Multifactor Graphical Password Authentication System using Sound Signature and Handheld Device

International Journal of Engineering Trends and Technology (IJETT) – Volume 9 Number 10 - Mar 2014
Jyoti Rao*1, Kishan Mistry#2, Bhumika Mistry#3, Divya Malviya#4, Devesh Gudway#5
#Student, Department of Computer Engineering, Padmashree Dr. D. Y. Patil Institute of Engineering & Technology, Pimpri, Pune, Maharashtra, India.
*Faculty, Department of Computer Engineering, Padmashree Dr. D. Y. Patil Institute of Engineering & Technology, Pimpri, Pune, Maharashtra, India.
Abstract— Every system uses text passwords, but they provide poor security. Graphical passwords, on the other hand, provide greater security and are easy to remember. In this paper we present various authentication schemes using graphical passwords. These provide a potential solution to the flaws of text as well as graphical passwords. In this system we present two modes of graphical password authentication, offline and online. The offline mode consists of a graphical password integrated with a sound signature, whereas the online mode focuses on a Cued Click Point (CCP) based pattern using encryption and decryption.
Keywords— Security, Authentication, Sound signature, Graphical password, CCP, handheld devices.
I. INTRODUCTION
Traditional authentication systems use text passwords, consisting of a username and a password. These passwords fail to provide the desired level of security. Once a text password is chosen and learned, the user must be able to recall it at the time of login, which makes passwords hard to remember. If we keep changing our password frequently, it is more likely to be forgotten [6]. To reduce brute force attacks the user should select long passwords which include characters as well as numbers, which makes them all the more difficult to remember. Text passwords carry the risks of shoulder surfing, hidden cameras and spyware attacks. They are also prone to dictionary attacks and keyboard sniffers. Thus they are not very reliable, and for greater security we can use graphical passwords. A number of graphical password systems have been developed. Studies show that text based passwords suffer from both security and usability problems.
“According to Picture Superiority Effect Theory, concepts are more likely to be recognized and remembered if they are presented as pictures rather than words.” [2]
A graphical password is an image that is uploaded by the user or provided by the server [3]. The user has to click on various points on the image, and the correct points lead to successful authentication. The user enters the password by clicking on a set of images, on specific pixels of an image, or by drawing a secret pattern in a predefined manner.
ISSN: 2231-5381
A click based graphical password scheme called Cued Click Points uses a sequence of images in which the user can select one click point per image or multiple points on a single image. These click points can either be selected by the user or generated randomly by a server at the time of registration. At the time of logging in, the click points selected by the user are verified against the points provided by the user at the time of registration or those provided by the server. If the number of possible pictures is made very large, the scheme offers better resistance to dictionary attacks. It is also difficult to mount automated attacks against graphical passwords. Thus graphical passwords presumably offer higher usability than text based passwords.
In some graphical password schemes, however, users have predefined tap regions on one image that form the password. The user enters the password by clicking on these regions in a specific order. Such a scheme is vulnerable to shoulder surfing and suffers from having a predetermined and very small password space. Visual attention research shows that different people are attracted to the same predictable regions in an image. These regions are known as hotspots. If users select their own click-based graphical passwords without guidance, the presence of hotspots will remain an issue.
In order to overcome these drawbacks of text as well as graphical passwords, we integrate our system with a universal multifactor authentication scheme. Multi-factor authentication is a way of authenticating in which two or more independent factors are used as part of the user credentials. Multi-factor authentication is accomplished in our system by combining graphical passwords with another factor. This factor can be a smart card, USB token, handheld device or one-time password token. In our system the other factor is provided using a sound signature in offline mode and using encryption and decryption in online mode, both implemented on a handheld device. Having two or more factors strengthens but also complicates the authentication process.
http://www.ijettjournal.org
Page 516
The rest of the paper is organized as follows: Section II describes the various graphical password based systems that have already been implemented. Section III describes our system architecture and the methodology that we use. Section IV describes the algorithmic steps for the proposed methodology, and finally we discuss the future scope of the project and conclude in Section V.
II. RELATED WORK
Many systems have been implemented that use graphical passwords. The best known of these are Passfaces, click based graphical passwords, the Pass-Point system and persuasive click point systems.
Blonder proposed a graphical authentication scheme called graphical password, based on cued recall. In this scheme the user creates a password by clicking on several locations on an image, which are stored in the database. The user must click on the approximate areas of those locations for authentication [4].
Susan Wiedenbeck proposed an enhanced graphical authentication system called Pass-Points [3]. The idea is based on the selection of a sequence of multiple click points on a single image as the password. At the time of authentication the image is displayed on the screen by the system. The user needs to click on several previously chosen locations in the single image to log in. Any pixel in the image is a candidate for a click point. The problem with this scheme is that the number of predefined regions is small, perhaps a few dozen in a picture, leading to hotspots and pattern formation attacks. The password may need to have 12 click points for sufficient security, thereby making it difficult for the user to remember.
Cued Click Points (CCP) is an alternative to Pass-Points proposed by Sonia et al., designed to reduce patterns and the usefulness of hotspots [5]. In CCP, the user clicks one point on each of multiple images rather than multiple points on a single image. It offers cued recall and introduces visual cues that instantly alert valid users if they have made a mistake when entering the latest click point (at which point they can cancel their attempt and retry from the beginning). Hotspot based attacks become more challenging. Each click results in showing the next image, thus leading users down a “path” as they click on their sequence of points. A wrong click results in an incorrect path, with an explicit indication of authentication failure only after the final click.
Real User Corporation developed a graphical authentication technique called Passfaces, in which a user logs onto a system by choosing the required number of faces from a grid of faces, thus providing additional security over a general text based password system. This technique is based on the human ability to recognize human faces [4]. R. Dhamija and A. Perrig mentioned a major authentication problem, i.e., users tend to have difficulty remembering secure passwords. In order to overcome this problem, they suggested a solution called Déjà vu in which the user has to select a particular number of images from a set of random pictures called the challenge set. At the time of validation the user has to identify the preselected images.
Another approach, known as the Drawmetric password scheme, requires the user to draw a simple outline of the password at the time of registration; to be authenticated, a similar drawing must be redrawn by the user [6].
Cognometric authentication is another approach, in which the user has to identify a series of recognized images among a larger set of decoy images [4].
Jermyn introduced an authentication technique called Draw A Secret (D-A-S), which is basically intended for devices with stylus inputs such as Personal Digital Assistants (PDAs). Here, the user draws a secret drawing (the password) on a 2D grid. The co-ordinates of this drawing on the grid are stored in order, and the system verifies the drawing by checking the directions of the drawn strokes on the grid [6].
III. PROPOSED METHODOLOGY
A. System Architecture:
1) Offline mode: In the offline mode, we have integrated a sound signature along with the graphical password. The multifactor authentication scheme here includes click points and the handheld device. The idea of the sound signature is inspired by the human ability to recall objects by listening to a sound related to that particular object. The offline mode basically consists of 3 modules, i.e. the Registration, Login and Verification modules.
The Registration module registers the user along with his or her details. These details comprise a unique user-id (UID), precision value, e-mail address and phone number. The registration process proceeds by allowing the user to select images, their respective click points and sound signatures. An image can either be captured using the handheld device’s in-built camera or chosen from those already present on the device. The user can select any click point on the image. Similar to images, the sound signature can either be chosen from the sounds already present or recorded in one’s own voice, which helps in recalling the object. Once done, the user clicks on the sign up button, thus generating a user profile vector which is stored in the database.
The profile vector consists of:
User vector (UID, precision, e-mail, phone number)
Image vector (UID, image-id)
Click point vector (UID, image-id, click point co-ordinates (x, y))
The precision value is used to draw a circle around the click point, which provides a tolerance region within which the user is allowed to click at the time of login. In Login mode, we first enter the user id, which, if found, retrieves the respective set of images and the related sound signatures from the database. Once the images and the audio are loaded, the user needs to select the click point on each of the images. The sound helps in remembering click points (in case the user forgets the click point on a particular image). At this moment, a login vector is created. The login vector comprises the click points selected by the user during the login phase.
Once the user has selected all the click points, he/she clicks on the validate button in order to verify them. The Verification module compares the click points registered in the database with the ones in the login vector. A successful login indicates an exact match of click points.
Fig. 1 System Flowchart for Offline mode.
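The offline registration and login flow described above (profile vector, precision tolerance circle, per-image comparison) as an added Python example; this is not code from the paper. The in-memory DB dictionary, the field names and the sample coordinates are assumptions made for the example.

```python
import math
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Point = Tuple[int, int]


@dataclass
class Profile:
    """Profile vector of Section III.A.1: the user, image and click point vectors
    flattened into one record. Sound ids are recall cues only and are never checked."""
    uid: str
    precision: int                    # radius in pixels of the tolerance circle
    email: str
    phone: str
    image_ids: List[str] = field(default_factory=list)
    click_points: List[Point] = field(default_factory=list)   # one per image, in order
    sound_ids: List[str] = field(default_factory=list)


# Constructed in-memory stand-in for the database, keyed by UID (assumption).
DB: Dict[str, Profile] = {}


def register(uid: str, precision: int, email: str, phone: str,
             images: List[Tuple[str, Point, str]]) -> Profile:
    """Steps 3.2.1 to 3.2.6: build the profile vector from
    (image_id, click_point, sound_id) triples and store it."""
    if precision <= 0:
        raise ValueError("precision must be a positive radius")
    prof = Profile(uid, precision, email, phone)
    for image_id, point, sound_id in images:
        prof.image_ids.append(image_id)
        prof.click_points.append(point)
        prof.sound_ids.append(sound_id)
    DB[uid] = prof
    return prof


def within_tolerance(registered: Point, clicked: Point, precision: int) -> bool:
    """True when the login click lies inside the circle of radius `precision`
    drawn around the registered click point."""
    return math.dist(registered, clicked) <= precision


def login(uid: str, login_vector: List[Point]) -> bool:
    """Steps 3.3.1 to 3.3.5: compare the login vector with the stored click points.
    Every image is checked before answering, so the result does not reveal which
    image was the first to fail."""
    prof = DB.get(uid)
    if prof is None or len(login_vector) != len(prof.click_points):
        return False
    ok = True
    for registered, clicked in zip(prof.click_points, login_vector):
        ok &= within_tolerance(registered, clicked, prof.precision)
    return ok
```

Because the tolerance circle needs the original coordinates, the registered click points are stored in the clear and the database itself becomes the secret. Snapping clicks to a fixed grid before hashing would allow hashed storage, at the cost of the circular tolerance shape.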
2) Online mode:
In this approach, we use a handheld device that acts as a terminal, and a server or challenger, which is a typical online web service provider. The server controls the storage and retrieval of data and the sending of images to the handheld device. This mode also includes 3 modules, the same as in the offline mode.
The first screen (in the Registration module) on the terminal asks the user for a unique user id, precision value, email address and phone number. In the next step the user selects the number of desired click points. Along with that, the user also needs to choose the sequence of click points which he/she will have to remember in order to log into the system. Thus a user profile is generated and sent to the server.
Fig. 2 System Flowchart for Online mode.
At the time of login, the user needs to enter the registered user id on the terminal side. The terminal sends a request to the server to generate an image with a number of click points on it. The server accepts the request, generates random click points on the image and sends the encrypted image to the handheld device. AES, i.e. the Advanced Encryption Standard, is used for encryption. The encrypted image, now received on the terminal, is decrypted. The user now needs to select the click points in the same sequence which he/she had selected during the registration phase. The image provided by the server will have a number of click points, each numbered with a single digit. The position of the click points will change every time the server responds to a request; however, the sequence of click points is the main key to log into the system. The additional click points are added just to confuse an unauthorized user.
The Verification module compares the sequence of click points entered at the time of login with the one chosen at the time of registration. An exact match of the sequence leads to a successful login.
IV. ALGORITHM
1. Start.
2. Select mode, i.e. online or offline mode.
3. If the mode selected is offline:
3.1. Select operation, i.e. Registration or Login.
3.2. If the operation is Registration:
3.2.1. Enter user id, precision value, email id and phone number.
3.2.2. Select an image from the device gallery or using the camera.
3.2.3. Select the click point and sound signature for that image.
3.2.4. For more images go to step 3.2.2, else go to step 3.2.5.
3.2.5. Create the user profile vector.
3.2.6. Store the user profile vector in the database.
3.3. If the operation is Login:
3.3.1. Enter the user-id to fetch the images and sound signatures from the database.
3.3.2. Play the sound signature.
3.3.3. Select the click point.
3.3.4. Compare the click point, including the precision value, with the one stored in the database for each image.
3.3.5. If valid for all images, login is successful, else failure.
4. If the mode selected is online:
4.1. Select operation, i.e. Login or Registration.
4.2. If the operation selected is Registration:
4.2.1. Enter user id, email id, phone number and the number of click points.
4.2.2. Enter a sequence for the clicks.
4.2.3. Create the user profile vector.
4.2.4. Store it in the database at the server.
4.3. If the operation selected is Login:
4.3.1. Enter the user id to request the server to send a random image.
4.3.2. The server selects a random image, creates random positions for the numbered click points and sends it to the user’s handheld device.
4.3.3. The user clicks on the image according to his sequence.
4.3.4. The sequence is sent to the server.
4.3.5. The server verifies the sequence.
4.3.6. If the sequence matches, login is successful, else failure.
5. Stop.
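The online challenge and response of Section III.A.2 and of steps 4.2 to 4.3.6 above, as an added server-side Python example that is not code from the paper. It assumes that the server places all ten digits on the image so the user's digits sit among decoys, that the terminal sends the click coordinates and the server maps them back to digits, and that the AES transport of the image is handled by the channel and is not shown; the image size, click radius and in-memory stores are constructed values.

```python
import hashlib
import hmac
import math
import secrets
from typing import Dict, List, Tuple

Point = Tuple[int, int]
IMAGE_W, IMAGE_H = 640, 480    # assumed image size in pixels
CLICK_RADIUS = 20              # assumed tolerance around each numbered marker
PBKDF2_ROUNDS = 50_000

# Constructed in-memory stand-ins for the server database (step 4.2.4) and the
# single outstanding challenge per user (assumption).
USERS: Dict[str, dict] = {}
CHALLENGES: Dict[str, Dict[int, Point]] = {}


def _digest(sequence: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", sequence.encode(), salt, PBKDF2_ROUNDS)


def register(uid: str, email: str, phone: str, sequence: str) -> None:
    """Steps 4.2.1 to 4.2.4: the secret is the digit sequence, so only a salted
    hash of it and its length are stored, never the digits themselves."""
    if not sequence.isdigit():
        raise ValueError("sequence must consist of digits 0-9")
    salt = secrets.token_bytes(16)
    USERS[uid] = {"email": email, "phone": phone, "length": len(sequence),
                  "salt": salt, "hash": _digest(sequence, salt)}


def make_challenge(uid: str) -> Dict[int, Point]:
    """Step 4.3.2: place the markers 0-9 at fresh random, non-overlapping positions.
    All ten digits are always shown, so the user's digits hide among decoys and
    the click coordinates differ on every login."""
    layout: Dict[int, Point] = {}
    while len(layout) < 10:
        p = (secrets.randbelow(IMAGE_W), secrets.randbelow(IMAGE_H))
        if all(math.dist(p, q) > 2 * CLICK_RADIUS for q in layout.values()):
            layout[len(layout)] = p
    CHALLENGES[uid] = layout
    return layout


def verify(uid: str, clicks: List[Point]) -> bool:
    """Steps 4.3.4 and 4.3.5: map each click to the marker within CLICK_RADIUS and
    compare the recovered digits with the stored hash. The challenge is consumed
    whether or not the attempt succeeds, so resending the same clicks fails."""
    user = USERS.get(uid)
    layout = CHALLENGES.pop(uid, None)
    if user is None or layout is None or len(clicks) != user["length"]:
        return False
    digits = ""
    for c in clicks:
        hits = [d for d, p in layout.items() if math.dist(c, p) <= CLICK_RADIUS]
        digits += str(hits[0]) if len(hits) == 1 else "?"   # "?" never matches a digit
    return hmac.compare_digest(_digest(digits, user["salt"]), user["hash"])
```

The secret here is the digit sequence itself, so its length bounds the guessing effort (a 4-digit sequence gives 10,000 candidates) regardless of how the image is encrypted in transit; rate limiting per user remains necessary.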
V. RESULT
The graphical password scheme used along with a sound signature provides a better recall based security system compared to pure text passwords or pure graphical passwords. On the other hand, graphical passwords where the click points are randomly generated avoid shoulder surfing and dictionary attacks. Guessing of passwords is difficult in both cases. Since we are using an encryption technique (AES) for transmission over the network, brute force attacks are avoided.
VI. CONCLUSION AND FUTURE SCOPE
Text based authentication schemes face usability and security issues even though they are the most commonly used technique worldwide. Graphical passwords are easier to remember than text based passwords, but even the existing graphical password authentication systems have major drawbacks. In this paper, we propose a new graphical password system that overcomes difficulties like hotspot prediction, shoulder surfing and dictionary attacks. The system combines graphical passwords with a handheld device and a sound signature to form a multifactor authentication system. The generation of random click points during the online mode prevents shoulder surfing as well as dictionary attacks. Storing the images at the server provides better security compared to the offline mode.
The scope of the project can be further extended by using various techniques like Sudoku. The passwords can be changed every minute, thus freeing the user from remembering passwords. He does not have to register on each and every website. Passwords are automatically generated and changed every time the user has to log in.
REFERENCES
[1] S. Singh and G. Agarwal, “Integration of Sound Signature in Graphical Password Authentication System”, IJCA, January 2011.
[2] A. P. Sabzevar and A. Stavrou, “Universal Multifactor authentication system using Graphical Password”.
[3] S. K. Bandyopadhyay, D. Bhattacharyya and P. Das, “User Authentication by secured graphical Password Implementation”, IEICE, 2008.
[4] S. Malempati and S. Mogalla, “Grid based approach for Data Confidentiality”, IJCA, July 2011.
[5] V. Priya darshini, A. Gomathi and N. Saravanaselvam, “A Novel based Multilevel Graphical Authentication System”, IJARCCE, Vol. 2, September 2013.
[6] T. Srinivasa Ravikiran, K. V. S. Rao, M. K. Rao and A. Srisaila, “A symbol based graphical schema resistant to peeping attack”, IJCSI, Vol. 10, September 2013.
[7] I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter and A. D. Rubin, “Design and Analysis of Graphical Password”, The USENIX Association.