Secure Authentication Schemes
Chintu Mathew, Arya Babu
PG Student, Sree Budha College of Engineering, Elavumthitta
Department of Computer Science and Engineering
Christ Knowledge City
Ernakulam, India
Chintukunnath91@gmail.com
Abstract – There are different authentication methods to provide security. The most commonly used are textual passwords, but these are susceptible to brute-force attacks. Recognition-based and recall-based graphical password techniques lack security because of hotspot coverage, or because an attacker can record the password with a camera. Token-based approaches can be lost or stolen. Biometric systems cannot be changed. Later another security method emerged which combines the above methods into one scheme, forming a 3-D password. The 3-D password is a multidimensional authentication scheme providing a virtual environment. It integrates multi-factor, multi-dimensional, multi-level security mechanisms. This paper presents a study of various authentication schemes based on security analysis.
Index Terms – Authentication, 3-D environment, token-based, biometric.
I. INTRODUCTION
In the current scenario security has become a major concern. A simple security mechanism may be sufficient for less confidential data, but all information handled and processed by a system needs to be secured. A security system should consider reliability, usability and human factors. Since passwords do not require any special hardware, they are the best means of authentication. Typically passwords are strings of letters and digits, i.e. they are alphanumeric. Such passwords have the disadvantage of being hard to remember. The difficulty of memorizing passwords, administrative issues and password-hacking tools render a password-only authentication policy inadequate for protecting confidential information. A password should be encrypted before it is stored, so that a penetration of the file system does not reveal password lists.
Authentication involves confirming the identity of a person. Different ways in which even secure passwords can be hacked are hashing, guessing, default passwords and brute force. A password that contains uppercase and lowercase characters, numbers and special characters is considered a strong password that cannot be guessed, but it is still not a secure way of authentication on its own. One way to strengthen an authentication policy is to add factors such as tokens, smart cards, digital certificates and biometrics. An authentication scheme should allow user choice while influencing users toward stronger passwords; another goal of a password system is to discourage users from making weak choices. Thus an approach is needed in which choosing the more secure password is the path of least resistance: the user follows the system's suggestions for a secure password, a feature lacking in most schemes, rather than having the burden placed on the user.
Most existing graphical password authentication techniques are sensitive to shoulder surfing, hotspot and dictionary attacks, malware and social engineering. Thus passwords should be easy to remember and very difficult for other users to guess. Passwords promote development, diplomacy and defence as security strategies. A multi-feature authentication scheme which combines the benefits of different authentication schemes in a single virtual environment provides more security.
Users interact with security technologies either passively or actively. For passive use, understandability may be sufficient for users. Active users need much more from their security solution: ease of use, memorability, efficiency, effectiveness and satisfaction. An ideal knowledge-based authentication system must support users in selecting passwords of higher security, which expands the effective security space.
In this paper, a comprehensive survey of the existing password techniques is presented, discussing the strengths and limitations of each method and pointing out the future scope in this area.
All copy rights Reserved by NATCOMM - 2014, Christ Knowledge City, Mannoor, India.
Published by IJRCCT (www.ijrcct.org)
Page 53
II. DIFFERENT AUTHENTICATION SCHEMES
The authentication methods can be broadly divided
into three main areas. Token based (two factor),
Biometric based (three factor), and Knowledge based
(single factor) authentication.
2.1 Token based authentication
Token based authentication is focused on “Something you have”. Bank cards, smart cards and credit cards are examples of this. Generally they are combined with knowledge based techniques to enhance security. It allows users to enter their username and password in order to obtain a token which allows them to fetch a specific resource without using their username and password again. Once they have acquired the token, the user can offer the token, which grants access to a specific resource for a time period, to the remote site.
Smartcards have the advantage that they may be used
to store other non-authentication information. Their
main disadvantage is the requirement for a reader at
every access terminal used. This may be acceptable
for users if only one machine is ever used for access:
but for the system owner it represents a considerable
initial capital outlay and an ongoing administrative
and maintenance burden – as does the issue,
recording and delivery of the smartcards. An
authentication server is required, and normally a
separate smartcard is needed for each protected
application. The card reader is an extra expense.
Another disadvantage is that they are less robust than
most other forms of token. Repeated flexing can
damage both contact and contactless smart cards, and
adverse climatic conditions can reduce the reliability
of contact smartcards.
2.2 Biometrics based authentication
Biometrics is based on “Something You Are”. It is the study of automated methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioural traits. Fingerprints, iris scans and facial recognition are examples. This technique provides the highest level of security. A biometric scanning device takes a user's biometric data, such as an iris pattern or fingerprint scan, and converts it into digital information a computer can interpret and verify. The problem of lost or forgotten credentials does not arise here, and the cost associated with loss or reissue can be avoided. Another advantage is its speed. The major drawback of this approach is that such systems can be expensive, and the identification process can be slow and often unreliable. They lack user privacy. Failure to enrol is another performance issue. Biometric sensors also have a limited lifetime, and the field lacks standards.
2.3 Knowledge based authentication
Knowledge based techniques are based on “Something You Know”. Commonly used techniques are text-based and graphical-based passwords. Recognition-based and recall-based graphical techniques are now in use. With recognition-based techniques, the user is presented with a set of images and must identify the images he or she selected during the registration stage. With recall-based techniques, a user is asked to recreate something that he or she created or selected earlier.
2.4 Graphical password
Graphical password systems are a type of knowledge-based authentication that attempts to leverage human memory for visual information. In such systems, users identify and target previously selected locations within one or more images. The images act as memory cues to aid recall. Attackers who gain knowledge of these hotspots by harvesting sample passwords can build attack dictionaries and more successfully guess PassPoints passwords. Users also tend to select their click-points in predictable patterns, which can be exploited by attackers even without knowledge of the background image; indeed, purely automated attacks against PassPoints based on image.
2.5 Click-based graphical password
A click-based graphical password consists of a series of clicks on predefined regions of an image. The scheme includes a “robust discretization” with three overlapping grids, allowing login attempts that are approximately correct to be accepted and converting the entered password into a cryptographic verification key. In Cued Click Points, users click one point on each of several images rather than five points on one image. It offers cued recall and introduces visual cues that instantly alert valid users if they have made a mistake when entering their latest click-point (at which point they can cancel their attempt and retry from the beginning). It also makes attacks based on hotspot analysis more difficult: it increases the workload for attackers by forcing them to first acquire the image sets for each user, and then conduct hotspot analysis on each of these images.
2.6 Persuasive cued click points mechanism
Later another method emerged, called persuasive cued click points. Here users create a password by selecting a click-point within a viewport. The viewport is positioned randomly to avoid hotspots. The viewport's size is intended to offer a variety of distinct points but still cover only an acceptably small fraction of all possible points. Users must select a click-point within this highlighted viewport and cannot click outside of it, unless they press the shuffle button to randomly reposition the viewport. The viewport and shuffle button appear only during password creation. During later password entry, the images are displayed normally, without shading or the viewport, and users may click anywhere on the images. After performing the actions the user exits the environment; access is granted after verification.
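The creation and login behaviour described above, written out as an added example that is not the paper's code: the viewport is placed at random, a click outside it is never enrolled, the shuffle button only repositions the viewport, and at login the viewport disappears and a tolerance square is applied instead. The image, viewport and tolerance sizes and the `choose_click` user-interface callback are assumptions.

```python
import secrets

# Constructed model of persuasive cued click-point creation and login (added
# here; not the paper's code). Image, viewport and tolerance sizes are assumptions.
IMG_W, IMG_H = 640, 480
VIEWPORT = 75      # side of the square viewport shown only during creation
TOLERANCE = 19     # side of the square around the stored point accepted at login

def random_viewport(randbelow=secrets.randbelow):
    """Place the viewport uniformly at random so no known hotspot is favoured."""
    x = randbelow(IMG_W - VIEWPORT + 1)
    y = randbelow(IMG_H - VIEWPORT + 1)
    return (x, y, x + VIEWPORT, y + VIEWPORT)

def inside(point, box):
    px, py = point
    x1, y1, x2, y2 = box
    return x1 <= px < x2 and y1 <= py < y2

def create_click(choose_click, max_attempts=20, randbelow=secrets.randbelow):
    """Creation for one image. choose_click(viewport) stands for the UI: it returns
    the user's point, or None when the shuffle button is pressed. A click outside
    the viewport is rejected and nothing is stored; the user must re-click or shuffle."""
    viewport = random_viewport(randbelow)
    for _ in range(max_attempts + 1):
        point = choose_click(viewport)
        if point is None:
            viewport = random_viewport(randbelow)   # shuffle: new random position
        elif inside(point, viewport):
            return point, viewport
    return None, viewport                           # nothing enrolled

def login_matches(entered, stored):
    """At login there is no viewport; any click within the tolerance square matches."""
    half = TOLERANCE // 2
    return abs(entered[0] - stored[0]) <= half and abs(entered[1] - stored[1]) <= half

def shuffles_for_hotspot(hotspot, randbelow=secrets.randbelow, cap=10_000):
    """Shuffles a user who insists on one fixed hotspot needs before the random
    viewport happens to cover it. The expected count grows with the ratio of image
    area to viewport area, which is the persuasive cost of ignoring the viewport."""
    for n in range(cap):
        if inside(hotspot, random_viewport(randbelow)):
            return n
    return cap
```

Passing a deterministic `randbelow` (as the tests do) pins the viewport, which is how the creation path can be exercised without a real user interface.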
2.7 The 3-D password scheme
It is a new authentication scheme that combines RECOGNITION + RECALL + TOKENS + BIOMETRIC in one authentication system. The 3-D password is a multifactor authentication scheme. It can combine all existing authentication schemes into a single 3-D virtual environment. This 3-D virtual environment contains several objects or items with which the user can interact. The type of interaction varies from one item to another. The 3-D password is constructed by observing the actions and interactions of the user and the sequence of such actions. It is the user's choice which types of authentication technique become part of their 3-D password. Any user action in the virtual environment can be considered part of the password.
The user is provided with a virtual environment in which the objects are distributed. Every object has (x, y, z) coordinates. The user navigates through the virtual environment and can interact with the objects. Consider a user who navigates through a 3-D virtual environment consisting of a ground and a classroom. Assume that the user is in the virtual ground, turns around to the door located at (10, 16, 80) and opens it. Then the user closes the door and types something. The resulting 3-D password is the sequence:
(10, 16, 80) Action = Open the office door;
(10, 16, 80) Action = Close the office door;
(18, 5, 20) Action = Typing “A”
Fig. 1. State diagram showing the 3-D password
2.7.1 Working
2.7.1.1 Text authentication
For text authentication a username and password are used. They are stored in the database with the password encrypted using the MD5 algorithm. During login the entered username and password are checked; if they are incorrect, an error message is displayed.
2.7.1.2 Graphical authentication
The user selects an image from a multiple-image set; a viewport is provided along with the image. The user clicks some pixels within the viewport in a sequence of their own choice, which is stored in the database, also in encrypted format using the MD5 algorithm. If the check fails, an error message is shown; if it is correct, the system proceeds to the next authentication step.
2.7.1.3 Biometric authentication
For biometric authentication thumb impressions are used. They are stored in the database in image format. During login the thumbprint obtained with a thumb detection device is verified against the stored image. Other biometric techniques like iris or facial detection can be adopted. Storing gesture details is another technique used.
2.7.1.4 3D signature
The user is provided with a 3-D virtual environment with some scenes and can perform actions according to his choice, e.g. opening a door, moving objects, closing a door, etc.
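The staged check of Sections 2.7 and 2.7.1, as an added example that is not the paper's code: the text, graphical, biometric and 3-D signature factors are verified in that order, and the 3-D signature is the ordered sequence of (x, y, z, action) tuples from the paper's door example. The grid cell size, the salted PBKDF2-SHA256 (used here in place of the unsalted MD5 the paper names) and the boolean result of an external thumbprint matcher are assumptions.

```python
import hashlib, hmac, os

# Constructed example of the staged 3-D password check in Sec. 2.7 / 2.7.1
# (added here; not the paper's code). Grid cell size and PBKDF2 are assumptions.
CELL = 19   # click-points are discretised to CELL x CELL pixel cells before hashing

def hash_secret(secret: bytes, salt: bytes) -> bytes:
    # Salted PBKDF2-SHA256 stands in for the unsalted MD5 named in the paper.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)

def encode_clicks(points):
    # (image_id, x, y) -> image id plus grid cell. A click anywhere in the same cell
    # matches; one just across a cell border does not, which is the edge case the
    # robust discretisation of Sec. 2.5 exists to handle.
    return b"|".join(f"{img}:{x // CELL},{y // CELL}".encode() for img, x, y in points)

def encode_signature(actions):
    # (x, y, z, action) tuples in the order performed; the order is part of the secret.
    return b"|".join(f"{x},{y},{z}:{act}".encode() for x, y, z, act in actions)

class Enrollment:
    """What the server stores: one salt and one hash per knowledge factor."""
    def __init__(self, password, click_points, actions):
        self.salt = os.urandom(16)
        self.pw_hash = hash_secret(password.encode(), self.salt)
        self.click_hash = hash_secret(encode_clicks(click_points), self.salt)
        self.sig_hash = hash_secret(encode_signature(actions), self.salt)

def authenticate(enr, password, click_points, biometric_matched, actions):
    """Run the four stages in the paper's order and report where the login stopped."""
    if not hmac.compare_digest(enr.pw_hash, hash_secret(password.encode(), enr.salt)):
        return "text"
    if not hmac.compare_digest(enr.click_hash, hash_secret(encode_clicks(click_points), enr.salt)):
        return "graphical"
    if not biometric_matched:          # verdict of an external thumbprint matcher (assumed)
        return "biometric"
    if not hmac.compare_digest(enr.sig_hash, hash_secret(encode_signature(actions), enr.salt)):
        return "signature"
    return "ok"

# Constructed enrolment using the door/keyboard sequence from the paper's example.
SIGNATURE = [(10, 16, 80, "open office door"), (10, 16, 80, "close office door"), (18, 5, 20, "type A")]
CLICKS = [("img1", 120, 45), ("img2", 300, 210)]
enrolled = Enrollment("correct horse", CLICKS, SIGNATURE)
```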
III. SECURITY ANALYSIS
3.1 Key logger
A key logger is invisible software which captures all keys typed on the user's keyboard and outputs them as text files. But since the 3-D password is not textual, the attempt will not be successful.
3.2 Well studied attack
The attacker has to find the most probable distribution of 3-D passwords. This would be very difficult because the attacker needs to study all existing authentication schemes and the users' selection of choices. The attacker needs to perform the attack for every environment, which is very tedious.
3.3 Brute force attack
The time taken for a login may vary between 20 s and 2 min, which is time consuming. Regarding the cost of the attack, the 3-D virtual environment contains biometric objects, and the attacker needs to obtain all such information.
IV. CONCLUSION
To provide privacy and security the use of a robust security mechanism is necessary. The security goal in password-based authentication systems is to maximize the effective password space. When user choice is involved, it gives usability. Textual passwords and token-based passwords are the commonly used authentication schemes, and they face many weaknesses. Based on the survey of various authentication schemes, 3-D passwords were found to provide the maximum security. In a 3-D password, users have the freedom to select according to their choice and preferences. This includes many interactions with the virtual environment, which increases the key length. The memory requirement for a 3-D password is high. The main application domains of the 3-D password are critical servers; banking and system logins can also make use of 3-D passwords to provide more secure authentication. This improves the robustness of current authentication schemes.