
A NOVEL APPROACH OF AUTHENTICATION USING PIXEL VALUE GRAPHICAL PASSWORD SCHEME

©2014 Master's Thesis 124 Pages

Summary

For decades, authentication systems have relied on a username and password as the passphrase object for the authentication process. The username and password mechanism has lately caused major problems and raised system developers' worries about the security of client-server communication. Many methods and mechanisms have been introduced to overcome these authentication flaws. One mechanism that has been introduced is the graphical password, which aims to reduce the human memory burden, based on psychological studies showing that humans are better at recognizing and remembering images. However, the current methods result in many security flaws in the graphical password authentication mechanism and require specific tools that cannot easily be implemented on any computer system platform. To overcome the flaws of the current methods, the pixel value graphical password scheme is introduced. It combines the text-based password mechanism and the graphical password mechanism: the authentication system extracts the pixel value that resides in a digital image file. The extracted eight-bit pixel value is used as the passphrase alongside the username during the authentication process. The design and development of this method are based on graphical password enhancements and user requirements identified through literature review analysis. The results of the literature analysis are used to develop the system flow and system design, which serve as the design concept for prototype development. The developed prototype is tested with several collections of image specimens as image experimental testing. The results and output of the testing are promising, as the Pixel Value graphical password scheme has an extremely positive impact. In other words, the pixel value graphical password scheme gives graphical password schemes a secure and promising authentication implementation.

Excerpt

Table Of Contents


MOHD AFIZI, MOHD SHUKRAN: A NOVEL APPROACH OF AUTHENTICATION USING
PIXEL VALUE GRAPHICAL PASSWORD SCHEME, Hamburg, Anchor Academic
Publishing 2015
PDF-eBook-ISBN: 978-3-95489-913-5
Printing/Production: Anchor Academic Publishing, Hamburg, 2015
Bibliographical Information of the German National Library:
The German National Library lists this publication in the German National Bibliography.
Detailed bibliographic data can be found at: http://dnb.d-nb.de
All rights reserved. This publication may not be reproduced, stored in a retrieval system
or transmitted, in any form or by any means, electronic, mechanical, photocopying,
recording or otherwise, without the prior permission of the publishers.
This work, including all of its parts, is protected by copyright. Any use outside the limits of copyright law without the consent of the publisher is prohibited and punishable. This applies in particular to reproduction, translation, microfilming, and storage and processing in electronic systems.
The reproduction of common names, trade names, product designations, etc. in this work does not, even without special marking, justify the assumption that such names are to be regarded as free in the sense of trademark and brand protection legislation and may therefore be used by anyone.
The information in this work has been compiled with care. Nevertheless, errors cannot be completely ruled out, and Diplomica Verlag GmbH, the authors or translators assume no legal responsibility or liability of any kind for any remaining incorrect information and its consequences.
All rights reserved
© Anchor Academic Publishing, imprint of Diplomica Verlag GmbH
Hermannstal 119k, 22119 Hamburg
http://www.diplomica-verlag.de, Hamburg 2015
Printed in Germany

LIST OF TABLES
Table 1. Identified problems and possible improvement
Table 2. Solving characteristics and statements
Table 3. Roles interaction with control / process
Table 4. Pixel value compliance table
Table 5. List of image experiment specimen
Table 6. List of RGB value result
Table 7. List of DCT Value result

LIST OF FIGURES
Figure 1. Grayscale and RGB Color-space (Dawn Pederson, 2009)
Figure 2. Pixel value information storing structure (Processing, 2008)
Figure 3. The 8 by 8 matrices
Figure 4. Text-based authentication model
Figure 5. Blonder Method (Blonder, 1996)
Figure 6. V-Go (Passlogix Inc., 2006 in Hai Tao, 2006)
Figure 7. The Passface (left) and story scheme (right), (Davis et al., 2004)
Figure 8. Random arts technique (R. Dhamija et al, 2000)
Figure 9. A shoulder-surfing scheme, (L. Sobrado et al, 2002)
Figure 10. Shoulder surfing scheme (S. Man et al, 2003)
Figure 11. Takada and Koike (T. Takada et al., 2003)
Figure 12. W. Jansen Technique (W. Jansen et al., 2004)
Figure 13. Passpoint method (Image source: blog.roodo.com, 2009)
Figure 14. Proposed by Syukri et al. (1998)
Figure 15. Draw-a-Secret (DAS), (Jermyn et al, 1999)
Figure 16. Passgo method design (Hai Tao, 2006)
Figure 17. Pixel Value graphical password model
Figure 18. Prototype system flowchart
Figure 19. Basic extraction process
Figure 20. Two dimensional pixel value extraction
Figure 21. Extraction dimension grid
Figure 22. PVAC login screen
Figure 23. DCT pixel value output
Figure 24. DCT in pixel value extraction process
Figure 25. System testing deployment
Figure 26. System testing flow
Figure 27. Image experiment testing flow
Figure 28. Specimens for PVAC image experimental testing
Figure 29. Test scenario 1 result
Figure 30. Test scenario 2 result
Figure 31. Test scenario 3 result
Figure 32. Test scenario 4 result
Figure 33. Test scenario 5 result
Figure 34. Test scenario 6 result
Figure 35. Pixel composition differences
Figure 36. Test scenario 7 result
Figure 37. 10% filled on a grid
Figure 38. Test scenario 8 result
Figure 39. Spotted grayscale value
Figure 40. Pixel density differences on normal mode and opacity mode
Figure 41. Password strength against grids
Figure 42. Comparison on paspix attempt for extraction techniques
Figure 43. Login screen
Figure 44. Image browser
Figure 45. Login error message
Figure 46. Enrollment screen
Figure 47. Image browser on enrollment
Figure 48. Enrollment error message
Figure 49. Content page
Figure 50. PVAC storyboard

LIST OF ABBREVIATIONS
DAS: Draw a Secret
DCT: Discrete Cosine Transform
DFT: Discrete Fourier Transform
DNA: Deoxyribose Nucleic Acid
DST: Discrete Sine Transform
EFT: Electronic Fund Transfer
GIF: Graphic Interchange Format
GUI: Graphical User Interface
HTTP: Hyper Text Transfer Protocol
IDCT: Inverse Discrete Cosine Transform
IEC: International Electrotechnical Commission
IP: Internet Protocol
ISO: International Organization for Standardization
JFIF: JPEG File Interchange Format
JPE: Associated with JPEG
JPEG: Joint Photographic Experts Group
JPG: Associated with JPEG
MDCT: Modified Discrete Cosine Transform
PassPix: Passphrase Pixel
PDA: Personal Digital Assistant
PIN: Personal Identification Numbers
PNG: Portable Network Graphics
PVAC: Pixel Value Access Control
PX: Pixel
RGB: Red, Green, and Blue

TABLE OF CONTENT
ABSTRACT
LIST OF TABLES
LIST OF FIGURES
LIST OF ABBREVIATIONS
TABLE OF CONTENT
1.1 Technique Concepts
1.1.1 Pixel and pixel value
1.1.2 JPEG Image files
1.1.3 Discrete Cosine Transform (DCT) algorithm
1.2 Research Aim and Objective
1.3 Research Scope
1.4 Research Significance and Contribution
1.5 Thesis organization
1.6 Chapter Summary
CHAPTER 2: LITERATURE REVIEW
2.1 Authentication System
2.1.1 Text-based Authentication Method
2.1.2 The Weaknesses of Traditional Authentication Method
2.2 Graphical Password Authentication
2.3 Graphical Password Schemes
2.3.1 Click-Based Graphical Password Schemes
2.3.2 Draw-Based Graphical Password Scheme
2.3.3 Arguments on Existing Graphical Password Scheme
2.4 Findings and Outcome
2.5 Chapter Summary
CHAPTER 3: PROPOSED METHOD
3.1 Components
3.1.1 Passpix
3.1.2 Pixel Value Extractor
3.2 Pixel Value Graphical Password Model
3.3 Developing Pixel Value Graphical Password Prototype
3.3.1 Designing the Prototype
3.3.2 Designing the Extraction Process
3.4 The Pixel Value Graphical Password Prototype System
3.4.1 Two Dimensional Pixel Value Extraction
3.4.2 Image Compression Algorithm Practice
3.5 Prototype Testing Report
3.5.1 System Testing
3.5.2 Image experimental testing
3.6 Result Study and Analysis
3.6.1 Design Compliances
3.6.2 Password Style
3.6.3 Accuracy
3.7 Chapter Summary
CHAPTER 4: CONCLUSION
REFERENCES
APPENDICES
Appendix A: GUI designed for PVAC and story board
Appendix B: Image experimental testing specimens
Appendix C: Image experimental testing results
RGB results
DCT results
BIODATA OF STUDENT
LIST OF PUBLICATIONS

CHAPTER 1: INTRODUCTION
Authentication through a username and alphanumeric password is a way for a computer to authenticate its owner. Knowledge of the password is assumed to guarantee that the user is authentic. On each subsequent use, the user must know and use the pre-declared password. However, text-based passwords place several burdens on the user, who will tend to choose a password that is easy to remember. Meaningful words and characters can easily be guessed when personal information is acquired by someone close to the user, or can simply be broken with a dictionary attack. A longer passphrase with a complex combination of letters, numbers and symbols is the safest text-based password structure, but it is hard to memorize. As an initiative to reduce this burden, the graphical password scheme was introduced, since psychology studies have revealed that the human brain is better at recognizing and recalling images than text. The click-based graphical password was the earliest graphical password technique and pioneered the variety of graphical password schemes that have since been designed and developed through various research efforts. In response to security vulnerabilities, the Pixel Value graphical password scheme was designed and developed as a new graphical password technique that uses a different approach and workflow from any other graphical password scheme.

1.1 Technique Concepts
The basic idea of the pixel value graphical password scheme is to authenticate a user through extraction of an image's pixel values. It is designed around several concepts concerning digital image files and the pixel value extraction process. Sections 1.1.1 to 1.1.4 briefly explain the relationship between image files, the pixel value extraction process, and the extraction algorithm.
1.1.1 Pixel and pixel value
Figure 1. Grayscale and RGB Color-space (Dawn Pederson, 2009)
A pixel is the smallest single unit or point of a display whose color or brightness can be controlled and manipulated. It takes the form of one spot in a rectilinear grid of thousands of such spots that are individually "painted" to form an image produced on the screen ("Microsoft computer dictionary", 2002). For grayscale images, the pixel is stored as an 8-bit integer, giving a range of possible values from 0 to 255. Typically, zero is taken to be black, 255 is taken to be white, and the values in between make up the different shades of gray. To represent color images, separate red, green and blue components must be specified for each pixel (RGB colorspace). The three components are often stored as color planes (one for each of red, green and blue: 255, 255, 255), which have to be recombined when displaying or processing. Figure 1 shows the grayscale shades and the RGB colorspace.
Figure 2. Pixel value information storing structure (Processing, 2008)
An image is a stored description of a graphic picture, either as a set of brightness and color values of pixels or as a set of instructions for reproducing the picture ("Microsoft computer dictionary", 2002). A pixel value is determined by the color strength of each block and describes how bright that pixel is and/or what color it should be. In an image, the pixel blocks are arranged into a sequence of pixel values and stored in the image properties, as shown in Figure 2. In the pixel value graphical password scheme, the extracted pixel value is used as the passphrase to validate a username during authentication.

1.1.2 JPEG Image files
JPEG, an acronym for Joint Photographic Experts Group, is an ISO/IEC group of experts that creates and maintains standards for a suite of lossy compression techniques for storing pictures on a computer (Collin, 2004). The JPEG standards allow image files to be compressed without a noticeable loss of detail during compression; the commonly used file extensions are .jpg, .jpeg, or .jpe. This flat file format uses the discrete cosine transform as its compression algorithm ("Microsoft computer dictionary", 2002) and cannot be edited without overlaying another layer on the image file. JPEG performs best on photographs and paintings of realistic scenes with smooth variations of color and tone, but it is not frequently used for charts, line drawings, and other iconic or textual graphics, since the compression method used by JPEG can distort these images. PNG (Portable Network Graphics) and GIF (Graphic Interchange Format) are used for these types of graphics. JFIF (JPEG File Interchange Format) is another technique, developed to enable image files to be interchanged between computers or over the internet using the JPEG compression format.
1.1.3 Discrete Cosine Transform (DCT) algorithm
The Discrete Cosine Transform (DCT) is a Fourier-like transform, first proposed by Ahmed et al. (1974), that uses only cosine functions oscillating at different frequencies, whereas the Fourier Transform represents a signal as a mixture of sines and cosines (Anton Obukhov & Alexander Kharlamov, 2012). There are various types of DCT algorithm, namely DCT-1, DCT-2, DCT-3, and DCT-4, of which DCT-2 with its inverse is widely used for image processing and, specifically, for JPEG image compression (Ahmad M. Sarhan, 2009). DCT-2, also known as the DCT matrix or two-dimensional DCT, is a DCT algorithm that computes pixel values by dividing the image into a set of non-overlapping symmetrical two-dimensional blocks, each of which is processed independently; the DCT is commonly implemented using 8 by 8 matrices that produce 64 blocks. In JPEG compression, DCT coefficients are quantized to reduce the amount of information that cannot be perceived by the human eye, and the compression rate depends on the number of coefficients that are non-zero after quantization has been performed (Anton Obukhov & Alexander Kharlamov, 2012).
Since each dimension can be handled separately, the two-dimensional DCT follows straightforwardly from the one-dimensional DCT. The two-dimensional DCT of an M-by-N matrix A is defined as follows.
The values Bpq are called the DCT coefficients of A. The DCT is an invertible transform, and its inverse is given by
These functions are called the basis functions of the DCT. The DCT coefficients Bpq, then, can be regarded as the weights applied to each basis function. The 8-by-8 matrices are illustrated in Figure 3.
Figure 3. The 8 by 8 matrices
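The following sketch is an added example, not code from the thesis: it implements the standard orthonormal two-dimensional DCT-II and its inverse for one 8-by-8 block in plain Python, and shows that quantizing the coefficients, as lossy JPEG compression does, changes the 8-bit pixel values, so a passphrase that depends on exact pixel values no longer matches after a re-save. The sample block, the uniform quantization step and the SHA-256 derivation in `passphrase` are assumptions made for illustration.

```python
import hashlib
import hmac
import math

N = 8  # JPEG applies the DCT to 8-by-8 pixel blocks


def _alpha(k):
    # Orthonormal scaling: 1/sqrt(N) for the DC term, sqrt(2/N) otherwise.
    return math.sqrt(1.0 / N) if k == 0 else math.sqrt(2.0 / N)


def _basis(k, i):
    # DCT-II cosine basis: frequency index k sampled at pixel position i.
    return math.cos(math.pi * (2 * i + 1) * k / (2 * N))


def dct2(block):
    """Two-dimensional DCT-II of an N-by-N block given as a list of rows."""
    return [[_alpha(p) * _alpha(q) * sum(block[m][n] * _basis(p, m) * _basis(q, n)
                                         for m in range(N) for n in range(N))
             for q in range(N)]
            for p in range(N)]


def idct2(coeffs):
    """Inverse transform: each pixel is a weighted sum of the basis functions."""
    return [[sum(_alpha(p) * _alpha(q) * coeffs[p][q] * _basis(p, m) * _basis(q, n)
                 for p in range(N) for q in range(N))
             for n in range(N)]
            for m in range(N)]


def lossy_roundtrip(block, step):
    """Quantize every coefficient to a multiple of `step`, invert, return 8-bit pixels.

    A single uniform step is a simplification (assumption); real JPEG encoders
    use a per-frequency quantization table.
    """
    quantized = [[round(c / step) * step for c in row] for row in dct2(block)]
    return [[min(255, max(0, round(v))) for v in row] for row in idct2(quantized)]


def passphrase(block):
    """Hypothetical derivation: SHA-256 over the raw 8-bit pixel values, row by row."""
    return hashlib.sha256(bytes(v for row in block for v in row)).hexdigest()


def verify(enrolled_digest, candidate_block):
    """Exact-match check of a candidate block, compared in constant time."""
    return hmac.compare_digest(enrolled_digest, passphrase(candidate_block))


def changed_pixels(a, b):
    """Number of pixel positions whose values differ between two blocks."""
    return sum(a[m][n] != b[m][n] for m in range(N) for n in range(N))


# Constructed sample block: a smooth gradient with light texture, values 80..178.
ENROLLED = [[80 + 5 * m + 9 * n + 4 * ((m + n) % 2) for n in range(N)]
            for m in range(N)]

if __name__ == "__main__":
    digest = passphrase(ENROLLED)
    recompressed = lossy_roundtrip(ENROLLED, step=16)
    print("same pixels accepted:      ", verify(digest, ENROLLED))
    print("recompressed accepted:     ", verify(digest, recompressed))
    print("pixels changed by re-save: ", changed_pixels(ENROLLED, recompressed))
```

Run as a script, it reports that the unchanged block is accepted and the re-quantized block is rejected.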

1.2 Research Aim and Objective
The aim of this research is to develop a password scheme for highly sensitive authentication that reduces the human memory burden of alphanumeric passwords, and in which the password is known and visible only to the user. The research aim can be achieved through the objectives listed below:
· The password scheme is a graphical password scheme that aims to reduce the human memory burden of alphanumeric passwords by involving graphical or digital image recognition during the authentication process.
· The password scheme is equipped with pass-object protection to ensure the security and privacy of the pass-object.
· The proposed password scheme is flexible enough to be implemented on any computer system platform.
1.3 Research Scope
Highly sensitive computer systems such as online banking, online payment systems, database systems and many more require a highly sensitive authentication process and usually require users to construct a strong password to guard their interests on such systems. Unfortunately, a strong password structure requires strong human brain and memory resources. Therefore, a graphical password scheme is needed that addresses this human memory burden and solves pass-object secrecy and implementation flexibility for highly sensitive authentication systems. Since it is designed and developed for highly sensitive authentication, the pass-object processing deals with zero-tolerance results: only an accurate and precise result is accepted, from image settings and qualities similar to those registered during the enrollment process. Thus, this study does not emphasize fault tolerance, since it is for highly sensitive authentication, or image storage location, which affects image settings and qualities. Discussion of efforts to bypass the authentication system is also not part of this study; the scope is limited to protecting the password from being obtained illegally.
1.4 Research Significance and Contribution
The proposed method is a new approach to graphical password schemes that uses a pixel value extraction technique. It was developed by combining a password-based access control process with pixel value extraction, and it is designed to suit any system environment and requirement, whether online or offline. The proposed graphical password scheme is not an enhancement or modification of a currently available graphical password scheme; it is designed and developed based on the concepts of pass-object secrecy and implementation flexibility. The unique features of the Pixel Value graphical password scheme benefit most computer users in terms of flexibility and security. Users are free to choose their own recognizable or unique pass-object image, and it is accessible only to the user if it is kept on a personal drive. Even if other people know which image is being used, the image file is unavailable to them. The pixel value graphical password scheme is proposed to solve many authentication process issues, not only for graphical password schemes but also for other authentication methods.
1.5 Thesis organization
This thesis contains four chapters, organized in sequence as follows:
· Chapter 1 is the introduction, which introduces the idea and concepts of the pixel value graphical password scheme.
· Chapter 2 is the literature review, which elaborates on current authentication systems and on graphical password scheme design and implementation.
· Chapter 3 discusses the method used to design and develop the Pixel Value graphical password scheme and the analysis of the prototype Pixel Value graphical password scheme.
· Chapter 4 concludes this thesis and provides extended discussion.
· The References chapter contains the list of all references used in this research and thesis.
1.6 Chapter Summary
Knowledge of the basic idea and basic concepts of the pixel value graphical password scheme has given the research its direction through the objectives, scope and contributions. However, the aim and objectives cannot be met without a properly designed authentication method. Thus, the next chapter briefly discusses current authentication problems and presents several graphical password schemes from which ideas for solutions are constructed.

CHAPTER 2: LITERATURE REVIEW
This chapter elaborates on authentication systems, text-based password systems and practices, and a collection of graphical password schemes that have been reviewed and referred to in this research. The chapter ends with a problem analysis of current graphical password schemes, with the Pixel Value graphical password scheme as the referencing technique for this research. The identified problems are then used to identify improvement features for graphical password schemes.
2.1 Authentication System
An authentication system comprises an authentication enforcement engine adapted to interface with an authentication provider for performing an authentication process for a user requesting access to a computer resource (Valiudin Ali & Manuel Novoa, 2005). Authentication factors can be placed into three categories, namely what you know (password, secret, personal identification number), what you have (token and smart card) and what you are (biometrics and behavioral) (Andrew et al., 2004). A blind credential, in contrast, does not establish identity at all, but only a narrow right or status of the user or program, while in web trust, "authentication" is a way to ensure users are who they say they are: that the user who attempts to perform functions in a system is in fact the user who is authorized to do so (Le Xuan Hung, 2007). Passwords and PINs are also susceptible to cracking attacks, an automated process of systematically trying all combinations until a match is found, which has pushed toward two differing authentication techniques: smartcards, the notion of 'what you have', and biometric authentication, the notion of 'what you are'. Most users are more familiar with smartcards than they realize; EFT cards that require PINs fit the profile of the smartcard architecture that is used in computing authentication but is more commonly implemented for access control and for physical security. Another authentication approach, which relieves users from carrying smartcards and forgetting passwords because it relies on something they cannot forget, is biometrics, which measures a physical or behavioral attribute of humans to uniquely identify them. Physical biometrics include fingerprint, iris, retina, face, voice, and deoxyribose nucleic acid (DNA), while behavioral biometrics include handwriting (graphology) and keystroke analysis. Biometric-based authentication requires a specific input device or tool to enable the computer to read the attribute and translate it into a computer signal, which makes it less popular among most developers for implementation on computer systems. Of course, the degree to which people's privacy is invaded depends on the type of biometric used, the sensitivity of the information, and the possibility of combining data with other databases (Ali Eljetlawi, 2008). Conversely, another authentication technique that uses the innate ability of humans to recognize visual information could be adopted as an alternative to smartcard and biometric authentication.

2.1.1 Text-based Authentication Method
The simplest, and unfortunately still quite common, authentication method available is the text-based authentication method. Username and password information for each authenticatable user is stored locally on the server system. During the authentication process, a user's name and password are compared against an authorized list, and if the system detects a match, access is granted to the extent specified in the permission list for that user (Microsoft computer dictionary, 2002). This is basically the model used for login authentication on traditional multi-user systems, and it has been replicated numerous times within various application packages, as illustrated in Figure 4.
Figure 4. Text-based authentication model

2.1.2 The Weaknesses of Traditional Authentication Method
Authentication has traditionally centered on 'what you know', embodied in Personal Identification Numbers (PINs) and passwords. The unreliability of passwords and PINs is exemplified by several well-known usage issues, such as users having difficulty remembering strong passwords. In some cases, system policies require users to use strong passwords, which have no meaning to the user, so human memory resources are consumed. In fact, it is widely accepted that the majority of users' passwords can be found written down within 4 feet of the workstation (Berger et al., 2003). In many cases, although passwords are stored in encrypted form on the server machine, plain-text passwords are still sent across a possibly insecure network from the client to the server, where they may be captured and replayed to forge authentication to the system. That is, users must authenticate separately to each system or application they wish to access, users must repeatedly type their passwords, and users are likely to choose less-than-secure passwords for convenience. Passwords that are easily guessed are known as weak or vulnerable; passwords that are very difficult or impossible to guess are considered strong. A strong password is sufficiently long, random, or otherwise producible only by the user who chose it, such that successfully guessing it would require too many resources. The longer the password and the wider the variety of symbol choices, the more intensive the password cracking effort, or the better matched the rainbow table, must be to defeat the password, assuming that suitable password hashing and protection methods are in place (Ali Eljetlawi, 2008). The terms weak and strong are relative, and the quality of a password depends on how well the password system limits attempts to guess a user's password, whether by a person who knows the user well or by a computer trying millions of possibilities. A study by Van Oorschot and Thorpe (Van Oorschot & Thorpe, 2005) found that about 25% of 14,000 passwords were cracked by a dictionary with only 3 million entries (the size of the dictionary is 21.5 bits) using a 3.2GHz Pentium 4 machine in only 0.22 second. Therefore, it is widely believed that the security of a password scheme is related more closely to the size of its memorable password space than to that of its full password space (Hai Tao, 2006). The implementation of a two-layer authentication (smartcard) method is an uncertain solution. Page et al. (Page et al., 2003) argue: "The size of the authentication layer is actually a question of tradeoffs. Having less authentication checks means the turnaround time is less but on the flip side it can become a security hazard too". Security threats in biometrics arise from the possibility of spoofing, replay or brute-force attacks, where digital biometric signals are 'replayed' to the system, deceiving it into accepting that an actual biometric sample has been presented. Apart from the security issues and the time consumed, authenticating with biometrics requires a computer to be equipped with a dedicated biometric input device (for example, a fingerprint scanner), which makes it less flexible to implement in typical personal computer environments.

2.2 Graphical Password Authentication
Research in the psychology discipline suggests that humans are better at recognizing visual information than recalling meaningless text-based strings (A.Perrig et al., 1999 & R.Dhamija et al., 2000), whether for authentication or otherwise. We can use this innate human ability for authentication in a similar way to recalling passwords (Ali Eljetlawi, 2008). The earliest graphical password scheme design dates from 1996, when Blonder (Blonder, 1996) patented a graphical password that required users to touch predetermined areas of an image in sequence for authentication. Many designs expand on Blonder's idea of image clicks. Based on the click behavioral method, Perrig and Song (A.Perrig et al., 1999) proposed a technique where users identify previously seen images using RandomArt, which hashes users' passwords and root keys in public key infrastructures and creates a visual representation of that hash. Most of the methods developed using this technique are designed to protect passwords from shoulder-surfing attacks on click-based graphical passwords and from spyware for text-based passwords. Unlike the click-based method, Jermyn et al. (Jermyn et al., 1999 cited in Dhamija and Perrig, 2000) proposed a graphical password scheme that consisted of simple pictures drawn on a grid. Details of the evolution of graphical password authentication and examples of graphical password schemes are discussed in the following section of this thesis.

2.3 Graphical Password Schemes
Knowledge-based techniques are the most widely used authentication techniques and include both text-based and picture-based passwords. There is no official or standard guideline for categorizing graphical passwords, but, following the theses of Hai Tao (2006) and Xiao Yuan (2006), the existing graphical password schemes are categorized as either Recall-Based Graphical Password Schemes or Recognition-Based Graphical Password Schemes. Using recognition-based techniques, a user is presented with a set of images and passes the authentication by recognizing and identifying the images selected during the registration stage. Using recall-based techniques, a user is asked to reproduce something that the user created or selected earlier during the registration stage. However, based on human interaction with the graphical password scheme, the behavior can be divided into click-based graphical password schemes and draw-based graphical password schemes.
2.3.1 Click-Based Graphical Password Schemes
In a click-based graphical password scheme, the user is asked to click on an image or image library selected earlier during the registration stage. There are two kinds of click interaction technique developed under this graphical password scheme: a series of clicks on a single image (on click regions or click points), and clicks on a series of images from an image library or image clips in sequence.

Figure 5. Blonder Method (Blonder, 1996)
Single-image interaction requires the user to click a sequence of click-regions on a single image selected during the enrollment stage in order to authenticate, and it is the earliest idea of a graphical password scheme, as proposed by Blonder (Blonder, 1996) in 1996. Blonder designed a graphical password scheme in which a password is created by having the user click on several locations on an image; during authentication, the user must click on the approximate areas of those locations (MN Doja & N Kumar, 2008) in the correct sequence. The image that appears to the user during the enrollment and authentication stages is equipped with predetermined click-regions. The image can assist users in recalling their passwords, and therefore this method is considered more convenient than unassisted recall (X Suo et al., 2005).

Details

Pages: 124
Type of Edition: Original edition
Year: 2014
ISBN (PDF): 9783954899135
File size: 8.8 MB
Language: English
Publication date: 2015 (March)
Grade: 8
Keywords: Novel graphical password mechanism