K-1
11_
L
where L denotes the password length and K denotes the number of login sessions intercepted by the attacker. In the proposed scheme, the resistance to eavesdropping is improved by the start-icon and end-padding mechanisms, which conceal the user's password length by hiding the starting time and the ending time of password input. Since the attacker does not know the start-icon, the attacker cannot tell when the user begins entering the password. In addition, regardless of the password length L, where 8 ≤ L ≤ 15, the user always clicks the color buttons exactly 20 times to complete the login process, so the attacker cannot obtain the password length by counting the color buttons the user has clicked. Furthermore, because the 5 color buttons are randomly re-placed in the invisible 3 × 5 matrix after every click, the user does not keep clicking the same position when a color repeats, which also avoids revealing the password length. Hence, by employing the start-icon and end-padding mechanisms, the eavesdropping resistance of the proposed scheme is better than that of ColorPallete.
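The following simulation is an added example written for this page; it is not the paper's own code. It models what an eavesdropper records during a login and checks whether the click count reveals the password length L, once for a baseline without start-icon/end-padding and once for the proposed scheme. The parameters come from the text (5 color buttons, an invisible 3 × 5 matrix re-randomized after every click, 8 ≤ L ≤ 15, exactly 20 clicks per login). How the start-icon is triggered and how the dummy clicks are split before and after the password are not specified above, so the uniform split and the uniformly random dummy colors are assumptions of this example.

```python
import random

# Parameters stated on the page.
GRID_ROWS, GRID_COLS = 3, 5   # invisible 3 x 5 matrix
NUM_COLORS = 5                # five colour buttons
TOTAL_CLICKS = 20             # fixed click count per login in the proposed scheme
MIN_LEN, MAX_LEN = 8, 15      # 8 <= L <= 15


def place_buttons(rng):
    """Map each colour index to a (row, col) cell; assumption: uniform placement."""
    cells = [(r, c) for r in range(GRID_ROWS) for c in range(GRID_COLS)]
    return dict(zip(range(NUM_COLORS), rng.sample(cells, NUM_COLORS)))


def eavesdrop_unpadded(password, rng):
    """Baseline without start-icon/end-padding: the recording holds exactly
    one click per password symbol, so len(recording) == L."""
    return [place_buttons(rng)[colour] for colour in password]


def eavesdrop_padded(password, rng):
    """Proposed scheme as modelled here: dummy clicks until the secret
    start-icon appears, the L password clicks, then dummy clicks up to
    TOTAL_CLICKS.  Assumption: the leading/trailing split is uniform and
    dummy clicks hit a uniformly random colour button."""
    L = len(password)
    if not MIN_LEN <= L <= MAX_LEN:
        raise ValueError("password length outside the supported range")
    lead = rng.randint(0, TOTAL_CLICKS - L)
    trail = TOTAL_CLICKS - L - lead
    symbols = ([rng.randrange(NUM_COLORS) for _ in range(lead)]
               + list(password)
               + [rng.randrange(NUM_COLORS) for _ in range(trail)])
    return [place_buttons(rng)[colour] for colour in symbols]


def observe(password, padded=True, seed=0):
    """One eavesdropped recording of a login, with a fixed seed."""
    rng = random.Random(seed)
    scheme = eavesdrop_padded if padded else eavesdrop_unpadded
    return scheme(password, rng)


def attacker_length_guess(recording):
    """All a single recording offers for inferring L is the click count."""
    return len(recording)


def length_leak_rate(padded, trials=500, seed=1):
    """Fraction of intercepted logins whose click count equals the true L."""
    rng = random.Random(seed)
    scheme = eavesdrop_padded if padded else eavesdrop_unpadded
    hits = 0
    for _ in range(trials):
        L = rng.randint(MIN_LEN, MAX_LEN)
        password = [rng.randrange(NUM_COLORS) for _ in range(L)]
        if attacker_length_guess(scheme(password, rng)) == L:
            hits += 1
    return hits / trials


def cells_used_per_colour(password, seed=2):
    """Re-randomising the matrix after every click stops a repeated colour
    from being a repeated cell; returns distinct cells clicked per colour."""
    rng = random.Random(seed)
    used = {}
    for colour in password:
        used.setdefault(colour, set()).add(place_buttons(rng)[colour])
    return {colour: len(cells) for colour, cells in used.items()}


if __name__ == "__main__":
    print("click count reveals L (unpadded):", length_leak_rate(padded=False))
    print("click count reveals L (proposed):", length_leak_rate(padded=True))
    print("distinct cells per colour:", cells_used_per_colour([0] * 8 + [1] * 4))
```

The baseline leaks L in every recording; under the proposed scheme every recording is 20 clicks long, so the click count carries no information about L, and a colour that repeats in the password lands on different cells rather than on one fixed position.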
D. Usability
The user interface of the proposed scheme has a QWERTY-like on-screen keyboard that is familiar to most users. By using colors, the user can complete the login process efficiently. Since the user can easily learn the operations of the proposed scheme even without reading detailed instructions, the scheme is suitable for people of all ages. In addition, the user is free to use the same or similar textual passwords to access multiple systems, which reduces his memory burden. Compared with ColorPallete [16], the user only needs to additionally memorize one start-icon, and the login time is slightly longer. Additionally, for color-blind users, the different background colors of the color buttons can be replaced by different background patterns, e.g., solid lines, dashed lines, dotted lines, wavy lines, grids, and meshes.
V. CONCLUSIONS
Herein, we have proposed an enhanced eavesdropping-resistant remote password authentication scheme, in which the user can securely and efficiently complete the login process without using cryptographic technology. The design, implementation, and operation of the proposed scheme are all simple. We have shown that the eavesdropping resistance and the password space of the proposed scheme are superior to those of ColorPallete, while the resistance to accidental login is kept unchanged, at the cost of additionally memorizing one start-icon. In practice, as it is difficult for the attacker to intercept the complete login process many times, the resistance of the proposed scheme to eavesdropping attacks is satisfactory. The proposed scheme achieves a good balance between security and usability.
Fig. 3: The probability of accidental login ($p_{aI}$).
REFERENCES
[1] J. G. Steiner, B. C. Neuman, and J. I. Schiller, Kerberos: An
authentication service for open network systems, Proceedings of the
1988 Winter Usenix Conference, 1988.
[2] J. T. Kohl, B. C. Neuman, and T. Y. Ts'o, The evolution of the
Kerberos authentication system, Distributed Open Systems, IEEE
Computer Society Press, pp. 78-94, 1994.
[3] Network Working Group of the IETF, The Secure Shell (SSH)
authentication protocol, RFC 4252, 2006.
[4] M. S. Hwang, C. C. Lee, and Y. L. Tang, A simple remote user
authentication scheme, Mathematical and Computer Modelling, vol. 36,
no. 1-2, pp. 103-107, 2002.
[5] W. C. Ku and S. M. Chen, Weaknesses and improvements of an
efficient password based remote user authentication scheme using smart
cards, IEEE Transactions on Consumer Electronics, vol. 50, no. 1, pp.
204-207, 2004.
[6] M. L. Das, A. Saxena, and V. P. Gulati, A dynamic ID-based remote
user authentication scheme, IEEE Transactions on Consumer
Electronics, vol.50, no.2, pp. 629-631, 2004.
[7] H. Y. Chien, J. K. Jan, and Y. M. Tseng, A modified remote login
authentication scheme based on geometric approach, The Journal of
System and Software, vol. 55, pp. 287-290, 2001.
[8] L. Sobrado and J. C. Birget, Graphical passwords, The Rutgers
Scholar, An Electronic Bulletin for Undergraduate Research, vol. 4,
2002.
[9] S. Man, D. Hong, and M. Mathews, A shoulder surfing resistant
graphical password scheme, Proceedings of the 2003 International
Conference on Security and Management, pp. 105-111, 2003.
[10] B. Hoanca and K. Mock, Screen oriented technique for reducing the
incidence of shoulder surfing, Proceedings of the 2005 International
Conference on Security and Management, pp. 334-340, 2005.
[11] F. Alsulaiman and A. E. Saddik, A novel 3D graphical password
schema, Proceedings of the 2006 IEEE International Conference on
Virtual Environments, Human-Computer Interfaces and Measurement
Systems, pp. 125-128, 2006.
[12] H. Zhao and X. Li, S3PAS: A scalable shoulder-surfing resistant
textual-graphical password authentication scheme, Proceedings of the
21st International Conference on Advanced Information Networking and
Applications Workshops, vol. 2, pp. 467-472, 2007.
[13] S. Komanduri and D. Hutchings, Order and entropy in Picture
Passwords, Proceedings of the 2008 Graphics Interface Conference,
2008.
[14] T. Perkovic, M. Cagalj, and N. Rakic, SSSL: shoulder surfing safe
login, Proceedings of the 17th International Conference on Software,
Telecommunications & Computer Networks, pp. 270-275, 2009.
[15] Z. Zheng, X. Liu, L. Yin, and Z. Liu, A stroke-based textual password
authentication scheme, Proceedings of the First International Workshop
on Education Technology and Computer Science, pp. 90-95, 2009.
[16] Y. C. Yeh, W. C. Ku, W. P. Chen, and Y. L. Chen, An easy-to-use
login-recording attacks resistant password scheme, Proceedings of the
2011 Conference on Innovative Applications of Information Security
Technology, 2011.
[17] V. Roth, K. Richter, and R. Freidinger, A PIN-entry method resilient
against shoulder surfing, Proceedings of the 11th ACM Conference on
Computer and Communication Security, pp. 236-245, 2004.
[18] L. Sobrado and J. C. Birget, Shoulder-surfing resistant graphical
passwords, draft, 2005
(http://clam.rutgers.edu/~birget/grPssw/srgp.pdf).
[19] S. Wiedenbeck, J. Waters, L. Sobrado, and J. C. Birget, Design and
evaluation of a shoulder-surfing resistant graphical password scheme,
Proceedings of the 2006 Working Conference on Advanced Visual
Interfaces, pp. 177-184, 2006.
[20] B. Hartanto, B. Santoso, and S. Welly, The usage of graphical
password as a replacement to the alphanumerical password, Journal
Informatika, vol. 7, no. 2, pp. 91-97, 2006.
[21] M. Bond, Comments on Gridsure authentication
(http://www.cl.cam.ac.uk/~mkb23/research/GridsureComments.pdf).
[22] H. Gao, X. Liu, S. Wang, H. Liu, and R. Dai, Design and analysis of a
graphical password scheme, Proceedings of the 4th International
Conference on Innovative Computing, Information and Control, pp.
675-678, 2009.
[23] H. Gao, X. Liu, S. Wang, and R. Dai, A new graphical scheme against
spyware by using CAPTCHA, Proceedings of the 5th Symposium on
Usable Privacy and Security, pp. 760-767, 2009.
[24] T. Yamamoto, Y. Kojima, and M. Nishigaki, A
shoulder-surfing-resistant image-based authentication system with
temporal indirect image selection, Proceedings of the 2009
International Conference on Security and Management, pp. 188-194,
2009.
[25] P. Shi, B. Zhu, and A. Youssef, A PIN entry scheme resistant to
recording-based shoulder-surfing, Proceedings of the 3rd International
Conference on Emerging Security Information, Systems and
Technologies, pp. 237-241, 2009.
[26] S. H. Kim, J. W. Kim, S. Y. Kim, and H. G. Cho, A new
shoulder-surfing resistant password for mobile environments,
Proceedings of the 5th International Conference on Ubiquitous
Information Management and Communication, 2011.
[27] M. Sreelatha, M. Shashi, M. Anirudh, Md. S. Ahamer, and V. M. Kumar,
Authentication schemes for session passwords using color and images,
International Journal of Network Security & Its Applications, vol. 3, no.
3, 2011.