IMAGE BASED AUTHENTICATION


Page 1: Image based authentication

IMAGE BASED AUTHENTICATION

Page 2: Image based authentication

HUMAN AUTHENTICATION

What you are (biometric)

What you have (token)

What you know (password)

Page 3: Image based authentication

PROBLEMS WITH PASSWORDS

Finger attacks

Word of mouth transfer

Dictionary attacks

Image Based Authentication (IBA) can solve all of these

Page 4: Image based authentication

WHAT IS IBA BASED ON?

IBA is based on a user’s successful identification of his image password set. After the username is sent to the authentication module, it responds by displaying an image set, which consists of images from the user’s password set mixed with other images. The user is authenticated by correctly identifying the password images.

Page 5: Image based authentication

DEFINITIONS

Image Space (IS) – the set of all images used by the IBA system.

Individual Image Set (IIS) – the set of images that a user (u) chooses to authenticate himself.

Key Image – any image in a user's IIS.

Presentation Set (PS) – the set of images presented to a user from which the key images must be selected for a given authentication attempt.

Page 6: Image based authentication

ARCHITECTURE

Authentication User Agent (AUA)

Authentication Server (AS)

The communication between them is encrypted using authenticated Diffie-Hellman.

The AS is assumed to be a part of the Trusted Computing Base.

Page 7: Image based authentication

BASIC PROTOCOL

Image Set Selection

Alice selects ‘n’ images (n is set by the administrator, Bob).

Bob stores the image set at the AS.

Presentation Subsets

Bob picks one image from IISa and some other images from IS-IISa for each PS_i.

Alice picks the IISa image from each PS_i.

Page 8: Image based authentication

BASIC PROTOCOL - AUTHENTICATE

A→B: Username = Alice
B→A: Presentation set for Round 1, PS1.
A→B: Identified image.
B→A: Presentation set for Round 2, PS2.
A→B: Identified image.
…
B→A: Presentation set for Round R, PSR.
A→B: Identified image.

If all R steps are successful, Bob authenticates Alice.

Page 9: Image based authentication

ATTACKS

Image Based Authentication is not foolproof.

There are four points of vulnerability:

1. Information stored on the AS.
2. Information sent between the AS and AUA.
3. The output at the AUA.
4. The input at the AUA.

Page 10: Image based authentication

KEYSTROKE LOGGING: AUA INPUT

Eve can observe or log Alice’s keystrokes and later authenticate herself as Alice.

COUNTER: Display the images in random order. Keystrokes are only meaningful for this PS in this display order.
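The basic protocol and the random-display-order counter above, as an added example that is not part of the original slides. Image IDs, function names, the PS size of 9, using a different key image in each round, and running all R rounds after a miss are assumptions of this example.

```python
import secrets

rng = secrets.SystemRandom()  # CSPRNG: decoys and display order must be unpredictable

# Constructed sample data: image IDs stand in for the actual pictures.
SAMPLE_IS = [f"img{i:03d}" for i in range(100)]                   # Image Space
SAMPLE_IIS = {"img003", "img017", "img042", "img058", "img091"}   # Alice's IIS

def build_presentation_set(image_space, iis, key_image, size):
    """AS side: one key image plus size-1 decoys drawn from IS - IIS, shuffled."""
    if key_image not in iis:
        raise ValueError("key image must come from the user's IIS")
    decoy_pool = sorted(set(image_space) - set(iis))
    if len(decoy_pool) < size - 1:
        raise ValueError("not enough non-key images for this PS size")
    ps = rng.sample(decoy_pool, size - 1) + [key_image]
    rng.shuffle(ps)  # fresh display order for every PS
    return ps

def authenticate(image_space, iis, rounds, ps_size, pick):
    """Run R rounds; pick(ps) models the AUA and returns the chosen screen position."""
    if rounds > len(iis):
        raise ValueError("this sketch uses a different key image in every round")
    ok = True
    for key in rng.sample(sorted(iis), rounds):
        ps = build_presentation_set(image_space, iis, key, ps_size)
        position = pick(ps)
        # All R rounds always run, so a failure does not reveal which round missed.
        ok &= 0 <= position < len(ps) and ps[position] == key
    return ok

def honest_pick(ps):
    """Alice: finds the single image in the PS that belongs to her IIS."""
    return next(i for i, image in enumerate(ps) if image in SAMPLE_IIS)

def logged_positions_accepted(positions, trials, ps_size=9):
    """Count fresh sessions that accept screen positions logged in an earlier one."""
    accepted = 0
    for _ in range(trials):
        replay = iter(positions)
        accepted += authenticate(SAMPLE_IS, SAMPLE_IIS, len(positions),
                                 ps_size, lambda ps: next(replay))
    return accepted

def blind_guess_probability(ps_size, rounds):
    """Chance that uniform guessing passes all R rounds: (1/|PS|)^R."""
    return (1 / ps_size) ** rounds
```

Because the display order is reshuffled for every PS, logged positions are worth no more than a blind guess, which is why `logged_positions_accepted` stays near zero.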

Page 11: Image based authentication

SHOULDER SURFING: AUA OUTPUT LOGGING

Eve can observe Alice’s screen (during the authentication process) and later authenticate herself as Alice.

Counter: Display the image when the mouse is over it. Otherwise gray out the image.

If input is hidden, then which image is selected is not known; Eve only gets the PS_i’s.

Page 12: Image based authentication

OTHER ATTACKS:

Brute Force Attack

Frequency Correlation Attack

Intersection Attack

Logic Attack

Countering Frequency Correlation Attack

Decoy Screen

Image Buckets

Fixed PS per Key Image

Page 13: Image based authentication

IMPLEMENTATION ISSUES:

Image Set Storage: Password schemes normally store only the hash of a user’s password. By compromising the server, the attacker cannot recover the password. In our scheme, the server cannot merely store the hash. The server needs to know the image set itself in order to present the authentication screens. If a server is compromised, it will be possible to retrieve the image set of every user. However, many authentication schemes depend heavily on the impenetrability of the Trusted Computing Base and they have been widely deployed.

Page 15: Image based authentication

OVERVIEW

CAPTCHA stands for Completely Automated Public Turing Test to tell Computers and Humans Apart.

CAPTCHA is an automated test that can distinguish between machines and humans.

It differentiates between humans and bots by setting some task that is easy for most humans to perform but is more difficult and time consuming for current bots to complete.

Page 16: Image based authentication

APPLICATIONS OF CAPTCHA:

Preventing Comment Spam in Blogs.

Protecting Website Registration.

Protecting Email Addresses From Scrapers.

Online Polls.

Preventing Dictionary Attacks.

Worms and Spam.

Page 17: Image based authentication

FOLLOWING ARE THE TWO TYPES OF IMAGE BASED CAPTCHA:

1. PIX

Create a large database of labeled images.

Pick a concrete object.

Pick more random images of the object from the image database.

Distort the images.

Ask the user to pick the object from a list of words.

Page 19: Image based authentication

2. BONGO

Visual Puzzle

Computer can generate and display, but not solve

Bongo is based on a visual pattern recognition problem.

Page 20: Image based authentication

As the figure below shows, a Bongo CAPTCHA uses two sets of images; each set has some specific characteristic. One set might be boldface, for example, while the other is not. The system then presents a single image to the user, who must then specify the set to which the image belongs.

Page 21: Image based authentication

3. Pessimal Print

Pessimal Print works by pseudorandomly combining a word, a font, and a set of image degradations to generate images like the ones in the figure.

Page 22: Image based authentication

CONCLUSION

Image-based authentication techniques, although currently in their infancy, might have a wider applicability in future.

We perceive it to be a more user-friendly technique that helps to increase the password quality tremendously compared to a text-based approach. In this seminar we have proposed a simple yet secure authentication technique.

We have also identified various issues related with such a system and proposed a novel concept of Image Buckets in overcoming some shortcomings.

It's better to be safe than sorry!!
