A Technical Seminar Report on

Three-Dimensional Password for More Secure Authentication

Submitted in partial fulfillment of the requirement for the award of the degree of

BACHELOR OF TECHNOLOGY
IN
INFORMATION TECHNOLOGY
By

G.Pratyusha Reddy(11B81A1219)
Under the Esteemed Guidance of

Assoc. Professor, IT Department,

Mr.Nayani Sateesh
CVR College of Engineering

Department Of Information Technology

CVR COLLEGE OF ENGINEERING

(AUTONOMOUS Affiliated to JNTU, Hyderabad)
Mangalpally, Ibrahimpatnam District -501 510
2014-2015
1

CERTIFICATE

This is to certify that the Technical Seminar work entitled

Three-Dimensional

Password

for

More

Secure

Authentication done by Miss. G.Pratyusha Reddy, Roll.

No.11B81A1219, during the academic year 2015 in partial
fulfillment for the award of Degree of Bachelor of Technology in
Information Technology, to CVR College of Engineering,
Vastunagar, is a record of bonafide work carried out by them
under our guidance and supervision. The results embodied in this
seminar report have not been submitted to any other University
or Institute for the award of any Degree or Diploma.

1.
2.
___________________

______________________

INTERNAL GUIDE

SEMINAR

INCHARGES

_______________________
2

HEAD OF DEPARTMENT

DECLARATION

I hereby declare that the Technical Seminar report entitled

Three-Dimensional

Password

for

More

Secure

Authentication is an original work done and submitted to

Department of IT, CVR College of Engineering, an autonomous
institution, Ibrahimpatnam, in partial fulfillment of the requirement for
the award of degree in Bachelor of Technology in Information
Technology.
I assure that this project has not been submitted elsewhere for
any degree or diploma.

G.Pratyusha Reddy(11B81A1219)

ACKNOWLEDGEMENT

I express my profound sense of gratitude in all its humbleness to

my internal guideMr.Nayani Sateesh, Assoc. Professor, Department of
Information Technology, CVR College of Engineering, for his brilliant
and gracious guidance, meticulous care and unstinted co-operation
throughout the work. He spared his valuable time on the project report
with keen interest. This Technical Seminar report would not have been
taken this shape without his time, encouragement and co-operation.
I also express my thanks to the Head of the Department, Dr. U.V.
Ramana Sarma, the Principal, the teaching and non-teaching staff of
the department of Information Technology for sharing their knowledge
with me.
Finally, I thank the authority of CVR College of Engineering and
friends who have directly or indirectly helped me in this project.

ABSTRACT

Current authentication systems suffer from many weaknesses.

Textual passwords are commonly used; however, users do not follow
their requirements. Users tend to choose meaningful words from
dictionaries, which make textual passwords easy to break and
vulnerable to dictionary or brute force attacks. Many available
graphical passwords have a password space that is less than or equal
to the textual password space. Smart cards or tokens can be stolen.
Many biometric authentications have been proposed; however, users
tend to resist using biometrics because of their intrusiveness and the
effect on their privacy. Moreover, biometrics cannot be revoked. In this
paper, we present and evaluate our contribution, i.e., the 3-D
password. The 3-D password is a multifactor authentication scheme. To
be authenticated, we present a 3-D virtual environment where the user
navigates and interacts with various objects. The sequence of actions
and interactions toward the objects inside the 3-D environment
constructs the users 3-D password. The 3-D password can combine
most existing authentication schemes such as textual passwords,
graphical passwords, and various types of biometrics into a 3-D virtual
environment. The design of the 3-D virtual environment and the type
of objects selected determine the 3-D password key space.

Index
Table of Contents

Page

Introduction

Literature Survey

Discussion
1
2
3
4
5
4 Conclusion

4
8
10
12
13
16
17

Applications
Technologies Used
Design
Working
Benefits and Limitations

Future Scope

18

References

19

1.Introduction
The dramaticincrease of computer usage has givenrise to many security concerns. One
major security concernis authentication, which is the process of validating who you are to
whom you claimed to be. In general, human authenticationtechniques can be classified as
knowledge based (whatyou know), token based (what you have), and biometrics
(whatyou are).Knowledge-based authentication can be further divided into two categories
as follows: 1) recall based and 2) recognitionbased. Recall-based techniques require the
user to repeator reproduce a secret that the user created before. Recognition
basedtechniques require the user to identify and recognize thesecret, or part of it, that the
user selected before. One ofthe most common recall-based authentication schemes used
inthe computer world is textual passwords. One major drawbackof the textual password
is its two conflicting requirements: the selection of passwords that are easy to remember
and, at the same time, are hard to guess.
Many authentication systems, particularly in banking, re-quire not only what the
user knows but also what the user possesses (token-based systems). However, many
reports have shown that tokens are vulnerable to fraud, loss, or theft by using simple
techniques.
In 3-D Password Authentication System it is the users choice to select which type
of authentication techniques will be part of their 3-D password. This is achieved through
interacting only with the objects that acquire information that the user is comfortable in
providing and ignoring the objects that request information that the user prefers not to
provide. For example, if an item requests an iris scan and the user is not comfortable in
providing such information, the user simply avoids interacting with that item. Moreover,
giving the user the freedom of choice as to what type of authentication schemes will be
part of their 3-D password and given the large number of objects and items in the
environment, the number of possible 3-D passwords will increase. Thus, it becomes much
more difficult for the attacker to guess the users 3-D password.
7

2.Literature Survey

Now days the IT industries are fast going and people living in an electronic world,
where all their needs are met through internet. Obviously different authentication
mechanisms have emerged and came into existence. In this situation people started to
consent one of the human authentication methods for their secure web services. These
authentication methods are based on what you know, what you have and finally what you
are. Textual passwords are the widely used, easy to implement and common. The
password should be easy to remember, user authentication protocol should be executed
quickly and it should be secure. It is a great burden to select a good password. Selecting a
good password may face restriction on at least eight characters long and it is vulnerable
to dictionary attack if any meaningful words are used.
Token based techniques, such that ATM cards, smart cards are widely used. This is
also working with the help of knowledge-based mechanism to enhance security. With the
ATM card magnetic strips details the user should enter four digit pin number for secure
access to the transaction. Many biometric schemes have been proposed; fingerprints,
palm prints, hand geometry, face recognition, voice recognition, iris recognition, and
retina recognition are all different biometric schemes. Each biometric recognition scheme
has its advantages and disadvantages based on several factors such as consistency,
uniqueness, and acceptability.
One of the main drawbacks of applying biometrics is its intrusiveness upon a
users personal characteristic. Moreover, retina biometrical recognition schemes require
the user to willingly subject their eyes to a low-intensity infrared light. In addition, most
biometric systems require a special scanning device to authenticate users, which is not
applicable for remote and Internet users. With effect of all these, it is highly expensive to
8

implement and consume more time to authenticate. However the knowledge based
mechanism is the widely use one. It can be of text based or picture based. Ideas about
graphical password system were the starting of the graphical password era. In which
predefined image positions are selected at the registration stage. Then applying a recall
based techniques to reproduce something that selected earlier at registration stage. Later a
new method was introduced based on hash Visualization. In which the user is asked to
select number of images from a set of random pictures. Later the user will require
identifying preselected images in order to be authenticated.

3.Discussion

3.1 3-D Password Scheme

The 3-D password scheme is a multifactor authenticationscheme that combines the
benefits of various authenticationschemes. We attempted to satisfy the following
requirements.
1. The new scheme should not be either recall based orrecognition based only.
Instead, the scheme should bea combination of recall-, recognition-, biometrics-,
and
Token-based authentication schemes.
2. Users ought to have the freedom to select whether the 3-Dpassword will be solely
recall-, biometrics-, recognition-,or token-based, or a combination of two schemes
or more.This freedom of selection is necessary because users are different and they
have different requirements. Someusers do not like to carry cards. Some users do
not liketo provide biometrical data, and some users have poormemories.
Therefore, to ensure high user acceptability,the users freedom of selection is
important.
3. The new scheme should provide secrets that are easy toremember and very
difficult for intruders to guess.
4. The new scheme should provide secrets that are not easyto write down on paper.
Moreover, the scheme secretsshould be difficult to share with others.
10

5. The new scheme should provide secrets that can be easilyrevoked or changed.
Based on the aforementioned requirements, we propose ourcontribution, i.e., the 3-D
password authentication scheme.
3.23-D Password Overview
The 3-D password is a multifactor authentication scheme.The 3-D password
presents a 3-D virtual environment containingvarious virtual objects. The user navigates
through thisenvironment and interacts with the objects. The 3-D passwordis simply the
combination and the sequence of user interactionsthat occur in the 3-D virtual
environment. The 3-D passwordcan combine recognition-, recall-, token-, and biometricsbasedsystems into one authentication scheme. This can be doneby designing a 3-D virtual
environment that contains objectsthat request information to be recalled, information to
berecognized, tokens to be presented, and biometrical data to beverified.
For example, the user can enter the virtual environmentand type something on a
computer that exists in (x1, y1, z1)position, then enter a room that has a fingerprint
recognitiondevice that exists in a position (x2, y2, z2) and provide his/herfingerprint.
Then, the user can go to the virtual garage, open the car door, and turn on the radio to a
specific channel. Thecombination and the sequence of the previous actions towardthe
specific objects construct the users 3-D password. Virtual objects can be any object that
we encounter in reallife. Any obvious actions and interactions toward the real-lifeobjects
can be done in the virtual 3-D environment toward thevirtual objects. Moreover, any user
input (such as speakingn a specific location) in the virtual 3-D environment can
beconsidered as a part of the 3-D password. We can have thefollowing objects:
1.
2.
3.
4.
5.
6.
7.

A computer with which the user can type.

A fingerprint reader that requires the users fingerprint.
A biometrical recognition device.
A paper or a white board that a user can write, sign, or draw on.
An automated teller machine (ATM) that requests a token.
A light that can be switched on/off.
A television or radio where channels can be selected.
11

8. A staple that can be punched.

9. A car that can be driven.
10. A book that can be moved from one place to another.
11. Any graphical password scheme.
12. Any real-life object.
13. Any upcoming authentication scheme.
The action toward an object (assume a fingerprint recognition device) that exists in
location (x1, y1, z1) is different from theactions toward a similar object (another
fingerprint recognitiondevice) that exists in location (x2, y2, z2), where x1 _= x2,y1 _=
y2, and z1 _= z2. Therefore, to perform the legitimate3-D password, the user must follow
the same scenario performedby the legitimate user. This means interacting with the same
objects that reside at the exact locations and perform the exact actions in the proper
sequence.
3.3 3-D Password Selection and Inputs
Let us consider a 3-D virtual environment space of size G G G. The 3-D
environment space is represented by the coordinates(x, y, z) [1. . . G] [1. . . G]
[1. . . G]. Theobjects are distributed in the 3-D virtual environment withunique (x, y, z)
coordinates. We assume that the user cannavigate into the 3-D virtual environment and
interact with the objects using any input device such as a mouse, keyboard,fingerprint
scanner, iris scanner, stylus, card reader, andmicrophone. We consider the sequence of
those actions andinteractions using the previous input devices as the users 3-Dpassword.
For example, consider a user who navigates throughthe 3-D virtual environment
that consists of an office and ameeting room. Let us assume that the user is in the virtual
officeand the user turns around to the door located in (10, 24, 91) andopens it. Then, the
user closes the door. The user then finds acomputer to the left, which exists in the
position (4, 34, 18),and the user types FALCON. Then, the user walks to themeeting
room and picks up a pen located at (10, 24, 80) anddraws only one dot in a paper located
in (1, 18, 30), which is thedot (x, y) coordinate relative to the paper space is (330,
12

130).The user then presses the login button. The initial representationof user actions in
the 3-D virtual environment can be recordedas follows:

(10, 24, 91) Action = Open the office door;

(10, 24, 91) Action = Close the office door;
4, 34, 18) Action = Typing, F;
(4, 34, 18) Action = Typing, A;
(4, 34, 18) Action = Typing, L;
(4, 34, 18) Action = Typing, C;
(4, 34, 18) Action = Typing, O;
(4, 34, 18) Action = Typing, N;
(1, 18, 80) Action = Drawing, point = (330, 130).
This representation is only an example. The extensive real representation will not
be discussed in this paper. In order fora legitimate user to be authenticated, the user has to
follow thesame sequence and type of actions and interactions toward theobjects for the
users original 3-D password. Fig. 1 shows avirtual computer that accepts textual
passwords as a part of ausers 3-D password.Three-dimensional virtual environments can
be designed toinclude any virtual objects. Therefore, the first building blockof the 3-D
password system is to design the 3-D virtualenvironment and to determine what objects
the environmentwill contain. In addition, specifying the objects propertiesis part of the
system design. The design of the 3-D virtualenvironment influences the overall password
space, usability,and performance of the 3-D password system. Fig. 2 shows asnapshot of
an experimental 3-D virtual environment.To simplify the idea of how a 3-D password
works, Fig. 3shows a state diagram of a possible 3-D password authenticationsystem.
13

3.4 3-D Virtual Environment Design Guidelines

14

Designing

well-studied 3-D virtual

environment

affects

theusability,

effectiveness, and acceptability of a 3-D passwordsystem. Therefore, the first step in

building a 3-D PasswordSystem is to design a 3-D environment that reflects the
administrationneeds and the security requirements. The design of 3-Dvirtual
environments should follow these guidelines.
1. Real-life similarity: The prospective 3-D virtual environmentshould reflect what
people are used to seeing inreal life. Objects used in virtual environments should
berelatively similar in size to real objects (sized to scale).Possible actions and interactions
toward virtual objectsshould reflect real-life situations. Object responses shouldbe
realistic. The target should have a 3-D virtual environmentthat users can interact with, by
using common sense.
2. Object uniqueness and distinction: Every virtual objector item in the 3-D virtual
environment is different fromany other virtual object. The uniqueness comes fromthe fact
that every virtual object has its own attributessuch as position. Thus, the prospective
interaction withobject 1 is not equal to the interaction with object 2.
However,having similar objects such as 20 computers in oneplace might confuse
the user. Therefore, the design of the3-D virtual environment should consider that every
objectshould be distinguishable from other objects. A simplereal-life example is home
numbering. Assume that thereare 20 or more homes that look like each other and
thehomes are not numbered. It would be difficult to distinguishwhich house was visited a
month ago. Similarly,in designing a 3-D virtual environment, it should be easyfor users to
navigate through and to distinguish betweenobjects. The distinguishing factor increases
the usersrecognition of objects. Therefore, it improves the systemusability.
3.Three-dimensional virtual environment size: A 3-D virtualenvironment can depict a city
or even the world. Onthe other hand, it can depict a space as focused as a singleroom or
office. The size of a 3-D environment shouldbe carefully studied. A large 3-D virtual
environmentwill increase the time required by the user to perform a3-D password.
Moreover, a large 3-D virtual environmentcan contain a large number of virtual objects.
15

Therefore,the probable 3-D password space broadens. However, asmall 3-D virtual
environment usually contains only a fewobjects, and thus, performing a 3-D password
will takeless time.
4. Number of objects (items) and their types: Part of designinga 3-D virtual environment
is determining the typesof objects and how many objects should be placed in
theenvironment. The types of objects reflect what kind ofresponses the object will have.
For simplicity, we canconsider requesting a textual password or a fingerprintas an object
response type. Selecting the right objectresponse types and the number of objects affects
theprobable password space of a 3-D password.
5.System importance: The 3-D virtual environmentshould consider what systems will be
protected bya 3-D password. The number of objects and the typesof objects that have
been used in the 3-D virtual environmentshould reflect the importance of the
protectedsystem.

16

1.1. APPLICATIONS

3-D Password Applications :

Because a 3-D password can have a password space that isvery large compared to
other authentication schemes, the 3-Dpasswords main application domains are
protecting criticalsystems and resources. Possible critical applications include
thefollowing.
1Critical servers:Many large organizations have criticalservers that are usually
protected by a textual password.A 3-D password authentication proposes a sound
replacementfor a textual password. Moreover, entrancesto such locations are usually
protected by access cardsand sometimes PIN numbers. Therefore, a 3-D password
can be used to protect the entrance to such locations andprotect the usage of such
servers.
2Nuclear and military facilities:Such facilities shouldbe protected by the most
powerful authentication systems.The 3-D password has a very large probable
password
space, and since it can contain token-, biometrics-,recognition-, and knowledge-based
authentications in asingle authentication system, it is a sound choice for
highlevelsecurity locations.
3Airplanes and jetfighters:Because of the possible threatof misusing airplanes and
jetfighters for religio-politicalagendas, usage of such airplanes should be protected by
a powerful authentication system. The 3-D password isrecommended for these
systems.In addition, 3-D passwords can be used in less criticalsystems because the 3D virtual environment can be designedto fit any systems needs. A small 3-D virtual
environment canbe used in many systems, including the following:
1 ATMs
2 Personal Digital Assistants
3 Desktop Computers and laptop logins
17

4 Web Authentication

SECURITY ANALYSIS

1.2.

To analyze and study how secure a system is, we have toconsider how hard it is for
the attacker to break such a system.A possible measurement is based on the
information content ofa password space, which is defined in [13] as the entropy ofthe
probability distribution over that space given by the relativefrequencies of the
passwords that users actually choose. Wehave seen that textual password space may
be relatively large;however, an attacker might only need a small subset of the
fullpassword space as Klein [2] observed to successfully breaksuch an authentication
system. As a result, it is important tohave a scheme that has a very large possible
password spaceas one factorfor increasing the work required by the attackerto break
the authentication system. Another factor is to finda scheme that has no previous or
existing knowledge of the
most probable user password selection, which can also resistthe attack on such an
authentication scheme.In Section IV-A, we will discuss the size of the 3-D password
space. Then, we will study the knowledge distribution of the3-D password. Afterward,
we will analyze the possible attackson the 3-D password.
A. 3-D Password Space Size
One important factor to determine how difficult it is tolaunch an attack on an
authentication system is the size of thepassword space. To determine the 3-D
password space, we haveto count all possible 3-D passwords that have a certain
numberof actions, interactions, and inputs toward all objects that existin the 3-D
virtual environment
3-D Password Distribution Knowledge
Studying the users behavior of password selection andknowing the most probable
textual passwords are the keybehind dictionary attacks. Klein [2] used such
18

knowledge to collect a small set of 3 106 words that have a high probabilityof usage
among users. The question is how has suchinformation (highly probable passwords)
been found and why.Users tend to choose words that have meaning, such as
places,names, famous peoples names, sports terms, and biologicalterminologies.
Therefore, finding these different words from thedictionary is a relatively simple task.
Using such knowledgeyields a high success rate for breaking textual passwords.
Anyauthentication scheme is affected by the knowledge distributionof the users
secrets. According to Davis et al. [9], Passfaces[8] users tend to choose faces that
reflect their own taste onfacial attractiveness, race, and gender. Moreover, 10% of
malepasswords have been guessed in only two guesses. Anotherstudy [14] about user
selection of DAS [13] concluded thatfor their secret passwords, users tend to draw
things that havemeaning, which simplifies the attackers task.Currently, knowledge
about user behaviors on selecting their3-D password does not exist. Every user has
different requirementsand preferences when selecting the appropriate 3-D
password.This fact will increase the effort required to find a patternof users highly
selected 3-D password. In addition, since the3-D password combines several
authentication schemes intoa single authentication environment, the attacker has to
study every single authentication scheme and has to discover whatthe most probable
selected secrets are. For textual password, thehighly probable selected textual
password might be determinedby the use of dictionaries. However, there are many
authenticationschemes with undiscovered probable password space.Since every 3-D
password system can be designed accordingto the protected system requirements, the
attacker has toseparately study every 3-D password system. This is becauseobjects
that exist in one 3-D password system might not exist onother 3-D password systems.
Therefore, more effort is required to build the knowledge of most probable 3-D
passwords.
C. Attacks and Countermeasures
To realize and understand how far an authentication schemeis secure, we have to
consider all possible attack methods. Wehave to study whether the authentication
19

scheme proposed isimmune against such attacks or not. Moreover, if the

proposedauthentication

scheme

is

not

immune,

we

then

have

to

find

thecountermeasures that prevent such attacks. In this section, wetry to cover most
possible attacks and whether the attack is validor not. Moreover, we try to propose
countermeasures for suchattacks.
Brute Force Attack: The attacker has to try all possible 3-Dpasswords. This kind
of attack is very difficult for the followingreasons.1) Time required to login: The total
time needed for alegitimate user to login may vary from 20 s to 2 minor more,
depending on the number of interactions andactions, the size of the 3-D virtual
environment, and thetype of actions and interactions done by the user as a3-D
password. Therefore, a brute force attack on a 3-Dpassword is very difficult and time
consuming.2) Cost of attacks: In a 3-D virtual environment that containsbiometric
recognition objects and token-based objects,the attacker has to forge all possible
biometric informationand forge all the required tokens. The cost of forgingsuch
information is very high; therefore, cracking the3-D password is more challenging.
Moreover, the highnumber of possible 3-D password spaces (as shown inTable I)
leaves the attacker with almost no chance ofbreaking the 3-D password.
Well-Studied Attack: The attacker tries to find the highestprobable distribution of
3-D passwords. However, to launchsuch an attack, the attacker has to acquire
knowledge

of

themost

probable

3-D

password

distributions.

Acquiring

suchknowledge is very difficult because the attacker has to studyall the existing
authentication schemes that are used in the 3-Denvironment. Moreover, acquiring
such knowledge may requireforging all existing biometrical data and may require
forgingtoken-based data. In addition, it requires a study of the usersselection of
objects, or a combination of objects, that the userwill use as a 3-D password.
Moreover, a well-studied attackis very hard to accomplish since the attacker has to
perform acustomized attack for every different 3-D virtual environmentdesign. Every
system can be protected by a 3-D password thatis based on a unique 3-D virtual
environment. This environmenthas a number of objects and types of object responses
20

that differfrom any other 3-D virtual environment. Therefore, a carefullycustomized

study is required to initialize an effective attack.
Shoulder Surfing Attack: An attacker uses a camera to recordthe users 3-D password or
tries to watch the legitimate userwhile the 3-D password is being performed. This attack
is themost successful type of attack against 3-D passwords and someother graphical
passwords. However, the users 3-D passwordmay contain biometrical data or textual
passwords that cannotbe seen from behind. The attacker may be required to
takeadditional measures to break the legitimate users 3-D password.Therefore, we
assume that the 3-D password should beperformed in a secure place where a shoulder
surfing attackcannot be performed.
Timing Attack: In this attack, the attacker observes how longit takes the legitimate user to
perform a correct sign-in using the3-D password. This observation gives the attacker an
indicationof the legitimate users 3-D password length. However, thiskind of attack alone
cannot be very successful since it gives theattacker mere hints. Therefore, it would
probably be launchedas part of a well-studied or brute force attack. Timing attackscan be
very effective if the 3-D virtual environment is poorlydesigned.

21