Image based authentication


IMAGE BASED AUTHENTICATION

HUMAN AUTHENTICATION

What you are (biometric)

What you have (token)

What you know (password)

PROBLEMS WITH PASSWORDS

Finger attacks

Word of mouth transfer

Dictionary attacks

Image Based Authentication (IBA) can solve all of these

WHAT IS IBA BASED ON?

IBA is based on a user’s successful identification of his image password set. After the username is sent to the authentication module, it responds by displaying an image set, which consists of images from the user’s password set mixed with other images. The user is authenticated by correctly identifying the password images.

DEFINITIONS

Image Space (IS) – the set of all images used by the IBA system.

Individual Image Set (IIS) – the set of images that a user (u) chooses to authenticate himself.

Key Image – any image in a user's IIS.

Presentation Set (PS) – the set of images presented to a user from which the key images must be selected for a given authentication attempt.

ARCHITECTURE

Authentication User Agent (AUA)

Authentication Server (AS)

The communication between them is encrypted using authenticated Diffie-Hellman.

The AS is assumed to be a part of the Trusted Computing Base.

BASIC PROTOCOL

Image Set Selection

Alice selects ‘n’ images (n is set by the administrator, Bob).

Bob stores the image set at the AS.

Presentation Subsets

Bob picks one image from IISa and some other images from IS-IISa for each PS_i.

Alice picks the IISa image from each PS_i.

BASIC PROTOCOL - AUTHENTICATE

A→B: Username = Alice
B→A: Presentation set for Round 1, PS1.
A→B: Identified image.
B→A: Presentation set for Round 2, PS2.
A→B: Identified image.
…
B→A: Presentation set for Round R, PSR.
A→B: Identified image.

If all R steps are successful, Bob authenticates Alice.

ATTACKS

Image Based Authentication is not foolproof.

There are four points of vulnerability:

1. Information stored on the AS.
2. Information sent between the AS and AUA.
3. The output at the AUA.
4. The input at the AUA.

KEYSTROKE LOGGING: AUA INPUT

Eve can observe or log Alice’s keystrokes and later authenticate herself as Alice.

COUNTER: Display the images in random order. Keystrokes are only meaningful for this PS in this display order.
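
The basic protocol and the random-display-order counter above, as an added Python sketch (not code from the original slides). It assumes R equals the number of key images and a presentation set of 9 images; the function names and image names are hypothetical.

```python
import secrets
from fractions import Fraction

rng = secrets.SystemRandom()  # CSPRNG: decoy choice and display order must be unpredictable

def presentation_set(image_space, iis, key_image, ps_size):
    """PS_i: one key image plus decoys drawn from IS - IIS, in random display order."""
    decoys = rng.sample(sorted(set(image_space) - set(iis)), ps_size - 1)
    ps = decoys + [key_image]
    rng.shuffle(ps)
    return ps

def authenticate(image_space, iis, pick_slot, ps_size=9):
    """AS side of the R rounds (assumption: R = len(iis), one round per key image).

    pick_slot(round_no, ps) stands in for the AUA and returns the chosen slot index.
    The verdict is returned only after the last round, so a wrong pick does not
    reveal which round failed (a design choice of this sketch).
    """
    ok = True
    for round_no, key_image in enumerate(rng.sample(list(iis), len(iis)), start=1):
        ps = presentation_set(image_space, iis, key_image, ps_size)
        slot = pick_slot(round_no, ps)
        ok &= 0 <= slot < len(ps) and ps[slot] == key_image
    return ok

def guess_probability(ps_size, rounds):
    """Chance that uniformly random picks pass every round: (1/|PS|)^R."""
    return Fraction(1, ps_size) ** rounds

# Constructed sample data (hypothetical image names).
IMAGE_SPACE = [f"img{n:03d}" for n in range(200)]
ALICE_IIS = ["img007", "img042", "img113", "img150"]

def alice(round_no, ps):
    """Legitimate user: recognises her key image wherever it is displayed."""
    return next(i for i, img in enumerate(ps) if img in ALICE_IIS)

def replayer(recorded_slots):
    """Replays slot positions logged in an earlier session (the keystroke-logging case)."""
    return lambda round_no, ps: recorded_slots[round_no - 1]

if __name__ == "__main__":
    print("Alice:", authenticate(IMAGE_SPACE, ALICE_IIS, alice))
    print("Replay of slots [0, 3, 5, 8]:", authenticate(IMAGE_SPACE, ALICE_IIS, replayer([0, 3, 5, 8])))
    print("Blind guess, 9 images x 4 rounds:", guess_probability(9, 4))
```

Because the slot of the key image is redrawn for every presentation set, a replayed slot sequence succeeds no more often than a blind guess.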

SHOULDER SURFING: AUA OUTPUT LOGGING

Eve can observe Alice’s screen (during the authentication process) and later authenticate herself as Alice.

COUNTER: Display the image when the mouse is over it. Otherwise gray out the image.

If input is hidden, then which image is selected is not known; Eve only gets the PS_i’s.

OTHER ATTACKS:

Brute Force Attack

Frequency Correlation Attack

Intersection Attack

Logic Attack

Countering Frequency Correlation Attack

Decoy Screen

Image Buckets

Fixed PS per Key Image

IMPLEMENTATION ISSUES:

Image Set Storage : Password schemes normally store only the hash of a user’s password. By compromising the server, the attacker cannot recover the password. In our scheme, the server cannot merely store the hash. The server needs to know the image set itself in order to present the authentication screens. If a server is compromised, it will be possible to retrieve the image set of every user. However, many authentication schemes depend heavily on the impenetrability of the Trusted Computing Base and they have been widely deployed.

OVERVIEW

CAPTCHA stands for Completely Automated Public Turing Test to tell Computers and Humans Apart.

CAPTCHA is an automated test that can distinguish between machines and humans.

It differentiates between humans and bots by setting some task that is easy for most humans to perform but is more difficult and time-consuming for current bots to complete.

APPLICATIONS OF CAPTCHA:

Preventing Comment Spam in Blogs.

Protecting Website Registration.

Protecting Email Addresses From Scrapers.

Online Polls.

Preventing Dictionary Attacks.

Worms and Spam.

FOLLOWING ARE THE TWO TYPES OF IMAGE BASED CAPTCHA:

1. PIX

Create a large database of labeled images.

Pick a concrete object.

Pick more random images of the object from the image database.

Distort the images.

Ask the user to pick the object from a list of words.

2. BONGO

Visual Puzzle

Computer can generate and display, but not solve

Bongo is based on a visual pattern recognition problem.

As Figure below shows, a Bongo CAPTCHA uses two sets of images; each set has some specific characteristic. One set might be boldface, for example, while the other is not. The system then presents a single image to the user who then must specify the set to which the image belongs.  

3. Pessimal Print

Pessimal Print works by pseudo randomly combining a word, font, and a set of image degradations to generate images like the ones in Figure.

CONCLUSION

Image-based authentication techniques, although currently in their infancy, might have a wider applicability in future.

We perceive it to be a more user-friendly technique that helps to increase the password quality tremendously compared to a text-based approach.

In this seminar we have proposed a simple yet secure authentication technique.

We have also identified various issues related with such a system and proposed a novel concept of Image Buckets in overcoming some shortcomings.

It's better to be safe than sorry!!
