A New Multi Level Access Control System based on Face Recognition System and Graphical Password
K. R. Singh¹, R. S. Khedgaonkar²
¹,² Computer Technology Department, Y.C.C.E, Nagpur, 441110, India.
¹ singhkavita19@yahoo.co.in, ² roshni.k86@gmail.com
Abstract -- Authentication and authorization are two different aspects of access control systems. In this paper we present a novel multi-level access control system. The proposed system uses a face recognition system as a biometric for authentication at the first level and a graphical password for authorization at the second level. The advantage of the proposed system is twofold: first, it overcomes the flaw of a face recognition system used alone, namely that anyone can log in with a photo of the enrolled person; second, it entirely overcomes the shoulder-surfing problem of graphical passwords.
Keywords: Access control system, face recognition system, graphical password, shoulder surfing.
I. INTRODUCTION
Security is the degree of protection that safeguards a nation in general, or a person, against danger or loss of data. Security is generally provided through different types of access control systems. Authentication and authorization are two different aspects of access control systems. Authentication is the mechanism whereby systems securely identify their users. Briefly speaking, authentication systems answer the questions: 1) who is the user? 2) is the user really who he/she claims to be? Authorization, by contrast, is the mechanism by which a system determines what level of access a particular authenticated user should have to the secured resources controlled by the system. Authorization systems answer the questions: 1) is user X authorized to access resource R? 2) is user X authorized to perform operation P? and 3) is user X authorized to perform operation P on resource R? Authentication and authorization are tightly coupled mechanisms: authorization systems depend on secure authentication systems to ensure that users are who they claim to be, and thus prevent unauthorized users from gaining access to secured resources.
Further, access to any authenticated system can be achieved through various means such as text-based passwords [20], graphical passwords [21, 22] and biometrics [23, 24]. Text-based passwords are difficult to remember and easy to crack. Therefore, in order to overcome the drawbacks of text-based passwords, different biometrics and graphical passwords have been designed. Graphical passwords [21, 22] are more memorable and easier for people to use and, therefore, more secure. A new and more secure graphical password system, called Pass-Points, has been proposed in [21]. In addition to these two approaches, biometrics is the most commonly used authentication mechanism in today's day-to-day life. The most commonly used biometric is the face recognition system [24]. In face recognition, the person just has to stand in front of a camera in order to get authenticated. This is a physiological characteristic which cannot be hacked or given to others. However, as reported in [24], these techniques are useful but in some situations fail to perform. Moreover, according to the recent report [19], Chromium OS was able to break into one device that used facial recognition authentication software just by holding it up to a photo of the user. Thus we can see the failure of single-level authentication systems. Designing a secure as well as user-friendly password-based method has attracted security researchers for a long time. Therefore, the goal of the proposed hybrid approach is to exploit the strengths of graphical passwords and biometrics to build a multi-level authentication system that can be a robust access control system for the authentication and authorization process.
In this paper we propose a new technique of authentication that combines a graphical password and face recognition in order to make our system, and its confidential data, more secure. The proposed approach is a multilevel security system: at the authentication level we propose to use face recognition, and at the authorization level we propose a graphical password technique.
The rest of the paper is organized as follows: Section I gives a brief introduction; Section II presents a literature survey. In Section III an overview of three different techniques of authentication is presented. Section IV presents a brief introduction to the proposed system, followed by the conclusion in Section V.
II. LITERATURE SURVEY
Authentication and authorization are the two basic parts of an access control mechanism. Together they guarantee access control at the first boundary of the system, which ensures the identity of the user before resources of the system are accessed. The most common way to authenticate the user is through alphanumeric passwords [1]. Studies have shown that users tend to pick short passwords or passwords that are easy to remember [4]. Unfortunately, such passwords can be easily guessed or broken. Thus a text password has to strike a balance between being easy to remember and easy to break.
To address the problems with alphanumeric password authentication, graphical passwords can be used as an alternative to text ones. They are generally based on the human peculiarity of remembering visual images better than text [2, 3]. Thus in a graphical password as described by Blonder [7], a user needs to choose memorable locations in an image. Choosing memorable locations depends on the nature of the image itself and the specific sequence of click locations. To support memorability, images should have semantically meaningful content, because memory for arbitrary things is poor [8]. In the same direction, Dhamija and Perrig [9] proposed a graphical authentication scheme based on the Hash Visualization technique [10]. The weakness of this system is that the server needs to store the seeds of the portfolio images of each user in plain text. Also, the process of selecting a set of pictures from the picture database can be tedious and time consuming for the user. The limitations of the approach proposed in [9] were overcome by Akula and Devisetty's algorithm [11], based on the hash function SHA-1, which requires less memory. Sobrado and Birget [12] developed a graphical password technique that deals with the shoulder-surfing problem. Man et al. [13] proposed another shoulder-surfing resistant algorithm. Hong et al. [14] later extended this approach to allow the user to assign their own codes to pass-object variants. In addition, Jansen et al. [15, 16, 17] proposed a graphical password mechanism for mobile devices. Takada and Koike discussed a similar graphical password technique for mobile devices; this technique allows users to use their favorite image for authentication [18]. Although graphical password schemes have been proposed as a possible alternative to text-based schemes, they still suffer from shoulder surfing. Knowledge-based techniques, which include both text-based and picture-based passwords, are the most widely used authentication techniques; to overcome their problems, biometrics are used [5, 6, 23, 24]. Generally, biometric-based authentication techniques [23, 24], such as fingerprints, iris scans or facial recognition, although expensive, provide the highest level of security. Thus we have seen that every approach has its own advantages and disadvantages. Therefore, the goal of the proposed hybrid approach is to exploit the strengths of graphical passwords and biometrics to build a more robust access control system for the authentication and authorization process.
III. OVERVIEW OF METHODS USED FOR ACCESS CONTROL SYSTEM
In this section we briefly discuss the text password and the graphical password, along with their advantages and disadvantages.
A. Password
Text passwords are generally alphanumeric passwords. An alphanumeric password is simply a string of letters and digits. These passwords only offer good security as long as they are complicated enough that they cannot be cracked easily. Although alphanumeric passwords are very easy to use, they have some disadvantages: human long-term memory [20], decay and interference [20], and dictionary attacks [20]. Human long-term memory is a problem when users use one password for all systems, or trivial variations of a single password, to ease long-term memory. Secondly, users have many passwords for computers, networks and web sites. The large number of passwords increases interference and is likely to lead to forgetting or confusing passwords; items in memory may compete with a password and prevent its accurate recall.
Lastly, another drawback is the dictionary attack. Because of the difficulty of remembering random strings of characters, most users tend to choose a common word or a name. Unfortunately, there are several tools that allow an individual to crack passwords by automatically testing all the words that occur in dictionaries or public directories. This attack will usually not uncover the password of a predetermined user.
B. Graphical password
Having seen the weaknesses of text-based passwords, many approaches have been proposed that use graphics to provide a more secure and usable alternative. Based on studies showing that the human brain is better at recalling images than text, graphical passwords are intended to solve the memory burden and small password space problems of text passwords. In addition they are also more resistant to brute-force attacks, since the search space is practically infinite.
If a graphical password is used for authentication, the user is shown the registered picture, as in Fig. 1. Next the user has to correctly pick the points of interest, as shown in Fig. 2.
The main idea of the first type of graphical password is that the user has to choose a background picture from the given library of images, or upload a picture that satisfies the method's restrictions, as shown in Fig. 3. After that the user must define control points on the chosen image.
Fig. 4. Passfaces used in authentication [21]
Fig. 1. Login screen
The last type of graphical password is the same as the previous one; the only difference is at the authentication step. Instead of showing only one "right" image on the screen, the system outputs 3 or 4 of them. The user has to mentally construct the triangle or square (with a password picture at each vertex) and click on any image inside this figure, as shown in Fig. 5. Only after a few repetitions will the system be able to identify the user correctly. This method is called the triangle scheme [21].
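The triangle scheme described above turns the pass-images into a geometric challenge: the system scatters the pass-images among decoys, and the user clicks anywhere inside the triangle they span, so the pass-images themselves are never touched. The following is an added example, not code from the paper or from Passfaces; the image names, screen size and the Monte Carlo estimate are constructed here. It implements the per-round containment test, re-randomises the layout every round, and estimates how often a random click passes, which is why the text needs several repetitions before accepting a user.

```python
import random
from typing import Dict, Sequence, Tuple

Point = Tuple[float, float]
Layout = Dict[str, Point]   # image name -> centre of that image on screen

# Constructed sample data (assumption): three pass-images hidden among twelve decoys.
PASS_IMAGES = ("cat", "bridge", "violin")
DECOY_IMAGES = tuple(f"decoy{i}" for i in range(12))
SCREEN_W, SCREEN_H = 800.0, 600.0


def _orient(p: Point, q: Point, r: Point) -> float:
    """Twice the signed area of triangle (p, q, r); positive for counter-clockwise order."""
    return (q[0] - p[0]) * (r[1] - p[1]) - (q[1] - p[1]) * (r[0] - p[0])


def point_in_triangle(click: Point, a: Point, b: Point, c: Point) -> bool:
    """True if the click lies inside (or on an edge of) triangle abc, whatever its orientation."""
    d1, d2, d3 = _orient(a, b, click), _orient(b, c, click), _orient(c, a, click)
    has_neg = d1 < 0 or d2 < 0 or d3 < 0
    has_pos = d1 > 0 or d2 > 0 or d3 > 0
    return not (has_neg and has_pos)


def random_layout(rng: random.Random) -> Layout:
    """Scatter pass-images and decoys at fresh random positions for one challenge round."""
    return {name: (rng.uniform(0, SCREEN_W), rng.uniform(0, SCREEN_H))
            for name in PASS_IMAGES + DECOY_IMAGES}


def round_accepts(layout: Layout, click: Point) -> bool:
    """One round passes if the click falls inside the triangle spanned by the pass-images."""
    a, b, c = (layout[name] for name in PASS_IMAGES)
    return point_in_triangle(click, a, b, c)


def authenticate(layouts: Sequence[Layout], clicks: Sequence[Point]) -> bool:
    """Every round must pass. Because the layout changes each round, one observed
    click position does not reveal which images are the pass-images."""
    if not layouts or len(layouts) != len(clicks):
        return False
    return all(round_accepts(lay, clk) for lay, clk in zip(layouts, clicks))


def random_click_success_rate(rounds: int, trials: int = 2000, seed: int = 1) -> float:
    """Monte Carlo estimate of how often someone clicking at random passes `rounds` rounds.
    For a single round this is roughly the average triangle area over the screen area."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        passed = all(
            round_accepts(random_layout(rng), (rng.uniform(0, SCREEN_W), rng.uniform(0, SCREEN_H)))
            for _ in range(rounds)
        )
        wins += passed
    return wins / trials


if __name__ == "__main__":
    print("random click, 1 round:", random_click_success_rate(1))
    print("random click, 4 rounds:", random_click_success_rate(4))
```

A single round accepts a blind click several percent of the time, so a deployment has to chain rounds, and the acceptance logic must treat the whole sequence as one attempt rather than revealing after each round whether the click was inside.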
Fig. 2. An example of creating a graphical password using the proposed system.
The sequence of these points constitutes the user's password. During the authentication process the user has to repeat the clicks on all the points in the right sequence (a permissible deviation in the points is allowed, because it is almost impossible for a person to click in exactly the same position every time) [22].
Fig. 3. POIs on a large image [22]
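The click-point scheme above is defined by two things the text mentions only in passing: the clicks are compared in order, and each click is accepted within a permissible deviation. The following added example (not code from the paper or from the cited PassPoints or Rutgers work; image size, tolerance and the registered points are constructed) implements enrolment with a confirmation pass, ordered verification with a pixel tolerance, and a quick calculation of what the tolerance does to the password space.

```python
import math
from typing import Sequence, Tuple

Point = Tuple[int, int]

# Constructed sample data (assumption): an 800x600 background image and a four-click password.
IMAGE_W, IMAGE_H = 800, 600
TOLERANCE_PX = 10          # permissible deviation around each registered point
REGISTERED: Tuple[Point, ...] = ((120, 80), (400, 310), (640, 90), (300, 500))


def within_tolerance(registered: Point, clicked: Point, tolerance: int = TOLERANCE_PX) -> bool:
    """A click counts as a hit if it lands within `tolerance` pixels of the registered point."""
    return math.hypot(registered[0] - clicked[0], registered[1] - clicked[1]) <= tolerance


def verify_click_sequence(registered: Sequence[Point], attempt: Sequence[Point],
                          tolerance: int = TOLERANCE_PX) -> bool:
    """Ordered check: the i-th click must hit the i-th registered point.
    The result is a single yes/no so a caller cannot learn which click was wrong."""
    if len(registered) != len(attempt):
        return False
    return all(within_tolerance(r, a, tolerance) for r, a in zip(registered, attempt))


def enroll(first: Sequence[Point], confirmation: Sequence[Point],
           tolerance: int = TOLERANCE_PX) -> Tuple[Point, ...]:
    """Registration: the user repeats the sequence once, and it is stored only if the
    repetition lands within tolerance, which weeds out points the user cannot reproduce."""
    if not first or not verify_click_sequence(first, confirmation, tolerance):
        raise ValueError("confirmation clicks do not reproduce the chosen points")
    return tuple(first)


def effective_space_bits(width: int, height: int, n_points: int, tolerance: int) -> float:
    """Upper bound on the password space once tolerance is taken into account: clicks closer
    than 2*tolerance are indistinguishable, so each click selects one of the grid cells."""
    cell = 2 * tolerance
    distinguishable_cells = (width // cell) * (height // cell)
    return n_points * math.log2(distinguishable_cells)


if __name__ == "__main__":
    stored = enroll(REGISTERED, ((125, 84), (396, 315), (641, 83), (302, 494)))
    print("login ok:", verify_click_sequence(stored, ((118, 77), (404, 305), (637, 95), (305, 503))))
    print("bits of space at 10 px tolerance:", round(effective_space_bits(IMAGE_W, IMAGE_H, 4, 10), 1))
```

The last function is the caveat a practitioner wants next to the claim that the search space is "practically infinite": with a 10-pixel tolerance on an 800x600 image, four clicks give roughly 41 bits, comparable to a short random text password, and the server still holds the raw points because a tolerant comparison cannot be done on a plain hash.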
In the second type of graphical password, the user has to choose a number of images from the given set; sometimes there is the possibility of uploading a picture himself. Usually these are pictures of people of different ages, sexes and nationalities, as shown in Fig. 4. The chosen ones form the user's password, and during the authentication process the user "types" his password by clicking on the previously chosen images [22].
Fig. 5. Triangular scheme password [21]
All three types of graphical password discussed above are advantageous in respect of 1) usability, 2) security, 3) being difficult to tell to others, and 4) the balance between usability and security. From the usability point of view a graphical password is preferable for users because a combination of images is easier to remember and reproduce than a combination of letters and digits. Another benefit of using a graphical password is independence from any alphabet. The second advantage of graphical schemes is that dictionary attacks are infeasible against them, so they are more secure. Next, the POIs are difficult to tell to any person, especially by phone, and they cannot easily be sent through email, so they are more secure. Another advantage is that images are easier to remember than text passwords. This helps the user in choosing any image from a collection of images, or he/she can register his/her own images. Generally, choosing any image does not lead to dictionary attacks or brute-force attacks. Thus a graphical password maintains a good balance between usability and security [21, 22].
However, apart from the above advantages, graphical passwords suffer from some limitations. This limitation originates from the usability advantage itself. Because it is easy for humans to remember visual images, the possibility of a "shoulder-surfing" attack increases. This usability has a double effect: on one side it becomes easy for the average user to remember the password; on the other side a criminal can easily remember the whole combination of images, or of areas on the image, by standing behind the user.
C. Biometrics
Generally, when either the physiological or the behavioral nature of a human is used to distinguish one person from another, that is called biometrics. Examples of biometrics are iris, retina, fingerprint, face recognition, etc. [23]. Biometrics offer advantages in many ways: biometric traits cannot be lost or forgotten, and they are difficult to copy, share and distribute.
A face recognition technique records face images through a digital video camera and analyses facial characteristics like the distance between the eyes, nose, mouth and jaw edges. These measurements are broken into facial planes and retained in a database, which is then used for comparison. Face recognition can be done in two ways:
In order to overcome the limitations of graphical passwords and face recognition systems, we propose a new multilevel access control system. This system is a hybrid method of authentication that inherits the advantages of both biometrics [24] and graphical passwords [21, 22]. The details of the proposed system are explained in Section IV.
IV. PROPOSED SYSTEM
We have seen that there are many ways through which we can get authenticated; however, the most secure are biometrics and graphical passwords. These two techniques nevertheless suffer from certain limitations. This motivates us to present a new hybrid multi-level security system. In the proposed system, security is achieved at two different levels: one at the authentication level and the second at the authorization level. For authentication we use a face recognition system, and the graphical password concept is applied at the authorization level. In order to understand the need for a two-level security system, we describe the circumstance shown in Fig. 6.
Consider a big rectangle as a hall in which four laboratories are established, i.e., Laboratory 1, Laboratory 2, Laboratory 3 and Laboratory 4. A few persons are assigned to each laboratory. This means that only those persons are authorized for that specific department or laboratory. In their absence no other person should operate that department. This safeguards the department from any unwanted or mischievous activity by an intruder. In such circumstances, if only face recognition is used as the biometric means, the authentication can be breached with the help of an image of an absent person. On the other hand, if graphical passwords are used, they have the shoulder-surfing problem. In this regard, in our proposed system, first a face recognition device is placed at the entrance of the hall, and one touch-screen display device is placed in front of each laboratory/department. When any person wants entry, that person is first authenticated by the face recognition device at the entrance. This protects the prohibited area from any intruder.
Fig. 6. Scenario of multilevel security
Let us say that a person A, assigned to Laboratory 1, is authenticated at the entrance. Once that person is authenticated, different face templates of the authenticated person are displayed on the display device placed in front of the laboratory for which that person is authorized. The person can then draw a pattern using these templates (the graphical password) to get authorization for that particular laboratory. In this way we arrive at a multilevel security system. If person A, after being authenticated in the hall, wants to do mischievous work in Laboratory 2 in the absence of B, he cannot, because person B has not been authenticated at the hall door, so his/her facial templates are not displayed on the device placed in front of the laboratory. Even if person A knows the graphical pattern that person B uses for authorization, he will still not be able to enter Laboratory 2: person B has not been authenticated, hence the facial templates are not displayed, hence A cannot draw the graphical pattern. In this way shoulder surfing is eliminated.
Thus the advantage of the proposed system is that shoulder surfing, the drawback of graphical passwords, is totally eliminated. Even if a person knows the graphical password, he will not be able to get authorization.
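The reasoning in this section can be checked as a small model of the two levels. The following is an added example, not code from the paper or a description of the authors' implementation; the persons A and B, their template identifiers, laboratory assignments and patterns are constructed, and the face recogniser is abstracted to a template lookup. The model enforces the two rules the text relies on: a laboratory's display shows templates only for persons who are both authenticated at the entrance and assigned to that laboratory, and the drawn pattern must match the owner of the displayed templates.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Set, Tuple

Pattern = Tuple[int, ...]   # order in which the displayed face templates are touched


@dataclass(frozen=True)
class Person:
    name: str
    template_id: str      # identifier of the enrolled face template (constructed placeholder)
    lab: str              # the one laboratory this person is assigned to
    pattern: Pattern      # graphical password drawn over the person's own templates


class MultiLevelAccessControl:
    """Level 1: the entrance recogniser marks a person as present in the hall.
    Level 2: a lab's touch screen shows templates only for present persons assigned
    to that lab, and the drawn pattern must match the template owner's pattern."""

    def __init__(self, people: Sequence[Person]) -> None:
        self.by_template: Dict[str, Person] = {p.template_id: p for p in people}
        self.present: Set[str] = set()

    # --- level 1: face recognition at the hall entrance --------------------
    def face_recognise(self, captured_template_id: str) -> Optional[str]:
        """Abstracts the recogniser: a match on an enrolled template admits that person.
        It has no liveness check, which is exactly the weakness the second level covers."""
        person = self.by_template.get(captured_template_id)
        if person is None:
            return None
        self.present.add(person.name)
        return person.name

    # --- level 2: graphical password at the laboratory door ----------------
    def displayed_templates(self, lab: str) -> Set[str]:
        """Templates shown on this lab's display: owner must be present and assigned here."""
        return {p.template_id for p in self.by_template.values()
                if p.lab == lab and p.name in self.present}

    def authorise(self, lab: str, chosen_template_id: str, drawn: Pattern) -> bool:
        """Grant entry only if the chosen templates are on the display and the pattern matches."""
        if chosen_template_id not in self.displayed_templates(lab):
            return False            # nothing to draw on: owner absent or not assigned here
        owner = self.by_template[chosen_template_id]
        # Constant-time comparison; a length mismatch simply compares unequal.
        return hmac.compare_digest(bytes(owner.pattern), bytes(drawn))


def scenario() -> Dict[str, bool]:
    """Constructed walk-through of the paper's hall: A assigned to Laboratory 1, B to Laboratory 2."""
    a = Person("A", "tpl-A", "Laboratory 1", (0, 2, 1, 3))
    b = Person("B", "tpl-B", "Laboratory 2", (3, 1, 0, 2))
    acs = MultiLevelAccessControl([a, b])
    acs.face_recognise("tpl-A")                     # only A walks in; B is absent
    results = {
        "A enters own lab": acs.authorise("Laboratory 1", "tpl-A", a.pattern),
        "A tries lab 2 with own pattern": acs.authorise("Laboratory 2", "tpl-A", a.pattern),
        "A knows B's pattern, B absent": acs.authorise("Laboratory 2", "tpl-B", b.pattern),
    }
    # Level 1 fooled on its own (the recogniser matched B's template while B is absent):
    acs.face_recognise("tpl-B")
    results["B's template matched at entrance, pattern unknown"] = (
        acs.authorise("Laboratory 2", "tpl-B", (9, 9, 9, 9)))
    return results


if __name__ == "__main__":
    for case, granted in scenario().items():
        print(f"{case}: {'granted' if granted else 'denied'}")
```

Only the first case is granted. The model also makes the design assumption explicit: each level is bypassable on its own, so the system's strength rests on the two levels failing independently, which is the property to verify when the full system is built.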
V. CONCLUSION AND FUTURE WORK
In this paper we proposed a hybrid multilevel security system. We propose to use face recognition at the authentication level and graphical passwords at the authorization level. We have seen how the proposed system is advantageous compared to a single means of authentication.
The proposed system is under development, and future work will be the development of a full-fledged system for authentication.
REFERENCES
[1] L. Sobrado and J. C. Birget, "Graphical passwords", Department of Computer Science, Rutgers University, Camden, New Jersey 08102, 2002.
[2] R. N. Shepard, "Recognition Memory for Words, Sentences and Pictures", Journal of Verbal Learning and Verbal Behavior, vol. 6, pp. 156–163, 1967.
[3] A. Paivio, T. B. Rogers, and P. C. Smythe, "Why Are Pictures Easier to Recall Than Words?", Psychonomic Science, vol. 11, pp. 137–138, 1968.
[4] A. Adams and M. A. Sasse, "Users are not the enemy: why users compromise computer security mechanisms and how to take remedial measures", Communications of the ACM, vol. 42, pp. 41–46, 1999.
[5] K. Gilhooly, "Biometrics: Getting Back to Business", Computerworld, May 09, 2005.
[6] A. Jain, L. Hong, and S. Pankanti, "Biometric identification", Communications of the ACM, vol. 33, pp. 168–176, 2000.
[7] G. E. Blonder, "Graphical Passwords", United States Patent 5559961, 1996.
[8] D. A. Norman, "The Design of Everyday Things", Basic Books, New York, 1988.
[9] R. Dhamija and A. Perrig, "Deja Vu: A User Study Using Images for Authentication", in Proceedings of the 9th USENIX Security Symposium, 2000.
[10] A. Perrig and D. Song, "Hash Visualization: A New Technique to Improve Real-World Security", in Proceedings of the 1999 International Workshop on Cryptographic Techniques and E-Commerce, 1999.
[11] S. Akula and V. Devisetty, "Image Based Registration and Authentication System", in Proceedings of the Midwest Instruction and Computing Symposium, 2004.
[12] L. Sobrado and J. C. Birget, "Graphical passwords", The Rutgers Scholar, An Electronic Bulletin for Undergraduate Research, vol. 4, 2002.
[13] S. Man, D. Hong, and M. Mathews, "A shoulder surfing resistant graphical password scheme", in Proceedings of the International Conference on Security and Management, Las Vegas, NV, 2003.
[14] D. Hong, S. Man, B. Hawes, and M. Mathews, "A password scheme strongly resistant to spyware", in Proceedings of the International Conference on Security and Management, Las Vegas, NV, 2004.
[15] W. Jansen, "Authenticating Mobile Device Users Through Image Selection", in Data Security, 2004.
[16] W. Jansen, S. Gavrila, V. Korolev, R. Ayers, and R. Swanstrom, "Picture Password: A Visual Login Technique for Mobile Devices", National Institute of Standards and Technology Interagency Report NISTIR 7030, 2003.
[17] W. A. Jansen, "Authenticating Users on Handheld Devices", in Proceedings of the Canadian Information Technology Security Symposium, 2003.
[18] T. Takada and H. Koike, "Awase-E: Image-based Authentication for Mobile Phones using User's Favorite Images", in Human-Computer Interaction with Mobile Devices and Services, vol. 2795, Springer-Verlag GmbH, pp. 347–351, 2003.
[19] http://www.chromium.org/chromium-s/chromiumos-designdocs/security-overview.
[20] Jean-Camille Birget, Alex Brodskiy, Nasir Memon, Susan Wiedenbeck, "Authentication Using Graphical Passwords", Drexel University.
[21] Graphical Password Technology, Passfaces Corporation.
[22] Leonardo Sobrado and Jean-Camille Birget, "Graphical passwords", Department of Computer Science, Rutgers University, 2002.
[23] Siddhesh Angle, Reema Bhagtani, Hemali Chheda, "Biometrics: A Further Echelon of Security", Department of Biomedical Engineering, Thadomal Shahani Engineering College, T.P.S III, Bandra, Mumbai.
[24] Anil K. Jain, Sharath Pankanti, Salil Prabhakar, Lin Hong, and Arun Ross, "Biometrics: A Grand Challenge", Proceedings of the 17th International Conference on Pattern Recognition, pp. 1051–1059, 2004.