International Journal of Engineering Trends and Technology (IJETT) – Volume 9 Number 1 - Mar 2014
PCCP with Scrambling: A knowledge Based
Authentication Technique with Image Scrambling
Binitha . V .M.
Computer Science and Information Systems. Department Of Computer Science, Federal Institute Of Science And Technology,
Mahatma Gandhi University, Kerala, India
ABSTRACT : Adequate
user authentication is a
persistent problem, particularly with hand- held devices
such as Personal Digital Assistants (PDAs), which tend
to be highly personal and at the fringes of an
organization's influence. Yet, these devices are being
used increasingly in corporate settings where they pose
a security risk, not only by containing sensitive
information, but also by providing the means to access
such information over wireless network interfaces. User
authentication is the first line of defence for a lost or
stolen PDA. However, motivating users to enable simple
PIN or password mechanisms and periodically update
their authentication information is a constant struggle.
This paper describes a general-purpose mechanism for
authenticating a user to a PDA using a visual login
technique called Picture Password. The underlying
rationale is that image recall is an easy and natural way
for users to authenticate, removing a serious barrier to
I.
compliance with organizational policy. Features of
Picture Password include style dependent image
selection, password reuse, and embedded salting, which
overcome a number of problems with knowledge-based
authentication for handheld devices. Though designed
specifically for handheld devices, Picture Password is
also suitable for notebooks, workstations and other
computational devices. Scrambling technique is applied
to make image recognition more complex during the
login process and thus protecting from the common
attacks in the graphical password system.
Keywords - Graphical Passwords, Security, Image
Scrambling, KBRP, Two Factor Authentication, hashing
technique.
INTRODUCTION
Computer security depends largely on passwords to
authenticate human users. One of the key areas in
security[1] research and practice is authentication, the
determination of whether a user should be allowed access to
a given system or resource. Traditionally, alphanumeric
passwords have been used for authentication. How-ever,
users have difficulty remembering passwords over time if
they choose a secure password, i.e. a password that is long
and random. Therefore, they tend to choose short and
insecure passwords. The continued domination of
passwords over all other methods of end-user authentication
is a major embarrassment to security re- searchers. A
password authentication system should encourage strong
passwords while maintaining memorability. To validate the
end user for authentication, the system usually prefer to
adopt the knowledge-based authentication, which involves
text based passwords. The text based passwords are
vulnerable to be hacked. The attackers can easily guess the
text passwords with other details of the system. If we want
to avoid this, the system can assign a strong password,
which the attacker cannot guess. But the system assigned
passwords are very difficult to memorize and remembered
by the user. The study on the graphical passwords states
that the click point passwords are hard to guess by the
attacker and easy to remember for the users. So the
password authentication system should encourage the
strong password selection while maintaining the
ISSN: 2231-5381
memorability of the user. Two-factor authentication is a
security process in which the user provides two means of
identification, one of which is typically a physical token,
such as a card, and the other of which is typically
something memorized, such as a security code. In this
context, the two factors involved are sometimes spoken of
as something you have and something you know. A
common example of two-factor authentication is a bank
card: the card itself is the physical item and the personal
identification number (PIN) is the data that goes with it.
This paper proposes the idea of persuasive cued click point
authentication[2,3] with the technique of scrambling which
is authenticated by a device. This scheme will make the
user to set a number of clicks from a picture and size of
passwords needed. The user can also change his passwords
during a week or everyday with altered images. This
scheme fully depended on the memorability of the user
about his selected images. Once he could not remember
which portion of the image he selected for the click, the
user will not authenticate even though he is a genuine user.
II.
BACKGROUND
Graphical password systems are a type of knowledge-based
authentication that attempts to leverage the human memory
for visual information. The Persuasive cued based graphical
password authentication ,provides a way for creating a
http://www.ijettjournal.org
Page 36
International Journal of Engineering Trends and Technology (IJETT) – Volume 9 Number 1 - Mar 2014
password more securely by using images and it provides a
triple authentication by the use of an external interface
(Two Factor Authentication), where the only authenticated
user can get into the system and login by the graphical
password and create another user to use the system. The
new scheme which makes use of a scrambling based
approach which works by a key based random permutation,
that actually overcomes the all drawbacks faced by the
previous passpoints and other graphical password
techniques.
Unique characteristics of a Graphical Passwords include:
1. Usability benefits
_ Memory wise -Effortless
_ Scalable-for-Users
_ Nothing-to-Carry
_ Physically-Effortless
_ Easy-to-Learn
_ Efficient-to-Use
_ Infrequent-Errors
2. Deployability benefits
_ Accessible
_ Negligible-Cost-per-User
_ Server-Compatible
_ Browser-Compatible
_ Non-Proprietary
3. Security benefits
_ Resilient-to-Physical-Observation:
_ Resilient-to-Targeted-Impersonation
_ Resilient-to-Throttled-Guessing
_ Resilient-to-Internal-Observation
2.1 Challenges In Graphical Passwords
Different kinds of attacks like hotspots and patterns
reduce the security of click- based graphical passwords[3],
as attackers can use skewed password distributions to
predict and prioritize higher probability passwords for more
successful guessing attacks. As per research, it shows
different people are attracted to the same predictable areas
on an image. This suggests that if users select their own
click-based graphical passwords without guidance, hotspots
will remain an issue.
1.HotSpot Attack
This attack indicate the attacker knows that which areas of
the image where users are more likely to select. Trying that
same areas sometimes may lead to an intruder to enter in to
the system. The areas may be depend upon the user’s
personal choices and priorities. The attacker can easily
select the click points, if he knows the users favourite areas
in the image the click-points can easily available are areas
of the image that have higher likelihood of being selected
by users as password click- points. Attackers who gain
knowledge of these hotspots through harvesting sample
passwords can build attack dictionaries and more
successfully guess PassPoints passwords.
ISSN: 2231-5381
2. Shoulder Surfing Attack
An attacker can capture a password by direct observation or
by recording the individuals authentication session while
inserting passwords in public. This is referred to as
shoulder-surfing. The only defence against shoulder-surfing
has been vigilance on the part of the user. So it aims to
motivate the user with a fun, game-like visual environment
designed to develop positive user affect and counterbalance
the drawback of the longer time to input the password.
3. Pattern Formation Attacks
It is easy for attackers to guess the password because user
forms certain patterns in order to remember the secret code
which results pattern formation attacks are easily possible.
Users also tend to select their click-points in predictable
patterns(e.g. straight lines), which can also be exploited by
attackers even without knowledge of the background
image; indeed, purely automated attacks against PassPoints
based on image processing techniques and spatial patterns
are a threat in this system.
III PERSUASIVE TECHNOLOGY
Persuasive Technology [2] used to motivate and
influence people to behave in a desired manner. An
authentication system which applies Persuasive Technology
should guide and encourage users to select stronger
passwords, not the system- generated passwords[4]. Even
though the users are guided, the resulting passwords must
be memorable. This persuasion makes the password
stronger by avoiding the hot spots in almost all the cases.
The click points are more randomly scattered to avoid the
correct guess by the attackers. The users must not ignore
the persuasive elements and the resulting passwords must
be memorable. As detailed below, PCCP accomplishes this
by making the task of selecting a weak password more
tedious and time consuming. The path of least resistance[5]
for users is to select a stronger password (not comprised
entirely of known hotspots or following a predictable
pattern). The formation of hotspots across users is
minimized since click-points are more randomly
distributed.
3.1 Persuasive Cued Click Points (PCCP)
Using a skewed password distribution the attackers
can guess the password in the previous graphical password
schemes. Without the system guidance most of the users
clicks on the hotspot in each image. In this method the
system influence the user to select more random clicks, and
also maintains the user memorability. In this scheme when
the image is displayed the randomly selected block called
the view port only clearly seen out. All the other parts of
the image are shaded, so that the user can click only inside
the view port. This is how the PCCP [6] influence the user
to select the position of the click point. The view ports are
selected by the system randomly for each image to create a
graphical password. It will be very hard for the attackers to
guess the click point in all the images. The users are
allowed to click anywhere in the view port. There is an
http://www.ijettjournal.org
Page 37
International Journal of Engineering Trends and Technology (IJETT) – Volume 9 Number 1 - Mar 2014
option for changing the viewport position also. This option
is called the Shuffle. There is a limit on the number of times
the shuffle option to be used. While users may shuffle as
often as desired, this significantly slows password creation.
The viewport[7] and shuffle button appear only during
password creation.
of the PCCP approach proved that remembrance of
the graphical password is much better than the textbased passwords.
IV IMPLEMENTATION
In this chapter the detailed description of
how these graphical passwords are created and
recalled from a scrambled , unrecognised image.To
access the PCCP system, the user need to be an
authenticated one and that authentication is done
with two factor authentication technique.
4.1 Scrambling
With the current development of ubiquitous
wireless network technology and digital
multimedia devices, wireless image/video data
transmission is becoming more prevalent. As a
result, information security becomes a key problem
for consumers, companies and governments.
Security of image and video data is very important
in many areas, such as video-on-demand,
confidential remote video conferencing, security
communication, and also in military applications.
Image scrambling technologies are very useful
tools to ensure image security by transforming the
image into an unintelligible image. Scrambling
makes the image unrecognizable to pre- vent
eavesdroppers [8] from decoding the true form or
meaning of the image using the human visual
system or a computer system. Image scrambling is
a useful approach to secure the image data by
scrambling the image into an unintelligible format.
This paper introduces a key based random
permutation scheme, in which while in the time of
entering to the system the image can used as a cue
and from the coordinate position from the click
ISSN: 2231-5381
Figure 1. User interface of PCCP
During later password entry, the images are displayed
normally, without shad- ing or the viewport, and users may
click anywhere on the images. Like PassPoints and CCP,
login click-points must be within the defined tolerance
squares of the original points. The theoretical password
space for a password system is the total number of unique
passwords that could be generated according to the system
specifications. Ideally, a larger theoretical password space
lowers the likelihood that any particular guess is correct for
a given password. Whereas text passwords have very
skewed distributions resulting in an effective password
space much smaller than the theoretical space, PCCP is
specifically designed to significantly reduce such skews.
The
recall
studies
points will decide which image has to be come to
next and to select next cue. Each image will be
different and it fully depends upon the permutation.
This scrambling will works by a key that the user
passed to the system and the key length defines the
sequence of scrambled image parts to appear for
recalling cues in login time for a valid user.
4.2 Key Based Random Permutation
Introduces a method for generating a particular
permutation [9]P of a given size N out of N!
permutations from a given key. This method
computes a unique permutation for a specific size
since it takes the same key; therefore, the same
permutation can be computed each time the same
key and size are applied. The name of random
permutation comes from the fact that the
probability of getting this permutation is 1 out of
N! possible permutations.
Besides that, the
permutation cannot be guessed because of its
generating method that is depending completely on
a given key and size. permutation is generated from
certain key (alphanumeric string) by considering all
the elements of this given key in the generation
process. The permutation is stored in onedimensional array of size equal to the permutation
size (N). The process involves three consecutive
steps: init(), eliminate(), and fill().
Step1: First step, init(), is to initialize array of size
n with elements from the given key, by taking the
ASCII code of each element in the key and storing
them in the array consecutively. To complete all
elements of the array, we add elements to the array
by adding two consecutive values of the array until
all the elements of the array are set to values.
Finally, all values are set to the range 1 to N by
applying
the
mode
operation
http://www.ijettjournal.org
Page 38
International Journal of Engineering Trends and Technology (IJETT) – Volume 9 Number 1 - Mar 2014
Algorithm of Function fill()
.
Algorithm of Function init()
Step2: eliminate()
This function is used to get rid of repeated values
by replacing them with value of zero and keep only
one value out of these repeated values. Last step,
fill(), is to replace all zero values with nonzero
values in the range 1 to N which are not exist in the
array. The resulted array now represents the permutation. In this step, array P contains N values.
Repetition for some values maybe exists; therefore,
the repeated values are examined and replaced with
zero. Only one value out of the repeated values is
kept in P. now P has only distinct values in the
range 1 to N and some zero values are appeared in
P. Missing values in the range 1 to N that are not
exist in P will be substituted by the zero elements.
This process is shown in the following algorithm.
Algorithm of Function eliminate()
Step3:The final step, fill(), is to replace
any zero value in P by a value in the range
1 to N which is not exist in P. All zero
values will be replaced through a sequence
of one value from the left side of P and one
value from the right side of P and
repeating this sequence until all zero
values are gone. The resulted array now
contains all distinct values in the range 1 to
N which represents the permutation stored
in P. This process is shown in the
following algorithm.
ISSN: 2231-5381
The KBRP algorithm is used to map the
coordinates in the scrambled images to the
ordinates of the images which are selected as the
click points without scrambling in the stored
database. This mapping is done by the
corresponding quadrant number which is the
number of quadrant in which the user selects the
portion of the image as click points. This number is
passed as the argument that is key length of the
KBRP algorithm and depending upon this key
length the KBRP brings the scrambled images.
After the scrambling these coordinates are mapped
with the quadrant number and corresponding series
number of the scramble is mapped and is checking
with the database coordinates. If there is a match
then it is accepted by the system .The system is
allowed with 10%tolerence the pixel positions.
4.3 Authentication
Authentication module it is implemented using a
connecting device normally a ash drive is used to
authenticate the valid user. The device should be
configured and depending upon the serial unique
identification number of the device a valid user can
authenticate , and an authenticated user and get allowed to enter into the system. These portable
tokens plug into a computers USB port either
directly or using a USB extension cable. When
users attempt to login to applications via desktop,
VPN/WLAN or Web portal, they will be prompted
to enter their unique PIN number. If the entered
PIN number matches the PIN within the
AuthShield USB Token, the appropriate digital
credentials are passed to the network and access is
granted. This technique is widely used to ensure
security for passwords and an effective tool to
avoid dictionary attacks in password system
currently running. Two-factor authentication is
commonly found in electronic computer
authentication, where basic
authentication is the process of a requesting entity
presenting some evidence of its identity to a second
entity. Two-factor authentication seeks to decrease
the probability that the requester is presenting false
evidence of its identity. The number of factors is
important, as it implies a higher probability that the
bearer of the identity evidence indeed holds that
identity in another realm (e.g., computer system v/s
http://www.ijettjournal.org
Page 39
International Journal of Engineering Trends and Technology (IJETT) – Volume 9 Number 1 - Mar 2014
real life). In reality, there are more variables to
consider when establishing the relative assurance of
truthfulness in an identity assertion than simply
how many "factors" are used. Paragraph Twofactor authentication is often confused with other
forms of authentication. Two-factor authentication
requires the use of two of the three authentication
factors. The factors are identified in the standards
and regulations for access and these factors are
something only the user knows (e.g., password,
PIN, pattern); something only the user has (e.g.,
ATM card, smart card, mobile phone); and
something only the user is (e.g., biometric
characteristic such as a fingerprint).
According to proponents, two-factor
authentication could drastically reduce the
incidence of online identity theft, phishing
expeditions, and other online fraud, because the
victim's password would no longer be enough to
give a thief access to their information. Opponents
argue (among other things) that, should a thief have
access to your computer, he can boot up in safe
mode, bypass the physical authentication processes,
scan your system for all passwords and enter the
data manually, thus at least in this situation making
two-factor authentication no more secure than the
use of a password alone. Two-factor authentication
offers identity theft protection by making it
difficult for attackers to steal users online identities.
However when protecting a system
with graphical passwords , the system should be
able to resist all kinds of attacks previously
incurred by the existing graphical password
Scheme. Securing the passwords from the attackers
is a most critical task, even if we are implementing
the graphical based passwords. Whenever an
attacker get access to the system he should not get
access to the database contents, which stores the
password data. Even if the passwords are accessed
,the attacker should not get the actual content. The
content have to be encrypted or in other words it
should be converted in to another unreadable
format.
4.5 Device Authentication Process
For device authentication Process, two factor
authentication scheme [10] is used. This is a most
widely used in the due to the system related
features like flexibility reliability, security etc. The
USB device drive is used as the external
authentication element to enter in to the system.
Once the system identified and configured with the
external device, the device will act as the
gatekeeper and provide the first level security to the
system.
The above diagram shows the USB detection
process. When the system starts working, it will
check whether any external device is connected
with the system. If more than one external device
connected it will check the unique identifier for that
device. Once the unique identifier that is the serial
number detected by the system it will check the
unique identifier with its configuration details. If
both are matching it will get connected to the
graphical password scheme. Else the system will
give an error message reporting the serial number is
not matching with the configuration string. The
host controller information will be containing the
host controller name, the root hub name, which is
configured in the system. When the external device
is connected the system is compared with the
configuration details of that external device such as
manufacture name, product name and serial
number. This details are used to compare with the
configuration details. If all information matching
then the system grants the access to the graphical
password system
4.6 PCCP Password scheme
The password creation will be containing the
graphical password interface where the user can
create new passwords and the existing user can
login to the system. When the user is entered into
the password creation, the user will be getting a
default image as the first image and user can select
the click points and according to the number of
click points, the user have to select the click points.
After selecting cues up to the number of click
points the password creation will start. It will keep
the coordinates of the cues selected by the user
in the selected order.
Figure 3. PCCP User Interface
Figure 2. Device Authentication Process
ISSN: 2231-5381
Order of Cues. The order is used to create and
restore the passwords depending upon the cues.
The quadrant which selects the first cue will define
http://www.ijettjournal.org
Page 40
International Journal of Engineering Trends and Technology (IJETT) – Volume 9 Number 1 - Mar 2014
what images have to appear for the next cue
selection. The user is unaware with the portion of
the default image. The cue selection in the default
image will effect order of images to be appeared
for the password creation . This means, from a
single default image the number of passwords can
be created is defined depending upon the number of
quadrants which is used to divide the image
4.7 Password Analysis
This includes the password selection which is
used to login from a scrambled image. Here the
default image also scrambled into the a number
normally 9 or 12 etc. KBRP algorithm is used to do
the mapping from the cues with the actual image
cues . Because of the randomness itself the user
will be getting confused about his actual cues. Thus
upto an extent this will keep the system secure
from the common graphical password attacks.
Figure 4. PCCP with Scrambling
Thus the PCCP is working with two factor
authentication and KBRP algorithm. Once the user
login to the system, user have to remember the cues
every time .By this reason this scheme is known as
knowledge based authentication. Because the
system will not give access to the system with a
wrong order of the cues, even if an authenticated
user.
Figure 5. PCCP Working Flow Diagram
The above figure shows the overview of the
system, which includes the login process, password
creation, user registration, password information
request and retrieval. The log is used to keep the
passwords created by the user, and have to be
accessed while login process and registration
process.
ISSN: 2231-5381
V PROTECTION OF PASSWORD DATA
The database should be protected from
malicious attacks because it always contain vital
information’s. In this study we are storing our
passwords to login to the system. So for protecting
passwords from unauthorised access. As explained
above the a secure hash function is used to create
the hash code for the created password kept in the
database. It provides a third level of security for our
passwords. The coming section explains how the
hash function is performed to protect the database.
SHA 3-KECCAK The Secure Hash Algorithm[11]
is a family of cryptographic hash functions
published by the National Institute of Standards
and Technology (NIST) as a U.S. Federal
Information Processing Standard (FIPS), and may
refer to SHA-0: A retronym applied to the original
version of the 160-bit hash function published in
1993 under the name "SHA". It was withdrawn
shortly after publication due to an undisclosed
"significant aw" and replaced by the slightly
revised version SHA-1. SHA-1: A 160-bit hash
function which resembles the earlier MD5
algorithm. This was designed by the National
Security Agency (NSA) to be part of the Digital
Signature Algorithm. Cryptographic weaknesses
were discovered in SHA-1, and the standard was no
longer approved for most cryptographic uses after
2010. SHA-2: A family of two similar hash
functions, with different block sizes, known as
SHA- 256 and SHA-512. They differ in the word
size; SHA-256 uses 32-bit words where SHA-512
uses 64-bit words. There are also truncated versions
of each standardized, known as SHA-224 and
SHA-384. These were also designed by the NSA.
SHA-3: A hash function formerly called Keccak,
chosen in 2012 after a public competition among
non-NSA designers. It supports the same hash
lengths as SHA-2, and its internal structure differs
significantly from the
rest of the SHA family.
5.1 Architecture
Keccak [11,12]is a family of cryptographic
hash functions or, more accurately, sponge
functions this cryptographic hash algorithm family
called SHA-3. A Keccak f round consists of a
sequence of invertible steps each operating on the
state, organized as an array of 55 lanes, each of
length w 2 f1, 2, 4, 8, 16, 32, 64g (b = 25w). When
implemented on a 64-bit processor, a lane of
Keccak[1600] can be represented as a 64-bit CPU
word. Any instance of the Keccak sponge function
family makes use of one of the seven Keccak-f
denoted Keccak-f[b], where b 2 f25; 50; 100; 200;
400; 800; 1600g is the width of the permutation.
These Keccak-f permutations are iterated[13]
constructions consisting of a sequence of almost
identical rounds. The number of rounds nr depends
on the permutation width, and is given by nr = 12 +
http://www.ijettjournal.org
Page 41
International Journal of Engineering Trends and Technology (IJETT) – Volume 9 Number 1 - Mar 2014
2`, where 2` = b=25. This gives 24 rounds for
Keccak-f[1600]. Internally, the state of Keccak is
organized in three dimensions and its bits are
identified with coordinates x, y 2 E 5 and z E Zw,
for b = 25w . Externally the sponge and duplex
constructions require to have a linear numbering of
the bits from 0 to b-1. Here, the bit index i = z +
w(5y + x) externally corresponds to the coordinates
(x, y, z) internally. lane (i.e., bits with the same
coordinates (x, y)) contains
bits with w consecutive indices If an input or
output block is organized as lanes, the outer part of
the state spans [r/w ] lanes. In a typical software
implementation, the bits in a lane are packed
together in a w-bit CPU Thus,
this allows to organize the input and output in
terms of CPU words. The sponge construction is a
mode of operation, based on a fixed length
permutation (or transformation) and on a padding
rule, which builds a function mapping of variablelength input to variable-length output. The sponge
construction, can be used to implement a wide
spectrum of symmetric cryptography functions.
This includes hashing, reseedable pseudo random
bit sequence generation, key derivation, encryption,
message authentication code (MAC) computation
and authenticated encryption. The fundamental
cryptographic primitive underlying all this is a
fixed-length permutation. These permutation-based
modes form efficient alternatives for the current
block- cipher dominated cryptographic practice. On
top of its conceptual elegance, a permutation has
the advantages that it does not have a key schedule
and that its inverse does not need to be
implemented or efficient. Sponge is constructed
such that it does not allow mounting shortcut
attacks that have a higher success probability than
generic attacks for the same workload using a
random transformation instead of a random
permutation does not offer less resistance against
the critical operations iterate a simple nonlinear
round function enough times until the resulting
permutation has no properties that can be exploited
in attacks. Iterated permutation can be seen a block
cipher with a fixed and known key, it should be
impossible to construct for the full-round versions
distinguishers like the known-key distinguishers for
reduced-round versions of DES and AES[14].
Figure 6 Architecture
ISSN: 2231-5381
Properties of Sponge Functions
Heart of keccak -f
O/p length is arbitrary
Based on a fixed length permutation
Can be used as stream Cipher
Single iterated permutation with VLIP and VLOP
Length b is called width of permutation
Does not have initial values(IV)
Provide a single nonlinear round function
5.2 Implementation
SHA-3 uses the "sponge construction", where
input is "absorbed" into the hash state at a given
rate, and then an output hash is "squeezed" from it
at the same rate. To absorb r bits of data, the data is
XORed into the leading bits of the state, and the
block permutation is applied. To squeeze, the first r
bits of the state are produced as output, and the
block permutation is applied if additional output is
desired. Central to this is the "capacity" of the hash
function, which is the c=25w,r state bits that are not
touched by input or output. This can be adjusted
based on security requirements, but the SHA-3
proposal[13] sets a conservative c=2n, where n is
the size of the output hash. Thus r, the number of
message bits processed per block permutation,
depends on the output hash size. The rate r is 1152,
1088, 832, or 576 for 224, 256, 384 and 512-bit
hash sizes, respectively, when w is 64. To ensure
the message can be evenly divided into r-bit blocks,
it is padded with the bit pattern 10*1: a 1 bit, zero
or more 0 bits (maximum r1), and a final 1 bit. The
final 1 bit is required because the sponge
construction security proof requires that the final
message block [14] is not all-zero. The process of
generating the hash code is shown below.
Algorithm of Sponge Function
http://www.ijettjournal.org
Page 42
International Journal of Engineering Trends and Technology (IJETT) – Volume 9 Number 1 - Mar 2014
To compute a hash, initialize the state to 0, pad the
input, and break it into r-bit pieces. Absorb the
input into the state; that is, for each piece, XORit
into the state and then apply the block permutation.
After the final block permutation, the leading n bits
of the state are the desired hash. Because r is
always greater than n, there is actually never a need
for additional block permutations in the squeezing
phase. However, arbitrary output length may be
useful in applications such as optimal asymmetric
encryption padding. In this case, n is a security
parameter rather than the output size. Although not
part of the SHA-3[15] competition requirements,
smaller variants of the block permutation can be
used, for hash output sizes up to half their state
size.
5.3 Phases of Sponge Function
The sponge function have four phases
Padding:making the raw bits of input data to a
divisible by the word size, appending zero in the
remaining parts to make it divisible by word size
and a single one will add to indicate padding starts
Initialization:Initialize the state array,which is
used to store the data to
manipulate the entire function
Squeezing:Consists exoring the state array with
padded blocks of data.
Absorbing:means absorb the output from the
squeezed data and represent as a string.
VI
Pattern Formation Attacks:-In the PCCP this
attack is not possible because the click points is
selecting randomly and there is no way to build a
corresponding pattern from next image.
Malware:- Malware is a major concern for text
and graphical pass- words, since keylogger, mouse
logger, and screen scraper malware could send
captured data remotely or otherwise make it
available to an attacker. Since the scheme used
above will remove the challenging malware also in
a secure way.
VII
RESULTS AND EVALUATION
In this section ,it evaluates the various features
of the system possess and comparing how it is
beneficial to provide security to protect passwords
and an authenticated user. As per the previous
study, effectiveness of the password memorablity
in all graphical password schemes are shown below
with 17 core images that we are commonly dealing
in daily life.
SECURITY ANALYSIS
The users must not ignore the persuasive
elements and the resulting passwords must be
memorable. As detailed above, PCCP accomplishes
this by making the task of selecting a weak
password more tedious and time consuming. The
path of least resistance for users is to select a
stronger password (not comprised entirely of
known hotspots or following a predictable pattern).
Hotspot Problem:- The formation of hotspots
across users is minimized since click-points are
more randomly distributed. PCCPs de- sign follows
Foggs Principle of Reduction by making the
desired task of choosing a strong password easiest
and the Principle of Suggestion by embedding
suggestions for a strong password directly within
the pro- cess of choosing a password. By using the
permutation function the hot spot problem is
reducing and only making a slight difficulty in
password security.
Shoulder Surfing Attack :-This kind of attacks
still strongly effect the security in every graphical
password scheme. This study also not effective for
removing shoulder surfing attack. Much more
researches are needed
in this area.
ISSN: 2231-5381
Figure 7 Comparison of all password schemes with 17 core
images
The system studies shows that after scrambling it is
difficult to recall a password , may be the points of
clicks can remember, but locating that cues in the
scrambled image with 10% tolerance is difficult.
This increases the difficulty to guess the password
and shoulder surfing ,because the exact point in the
image is difficult to recall after certain weeks.
Table 1.Different features of PCCP
VIII CONCLUSION
The current graphical password techniques
are still immature. Still from Passponts to the
implemented PCCP some common attacks are
existing . From passpoint to a recall based
technique, graphical passwords provide much more
security than text password .In this system it uses
http://www.ijettjournal.org
Page 43
International Journal of Engineering Trends and Technology (IJETT) – Volume 9 Number 1 - Mar 2014
the cues as click points and not providing any
scope for the mainly known attack called dictionary
attack. Even though the shoulder surfing attacks
play an important role in graphical passwords
because images are more memorable entities rather
than a text word. So every human being will be
having the same capability to recall the images
from a pool of image. In this system it is
implemented a user device verification as a user
authentication technique and it provide a first level
of security to the system. The implemented system
has the features like, Wide choice of hardware and
software one-time password (OTP) credentials,
including free mobile phone credentials Leverage
device and behaviour profiling to deliver strong
authentication without requiring hardware or
software credentials, Integrates with enterprise
infrastructure via RADIUS out-of-the-box or
through plug-ins into popular enterprise
applications. Find a complete list of third-party
integrations, Out-of-box self-service application
including token activation, token synchronization.
The key advantages are providing by these system
are, it enables compliance, reduces capital costs,
accelerates time-to-security, speeds deployments
by eliminating infrastructure and physical tokens,
delivers scalability traditional authentication
schemes used username and password pairs to
authenticate users. This provides minimal security,
because many user passwords are very easy to
guess. In two factor authentication, the password
still provides the something you know component.
By implementing this system it give a
good knowledge based authentication in graphical
passwords users.
REFERENCES
[1] The Quest to Replace Passwords: A Framework
for Comparative Evaluation of Web Authentication
Schemes,Joseph Bonneau University of Cambridge
Cambridge, UK jcb82@cl.cam.ac.uk Cormac
Herley Microsoft Research Redmond, WA, USA
cormac@microsoft.com Paul C. van Oorschot
Carleton University Ottawa, ON, Canada
paulv@scs.carleton.ca Frank Stajanoy University
of
Cambridge
Cambridge,
UK
frank.stajano@cl.cam.ac.uk
[2] Persuasive Cued Click-Points: Design,
Implementation, and Evaluation of a KnowledgeBased Authentication Mechanism Sonia Chiasson,
Member, IEEE, Elizabeth Stobert, Student
Member, IEEE, Alain Forget, Robert Biddle,
Member, IEEE, and Paul C. van Oorschot,
ISSN: 2231-5381
Member, IEEE.IEEE Transactions on Dependable
and Secure Computing, VOL. 9, NO. 2,
MARCH/APRIL 2012
[3] Persuasive Cued Click Points with Click Draw
Based Graphical Password Scheme P. R. Devale
Shrikala M. Deshmukh, Anil B. Pawar.
[4]Graphical Passwords: A Survey Xiaoyuan Suo
Ying Zhu G. Scott. Owen Department of Computer
Science
Georgia
State
University
xsuo@student.gsu.edu,
yzhu@cs.gsu.edu,
owen@siggraph.org.
[5] Purely Automated Attacks on PassPoints-Style
Graphical Passwords Paul C. van Oorschot,
Amirali Salehi-Abari, and Julie Thorpe IEEE
Transactions on
Information Forensics
and
Security, VOL. 5, NO. 3, September 2010
[6]Graphical Password Authentication Using Cued
Click Points, Sonia Chias son1,2, P.C. van
Oorschot1, and Robert Biddle, School of Computer
Science, Carleton University, Ottawa, Canada,
Human-Oriented Technology Lab, Carleton
University, Ottawa, Canada
[7] S. Chiasson, P. van Oorschot, and R. Biddle,
Graphical Password Authentication Using Cued
Click Pointsm Proc. European Symp. Computer
Security (ESORICS), pp. 359-374, Sept. 2007.
[8] The science of guessing: analyzing an
anonymized corpus of 70 million passwords Joseph
Bonneau Computer Laboratory University of
Cambridge jcb82@cl.cam.ac.uk. 2012 IEEE
Symposium on Security and Privacy
[9] Key Based Random Permutation (KBRP)
Shakir M. Hussain1 and Naim M. Ajlouni Applied
Science University1, Jordan Amman Arab
University for Graduate Studies, Jordan
[10]Painless migration from passwords to two
factor authentication , Ziqing Mao Palo Alto, CA,
USA ; Florencio, D. ; Herley, C, Information
Forensics and Security (WIFS), 2011 IEEE
International Workshop
[11] J.-P. Aumasson and D. Khovratovich, First
analysis of Keccak, Available online, 2009.
[12] D. J. Bernstein, Second preimages for 6
rounds of keccak, 2010.
[13] G. Bertoni, J. Daemen, M. Peeters, and G. Van
Assche, RADIOGATUN, a belt-and-mill hash
function, Second Cryptographic Hash Workshop,
Santa Barbara.
[14] Keccak speci_cations, version 2, NIST SHA-3
Submission, September 2009.
[15] Aumasson and W. Meier, Zero-sum
distinguishers for reduced Keccak-f and for the
core functions of Lu_a and Hamsi, Available
online,2009
http://www.ijettjournal.org
Page 44