Enhancement of Shoulder-Surfing Resistant Graphical Password Scheme for Cloud using Caesar Cipher Technique

Enhancement of Shoulder-Surfing Resistant
Graphical Password Scheme for Cloud using
Caesar Cipher Technique
R.Vijayakumari 1
, K.Gangadhara Rao 2
, B.Basaveswara Rao 3
1
Department of Computer Science,
Krishna University, Machilipatnam, India
2,3
Department of Computer Science,
Acharya Nagarjuna University, Guntur, India
1
vijayakumari28@gmail.com, 2
kancherla123@gmail.com, 3
bbrao@alu.ac.in
Abstract- Password prevents unauthorized access to the data and also provides high security and confidentiality. Due to
various drawbacks in text based passwords, graphical password authentication was developed as an alternative.
Graphical passwords also provide more security when compared to text based. In graphical password authentication,
users click on images to set their passwords. Images are generally easier to be remembered than text. In graphical
password authentication users can set images as their password. Caesar Cipher Technique is an encryption
technique used for secure transmission of textual data. In this paper, this technique is applied for graphical
password in order to provide enhanced security to the user.
Keywords – Graphical Password, Authentication, Shoulder-Surfing, Usability, Security
I. INTRODUCTION
Providing system security for the user has become more important in present days. So password is provided for
authentication. There are different authentication mechanisms for providing security. Prominent among them is
alpha numeric passwords which provides high security are also known as text based passwords. A password in text
based system contains a string of letters and digits. Therefore, these text-based passwords are stronger enough. But,
the security of this password is directly proportional to the complexity of the password [1]. However, text based
passwords are easy to guess. They are even prone to dictionary attacks, brute force attacks, key logger, social
engineering etc. That is why an alternative approach for text-based passwords, called Graphical Password
Authentication has been developed, to provide more security to the user. In this system of authentication, user has to
select a set of images in a particular order as his/her password. The images that are to be selected can be of any type
like an image of a flower, animal, place, person, vegetable, etc. Users are good at remembering or recognizing
images better than the text [2]. But, shoulder-surfing is the significant problem in graphical password authentication.
Shoulder-surfing means looking over someone’s shoulder to steal the password. To deal with this problem both the
Recognition and Recall based techniques are used. In Recall based authentication technique, a user has to reproduce
the thing in the same way as they are created or selected at the time of registration. In Recognition based technique,
a set of images are presented to the user at the time of authentication, from which he/she has to select correct images
in a sequential order. Caesar Cipher technique is the earliest known and the simplest substitution cipher [3]. It was
International Journal of Computer Science and Information Security (IJCSIS),
Vol. 15, No. 9, September 2017
222 https://sites.google.com/site/ijcsis/
ISSN 1947-5500

first used for blocks of text. This technique involves replacing each letter of the alphabet with the letter standing ‘k’
places further down the alphabet. Here, ‘k’ is called the key and takes on a value from 1 to 25.
II. RELATED WORKS
Graphical passwords have been proposed as a possible alternative to text-based password. Blonder [4] first
introduced the concept of graphical password. Later, Dhamija et al proposed Deja Vu [5] which is, in effect, a
recognition-based graphical password scheme. At present there are many approaches available for graphical
password based authentication system, although, Xiaoyuan Suo et al [6] mentioned that this scheme is still under
research and require more experiments to finally deploy in the market. Sobrado and Birget [7] proposed a graphical
password technique which acts as a shoulder surfing resistant, in which system displays a specific number pf pass
objects (pre-selected by the users) from many objects that are given. In Man et al. [6] algorithms a number of images
are selected by user as pass-objects. Each pass-object with a unique code has several variants. During authentication
process several scenes are presented before user. Jansen et al [8] proposed a mechanism based on graphical
password for mobile devices. Takada and Koike [9] discussed a similar technique for mobile devices. Real User
Corporation developed a Pass-face algorithm [10] where user is asked to select four images from database as their
password. Ali Mohamed et al [11] proposed Recognition Based Graphical Password interface. Here, author has
presented “Graphical Password Prototype Design”. Its features were about ease of use, memorize, creation, learning
and satisfaction. To create the password the user should choose three images and sort them as he want in some order
and save them. While login, user selects only these images for authentication. K. Gangadhara Rao et al [12]
proposed a click based graphical password authentication system. There are two phases – registration and login. The
user has to register by giving his username and password and the selected password is shifted circularly to the right
by one character and stored in the database. Login procedure happens in four sages and in each stage the entered
input is compared with the rotated, stored, password string by shifting one character to the left by ‘n’ number of
times. Here ‘n’ represents the number of iteration. If all the four stages are successfully passed by the user, then he is
allowed to access the system. Vijayakumari Rodda et al [13] proposed a Shoulder-surfing Resistant Graphical
Password Scheme in which the user uses a variable grid for selecting password images during login. But this scheme
was only 70% secure when the user uses the key board for login procedure. Amish shah et al [14] proposed
shoulder-surfing resistant graphical password system to minimize the search time to find the pass-images on a login
screen. This scheme uses texts in images instead of objects such that quicker recognition can take place. Each and
every image has two characters in it. The user can select an alpha numeric pass phrase at the time of registration.
During login, the user will have to move the frames with appropriate characters and arrange them as per the
alignment chosen during registration. Abutalha et al [15] proposed an alignment based graphical password scheme.
It has two phases: select, training phase and identification phase. In first phase, user has to register username and
password pictures. He is also trained to remember images in this phase. In the second phase, user has to identify and
align the pass pictures displayed in circles. The number of circles displayed is equal to number of password pictures
selected. Each and every circle consists of only one pass picture during login. So, he has to align them and submit
them to get access to the system. Mrs.Gokhale et al [16] introduced a graphical password technique which has two
ISSN 1947-5500

phases called registration and login. During registration, the user has to select some even number of images to set as
a password. Later any other picture can be selected by the user to select any three questions. The answers to the
questions must be any three regions on the later selected image. User has to click on region of answers and save
them for login purpose along with his other details. During login, the user has to select the appropriate images and
also answer the questions correctly. Amol Bhand et al [17] proposed a click based recognizable graphical password
authentication system. In this system, at the time of registration user gets one system generated text password on his
e-mail on the basis of RGB values of the selected click points of the image. While logging in user has to enter this
text password.
III. EXISTING SYSTEM
As shown in Figure 1 and Figure 2, the existing system [13] has variable grid for displaying pictures in login
interface. The size of the grid is given during login. From the displayed pictures, the user has to select his/her
password pictures correctly to login to the system.
Figure 1. Login interface to enter grid size [13]
Figure 2. Login interface to select images [13]
A. Limitations in the Existing System
The existing system was shoulder-surfing resistant password system used for accessing cloud resources. But, its has
certain limitations.
1. The system is secure only upto 70% when we use mouse to login
ISSN 1947-5500

2. A chance of cracking a password if the attacker watches the login procedure closely.
B. Modification Suggested for the Existing System
Use Caesar Cipher Technique for giving password input. The encryption and decryption algorithms of Caesar
Cipher are:
C = E(k, P) = (P + k)
P = D(k,C) = (C - k)
Where P is original password, C is encrypted password, and k is key for encryption
Using this technique, the original passwords are hidden and mapped passwords are given each and every time of
login. Therefore, though the attacker observes the login procedure closely, he cannot get the original password.
IV. PROPOSED SYSTEM
The proposed scheme has 1200 pictures in the database for acquiring greater password space as it is in the existing
system. The purpose of the proposed scheme is to enhance the existing shoulder-surfing resistant system in both
security and usability. This scheme contains two phases – Registration Phase and Login Phase. During registration
the user details are registered. The details include user name, e-mail ID, mobile number, and number of pictures for
password. The registration interface is shown in Figure 3.
Figure 3. Registration interface for proposed scheme
During Login, the user enters the encrypted password for authentication. The code for encryption is sent to user’s
mail-id as well as Mobile number. First, the user has to enter his/her user name first and then he/she has to generate
a pass-code for encryption. When the user generates the pass-code, the proposed scheme sends the pass-code to user
email-id as well as his/her mobile number automatically. Basing on the pass-code, the user has to select the images
as his/her password. The login interface is shown in Figure 4.
ISSN 1947-5500

Figure 4. Login interface for proposed scheme
The pass-code for encryption contains an alphabet followed by a number.
Alphabet – L/R/T/B (L – left, R – left, T – top, B – bottom)
Number – 1/2/3/4 (number of positions to slide)
‘Number’ represents the number of positions a user has to move from original pass picture, to select the mapped
pass picture. ‘Alphabet’ represents the direction to move. We assume that the grid is foldable (or rollable) for
applying Caesar Cipher Technique, so that the side edges, touch each other whenever necessary. i.e., first column
will touch last column if you roll (or fold). Similarly, first row will touch last row if you fold. For example in Figure
4, if the pass picture is Pomegranate and the pass-code is R2, then the user has to select Zebra as his password
picture by sliding two positions to the right. If the pass picture is Papaya and the pass-code is T1, then the user has to
select Beans as his picture by moving one position up. If the pass picture is Watermelon and the pass-code is L4,
then the user has to select Cauliflower as his pass picture by moving four positions to the left. Same way if the pass
picture is Elephant and the pass-code is B3, then the user has to select the ‘Picture of Lady with Red Dress’ as his
pass picture by moving 3 positions to the bottom. Limits are set for the two parameters – number of password
pictures and the length of the grid.
Table 1. Limits for No. of Pictures in the Password and Length of Grid
S.No. Password/Grid Upper Limit Lower Limit
1 Number of Pictures in
the Password
07 03
2 Length of the Grid 12 05
V. IMPLEMENTATION
The proposed scheme was implemented using Java. MySQL database was used for storing pictures. ‘Eclipse’ is the
development tool used for application development.
ISSN 1947-5500

Technology Used: Java
Database: MySQL
Development Tool: Eclipse/Net Beans
Figure 5. Implementation of Proposed Scheme
VI. RESULTS AND DISCUSSION
Let ‘N’ be the set of all possible passwords and ‘m’ be the number of pictures in the selected password of a user.
Then, the password space is given by
N = 1200Cm
Let ‘K’ be the set of all possible keys. Then,
K = {L1, L2, L3, L4, R1, R2, R3, R4, T1, T2, T3, T4, B1, B2, B3, and B4}
The password is given in the encrypted format during login and it is decrypted by the proposed system to verify
the authenticity of the user. i.e., E (k, P) = D (k, C). If at all an attacker tries to attack, he has to try with 12 different
keys. And the keys are sent to user instantly at each and every login. So, it is impossible for the attacker to have
knowledge of key at that particular instance. After 3 failed attempts of login, user is alarmed, according to the
proposed system. So, it is impossible for the attacker to crack the password in the proposed system.
A user study was conducted involving 25 post graduate students to study usability, security, and login times for
the proposed scheme, after a learning session on the proposed scheme. The average login time for the proposed
scheme consisting of grid length 5, 6, and 7 was 21.6, 25.6, and 33.6 respectively. The average login times increase
as the number of pictures in the password increases in the proposed scheme. It was also found that 23% of the
participants in the study found the selection of pass pictures are a bit time taking when they chose the lengthy
password length. Shoulder-surfing attack and dictionary attacks are restricted as the user is not directly selecting the
ISSN 1947-5500

original pass pictures and the password pictures are mapped with other input pictures in the interface. In case of
repeated attempts the security grid of the proposed scheme will be ceased and an SMS and e-mail will be sent to
user mobile and mail-id respectively. Hence, the security of the proposed scheme is larger than the existing shoulder
surfing resistant password scheme.
VII.CONCLUSION AND FUTURE WORK
An Enhanced Graphical Password Scheme using Caesar Cipher Technique is proposed to eliminate the shoulder-
surfing attack and brute-force attack. Shoulder-surfing attack is restricted as the user inputs other images as
password in place of the original pass pictures. When the number of login failures exceeds a certain threshold say 3
or 4, the interface sends the message to user via SMS and e-mail. The grid displays the password pictures randomly
at each and every time of login. This restricts the random click attack in the proposed scheme. The proposed scheme
may be extended to ATM machines where the users be authenticated to log into their accounts.
REFERENCES
[1] Authentication Using Graphical Passwords: Basic Results. Susan Wiedenbeck, Jim Waters. College of IST Drexel University Philadelphia,
PA, 19104 USA. Susan.wiedenbeck@cis.drexel.edu jw65@drexel.edu
[2] R.N.Shepard, “Recognition memory for words, sentences, and pictures”, Journal of Verbal Learning and Verbal Behavior, Vol. 6, pp. 156-
163, 1967.
[3] Stallings W. Cryptography and network security: principles and practices. Pearson Education India; 2006.
[4] Blonder, Greg E. "Graphical password." U.S. Patent No. 5,559,961. 24 Sep. 1996.
[5] Dhamija R, Perrig A. Deja Vu-A User Study: Using Images for Authentication. InUSENIX Security Symposium 2000 Aug 14 (Vol. 9, pp.
4-4).
[6] Suo X, Zhu Y, Owen GS. Graphical passwords: A survey. InComputer security applications conference, 21st annual 2005 Dec 5 (pp. 10-
pp). IEEE.
[7] Wiedenbeck S, Waters J, Sobrado L, Birget JC. Design and evaluation of a shoulder-surfing resistant graphical password scheme.
InProceedings of the working conference on Advanced visual interfaces 2006 May 23 (pp. 177-184). ACM.
[8] Jansen W. Authenticating mobile device users through image selection. WIT Transactions on Information and Communication
Technologies. 2004 Apr 7;30.
[9] Takada T, Onuki T, Koike H. Awase-e: Recognition-based image authentication scheme using users' personal photographs. InInnovations
in Information Technology, 2006 2006 Nov (pp. 1-5). IEEE.
[10] RealUser, "www.realuser.com," last accessed in June 2005.
[11] Eljetlawi AM. Graphical password: Usable graphical password prototype. J. Int'l Com. L. & Tech.. 2009;4:298.
[12] Rao KG, Vijayakumari R, Rao BB. 4-STAGE GRAPHICAL PASSWORD AUTHENTICATION SCHEME FOR CLOUD. Journal of
Theoretical and Applied Information Technology. 2017;95(1):105.
[13] Vijayakumari Rodda, Gangadhar Rao Kancherla, Basaveswara Rao Bobba. Shoulder-Surfing Resistant Graphical Password System for
Cloud. International Journal of Applied Engineering Research. 2017. Vol 12(16). Pp. 6091-6096.
[14] Shah, A., Ved, P., Deora, A., Jaiswal, A. and D'silva, M., 2015. Shoulder-surfing Resistant Graphical Password System. Procedia Computer
Science, 45, pp.477-484.
[15] Danish, A., Sharma, L., Varshney, H. and Khan, A.M., 2016, March. Alignment based graphical password authentication system.
In Computing for Sustainable Global Development (INDIACom), 2016 3rd International Conference on (pp. 2950-2954). IEEE.
[16] Gokhale, M.A.S. and Waghmare, V.S., 2016. The shoulder surfing resistant graphical password authentication technique. Procedia
Computer Science, 79, pp.490-498.
[17] Bhand, A., Desale, V., Shirke, S. and Shirke, S.P., 2015, December. Enhancement of password authentication system using graphical
images. In Information Processing (ICIP), 2015 International Conference on (pp. 217-219). IEEE.
ISSN 1947-5500

Enhancement of Shoulder-Surfing Resistant Graphical Password Scheme for Cloud using Caesar Cipher Technique

Recommended

Recommended

More Related Content

What's hot

What's hot (18)

Similar to Enhancement of Shoulder-Surfing Resistant Graphical Password Scheme for Cloud using Caesar Cipher Technique

Similar to Enhancement of Shoulder-Surfing Resistant Graphical Password Scheme for Cloud using Caesar Cipher Technique (20)

Recently uploaded

Recently uploaded (20)

Enhancement of Shoulder-Surfing Resistant Graphical Password Scheme for Cloud using Caesar Cipher Technique