Captcha as graphical password

CAPTCHA AS GRAPHICAL PASSWORDS
A NEW SECURITY PRIMITIVE BASED ON
HARD AI PROBLEMS
By
Gopinath.R
(1BY14SCS08)
M.Tech (CSE),BMSIT
Under the Guidance of:
Mr. Ravi Kumar B.N
Asst. Professor , Dept of CSE, BMSIT

AGENDA
 Introduction
 Background
 Captcha as Graphical Password
 Recognition Based CaRP
 Security Analysis
 Applications
 Conclusion 2

INTRODUCTION
 Using hard Artificial Intelligence problems for Security is an exciting
new paradigm.
 Under this paradigm, the most notable primitive is Captcha, which
distinguishes human users from computers by presenting a
challenge, i.e., a puzzle .
 Captcha is now a standard Internet security technique to protect
online email and other services from being abused by bots.
 A new security primitive based on hard AI problems, namely, a novel
family of graphical password systems integrating Captcha
technology, called as CaRP.
 CaRP is click-based graphical passwords, where a sequence of
clicks on an image is used to derive a password.
3

BACKGROUND
 Graphical Passwords
Recall Based Techniques
A user is asked to reproduce something that he created or
selected earlier during the registration stage
Recognition Based Techniques
A user is presented with a set of images and the user passes the
authentication by recognizing and identifying the images he
selected during the registration stage.
Cued-recall Technique
An extra cue is provided to users to remember and target specific
locations within a presented image.
4

 Captcha
Completely Automated Public Turing test to tell Computers &
Humans Apart.
It is a program that is a challenge response to test to separate humans
from computer programs.
TYPES:
Text Captcha
The Text Captcha relies on character recognition
Image-Recognition Captcha (IRC)
The IRC relies on recognition of non-character objects.
5

TEXT BASED
simple, normal questions :-
 what is the sum of three & thirty-five ?
 If today is Saturday, what is day after tomorrow?
 Which of mango, table & water is a fruit?
 Very effective, needs a large question bank.
 Cognitively challenged ,users find it hard.
6

IMAGE-RECOGNITION CAPTCHA
1.BONGO
 User has to solve a pattern recognition problem.
 Has to tell the distinct characteristic between two sets of figures.
 Then tell to which set a given figure belongs to.
7

2.PIX
 Uses a large database of labelled images.
 It shows a set of images, user has to recognize the common feature
among those.
 Eg :- pick the common characteristic among the following 4 pictures =
“aeroplane”.
8

 Captcha in Authentication
 It was introduced to use both Captcha and password in
authentication protocol, called as Captcha-based Password
Authentication (CbPA) protocol.
 The CbPA-protocol requires solving a Captcha challenge after
inputting a valid pair of user ID and password.
9

CAPTCHA AS GRAPHICAL
PASSWORDS- CARP
A New Way to Thwart Guessing Attacks
 In a guessing attack, a password guess tested in an unsuccessful trial
is determined wrong and excluded from subsequent trials.
 To counter guessing attacks, traditional approaches in designing
graphical passwords aim at increasing the effective password space.
 Here we distinguish two types of guessing attacks:
Automatic guessing attacks apply a automatic trial and error process.
Human guessing attacks apply a manual trial and error process.
10

CaRP: An Overview
 In CaRP, a new image is generated for every login attempt.
 CaRP uses an alphabet of visual objects
(e.g., alphanumerical characters, similar animals) to generate a CaRP
image
 CaRP schemes are clicked-based graphical passwords.
 CaRP schemes can be classified into two categories:
Recognition
which requires recognizing an image and using the recognized objects
as cues to enter a password.
Recognition-recall
combines the tasks of both recognition and cued-recall 11

USER AUTHENTICATION WITH
CARP SCHEMES
A typical way to apply CaRP schemes in user authentication is as
follows.
12
Flowchart of basic CaRP authentication.

 The authentication server AS stores a salt s and a hash value H(ρ,s)
for each user ID .
 Upon receiving a login request, AS generates a CaRP image.
 The coordinates of the clicked points are recorded and sent to AS
along with the user ID.
 AS maps the received coordinates onto the CaRP image, and
recovers a sequence of visual object IDs .
 Then AS retrieves salt s of the account, calculates the hash value of
ρ with the salt.
 Authentication succeeds only if the two hash values match.
13

RECOGNITION BASED CARP
1.Click Text
 Click Text is a recognition-based CaRP scheme built on top of text
Captcha.
 A Click Text password is a sequence of characters in the alphabet,
e.g.ρ =“AB#9CD87”, which is similar to a text password.
14
Click-Text image with 33 characters

2.Click Animal
 Click Animal is a recognition-based CaRP scheme built on top of
Captcha Zoo ,with an alphabet of similar animals such as dog,
horse, cat, etc.
 Its password is a sequence of animal names such as
ρ = “Turkey, Cat, Horse, Dog,….”
15
Captcha Zoo with horses circled red. A Click Animal image

3.Animal Grid
 Animal Grid is a combination of Click Animal and CAS.
 Click-A-Secret (CAS) wherein a user clicks the grid cells in his password.
password.
 To enter a password, a Click Animal image is displayed first.
 After an animal is selected, an image of n × n grid appears, with the grid-
grid-cell size equaling the bounding rectangle of the selected animal.
16
A ClickAnimal image 6 × 6 grid

SECURITY ANALYSIS
 Security of Underlying Captcha
As a framework of graphical passwords, CaRP does not
rely on any specific Captcha scheme.
If one Captcha scheme gets broken, a new robust
Captcha scheme can be used to construct a new CaRP
scheme
17

 Automatic online guessing attcks
In automatic online guessing attacks, the trial and error
process is executed automatically whereas dictionaries can
beconstructed manually
18

APPLICATIONS
 CaRP can be applied on touch-screen devices .
 Many e-banking systems uses Captchas in user logins that
requires solving a Captcha challenge for every online login
attempt.
 CaRP increases spammer’s operating cost and thus helps
reduce spam emails.
 If CaRP is combined with a policy to throttle the number of
emails sent to new recipients per login session, leads to
reduced outbound spam traffic.
19

CONCLUSION
 CaRP is both a Captcha and a graphical password scheme.
 A desired security property that other graphical password schemes
lack.
 CaRP is also resistant to Captcha relay attacks, and, if combined with
dual-view technologies shoulder-surfing attacks.
 CaRP can also help to reduce spam emails sent from a Web email
service
 More efforts will be attracted by CaRP than ordinary Captcha.
 CaRP does not rely on any specific Captcha scheme. 20

REFERENCES
[1] Bin B. Zhu, Jeff Yan, Guanbo Bao, Maowei Yang, and Ning Xu “Captcha as
Graphical Passwords—A New Security Primitive Based on Hard AI Problems”
VOL. 9, NO. 6, JUNE 2014
[2] R. Biddle, S. Chiasson, and P. C. van Oorschot, “Graphical passwords:
Learning from the first twelve years,” ACM Compute Surveys, vol. 44, no. 4,
2012.
[3] I. Jermyn, A. Mayer, F. Monrose, M. Reiter, and A. Rubin, “The design and
analysis of graphical passwords,” in Proc. 8th USENIX Security Symp., 1999,
pp. 1–15.
[4] H. Tao and C. Adams, “Pass-Go: A proposal to improve the usability of
graphical passwords,” Int. J. Netw. Security , vol. 7, no. 2, pp. 273– 292, 2008.
[5] S. Wiedenbeck, J. Waters, J. C. Birget, A. Brodskiy, and N. Memon,
“PassPoints: Design and longitudinal evaluation of a graphical password
system,” Int. J. HCI, vol. 63, pp. 102–127, Jul. 2005.
21

Captcha as graphical password

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Captcha as graphical password

Similar to Captcha as graphical password (20)

Recently uploaded

Recently uploaded (20)

Captcha as graphical password