
MIC College of Technology: Technical Seminar Report

The document describes a study on a proposed new authentication method called a 3D password. A 3D virtual environment was created containing objects that a user could interact with to create their unique 3D password. 30 volunteers tested the 3D password system over several days and their experiences were analyzed. Most users found 3D passwords to have high acceptability and not threaten personal privacy. Compared to traditional text passwords, 3D passwords provided a much larger password space and were not as easily forgotten, shared, or written down. The 3D password approach showed potential to improve upon existing authentication methods.

Uploaded by

Sarat Pendela
Copyright
© Attribution Non-Commercial (BY-NC)

Devineni Venkata Ramana & Dr. Hima Sekhar

MIC College of Technology


Kanchikacherla, Krishna District, Pin: 521180. A.P. India.

ISO 9000:2001

Three-Dimensional Password for More Secure Authentication

TECHNICAL SEMINAR REPORT

Name: D. S. ANUHYA

Regd. No: 07H71A0503

Class: IV B.Tech II Semester

Year: 2010-2011


DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

CERTIFICATE

Certified that the Technical seminar entitled "Three-Dimensional Password for More Secure Authentication", which is a bonafide work carried out by Fawaz A. Alsulaiman and Abdulmotaleb El Saddik, Senior Member, IEEE, and presented by Ms. D. S. ANUHYA, bearing register No. 07H71A0503, in partial fulfillment for the award of the degree of Bachelor of Technology in Computer Science and Engineering of Jawaharlal Nehru Technological University, Kakinada during the year 2010-2011. It is certified that all corrections/suggestions indicated for internal assessment have been incorporated in the report. The Seminar report has been approved as it satisfies the academic requirements in respect of Technical Seminar report work prescribed for the said degree.

Co-ordinator

Head of the Department

Three-Dimensional Password for More Secure Authentication

By D. S. ANUHYA

Roll No: 07H71A0503

ABSTRACT

Current authentication systems suffer from many weaknesses. Textual passwords are commonly used; however, users do not follow their requirements. Users tend to choose meaningful words from dictionaries, which makes textual passwords easy to break and vulnerable to dictionary or brute force attacks. Many available graphical passwords have a password space that is less than or equal to the textual password space. Smart cards or tokens can be stolen. Many biometric authentications have been proposed; however, users tend to resist using biometrics because of their intrusiveness and the effect on their privacy. Moreover, biometrics cannot be revoked. In this paper, we present and evaluate our contribution, i.e., the 3-D password. The 3-D password is a multifactor authentication scheme. To be authenticated, we present a 3-D virtual environment where the user navigates and interacts with various objects. The sequence of actions and interactions toward the objects inside the 3-D environment constructs the user's 3-D password. The 3-D password can combine most existing authentication schemes such as textual passwords, graphical passwords, and various types of biometrics into a 3-D virtual environment. The design of the 3-D virtual environment and the type of objects selected determine the 3-D password key space.

Index Terms: Authentication, biometrics, graphical passwords, multifactor, textual passwords, 3-D passwords, 3-D virtual environment.

CONTENTS

1. Introduction
2. Related Works
3. 3-D Password Scheme
4. Experimental results
5. Conclusion and future works
6. References

INTRODUCTION
THE DRAMATIC increase of computer usage has given rise to many security concerns. One major security concern is authentication, which is the process of validating who you are to whom you claimed to be. In general, human authentication techniques can be classified as knowledge based (what you know), token based (what you have), and biometrics (what you are). Knowledge-based authentication can be further divided into two categories as follows: 1) recall based and 2) recognition based [1]. Recall-based techniques require the user to repeat or reproduce a secret that the user created before. Recognition-based techniques require the user to identify and recognize the secret, or part of it, that the user selected before [1].

One of the most common recall-based authentication schemes used in the computer world is textual passwords. One major drawback of the textual password is its two conflicting requirements: the selection of passwords that are easy to remember and, at the same time, are hard to guess.

Klein [2] collected the passwords of nearly 15 000 accounts that had alphanumerical passwords, and he reached the following observation: 25% of the passwords were guessed by using a small yet well-formed dictionary of 3 × 10^6 words. Furthermore, 21% of the passwords were guessed in the first week and 368 passwords within the first 15 min. Klein [2] stated that by looking at these results in a system with about 50 accounts, the first account can be guessed in 2 min and 5–15 accounts can be guessed in the first day. Klein [2] showed that even though the full textual password space for eight-character passwords consisting of letters and numbers is almost 2 × 10^14 possible passwords, it is easy to crack 25% of passwords by using only a small subset of the full password space. It is important to note that

RELATED WORKS
The graphical password schema of Blonder [6] is considered to be recall based since the user must remember selection locations. Moreover, PassPoint [10]–[12] is a recall-based graphical password schema, where a background picture is presented and the user is free to select any point on the picture as the user's password (user's PassPoint). Draw A Secret (DAS), which is a recall-based graphical password schema introduced by Jermyn et al. [13], is simply a grid in which the user creates a drawing. The user's drawings, which consist of strokes, are considered to be the user's password. The size and the complexity of the grid affect the probable password space. Larger grid sizes increase the full password space. However, there are limitations in grid complexity due to human error. It becomes very hard to recall where the drawing started and ended and where the middle points were if we have very large grid sizes.

3-D PASSWORD SCHEME


In this section, we present a multifactor authentication scheme that combines the benefits of various authentication schemes. We attempted to satisfy the following requirements.

1) The new scheme should not be either recall based or recognition based only. Instead, the scheme should be a combination of recall-, recognition-, biometrics-, and token-based authentication schemes.

2) Users ought to have the freedom to select whether the 3-D password will be solely recall-, biometrics-, recognition-, or token-based, or a combination of two schemes or more. This freedom of selection is necessary because users are different and they have different requirements. Some users do not like to carry cards. Some users do not like to provide biometrical data, and some users have poor memories. Therefore, to ensure high user acceptability, the user's freedom of selection is important.

3) The new scheme should provide secrets that are easy to remember and very difficult for intruders to guess.

4) The new scheme should provide secrets that are not easy to write down on paper. Moreover, the scheme secrets should be difficult to share with others.

5) The new scheme should provide secrets that can be easily revoked.

Fig. Password space of the 3-D password, textual password, Passfaces, and DAS with grid sizes of 5 × 5 and 10 × 10. Length is the number of actions and interactions for a 3-D password, the number of characters for textual passwords, the number of selections for Passfaces, and the number of points that represent the strokes for DAS. The length is up to eight (characters/actions, interactions, inputs/selections). The 3-D password virtual environment is as specified in Section V-A; bit size is the log2 of the entire probable password space.
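The gap between the full textual password space and the work an attacker actually faces can be put in numbers using Klein's figures from the Introduction and the caption's definition of bit size. This is an added example, not code from the report or the paper; the two-tier model (25% of accounts spread uniformly over the dictionary, the rest uniformly over the remaining space) and all function names are assumptions.

```python
import math

ALPHABET = 62          # letters and numbers: 26 + 26 + 10
LENGTH = 8             # eight-character passwords, as in Klein's figure
DICT_SIZE = 3 * 10**6  # dictionary size quoted from Klein
DICT_HIT = 0.25        # share of accounts guessed with that dictionary


def space(alphabet: int, length: int, up_to: bool = False) -> int:
    """Passwords of exactly `length` symbols, or of 1..length if up_to."""
    if up_to:
        return sum(alphabet**k for k in range(1, length + 1))
    return alphabet**length


def bit_size(n: float) -> float:
    """Bit size as the figure caption defines it: log2 of the space."""
    return math.log2(n)


def guesses_needed(alpha: float, full: int, dict_size: int = DICT_SIZE,
                   dict_hit: float = DICT_HIT) -> float:
    """Guesses per account to crack a share `alpha`, dictionary first.

    Assumed model: `dict_hit` of the accounts lie uniformly inside the
    dictionary, the others uniformly in the rest of the full space.
    """
    if not 0 < alpha <= 1:
        raise ValueError("alpha must be in (0, 1]")
    if alpha <= dict_hit:
        return alpha / dict_hit * dict_size
    rest = (alpha - dict_hit) / (1 - dict_hit)
    return dict_size + rest * (full - dict_size)


def report() -> list[tuple[float, float]]:
    """(target share, bits of guessing work per account)."""
    full = space(ALPHABET, LENGTH)
    return [(a, round(bit_size(guesses_needed(a, full)), 1))
            for a in (0.10, 0.25, 0.50, 1.00)]


if __name__ == "__main__":
    full = space(ALPHABET, LENGTH)  # 62^8, the "almost 2 x 10^14" above
    print(f"full space: {full:.3e} ({bit_size(full):.1f} bits)")
    for alpha, bits in report():
        print(f"crack {alpha:4.0%} of accounts: about 2^{bits} guesses each")
```

Under this model the nominal bit size only describes the last accounts to fall; the first quarter is protected by roughly the bit size of the dictionary.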

EXPERIMENTAL RESULTS
We have built an experimental 3-D virtual environment that contains several objects of two types. The first type of response is the textual password. The second type of response is requesting graphical passwords. Almost 30 users volunteered to experiment with the environment. We asked the users to create their 3-D password and to sign in using their 3-D password several times over several days.

A. Experimental Virtual 3-D Environment

In our experiment, we have used Java Open GL to build the 3-D virtual environment and we have used a 1.80-GHz Pentium M Centrino machine with 512-MB random access memory and ATI Mobility Radeon 9600 video card.

B. User Study

We conducted a user study on 3-D passwords using the experimental 3-D virtual environments. The study reviewed the usage of textual passwords and other authentication schemes. The study covered almost 30 users. The users varied in age, sex, and education level. Even though it is a small set of users, the study produced some distinct results [13], [15]. We observed the following regarding textual passwords, 3-D passwords, and other authentication schemes.

1) Most users who use textual passwords of 9–12 character lengths or who use random characters as a password have only one to three unique passwords.

2) More than 50% of users' textual passwords are eight characters or less.

3) Almost 25% of users use meaningful words as their textual passwords.

4) Almost 75% of users use meaningful words or partially meaningful words as their textual passwords. In contrast, only 25% of users use random characters and letters as textual passwords.

5) Over 40% of users have only one to three unique textual passwords, and over 90% of users have eight unique textual passwords or less.

6) Over 90% of users do not change their textual passwords unless they are required to by the system.

7) Over 95% of users under study have never used any graphical password scheme as a means of authentication.

8) Most users feel that 3-D passwords have a high acceptability.

9) Most users believe that there is no threat to personal privacy by using a 3-D password as an authentication scheme.

CONCLUSION AND FUTURE WORK


There are many authentication schemes in the current state. Some of them are based on physical and properties, and some other authentication schemes are based on users' knowledge, such as textual and graphical passwords. Moreover, there are some other important authentication schemes that are based on what you have, such as smart cards. Among the various authentication schemes, textual password and token-based schemes, or the combination of both, are commonly applied. However, as mentioned before, both authentication schemes are vulnerable to certain attacks. Moreover, there are many authentication schemes that are currently under study and they require additional time and effort to be applicable for commercial use. The 3-D password is a multifactor authentication scheme that combines these various authentication schemes into a single 3-D virtual environment. The virtual environment can contain any existing authentication scheme, and even any upcoming authentication schemes, by adding it as a response to actions performed on an object. Therefore, the resulted password space becomes very large authentication schemes.
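As an added illustration (not code from the report or the paper), a 3-D password limited to exact-match responses can be modelled as an ordered list of (object, action, response) steps and stored only as a salted, slow hash, so it can be revoked by re-enrolling. The object names, the grid-cell encoding of the click and the choice of PBKDF2 are assumptions; biometric responses need tolerant matching and are left out.

```python
import hashlib
import hmac
import json
import os

# One interaction = (object id, action, response). All names are hypothetical.
Interaction = tuple[str, str, str]


def encode(sequence: list[Interaction]) -> bytes:
    """Canonical, order-preserving encoding of the interaction sequence."""
    return json.dumps([list(step) for step in sequence],
                      separators=(",", ":"), ensure_ascii=True).encode()


def enroll(sequence: list[Interaction], iterations: int = 200_000) -> dict:
    """Derive a verifier; only salt, iteration count and hash are stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", encode(sequence), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(record: dict, attempt: list[Interaction]) -> bool:
    """Recompute the hash for a login attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", encode(attempt),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


# Constructed sample: a textual response, a graphical one, then a bare action.
SECRET = [
    ("computer_1", "type", "falcon42"),
    ("picture_3", "click", "cell=12,4"),
    ("door_2", "open", ""),
]

if __name__ == "__main__":
    rec = enroll(SECRET)
    print("correct sequence:       ", verify(rec, SECRET))
    print("same steps, wrong order:", verify(rec, SECRET[::-1]))
```

Because the whole sequence is hashed as one unit, the verifier learns nothing about which step of a failed attempt was wrong.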


REFERENCES
[1] X. Suo, Y. Zhu, and G. S. Owen, "Graphical passwords: A survey," in Proc. 21st Annu. Comput. Security Appl. Conf., Dec. 5–9, 2005, pp. 463–472.
[2] D. V. Klein, "Foiling the cracker: A survey of, and improvement to passwords security," in Proc. USENIX Security Workshop, 1990, pp. 5–14.
[3] NBC news, ATM Fraud: Banking on Your Money, Dateline Hidden Cameras Show Criminals Owning ATMs, Dec. 11, 2003.
[4] T. Kitten, Keeping an Eye on the ATM. (2005, Jul. 11). Available: ATMMarketPlace.com
[5] BBC news, Cash Machine Fraud up, Say Banks, Nov. 4, 2006.
[6] G. E. Blonder, "Graphical password," U.S. Patent 5 559 961, Sep. 24, 1996.
[7] R. Dhamija and A. Perrig, "Déjà Vu: A user study using images for authentication," in Proc. 9th USENIX Security Symp., Denver, CO, Aug. 2000, pp. 45–58.
[8] Real User Corporation, The Science Behind Passfaces. (2005, Oct.). [Online]. Available: http://www.realusers.com
[9] D. Davis, F. Monrose, and M. K. Reiter, "On user choice in graphical password schemes," in Proc. 13th USENIX Security Symp., San Diego, CA, Aug. 2004, pp. 1–14.
[10] S. Wiedenbeck, J. Waters, J.-C. Birget, A. Brodskiy, and N. Memon, "Authentication using graphical passwords: Effects of tolerance and image choice," in Proc. Symp. Usable Privacy Security, Pittsburgh, PA, Jul. 2005, pp. 1–12.
