At a time when the Internet provides essential services and is increasingly used as a tool for
commerce, security becomes a tremendously important issue to deal with. One essential aspect of
secure communications is cryptography.
1.3 CRYPTOGRAPHY
Cryptography[2] is the science of writing in secret code and is an ancient art. The first
documented use of cryptography in writing dates back to circa 1900 B.C. Cryptography is the method of
transferring private information and data over open network communication. Cryptography starts
with unencrypted data, referred to as plaintext. Plaintext is encrypted into ciphertext, which is in
turn decrypted back into usable plaintext.
1.3.3 Hash Functions
Hash functions are also called message digests or one-way encryption. A hash function is a mathematical
function that converts a numerical input value into another, compressed numerical value. The input to
the hash function is of arbitrary length but the output is always of fixed length. The value returned is
called the message digest. Some hash algorithms are the Message Digest Algorithm, the Secure Hash Algorithm,
the RACE Integrity Primitives Evaluation Message Digest (RIPEMD), Hash of Variable Length (HAVAL), Whirlpool and Tiger.
Fig 1: Secret Key Cryptography, Public Key Cryptography
Fig 2: Hash Function
A digital envelope comprises an encrypted message and an encrypted session key. A digital
signature is formed in two steps: first, computing the hash value of the message; next, encrypting that hash value with
the sender's private key. The receiver applies the same hash function to the sender's original message, which the receiver
has already decrypted, and compares the result with the hash value recovered from the signature.
1.4 AUTHENTICATION
A convenient method to provide network security is authentication[3]. Authentication is the
act of confirming the truth of an attribute of a single piece of data claimed true by an entity. It might
involve confirming the identity of a person by validating their identity documents, verifying the
authenticity of a website with a digital certificate, etc. Widely used protocols that provide authentication are Secure
Sockets Layer, IPsec, Secure Shell and Kerberos.
The ways in which someone may be authenticated fall into three categories, based on what are
known as factors of authentication: something the user knows (knowledge factor), something the user
has (ownership factor) and something the user is or does (inherence factor).
Types of authentication[3]
1. Single-factor authentication: Only a single component from the three categories of factors is used
to authenticate an individual's identity.
2. Two-factor authentication: When elements representing two factors are required for
authentication, the term two-factor authentication is applied (e.g. bank card and PIN).
3. Multi-factor authentication: Instead of two factors, multiple authentication factors are
used, which further enhances the security of a transaction.
4. Strong authentication: This is defined as a layered authentication approach relying on two or
more authenticators to establish the identity of an originator or receiver of information.
1.4.1 PASSWORDS
Passwords[4] are the most widely used form of authentication. Users provide an identifier (a
typed-in word or phrase, or perhaps a token card) along with a password. In many systems the passwords
are not stored as plaintext but are encrypted. The traditional form is the textual password, a
string of letters and digits, but it has several vulnerabilities.
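The hash-function section above and the remark that stored passwords are "not stored as plaintext" meet in practice in salted, slow password hashing. The following added example (not code from the source) shows the fixed-length digest property and a storage record built with PBKDF2-HMAC-SHA256; the function names, record format and iteration count are this example's own choices.

```python
import hashlib
import hmac
import os

# Added example: derive a per-user record from a password with a random salt
# and a slow key-derivation function, so the stored value reveals neither the
# password nor whether two users chose the same one. All names are constructed.

ITERATIONS = 200_000  # work factor; raise as hardware gets faster


def digest_length_is_fixed(inputs):
    """Hash inputs of any length; every SHA-256 digest is 32 bytes long."""
    return {len(hashlib.sha256(x).digest()) for x in inputs}


def hash_password(password, salt=None):
    """Return 'iterations$salt_hex$digest_hex' for storage in a user table."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt; compare in constant time."""
    iters, salt_hex, digest_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # compare_digest avoids leaking where the two strings first differ
    return hmac.compare_digest(dk.hex(), digest_hex)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Correct horse battery staple", record))  # False
```

Because the salt differs per user, two users with the same password get different records, and an attacker cannot precompute one table for the whole user base.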
One-time password (OTP)
To avoid the problems associated with password reuse, OTPs[4] were developed. There are two
types: the challenge-response password and the password list. In the challenge-response scheme, the system responds
with a challenge value after receiving a user identifier. The response is then either calculated from the
challenge value or selected from a table based on the challenge. The password-list OTP makes use of a list of passwords
which are used sequentially by the person wanting to access a system. The values are generated so that
it is very hard to calculate the next value from the previously presented values.
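Both OTP types described above, as an added example that is not part of the source: the password list is realised as a hash chain (the client reveals chain values in reverse order, so a value the server has already seen gives no help in computing the next one it will demand), and the challenge-response variant as an HMAC over the challenge. Class and function names, the chain length and the sample keys are this example's own.

```python
import hashlib
import hmac
import os

# Added example. chain[0] is the client's secret seed, chain[i] = H(chain[i-1]).
# The server stores only chain[n] (one-way, so safe at rest) and the client
# presents chain[n-1], chain[n-2], ... at successive logins.

N = 1000  # chain length = number of logins before re-enrolment


def make_chain(seed, n=N):
    """Build [seed, H(seed), H(H(seed)), ..., H^n(seed)]."""
    chain = [seed]
    for _ in range(n):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain


class ChainServer:
    def __init__(self, last_value):
        self.current = last_value  # H^n(seed) at enrolment

    def login(self, otp):
        # The presented value must hash to the value on file. On success it
        # replaces the value on file, so the same OTP cannot be replayed.
        if hmac.compare_digest(hashlib.sha256(otp).digest(), self.current):
            self.current = otp
            return True
        return False


def challenge_response(key, challenge):
    """Response a token computes for a server-issued challenge (HMAC-SHA256)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def demo():
    chain = make_chain(b"constructed-seed-do-not-reuse")
    server = ChainServer(chain[N])
    first = server.login(chain[N - 1])   # True: fresh value
    replay = server.login(chain[N - 1])  # False: already consumed
    second = server.login(chain[N - 2])  # True: next value in reverse order
    key, chal = b"constructed-shared-key", os.urandom(16)
    token_side = challenge_response(key, chal)      # computed by the token
    server_side = challenge_response(key, chal)     # recomputed by the server
    return first, replay, second, hmac.compare_digest(token_side, server_side)
```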
Textual passwords are chosen so that they are easy to remember, but they are vulnerable
to various attacks: dictionary attacks, easy guessing, key loggers, shoulder surfing, social engineering,
spyware and hidden cameras. As an alternative to the textual password, the graphical password has been
proposed.
Graphical password methods can be classified into four general categories: Drawmetric (draw
based), Locimetric (position based), Cognometric (chosen position) and Hybrid schemes. Hybrid
schemes combine two or more of the other categories.
1. Recognition Based System
In this system, for registration the user has to select a certain number of images from a set of
random images in an order as the password, and for authentication the user has to identify those images
in the same order. The schemes in this category are:
Jansen et al. Method[7]: In this scheme images of size 40x40 are shown in a 5x6 matrix on the
basis of a selected theme, and the user has to select images from the matrix with a stylus. A numerical
sequence based on the image selection is registered to form the password. At login time the user has to recognize
the same images in the same sequence.
Fig 5: Jansen et al. method (sea and shore theme), Dhamija and Perrig scheme, Passface scheme
Dhamija and Perrig Scheme[5]: In this scheme, during registration the user picks
several pictures of their choice from a set of random pictures in a sequence, and during
authentication the user has to identify those same pictures in the same sequence.
Passface Scheme[5]: In this scheme, human faces are used as the password. A grid of nine
human faces is shown; one of the nine is known to the user and the remaining are decoys. The user
has to recognize the known face among the nine, and this continues until all four faces have been
identified.
Sobrado and Birget Scheme[5]: Sobrado and Birget developed a method to prevent shoulder
surfing attacks. In this scheme the system displays a number of pass-objects among other objects, and the user clicks
inside the convex hull bounded by the pass-objects.
Hong et al. Method[7]: The user has to enter a string corresponding to each variation of the
pass-icons. At login time the user is challenged with recognizing the pass-icons from an n-grid login screen. Once an
icon has been correctly identified, the user has to enter the string corresponding to the variation of that particular
pass-icon.
Fig 6: Sobrado and Birget scheme
Fig 7: Hong et al. method: setting pass-icons and login screen
Akula and Devisetty[7]: The user has to identify the correct pass-image. It is similar to Dhamija and
Perrig; the only difference is that it stores the 20-byte hash code produced by the SHA-1 hash function. It takes
less memory, but the space occupied is still larger.
2. Recall-Based System
In this system a user is asked to reproduce something that he created or selected earlier, during
the registration stage. It has two categories: a) Pure Recall Based Techniques and b) Cued Recall Based
Techniques.
a. Pure Recall Based Techniques: Here the user is not provided with a clue to recall the password. Some
schemes belonging to this technique are:
Passdoodle Technique[6]: The password is a handwritten design or text, usually drawn with a stylus on a
touch-sensitive screen.
Draw-A-Secret (DAS) Scheme[5]: Here the user draws a simple picture on a 2D grid. The coordinates
of the grid cells occupied by the picture are stored in the order of drawing. During authentication, the
user is told to re-draw the picture in the same sequence.
Signature Scheme[5]: Here, during registration the user records a signature as the password, and
authentication is conducted by having the user draw their signature using the mouse.
Blonder Technique[6]: The user is presented with a predetermined image with predetermined
areas (tap regions). To create a password the user has to click those tap regions in a particular order. For
authentication, the user has to click the approximate areas of those tap regions in the predefined sequence.
Grid Selection[8]: This consists of a drawing grid and a DAS password. The selection grid is a fine-
grained grid from which the user selects a drawing grid to zoom in on, in which they may enter the password.
b. Cued Recall Based Techniques: Here the user is provided with a clue to recall the password registered
earlier. Some schemes belonging to this technique are:
Pass-point technique[6]: Here the picture can be any natural picture or painting, but it should be
rich enough to offer many possible click points. No predefined click points are needed: the user can
click anywhere on the image to create a password. A tolerance around each chosen pixel is calculated.
For authentication, the user has to click within the tolerances of the chosen click points in the
correct order.
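One way to implement the pass-point tolerance and ordering check described above, as an added example that is not code from the source or the cited paper: each click is snapped to a tolerance cell of TOL pixels, the ordered cell sequence is hashed, and only the digest is stored. The grid size, tolerance, function names and sample clicks are constructed for this example.

```python
import hashlib
import hmac

# Added example of a PassPoints-style verifier. The server never stores the
# raw click coordinates, only a digest of the snapped cell sequence, so the
# check is "same cells in the same order" rather than pixel-exact equality.

TOL = 20         # tolerance square side in pixels
W, H = 800, 600  # constructed image size


def snap(point):
    """Map a pixel to the tolerance cell containing it (cell = TOL x TOL px)."""
    x, y = point
    if not (0 <= x < W and 0 <= y < H):
        raise ValueError(f"click {point} lies outside the image")
    return (x // TOL, y // TOL)


def encode(clicks):
    """Serialise the ordered cell sequence; a different order gives different bytes."""
    return ";".join(f"{cx},{cy}" for cx, cy in map(snap, clicks)).encode()


def register(clicks):
    """Digest stored at enrolment (in a real system, salt and slow-hash it)."""
    return hashlib.sha256(encode(clicks)).hexdigest()


def verify(clicks, stored):
    """True iff every login click falls in the registered cell, in order."""
    try:
        candidate = hashlib.sha256(encode(clicks)).hexdigest()
    except ValueError:  # a click outside the image can never match
        return False
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    enrolled = register([(105, 210), (400, 300), (650, 50)])
    print(verify([(108, 212), (407, 309), (655, 58)], enrolled))  # True
    print(verify([(407, 309), (108, 212), (655, 58)], enrolled))  # False
    # Known failure mode of plain grid snapping: (399, 309) is one pixel from
    # the registered click but lands in the neighbouring cell, so it fails.
    print(verify([(108, 212), (399, 309), (655, 58)], enrolled))  # False
```

The last case is the boundary problem of fixed grids: a click just across a cell edge is rejected even though it is within TOL pixels, which is why schemes such as centered discretization store a per-point grid offset alongside the digest.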
Background DAS (BDAS) technique[6]: Here, a background image is added to the original DAS as
an improvement, so the background image is the clue. The password is a free-form drawing that the user
creates on a grid underlaid with a background image of their choice. For authentication the user has to
recreate the same drawing on the grid with the background image.
Qualitative DAS technique[8]: In this scheme, a stroke is mapped to its starting cell and the
sequence of qualitative direction changes. So the user needs to remember the starting cell index and the
correct order of direction changes for each stroke.
Cued Click Points (CCP)[7]: Unlike pass-points, rather than making multiple clicks on a single image,
the user makes one click on each of multiple images. The images come in sequence one after the other; the image
appearing next is determined by the click made on the previous image.
Jiminy[8]: In this scheme, users are provided with templates based on color that contain several
holes. The user first selects an image, chooses a colored template, picks a specific location inside the
image, then clicks on the position to place the template and record the password. During login, the
users must select the right template, place it on the correct location on the image then enter the
characters visible through the holes.
VisKey[7]: The SFR company developed a scheme for mobile devices. The user has to select an image
from the images stored on the device and tap on spots in sequence; this sequence is registered. To
log in the user has to tap the same spots in the registered sequence.
v-Go[7]: Passlogix has proposed the v-Go scheme, where the user selects a background image and
can perform various actions with items present in the image, like clicking and dragging. Clicks on items are
detected with the help of invisible boundaries around them.
1.4.3 CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart)
A Captcha[5] is a program that generates and grades tests that are human solvable but beyond
the capabilities of current computer programs. It is used to test whether the user is a computer or a
human by creating a task that is easy for humans but difficult for machines. Captchas mainly include three types:
text-based, image-based and sound-based.
b. Recognition-Recall CaRP[5]
This combines the tasks of recognition and cued recall and retains the advantages of
both. The password is a sequence of invariant points of an object; an invariant point has a fixed
relative position in different incarnations of the object and is thus uniquely identifiable by humans. For
authentication the user first has to identify the object and then click the invariant points on the object
matching the password.
Two techniques fall under this scheme: TextPoints and TextPoints4CR.
Fig 11: ClickText Image
Fig 12: ClickAnimal Image
Fig 13: A ClickAnimal Image and 6x6 grid
Fig 14: TextPoints
Hybrid Textual Authentication technique[6]: Here the user first enters a username and then
rates colors from 1 to 8 in an order of their choosing, which they must remember. During login, after the username is
entered, a login interface based on the colors rated by the user is displayed, consisting of a color grid of size 8x8 with 4
pairs of colors. For each color pair, the number at the intersection of the corresponding row and column of the
number grid forms part of the session password.
Fig 15: Pair-Based technique
Fig 16: Hybrid Textual technique: color ratings and login interface
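One reading of the hybrid textual session-password scheme above, as an added example that is not the cited paper's code. Assumptions made here: the user's ratings are a permutation of 1..8 over eight colours; at each login the server shows a fresh 8x8 grid of random digits and four colour pairs; the rating of the first colour in a pair selects the row, the rating of the second selects the column, and the digit there is one character of the session password. Colour names and the sample ratings are constructed.

```python
import secrets

# Added example. The ratings are the long-term secret (stored server-side at
# registration); the grid and pairs change every login, so the typed session
# password is different each time and a captured one does not replay.

COLOURS = ["red", "green", "blue", "yellow", "orange", "purple", "black", "white"]


def new_login_challenge(rng=secrets):
    """Fresh 8x8 digit grid and four colour pairs for one login session."""
    grid = [[rng.randbelow(10) for _ in range(8)] for _ in range(8)]
    pairs = [(rng.choice(COLOURS), rng.choice(COLOURS)) for _ in range(4)]
    return grid, pairs


def session_password(ratings, grid, pairs):
    """One grid digit per colour pair, in pair order (assumed row/column rule)."""
    if sorted(ratings.values()) != list(range(1, 9)):
        raise ValueError("ratings must be a permutation of 1..8")
    # rating r of the first colour -> row r-1; rating of the second -> column
    return "".join(str(grid[ratings[a] - 1][ratings[b] - 1]) for a, b in pairs)


def check_login(ratings_on_file, grid, pairs, typed):
    """Server recomputes the expected session password and compares safely."""
    expected = session_password(ratings_on_file, grid, pairs)
    return secrets.compare_digest(expected, typed)


if __name__ == "__main__":
    # constructed registration: colours rated in list order, red=1 ... white=8
    ratings = dict(zip(COLOURS, range(1, 9)))
    grid, pairs = new_login_challenge()
    typed = session_password(ratings, grid, pairs)  # what the user works out
    print(pairs, typed, check_login(ratings, grid, pairs, typed))  # ... True
```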
Image Pass Technique[6]: This is a recognition-based graphical password technique. The user
selects a valid username and then selects a particular number of images as the password from a set of
30 images. The selected images are displayed in a selected-password panel in the top-right corner of the screen.
During authentication, after entering a valid username, the user has to select the valid images on a 4x3 grid
that is displayed.
Fig 17: Password selection, current selection panel, authentication for Image Pass Technique
A multiple click based graphical authentication system[10]: This authentication system introduces
a multi-level authentication technique which generates the password in multiple levels to access the services.
NAVI (Novel Authentication with Visual Information), a novel graphical password scheme[11]: For
this scheme a Movie CAPTCHA method with Amdol Completion is used. The password is marked as a
route on a predefined map called Geo-Points. The user logs in with a user id, and the password has to be entered,
i.e., the Geo-Points are to be marked. If the password is wrong the login fails. Captcha validation is performed
to distinguish between humans and bot programs.
Awase-E[12]: This is a novel recognition-based image authentication system. Its features are that it uses
the user's personal photo collection, and it introduces a "no answer" case in the verification of an
authentication trial. Awase-E with personal photos is easy to memorize and recall for a long period of time,
and its security level is almost the same as authentication with a 4-digit number.
Use Your Illusion Authentication[13]: Distorted images are used to maintain the usability of
graphical password schemes. The user selects their own graphical password images; the selected
images are distorted using a non-photorealistic rendering algorithm that eliminates most details in the
image while preserving some features. To authenticate, the user must pick her own distorted images
from a set of distracter images.
Image and Audio Based Authentication[14]: This method uses a Captcha as the graphical password
scheme. The user logs in with a user id and password. Then an image is selected for security
purposes. In that image, a randomly positioned viewport is used for creating the password, and a pixel is
selected from this image. In the registration process, the user clicks any pixel point on the image and the
information is stored in the database. Using cued click points and random password generation, a
sound can be attached to the image at particular pixel points.
Click-Draw based Graphical Password[15]: It has two operation steps: image selection and secret
drawing. Image selection: the user selects several images from an image pool, then further
selects one image for click-drawing their secret. To authenticate, users should re-select the same
images in the correct order and further select the one right image for click-drawing their secret.
Fig 19: Image and Audio based scheme
Fig 20: Step of image selection: three images that are stored and used in the image pool, and the 7 drawn by the user in the secret drawing step (3)
Secret Drawing: The image selected for click-draw is partitioned into an NxN table. The click-draw action
requires users to use a series of clicks to construct their secret drawing. During authentication, users
should re-draw their secrets accurately.