International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com
Volume 2, Issue 11, November 2013 ISSN 2319 - 4847

Active Image Authentication System (AIAS): Design, Implementation and Analysis

S.B.Nikam1, P.A.Jadhav2 and A.D.Kadam3
1 Asst. Professor, Computer Engineering Department, BVDUCOE, Pune-43 (INDIA)
2 Asst. Professor, Information Technology Department, BVDUCOE, Pune-43 (INDIA)
3 M.Tech. scholar, Information Technology Department, BVDUCOE, Pune-43 (INDIA)

Abstract
Securing information systems is a necessity in today's networked age, and authentication is one of the principal components of security. Supplying a unique username and password combination is the most common way to authenticate to a system. Graphical authentication mechanisms have been proposed as an alternative to text-based knowledge-based, token-based and biometric mechanisms. In this paper we propose a new graphical authentication mechanism, the Active Image Authentication System (AIAS), which resists guessing attacks by randomly repositioning Active Points (AP) over time.

Keywords: Security, Authentication, Active Points (AP), Active Image Authentication System (AIAS).

1. INTRODUCTION
Security is an important issue for any information system. Information technology has reached almost every area of activity. Organizations such as governments, militaries, corporations, financial institutions and hospitals deal with confidential information about their employees, customers, products, research and financial status. Most of this information is now collected, processed and stored on computers and transmitted across networks to other computers, so anyone who wants to access it must first authenticate. Security and usability are the two main measures of an authentication scheme [3].
Authentication is carried out using three broad classes of technique: knowledge-based, token-based and biometric [1] [2]. Knowledge-based authentication requires the user to enter text or characters as a password, but it is vulnerable to dictionary attacks, social engineering and similar attacks. A complex password resists these better but is difficult to remember. Token-based authentication gives the user a physical device (an authentication token) that assists in authentication; this reduces the burden on human memory, but the token may be stolen, forgotten or shared with an unauthorized person. Biometric techniques authenticate a person through identification of human characteristics or traits: behavioural characteristics (such as typing rhythm or voice) and physiological characteristics (such as fingerprint, face, DNA, palm print, hand geometry, iris or retina) have both been used. In a biometric system each processing stage transforms its input independently, so when the captured image is of poor quality some stages cannot make use of the whole input, which is a drawback of this approach. To mitigate the flaws in these traditional methods, graphical authentication schemes have been proposed as an alternative to knowledge-based, token-based and biometric mechanisms. Psychological studies also show that human memory retains pictures better than text [12].

2. LITERATURE SURVEY
Security and usability problems cannot be fully addressed by text-based passwords; graphical passwords can address both aspects. Graphical passwords became an active research area after Blonder introduced click-based passwords [5]. His scheme is based on clicking on predefined areas of an image.
Because it forces the user to click on predefined areas, Blonder's scheme is vulnerable to predictive attacks. Later, Wiedenbeck et al. proposed PassPoints, in which a password is composed of several points anywhere on an image [6]. Perrig and Song proposed Déjà Vu, a graphical password scheme based on the Hash Visualization algorithm [7]. In this scheme a large number of pictures must be stored on the server side and may have to be transferred over the network, which delays authentication; the process of selecting a set of pictures from the picture database can also be tedious and time consuming [9]. Passfaces [8] is a recognition-based scheme in which the user selects a set of faces at registration; at login the user is presented with decoy faces and must pick out the faces from the preselected set. Passfaces is, however, more vulnerable to predictive attacks. Jansen et al. [10] introduced a graphical authentication scheme called "picture password": the user selects a theme at the time of password creation, the theme consists of thumbnail images, and the user then selects a sequence of thumbnails as the password. Van Oorschot and Wan proposed a hybrid approach called Two-Step [11]. In the first step the user enters a text password; if it is correct, the user is presented with an image portfolio and must correctly select the images chosen at registration in each round of graphical password verification.
Although this scheme gains security from combining text-based and graphical schemes, it burdens the user with remembering both a text password and images. Chiasson et al. [14] proposed Cued Click Points (CCP): the user clicks one point on each image in a sequence of images, and the next image shown is determined by the previous click point, which makes the scheme cued. Persuasive Cued Click Points (PCCP) extends CCP with persuasive features that encourage users to select less predictable passwords and make it harder to choose passwords whose click points are all hotspots [15]. Hotspots are areas of an image with a higher likelihood of being selected by users as password click points [16]. Both schemes use a sequence of images, which may burden the user's memory with more click points to remember.

3. AIAS TECHNIQUE
3.1 PROPOSED SYSTEM
Figure 1 shows the architecture of the Active Image Authentication System. It consists of four phases:
Phase 1: User name verification
Phase 2: Click
Phase 3: Authentication token calculation
Phase 4: Authentication token matching
The user enters a username and password, and the user name verification phase checks this combination against the database. The user then enters click points on the active image, which serve as the graphical password. From the click points two vectors are generated: the click vector, holding the positions of the clicks on the image, and the time vector, holding the timestamp at which each click was made. The authentication token is calculated from the time vector and the click vector and compared with the token stored in the database at registration.
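As an added worked model of phases 2 to 4 (illustration code written for this page, not the authors' implementation): the paper does not say how active points move, how a click is attributed to an active point, or how the token is derived, so the model assumes that each active point jumps to a new HMAC-derived position every 500 ms under a per-session seed, that the user's secret is the sequence of active points clicked, that a click is attributed to the nearest active point at its timestamp within the user's chosen tolerance, and that the token is a salted PBKDF2 hash of that sequence. All names, constants and the sample secret are hypothetical.

```python
"""Model of the AIAS phases 2 to 4 (illustration written for this page, not the
authors' code). Assumptions the paper does not state:
  * each active point (AP) jumps to a fresh pseudorandom position every TICK_MS,
    derived from a per-session seed with HMAC so the server can recompute it;
  * the user's secret is the ordered list of APs they click;
  * a click (x, y, t) is attributed to the AP nearest to it at time t, within a
    user-chosen pixel tolerance (the security level of Section 3.2);
  * the token is a salted, slow hash of the AP sequence, so it does not depend on
    the session and can be stored at registration.
"""
import hashlib
import hmac
import math
from typing import Dict, List, Optional, Tuple

Click = Tuple[int, int, int]          # (x, y, t_ms)

WIDTH, HEIGHT = 800, 600              # image size (assumed)
NUM_ACTIVE_POINTS = 9                 # APs per image (assumed)
TICK_MS = 500                         # APs move every 500 ms (assumed)


def active_point_position(session_seed: bytes, ap_id: int, t_ms: int) -> Tuple[int, int]:
    """Reproducible pseudorandom position of AP ap_id during the tick containing t_ms."""
    tick = t_ms // TICK_MS
    digest = hmac.new(session_seed, f"{ap_id}:{tick}".encode(), hashlib.sha256).digest()
    return (int.from_bytes(digest[:4], "big") % WIDTH,
            int.from_bytes(digest[4:8], "big") % HEIGHT)


def click_to_active_point(session_seed: bytes, click: Click, tolerance: float) -> Optional[int]:
    """Id of the AP closest to the click at its timestamp, or None when no AP lies
    within `tolerance` pixels. A smaller tolerance is a stricter security level."""
    x, y, t_ms = click
    best_id, best_dist = None, tolerance
    for ap_id in range(NUM_ACTIVE_POINTS):
        ax, ay = active_point_position(session_seed, ap_id, t_ms)
        dist = math.hypot(ax - x, ay - y)
        if dist <= best_dist:
            best_id, best_dist = ap_id, dist
    return best_id


def compute_token(salt: bytes, ap_sequence: List[int]) -> bytes:
    """Phase 3. A slow KDF is used because the AP-sequence space (9 ** length) is
    small enough to brute-force offline if the stored tokens leak."""
    data = ",".join(map(str, ap_sequence)).encode()
    return hashlib.pbkdf2_hmac("sha256", data, salt, 50_000)


def token_from_clicks(session_seed: bytes, clicks: List[Click],
                      tolerance: float, salt: bytes) -> Optional[bytes]:
    """Phases 2 and 3: click vector and time vector to token, or None if any click
    cannot be attributed to an AP within the tolerance."""
    ap_sequence = []
    for click in clicks:
        ap_id = click_to_active_point(session_seed, click, tolerance)
        if ap_id is None:
            return None
        ap_sequence.append(ap_id)
    return compute_token(salt, ap_sequence)


def authenticate(stored_token: bytes, session_seed: bytes, clicks: List[Click],
                 tolerance: float, salt: bytes) -> bool:
    """Phase 4: constant-time comparison against the token stored at registration."""
    token = token_from_clicks(session_seed, clicks, tolerance, salt)
    return token is not None and hmac.compare_digest(token, stored_token)


def simulate_clicks(session_seed: bytes, ap_sequence: List[int],
                    jitter: Tuple[int, int] = (1, 1)) -> List[Click]:
    """Constructed user input: one click per tick on each AP of the secret, offset
    by `jitter` pixels to model imprecise clicking."""
    clicks = []
    for i, ap_id in enumerate(ap_sequence):
        t_ms = i * TICK_MS + TICK_MS // 2
        ax, ay = active_point_position(session_seed, ap_id, t_ms)
        clicks.append((ax + jitter[0], ay + jitter[1], t_ms))
    return clicks


def demo() -> Dict[str, bool]:
    """Registration, then four login attempts against a freshly seeded session."""
    salt = b"per-user-salt (constructed)"
    secret = [4, 1, 7, 2]                        # the user's AP sequence (constructed)
    stored = compute_token(salt, secret)         # what registration stores
    registration_seed = b"session seed used at registration (constructed)"
    login_seed = b"session seed used at login (constructed)"

    honest = simulate_clicks(login_seed, secret)          # about 1.4 px off each AP
    replay = simulate_clicks(registration_seed, secret)   # coordinates recorded earlier
    wrong = simulate_clicks(login_seed, [4, 1, 7, 3])
    return {
        "honest_tolerance_10": authenticate(stored, login_seed, honest, 10, salt),
        "honest_tolerance_1": authenticate(stored, login_seed, honest, 1, salt),
        "replayed_coordinates": authenticate(stored, login_seed, replay, 10, salt),
        "wrong_sequence": authenticate(stored, login_seed, wrong, 10, salt),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Two practical points follow from the model. The click timestamps decide which tick, and therefore which active-point layout, a click is judged against, so they must come from the server's clock (or the server must also check the neighbouring tick), since a client can otherwise choose the timestamp that makes a guessed click succeed. And because the stored token is a hash over a small sequence space, a leaked database can be searched offline in seconds regardless of the KDF, so online rate limiting and lockout carry most of the security; the moving active points defeat replay of recorded coordinates and shoulder-surfed positions, not offline guessing.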
If the calculated token matches the stored token, authentication succeeds; otherwise a failure notification is generated.

3.2 COMPARISON WITH EXISTING WORK
AIAS offers several advantages over existing schemes such as Passfaces, CCP and PCCP, because authentication is based on a calculation over the click points rather than on the click points alone:
1. Authentication depends not only on a sequence of correct consecutive clicks but on computing the exact authentication token.
2. The user chooses the security level by selecting the tolerance allowed around the active points.
3. Because the click points move, the scheme strongly resists guessing and dictionary attacks.
4. It is easy to operate and understand.

Figure 1 Architecture of AIAS

4. LAB STUDY & USABILITY REVIEW
A lab study was carried out to review the usability of the system, following the ethics of psychological studies. Its purpose was to collect data for benchmarking and to assess how the system behaves as a real-world application. We selected 20 participants, 10 with a technical background and 10 novices. Throughout the experiments a mouse-operated screen was used instead of a touch screen. Several experiments were performed to obtain benchmarks for performance analysis, and the experimental data were used:
1. To collect baseline data for benchmarking.
2. To study the memorability of the system for participants compared with other systems.
3. To assess the usability of the system as an application relative to existing systems.
The following systems were selected for benchmarking alongside our system:
1. Text password
2.
PCCP

Lab work was conducted in two phases:
Phase-I: Lab level study
Phase-II: Field / application level study

4.1 PHASE-I: LAB LEVEL STUDY
This phase was conducted in two stages. The 10 novice participants and the 10 participants with a technical computer background dealt with the three systems one by one, in the order text password, PCCP and AIAS. For each system a participant first completed registration and then the login process three times. The environment was controlled and the experiments were run on a standalone application.

4.1.1 Registration process
In the first stage the registration process was carried out. Each participant chose three different usernames and set a password for each username in each type of authentication system.

Table 1 Time analysis of the registration process for novice participants (all times in Tables 1 to 6 are as reported; the original states no unit)
Parameters                 Text based   PCCP   AIAS
No. of trials                   3          3      3
Avg. registration time         36         53     41
Avg. confirmation time         21         32     28
Total process time            171        255    207

Table 1 gives the result of each system for the registration process. The same procedure was repeated for the other 10 participants, those with a technical computer background; the result is given in Table 2.

Table 2 Time analysis of the registration process for technical participants
Parameters                 Text based   PCCP   AIAS
No. of trials                   3          3      3
Avg. registration time         30         42     36
Avg. confirmation time         18         24     20
Total process time            144        198    168

4.1.2 Login process
The second stage of the experiment was the login process, in which each participant tried to log in using the previously registered usernames for each type of authentication system. As in the previous stage, the novice users logged in first and then the batch of 10 technical participants.
Table 3 shows the time analysis of the login process for novice participants.

Table 3 Time analysis of the login process for novice participants
Parameters                                Text based   PCCP   AIAS
No. of trials                                  3          3      3
Avg. login time                               25         42     31
Total process time                            75        126     93
Total no. of faults occurred during login      8          7      4

The data collected in this phase compare text-based and graphical authentication with respect to memorability overhead; having participants from two broad categories, technical and novice, supports the usability assessment. The time analysis of the login process for technical users is given in Table 4.

Table 4 Time analysis of the login process for technical participants
Parameters                                Text based   PCCP   AIAS
No. of trials                                  3          3      3
Avg. login time                               23         32     27
Total process time                            69         96     81
Total no. of faults occurred during login      6          5      3

4.2 PHASE-II: FIELD/APPLICATION LEVEL STUDY
The second phase of the lab work followed most of the steps of Phase-I for both registration and login, but the participants were treated as a single group rather than being divided into novice and technical groups. The two stages, registration and login, were again the participants' objectives. For this phase the system was deployed as part of a web application, and each participant went through registration and login once for each of the three systems using a single username.

4.2.1 Registration process
In this stage each participant registered a single username with each authentication system.
Data were collected on the time required for registration and on participant performance. Since all participants had become familiar with all three systems in Phase-I, performance improved considerably. The time analysis of the registration process in the field study is given in Table 5.

Table 5 Time analysis of the registration process in the field study (all participants)
Parameters                 Text based   PCCP   AIAS
No. of trials                   1          1      1
Avg. registration time         33         48     39
Avg. confirmation time         20         33     24
Total process time             53         81     61

4.2.2 Login process
Participants logged in using the username and password combination acquired during registration with the respective authentication system. Table 6 shows the time analysis of the login process during the field study.

Table 6 Time analysis of the login process in the field study (all participants)
Parameters                                Text based   PCCP   AIAS
No. of trials                                  1          1      1
Avg. login time                               24         37     29
Total process time                            24         37     29
Total no. of faults occurred during login      7          6      3

5. RESULT ANALYSIS
The lab study was conducted in two phases to analyse the usability of the system. The collected data are analysed along two dimensions: the time required to interact with each system and the number of faults that occurred during the lab work.

5.1 Timeline analysis
The time required for registration or login is an important factor in deciding the usability of a system. A system is usable if it is user friendly and the user can complete an interaction with it in a reasonable time.
An important feature of the Phase-I lab study is the availability of two types of user, novice and technical, which shows whether the system is handy compared with the other systems.

Figure 2 Comparison of the timeline analysis for novice participants (A) and technical participants (B)

Figure 2 shows that the time required for novice participants to register (Fig. 2(A)) was greater than for technical participants (Fig. 2(B)). Both groups took the least time with the text-based system, since confirming the password only requires typing the text again. Compared with PCCP, however, both groups took less time to register with AIAS.

5.2 Fault analysis
The number of faults that occurred during the lab study is another measure of the participants' approach to each system.

Figure 3 Comparison of the number of faults during both phases of the study for novice (A) and technical (B) users

Figure 3 shows the number of trials together with the total number of faults. Fig. 3(A) shows the trial-to-fault ratio for novice participants and indicates that our system produced fewer faults. Fig. 3(B) shows the trial-to-fault ratio for technical participants and clearly indicates the advantage of AIAS over the text-based system and PCCP.

5.3 Success rate of AIAS over PCCP and text based
We analyse the system by calculating a success coefficient, defined by the proportionalities

$S \propto T_s$ and $S \propto 1/T$

where $S$ is the success coefficient, $T_s$ is the number of successful trials and $T$ is the number of failed trials. The success rate therefore depends on two factors: successful trials and failed trials.
When a user tries to create a new account and succeeds, it is a successful trial; otherwise it is a failed trial. The system was analysed by observing user behaviour. A password entry attempt was considered successful whenever the entire correct password for an account was entered with no mistakes or restarts. Twenty participants were considered.

Table 7 Success rate comparison (successful participants out of 20)
Stage      Text based     PCCP           AIAS
Create     18/20 (90%)    17/20 (85%)    16/20 (80%)
Confirm    14/20 (70%)    18/20 (90%)    16/20 (80%)
Login      15/20 (75%)    15/20 (75%)    17/20 (85%)

Table 7 compares the text-based scheme, CCP/PCCP and AIAS. AIAS was analysed by taking click samples from the participants, observing their click points in each phase and calculating the success rate. The creation, confirmation and login success rates of AIAS are 80%, 80% and 85% respectively; its login rate is higher than for both CCP/PCCP and the text-based scheme, and its confirmation rate is higher than for the text-based scheme. AIAS uses a single active image rather than the sequence of images used in CCP/PCCP. In the text-based scheme users must remember text or characters, which is difficult when participants create complex passwords, so the confirmation and login success rates of text passwords are lower than for our system. CCP/PCCP involve a sequence of images with different click points, which may increase security but does not achieve satisfactory usability, so participants faced some difficulty during confirmation and login.

6. CONCLUSION
The Active Image Authentication System attains both usability and security. We conducted a feasibility test of the system and obtained satisfactory results, which show that AIAS is user-friendly, since it places less burden on human memory, and more secure, since the active image prevents predictive attacks. AIAS is a strong alternative to existing graphical password schemes.
An important usability and security goal of an authentication system is to help users select better passwords and thus increase the effective password space. We believe that users can be persuaded to select stronger passwords through better user interface design. We obtained favourable results for both usability and security.

References:
[1] Hafiz Zahid Ullah Khan, "Comparative Study of Authentication Techniques," International Journal of Video & Image Processing and Network Security IJVIPNS-IJENS, Vol. 10, No. 04.
[2] Xiaoyuan Suo, Ying Zhu, G. Scott Owen, "Graphical Passwords: A Survey."
[3] Yuxin Meng, "Designing click-draw based graphical password scheme for better authentication," IEEE Seventh International Conference on Networking, Architecture and Storage, 2012.
[4] Sonia Chiasson, Alain Forget, Robert Biddle, P.C. van Oorschot, "Influencing Users Towards Better Passwords: Persuasive Cued Click-Points," British Computer Society.
[5] Blonder, G. (1996), Graphical password, US Patent 5,559,961, available at: http://www.patentstorm.us/Patents/5559961.html
[6] Wiedenbeck, S., Waters, J., Birget, J.-C., Brodskiy, A. and Memon, N. (2005), "PassPoints: design and longitudinal evaluation of a graphical
[7] A. Perrig and D. Song, "Hash Visualization: A New Technique to Improve Real-World Security," International Workshop on Cryptographic Techniques and E-Commerce, pages 131-138, 1999.
[8] Passfaces Corporation, "The science behind Passfaces," White paper, http://www.passfaces.com/enterprise/resources/white papers.htm, accessed July 2009.
[9] Wazir Zada Khan, Mohammed Y. Aalsalem, Yang Xiang, "A Graphical Password Based System for Small Mobile Devices," International Journal of Computer Science Issues, Vol.
8, Issue 5, No. 2, September 2011.
[10] Jansen, W., Gavrila, S., Korolev, V., Ayers, R., and Swanstrom, R. (2003), "Picture Password: A Visual Login Technique for Mobile Devices," NIST Report NISTIR 7030.
[11] van Oorschot, P. C., Wan, T. (2009), "TwoStep: An Authentication Method Combining Text and Graphical Passwords," 4th International Conference, MCETECH.
[12] R. N. Shepard, "Recognition memory for words, sentences, and pictures," Journal of Verbal Learning and Verbal Behavior, vol. 6, pp. 156-163, 1967.
[13] Partha Pratim Ray, "Ray's Scheme: Graphical Password Based Hybrid Authentication System for Smart Hand Held Devices," Journal of Information Engineering and Applications, www.iiste.org, ISSN 2224-5782 (print), ISSN 2225-0506 (online), Vol. 2, No. 2, 2012.
[14] Sonia Chiasson, P.C. van Oorschot, Robert Biddle, "Graphical Password Authentication Using Cued Click Points," ESORICS 2007, LNCS 4734, pp. 359-374, 2007.
[15] Sonia Chiasson, Elizabeth Stobert, Alain Forget, Robert Biddle, Paul C. van Oorschot, "Persuasive Cued Click-Points: Design, Implementation, and Evaluation of a Knowledge-Based Authentication Mechanism," IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 2, March/April 2012.
[16] J. Thorpe and P.C. van Oorschot, "Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords," Proc. 16th USENIX Security Symposium, Aug. 2007.