Beruflich Dokumente
Kultur Dokumente
BACHELOR OF TECHNOLOGY
IN
INFORMATION TECHNOLOGY
By
G.Pratyusha Reddy(11B81A1219)
Under the Esteemed Guidance of
CERTIFICATE
Password
for
More
Secure
1.
2.
___________________
______________________
INTERNAL GUIDE
SEMINAR
INCHARGES
_______________________
2
HEAD OF DEPARTMENT
DECLARATION
Password
for
More
Secure
G.Pratyusha Reddy(11B81A1219)
ACKNOWLEDGEMENT
ABSTRACT
Index
Table of Contents
Page
Introduction
Literature Survey
Discussion
1
2
3
4
5
4 Conclusion
4
8
10
12
13
16
17
Applications
Technologies Used
Design
Working
Benefits and Limitations
Future Scope
18
References
19
1.Introduction
The dramaticincrease of computer usage has givenrise to many security concerns. One
major security concernis authentication, which is the process of validating who you are to
whom you claimed to be. In general, human authenticationtechniques can be classified as
knowledge based (whatyou know), token based (what you have), and biometrics
(whatyou are).Knowledge-based authentication can be further divided into two categories
as follows: 1) recall based and 2) recognitionbased. Recall-based techniques require the
user to repeator reproduce a secret that the user created before. Recognition
basedtechniques require the user to identify and recognize thesecret, or part of it, that the
user selected before. One ofthe most common recall-based authentication schemes used
inthe computer world is textual passwords. One major drawbackof the textual password
is its two conflicting requirements: the selection of passwords that are easy to remember
and, at the same time, are hard to guess.
Many authentication systems, particularly in banking, re-quire not only what the
user knows but also what the user possesses (token-based systems). However, many
reports have shown that tokens are vulnerable to fraud, loss, or theft by using simple
techniques.
In 3-D Password Authentication System it is the users choice to select which type
of authentication techniques will be part of their 3-D password. This is achieved through
interacting only with the objects that acquire information that the user is comfortable in
providing and ignoring the objects that request information that the user prefers not to
provide. For example, if an item requests an iris scan and the user is not comfortable in
providing such information, the user simply avoids interacting with that item. Moreover,
giving the user the freedom of choice as to what type of authentication schemes will be
part of their 3-D password and given the large number of objects and items in the
environment, the number of possible 3-D passwords will increase. Thus, it becomes much
more difficult for the attacker to guess the users 3-D password.
7
2.Literature Survey
Now days the IT industries are fast going and people living in an electronic world,
where all their needs are met through internet. Obviously different authentication
mechanisms have emerged and came into existence. In this situation people started to
consent one of the human authentication methods for their secure web services. These
authentication methods are based on what you know, what you have and finally what you
are. Textual passwords are the widely used, easy to implement and common. The
password should be easy to remember, user authentication protocol should be executed
quickly and it should be secure. It is a great burden to select a good password. Selecting a
good password may face restriction on at least eight characters long and it is vulnerable
to dictionary attack if any meaningful words are used.
Token based techniques, such that ATM cards, smart cards are widely used. This is
also working with the help of knowledge-based mechanism to enhance security. With the
ATM card magnetic strips details the user should enter four digit pin number for secure
access to the transaction. Many biometric schemes have been proposed; fingerprints,
palm prints, hand geometry, face recognition, voice recognition, iris recognition, and
retina recognition are all different biometric schemes. Each biometric recognition scheme
has its advantages and disadvantages based on several factors such as consistency,
uniqueness, and acceptability.
One of the main drawbacks of applying biometrics is its intrusiveness upon a
users personal characteristic. Moreover, retina biometrical recognition schemes require
the user to willingly subject their eyes to a low-intensity infrared light. In addition, most
biometric systems require a special scanning device to authenticate users, which is not
applicable for remote and Internet users. With effect of all these, it is highly expensive to
8
implement and consume more time to authenticate. However the knowledge based
mechanism is the widely use one. It can be of text based or picture based. Ideas about
graphical password system were the starting of the graphical password era. In which
predefined image positions are selected at the registration stage. Then applying a recall
based techniques to reproduce something that selected earlier at registration stage. Later a
new method was introduced based on hash Visualization. In which the user is asked to
select number of images from a set of random pictures. Later the user will require
identifying preselected images in order to be authenticated.
3.Discussion
5. The new scheme should provide secrets that can be easilyrevoked or changed.
Based on the aforementioned requirements, we propose ourcontribution, i.e., the 3-D
password authentication scheme.
3.23-D Password Overview
The 3-D password is a multifactor authentication scheme.The 3-D password
presents a 3-D virtual environment containingvarious virtual objects. The user navigates
through thisenvironment and interacts with the objects. The 3-D passwordis simply the
combination and the sequence of user interactionsthat occur in the 3-D virtual
environment. The 3-D passwordcan combine recognition-, recall-, token-, and biometricsbasedsystems into one authentication scheme. This can be doneby designing a 3-D virtual
environment that contains objectsthat request information to be recalled, information to
berecognized, tokens to be presented, and biometrical data to beverified.
For example, the user can enter the virtual environmentand type something on a
computer that exists in (x1, y1, z1)position, then enter a room that has a fingerprint
recognitiondevice that exists in a position (x2, y2, z2) and provide his/herfingerprint.
Then, the user can go to the virtual garage, open the car door, and turn on the radio to a
specific channel. Thecombination and the sequence of the previous actions towardthe
specific objects construct the users 3-D password. Virtual objects can be any object that
we encounter in reallife. Any obvious actions and interactions toward the real-lifeobjects
can be done in the virtual 3-D environment toward thevirtual objects. Moreover, any user
input (such as speakingn a specific location) in the virtual 3-D environment can
beconsidered as a part of the 3-D password. We can have thefollowing objects:
1.
2.
3.
4.
5.
6.
7.
130).The user then presses the login button. The initial representationof user actions in
the 3-D virtual environment can be recordedas follows:
Designing
environment
affects
theusability,
Therefore,the probable 3-D password space broadens. However, asmall 3-D virtual
environment usually contains only a fewobjects, and thus, performing a 3-D password
will takeless time.
4. Number of objects (items) and their types: Part of designinga 3-D virtual environment
is determining the typesof objects and how many objects should be placed in
theenvironment. The types of objects reflect what kind ofresponses the object will have.
For simplicity, we canconsider requesting a textual password or a fingerprintas an object
response type. Selecting the right objectresponse types and the number of objects affects
theprobable password space of a 3-D password.
5.System importance: The 3-D virtual environmentshould consider what systems will be
protected bya 3-D password. The number of objects and the typesof objects that have
been used in the 3-D virtual environmentshould reflect the importance of the
protectedsystem.
16
1.1. APPLICATIONS
4 Web Authentication
SECURITY ANALYSIS
1.2.
To analyze and study how secure a system is, we have toconsider how hard it is for
the attacker to break such a system.A possible measurement is based on the
information content ofa password space, which is defined in [13] as the entropy ofthe
probability distribution over that space given by the relativefrequencies of the
passwords that users actually choose. Wehave seen that textual password space may
be relatively large;however, an attacker might only need a small subset of the
fullpassword space as Klein [2] observed to successfully breaksuch an authentication
system. As a result, it is important tohave a scheme that has a very large possible
password spaceas one factorfor increasing the work required by the attackerto break
the authentication system. Another factor is to finda scheme that has no previous or
existing knowledge of the
most probable user password selection, which can also resistthe attack on such an
authentication scheme.In Section IV-A, we will discuss the size of the 3-D password
space. Then, we will study the knowledge distribution of the3-D password. Afterward,
we will analyze the possible attackson the 3-D password.
A. 3-D Password Space Size
One important factor to determine how difficult it is tolaunch an attack on an
authentication system is the size of thepassword space. To determine the 3-D
password space, we haveto count all possible 3-D passwords that have a certain
numberof actions, interactions, and inputs toward all objects that existin the 3-D
virtual environment
3-D Password Distribution Knowledge
Studying the users behavior of password selection andknowing the most probable
textual passwords are the keybehind dictionary attacks. Klein [2] used such
18
knowledge to collect a small set of 3 106 words that have a high probabilityof usage
among users. The question is how has suchinformation (highly probable passwords)
been found and why.Users tend to choose words that have meaning, such as
places,names, famous peoples names, sports terms, and biologicalterminologies.
Therefore, finding these different words from thedictionary is a relatively simple task.
Using such knowledgeyields a high success rate for breaking textual passwords.
Anyauthentication scheme is affected by the knowledge distributionof the users
secrets. According to Davis et al. [9], Passfaces[8] users tend to choose faces that
reflect their own taste onfacial attractiveness, race, and gender. Moreover, 10% of
malepasswords have been guessed in only two guesses. Anotherstudy [14] about user
selection of DAS [13] concluded thatfor their secret passwords, users tend to draw
things that havemeaning, which simplifies the attackers task.Currently, knowledge
about user behaviors on selecting their3-D password does not exist. Every user has
different requirementsand preferences when selecting the appropriate 3-D
password.This fact will increase the effort required to find a patternof users highly
selected 3-D password. In addition, since the3-D password combines several
authentication schemes intoa single authentication environment, the attacker has to
study every single authentication scheme and has to discover whatthe most probable
selected secrets are. For textual password, thehighly probable selected textual
password might be determinedby the use of dictionaries. However, there are many
authenticationschemes with undiscovered probable password space.Since every 3-D
password system can be designed accordingto the protected system requirements, the
attacker has toseparately study every 3-D password system. This is becauseobjects
that exist in one 3-D password system might not exist onother 3-D password systems.
Therefore, more effort is required to build the knowledge of most probable 3-D
passwords.
C. Attacks and Countermeasures
To realize and understand how far an authentication schemeis secure, we have to
consider all possible attack methods. Wehave to study whether the authentication
19
scheme
is
not
immune,
we
then
have
to
find
thecountermeasures that prevent such attacks. In this section, wetry to cover most
possible attacks and whether the attack is validor not. Moreover, we try to propose
countermeasures for suchattacks.
Brute Force Attack: The attacker has to try all possible 3-Dpasswords. This kind
of attack is very difficult for the followingreasons.1) Time required to login: The total
time needed for alegitimate user to login may vary from 20 s to 2 minor more,
depending on the number of interactions andactions, the size of the 3-D virtual
environment, and thetype of actions and interactions done by the user as a3-D
password. Therefore, a brute force attack on a 3-Dpassword is very difficult and time
consuming.2) Cost of attacks: In a 3-D virtual environment that containsbiometric
recognition objects and token-based objects,the attacker has to forge all possible
biometric informationand forge all the required tokens. The cost of forgingsuch
information is very high; therefore, cracking the3-D password is more challenging.
Moreover, the highnumber of possible 3-D password spaces (as shown inTable I)
leaves the attacker with almost no chance ofbreaking the 3-D password.
Well-Studied Attack: The attacker tries to find the highestprobable distribution of
3-D passwords. However, to launchsuch an attack, the attacker has to acquire
knowledge
of
themost
probable
3-D
password
distributions.
Acquiring
suchknowledge is very difficult because the attacker has to studyall the existing
authentication schemes that are used in the 3-Denvironment. Moreover, acquiring
such knowledge may requireforging all existing biometrical data and may require
forgingtoken-based data. In addition, it requires a study of the usersselection of
objects, or a combination of objects, that the userwill use as a 3-D password.
Moreover, a well-studied attackis very hard to accomplish since the attacker has to
perform acustomized attack for every different 3-D virtual environmentdesign. Every
system can be protected by a 3-D password thatis based on a unique 3-D virtual
environment. This environmenthas a number of objects and types of object responses
20
21