. Each cell in this grid is represented by distinct rectangular coordinates (x, y). The values of the touched grid cells are stored in the temporal order of the drawing. If the exact coordinates are crossed in the same registered sequence, then the user is authenticated. As with other pure recall-based techniques, DAS has many drawbacks. In 2002, Goldberg [11] conducted a survey which concluded that most users forget their stroke order and that they can remember text passwords more easily than DAS. Also, the passwords chosen by users are vulnerable to graphical dictionary attacks and replay attack.

Figure 1. Example of DAS

In 2004, the Grid selection technique was proposed by Thorpe and Van Oorschot [9] to enhance the password space of DAS. Their study showed the impact of stroke count on the DAS password space, which decreases significantly with fewer strokes for a fixed password length. To improve the DAS security level, they suggested the "Grid Selection" technique, where the selection grid is large at the beginning: a fine grained grid from which the person selects a drawing grid, a rectangular area to zoom in on, in which they may enter their password as shown in Figure 2. This technique would increase the password space of DAS, which improves the security level at the same time. Actually, this technique only improves the password space of DAS but still carries over the DAS weaknesses and drawbacks mentioned above.

Figure 2. Example of Grid Selection Model

Passdoodle [11] is a graphical password of handwritten drawing or text, normally sketched with a stylus over a touch sensitive screen as shown in Figure 3. In [11], Goldberg et al. have shown that users were able to recognize a complete doodle password as accurately as text-based passwords. Unfortunately, the Passdoodle scheme has many drawbacks. As mentioned in [9], users were fascinated by other users’ drawn doodles, and usually entered other users’ passwords merely because of doodles different from their own. In [1], the authors concluded that the Passdoodle scheme is vulnerable to several attacks such as guessing, spyware, key-logger, and shoulder surfing.

Figure 3. Example of Passdoodle

2) Cued Recall-Based Techniques

In this technique, the system gives some hints which help users to reproduce their passwords with high accuracy. These hints will be presented as hot spots (regions) within an image. The user has to choose some of these regions to register as their password, and they have to choose the same regions following the same order to log into the system. The user must remember the “chosen click spots” and keep them secret. There are many implementations, such as the Blonder algorithm [12] and the PassPoint scheme [13].

In 1996, Blonder [12] designed a method where a pre-determined image is shown to the user on a visual display and the user should “click” on some predefined positions on the image in a particular order to be authenticated, as in Figure 4. This method was later modified and presented as Passpoint [13].

In 2005, the PassPoint [13] scheme was created to be similar to Blonder’s scheme while overcoming some of its main limitations. In Passpoint, the image can be an arbitrary photograph or painting with many clickable regions, as shown in Figure 5. This will increase the password space of the Passpoint scheme, which in turn will increase the security level. Another source of difference is that there is no predefined click area with clear boundaries like the Blonder algorithm. The user password could contain any chosen sequence of points in the image, which increases the usability level of this scheme.

Figure 4. Example of Blonder Scheme

Figure 5. Example of PassPoint System

The Passpoint system has a large password space, which improves the security level compared with other similar systems. For example, five or six click points on an image can produce more passwords than 8-character text-based passwords with a standard 26-character alphabet [13]. For more security, the Passpoint system stores the image password in a hashed (encrypted) form in the password file. Moreover, hashing does not allow approximation, e.g. two passwords that are almost the same but not fully identical will be hashed differently. In order to be authenticated, the user has to click close to the selected points, within some measured tolerance distance from the pass point.

Wiedenbeck et al. [14] proposed the best tolerance around the click point in such an image. To log in, the user should click within the tolerance of such a click point. In fact, a larger password space leads to a smaller tolerance size, e.g. 2 to 5 mm2 around the chosen click point or pixel. For example, an image of size 330 x 260 mm2 with tolerance areas of size 6 x 6 mm2 gives more than 590 tolerance areas [14]. It is clear that the password space depends on the tolerance size or system choice. This enhancement makes the Passpoint system more flexible, especially for people using mobile devices.

III. PROBLEMS WITH THE EXISTING SCHEMES

Traditional alphanumeric passwords are always vulnerable to guessing and dictionary attack. There may even be a rogue program that records the key strokes and publishes them on a remote website. In order to overcome key logger based attacks, newer systems may show a graphical keyboard, and the user has to enter the correct password using “mouse clicks”. This may also be defeated if the attacker uses a screen capture mechanism rather than a key logger. Since new video codecs provide higher compression ratios, an attacker may use a screen capture program to record a short video clip and send it to a remote server for publishing. So, as an alternative, a token based authentication method may be used either as a stand-alone authentication or in addition to the traditional alphanumeric password. But this technology is not pervasive. The user may have to carry a trusted token card reader. With unknown token readers, a user may not be aware whether they are using a trusted legitimate reader or an un-trusted one that may clone the token (similar to the recent ATM card scam).

Although the image based authentication systems reviewed in our paper address most of the threats, they still suffer from the following attacks: replay, shoulder-surfing, and recording the screen. One may argue that replay attack can be prevented using encryption and tamper-proof time stamps, and that physical shoulder-surfing may be known to the user as this process is invasive. However, due to the availability of high bandwidth to mobile devices and light-weight, highly efficient video codecs, a rogue program may still capture and publish the screen remotely. Since all the image based password schemes known to us use static passwords, the recorded movie may be replayed and, with some human interaction, the user’s password may be decoded.

IV. IMPLICIT PASSWORD AUTHENTICATION SYSTEM

In this section, we propose our Implicit Password Authentication System. IPAS is similar to the PassPoint scheme with some finer differences. In every “what you know” type authentication scheme we are aware of, the server requests the user to reproduce the fact given to the server at the time of registration. This is also true in graphical passwords such as PassPoint. In IPAS, we consider the password as a piece of information known to the server at the time of registration, and at the time of authentication the user gives this information in an implicit form that can be understood only by the server. We explain this through a mobile banking case study.

A. Case Study of IPAS (Mobile Banking)

In our case study, we consider mobile banking as our domain. However, our proposed IPAS may also be implemented in any client-server environment where we need to authenticate a human as a client (IPAS will not work in machine-to-machine authentication). We also assume that the server has enough hardware resources like RAM and CPU. This is not unrealistic as high-end servers are becoming cheaper day by day. The bank may have a database of 100 to 200 standard questions. During the time of registration, a user should pick 10-20 questions from the database (depending upon the level of security required) and provide answers to the selected questions. For example, the user may choose the following questions:

• The maker of your first car?
• The city you love to visit or visited?
• Date of birth?

For each question, the server may create an intelligent authentication space using images, where the answers to the particular question for various users are implicitly embedded into the images. During the time of authentication, the server may randomly pick one or more of the questions selected by the user at the time of registration (the number of questions depends on the level of service requested). For each chosen question, the server may choose an image randomly from the authentication space and present it to the user as a challenge. Using the stylus or the mouse, the user needs to navigate the image and click the right answer. For example, the server may present the user with a picture of the globe. The user should correlate this to Question 2. If Sydney is the city the user loves to visit or has visited, he needs to click on Australia. It will then enlarge Australia. Then in the map, the user needs to click Sydney, as shown in Figure 6.

Figure 6. Example of an IPAS

Next time, if the same question is chosen by the server, the same scenario may not be presented. For the next time, the server may show an image containing all famous buildings and monuments. The user needs to click on the “Sydney Opera House” to implicitly convey his answer. Since every time the server uses a different scenario and the answers are given implicitly, our proposed system is immune to screen capture attack. Also, except for the server and the legitimate user, the answers may look fuzzy to others. For example, if the user clicks “Opera House”, it may even mean the “type of music the user is interested in listening to”, or may represent his “place of birth”, or “current residency”, and so on.

B. IPAS Implementation Framework

The bank will have a set of 100 to 200 questions. Every user selects a set of 10 to 20 questions at the time of registration and provides their individual answers. For each question, the system then either creates an authentication space (the space that represents implicit answers to the questions using images) if it is not available, or adds the new user’s answer to the existing authentication space. Once the authentication space is created, the system is ready for authenticating a user.

First, a user may request access to the system by presenting his user name and the level of access required. This may be sent as plain text. Depending on the level of access required, the system might choose one or more questions registered by the user during the registration process. For each question, the server may choose a random scenario from the authentication space that represents the correct answer. The chosen scenario will have one or more “clickable” points that represent the answer to the question provided by the particular user. Similar to PassPoint, IPAS considers the image as a grid, and the answers represent a clickable area.

Similar to Kerberos, a session key S(Qi) is derived from the correct clickable area through a function f(I). The server will choose a random number p and then encrypt p with the session key S(Qi) and transmit <Image, S(Qi)[p], f(I)> to the mobile device. The client application then displays the image. Using the stylus or a mouse, the user needs to choose the correct “clickable area”. Then, based on the function f(I), the image I and the area the user clicked, the client will generate a key K. The function f(I) is chosen in such a way that S(Qi) = K if and only if the user and the server have exactly the same area of interest in the image. The user then decrypts S(Qi)[p] to get the random number. He then transmits p+1 to the server for authentication and to proceed to the next level. In this way, the user is authenticated implicitly and no confidential information is exchanged over the network.

When the server is executing the last question in the authentication process, instead of encrypting a pseudo-random number, it will pick a session key and encrypt it with the derived key. When the client decrypts it, he gets an implicit message from the server to use this session key for transmission. This procedure not only authenticates a user implicitly, it also exchanges a session key implicitly.

It is up to the application developer and the organization to decide what to do when a user gives an incorrect answer to one or more of the questions.

C. Strength of IPAS

As one can easily see, IPAS is immune to shoulder surfing and screen-dump attacks. Also, the authentication information is presented to the user in an implicit form that can be understood and decoded only by the legitimate end-user. Traditional password based authentication schemes and PassPoint are special cases of IPAS. The strength of IPAS depends greatly on how effectively the authentication information is embedded implicitly in an image; it should be easy to decrypt for a legitimate user and highly fuzzy for a non-legitimate user.

One of the weaknesses of implementing this scheme is that the system may simply ask the user an alphanumeric question given during the registration process and ask the user to input the answer through a graphical keyboard.

V. CONCLUSION AND FUTURE DIRECTIONS

In this paper, we have proposed a new Implicit Password Authentication System where the authentication information is implicitly presented to the user. If the user “clicks” the same grid-of-interest as the server, the user is implicitly authenticated. No password information is exchanged between the client and the server in IPAS. Since the authentication information is conveyed implicitly, IPAS can tolerate shoulder-surfing and screen dump attack, which none of the existing schemes can tolerate. The strength of IPAS lies in creating a good authentication space with a sufficiently large collection of images to avoid short repeating cycles. Compared to other methods reviewed in our paper, IPAS may require human interaction and careful selection of images and “click” regions. IPAS may also need user training. Once this is done, IPAS can be more robust. In our subsequent papers, we present various steps
involved in creating a robust authentication space for every question.

REFERENCES

[1] Sabzevar, A.P. & Stavrou, A. (2008). “Universal Multi-Factor Authentication Using Graphical Passwords”, IEEE International Conference on Signal Image Technology and Internet Based Systems (SITIS).
[2] Haichang, G., L. Xiyang, et al. (2009). “Design and Analysis of a Graphical Password Scheme”, Innovative Computing, Information and Control (ICICIC), 2009 Fourth International Conference on Graphical Passwords.
[3] Pierce, J. D., J. G. Wells, M. J. Warren & D. R. Mackay (2003). “A Conceptual Model for Graphical Authentication”, 1st Australian Information Security Management Conference, 24 Sept., Perth, Western Australia, paper 16.
[4] Xiaoyuan, S., Z. Ying, et al. (2005). “Graphical passwords: a survey”, Computer Security Applications Conference, 21st Annual.
[5] Wells, J., D. Hutchinson & J. Pierce. “Enhanced Security for Preventing Man-in-the-Middle Attacks in Authentication”, formation Security Management Conference, paper 58.
[6] Takada, T. and H. Koike (2003). “Awase-E: Image-Based Authentication for Mobile Phones Using User’s Favorite Images”, Human-Computer Interaction with Mobile Devices and Services, Springer Berlin / Heidelberg, 2795: 347-351.
[7] Dirik, A. E., N. Memon, et al. (2007). “Modeling user choice in the PassPoints graphical password scheme”, Proceedings of the 3rd Symposium on Usable Privacy and Security, Pittsburgh, Pennsylvania, ACM.
[8] Wei-Chi, K. and T. Maw-Jinn (2005). “A Remote User Authentication Scheme Using Strong Graphical Passwords”, Local Computer Networks, 2005, 30th Anniversary.
[9] Lashkari, A. H., F. Towhidi, et al. (2009). “A Complete Comparison on Pure and Cued Recall-Based Graphical User Authentication Algorithms”, Computer and Electrical Engineering, 2009, ICCEE 09, Second International Conference.
[10] Renaud, K. (2009). “On user involvement in production of images used in visual authentication”, J. Vis. Lang. Comput. 20(1): 1-15.
[11] Masrom, M., F. Towhidi, et al. (2009). “Pure and cued recall-based graphical user authentication”, Application of Information and Communication Technologies, 2009, AICT 2009, International Conference.
[12] Birget, J. C., H. Dawei, et al. (2006). “Graphical passwords based on robust discretization”, IEEE Transactions on Information Forensics and Security 1(3): 395-399.
[13] Wiedenbeck, S., J. Waters, J. C. Birget, A. Brodskiy & N. Memon (2005). “PassPoints: Design and longitudinal evaluation of a graphical password system”, International J. of Human-Computer Studies (Special Issue on HCI Research in Privacy and Security), 63: 102-127.
[14] Wiedenbeck, S., J. Waters, J. C. Birget, A. Brodskiy & N. Memon (2005). “Authentication using graphical passwords: Effects of tolerance and image choice”, Symposium on Usable Privacy and Security (SOUPS), 6-8 July 2005, Carnegie-Mellon Univ., Pittsburgh.
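The challenge/response of Section IV.B, written out as an added example (not the authors' code). The paper leaves f(I), the cipher and the grid geometry open, so this example assumes a CELL-pixel tolerance grid as in PassPoint, f(I) sent as a random per-challenge salt with HMAC-SHA256 over the image and clicked cell standing in for S(Qi) and K, and a SHA-256 keystream with an HMAC tag for "encrypt p with S(Qi)"; IpasServer, client_respond, run_round and the constructed SPACE table are all names of this example.

```python
# Added example of the IPAS exchange in Section IV.B; not the authors' code.
# The paper leaves f(I), the cipher and the grid open, so this assumes: a
# CELL-pixel tolerance grid as in PassPoint; f(I) sent as a per-challenge salt
# with HMAC-SHA256(salt, image_id || cell) standing in for S(Qi) and K; and
# "encrypt p with S(Qi)" as a SHA-256 keystream XOR plus an HMAC tag, so a
# click in the wrong cell is rejected instead of yielding garbage.
import hashlib
import hmac
import secrets
import struct

CELL = 6  # assumed tolerance cell size in pixels

def cell_of(x, y, cell=CELL):
    """Map a pixel click to its grid cell, so nearby clicks derive the same key."""
    return (x // cell, y // cell)

def derive_key(salt, image_id, cell):
    """f(I): the key depends on the public salt, the image and the clicked cell."""
    return hmac.new(salt, image_id.encode() + struct.pack(">ii", *cell),
                    hashlib.sha256).digest()

def _keystream(key, n):
    out = b""
    for ctr in range(0, n, 32):
        out += hashlib.sha256(key + struct.pack(">I", ctr)).digest()
    return out[:n]

def encrypt(key, data):
    """S(Qi)[data]: keystream XOR, then a 16-byte HMAC tag over the ciphertext."""
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()[:16]

def decrypt(key, blob):
    """Return the plaintext, or None when the key (i.e. the click area) is wrong."""
    ct, tag = blob[:-16], blob[-16:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest()[:16], tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))

class IpasServer:
    """Authentication space: user -> question -> {image_id: registered (x, y)}."""

    def __init__(self, space):
        self.space = space
        self.pending = {}  # user -> p of the one outstanding challenge

    def challenge(self, user, question):
        """Pick a random scenario for the question; send <Image, S(Qi)[p], f(I)>."""
        image_id, (x, y) = secrets.choice(sorted(self.space[user][question].items()))
        salt = secrets.token_bytes(16)
        p = secrets.randbits(63)
        key = derive_key(salt, image_id, cell_of(x, y))
        self.pending[user] = p
        return image_id, salt, encrypt(key, struct.pack(">Q", p))

    def verify(self, user, response):
        """Accept exactly one p+1 per challenge; the nonce is consumed either way."""
        p = self.pending.pop(user, None)
        return p is not None and response == p + 1

def client_respond(image_id, salt, blob, click_xy):
    """Client: derive K from the clicked cell, recover p, and answer with p+1."""
    key = derive_key(salt, image_id, cell_of(*click_xy))
    plain = decrypt(key, blob)
    return None if plain is None else struct.unpack(">Q", plain)[0] + 1

# Constructed sample space (not real data): two scenarios for one question,
# e.g. Sydney on a globe image and the Opera House on a monuments image.
SPACE = {"alice": {"city": {"globe_v1": (411, 261), "monuments_v1": (93, 141)}}}

def run_round(server, user, question, click_fn):
    """One round end to end; click_fn maps the shown image_id to the pixel clicked."""
    image_id, salt, blob = server.challenge(user, question)
    return server.verify(user, client_respond(image_id, salt, blob, click_fn(image_id)))
```

Because the server consumes the pending p on the first verify, a recorded p+1 replayed later is rejected, which is the property the paper's screen-recording argument relies on; the same encrypt/decrypt pair carries the session key of the final question.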