International Journal of Advanced Technology & Engineering Research (IJATER)

ISSN No: 2250-3536 Volume 2, Issue 4, July 2012 92

3D PASSWORD: MINIMAL UTILIZATION OF
SPACE AND VAST SECURITY COUPLED WITH
BIOMETRICS FOR SECURE AUTHENTICATION
Ms. Nidhi Maria Paul, Student, Nagarjuna College of Engineering and Technology; Ms. Monisha Shanmugham, Student, Nagarjuna College of
Engineering and Technology

Abstract

Existing systems of authentication are plagued by many
weaknesses. Commonly, textual passwords are used to secure
data or user accounts. However these can be cracked by the
application of various brute-force algorithms as the maximum
password length is fixed and there are a finite number of
possibilities which exist. Presently existing graphical
passwords have password space which is lesser than or equal
to the textual password space. The 3D password authentication
scheme is based on a combination of multiple sets of factors.
A 3D virtual environment is presented to the user where he
navigates and interacts with a multitude of objects which are
present. The order in which actions and interactions are
performed with respect to the objects constitutes the users 3D
password. The 3D password key space is built on the basis of
the design of the 3D virtual environment and the nature of the
objects selected. The advantage of the 3D password is that it
can combine many existing systems of authentication,
providing an extremely high degree of security to the user.
Biometrics can be coupled with the 3D password to further
increase the degree of security, making it extremely secure
and suitable for applications in which information security is
of essence. Several techniques like face recognition,
fingerprint recognition, hand geometry, iris recognition, and
palm print, vascular pattern recognition can be used. Pins and
passwords may be forgotten and token based identification
methods such as passports and driver licenses may be forged,
stolen, or lost. Thus the biometric system of identification
enjoys a new interest. It can even be applied in the most basic
level such as for a user on a home system as it is based on
recall on recognition and is easy to use.

1. Introduction

1.1 History
Users commonly use textual passwords, but do not take their
recommendations into account. They are inclined to select
words of significance from dictionaries, making then liable to
dictionary or brute force attacks. [3]

The fundamental principle behind graphical passwords is that
users would find it easier to remember and identify pictures as
compared to words. However, this paradigm faces a number of
complications. Some graphical passwords require a long time
to be executed, and more importantly, they can easily be noted
or observed when the user is in the process of authentication,
making it vulnerable to shoulder surfing attacks. Many
graphical passwords are still under research and development
in the need of further enrichments as well as usability studies
before they can be deployed in various markets. A number of
graphical passwords also have a password space that is lesser
than or equal to the textual password space. Other forms of
authentication also taken into account what is possessed by the
user in addition to what is known by them, a common example
being token based systems that are used in banking. These are
nevertheless susceptible to fraud, loss or theft.

1.2 3D Password Scheme

The 3D password is a paradigm which is based on a
combination of multiple sets of factors. The system of
authentication presents a 3D virtual environment to the user
where in the user navigates and interacts with the multitude of
objects that may be present. The order in which actions and
interactions are performed with respect to the objects
constitutes the users 3D password. The 3D password key
space is built on the basis of the design of the 3D virtual
environment and the nature of the objects selected. The
advantage of the 3D password is that it can combine many
existing systems of authentication, providing an extremely
high degree of security to the user. [2] This particular
authentication scheme has the following necessities: [1]

1) The scheme is not solely based on recall or
recognition. It is a combination of recall, recognition,
biometrics as well as token-based authentication
schemes.
2) Users should have the freedom to choose the
specifications of the 3D password, whether it will be
exclusively recall, biometric or token based, a
combination containing two or more schemes, etc.
This is important as different users have different
needs, they may not want to carry cards, or to present
biometric data while others may have weak memories.
In turn, this assures greater acceptability.
3) The scheme should contain secrets, ones that are
simple for the intended user to remember and complex
for intruders to guess. These should be complicated
for example, difficult to break down into a sequence
of steps and record on a piece of paper.
These secrets must be flexible, the user must be allowed to
change or remove them.
International Journal of Advanced Technology & Engineering Research (IJATER)


ISSN No: 2250-3536 Volume 2, Issue 4, July 2012 93
1.3 Biometrics

Biometrics or biometric authentication is used to identify
human beings on the basis of their characteristics or traits. It
is commonly used as a form of identification and access
control. Biometrics identifiers are the different characteristics
which can be measured that can be used to identify
individuals. There are two categories of biometric identifiers;
these include physiological and behavioral characteristics.
Biometric functionality encapsulates a variety of different
aspects. Selecting the use of a particular biometric for a
specified application must take several factors into
consideration.
1) Universality: Every person using the system should
posses the trait.
2) Uniqueness: The trait must be unique to each
individual who uses the system such that they can be
distinguished from one and another.
3) Permanent: The trait should be permanent and
invariant over time.
4) Measurability (Collectability): This refers to the ease
with which the trait can be acquired or measured.
5) Performance: This refers to the accuracy, speed and
robustness of the technology that is being used.
6) Acceptability: This encompasses how ready
individuals are to have their trait captured and
assessed.
7) Circumvention: This measures how easy it is for a
trait to be emulated by making use of an artifact or a
substitute.
It is unlikely that a single biometric system will meet the
needs of all applications. Figure 1 below shows the basic
block diagram of a biometric system.


Figure 1: Basic block diagram of a biometric system.

Biometric systems can operate in two modes, the first being
verification mode and the second being identification mode. In
verification mode, the system compares a captured biometric
with a template which has been stored in a biometric database
such that the user can be successfully authenticated. This
involves three steps, the first of which involves reference
models for all the users to be generated and stored within the
database. After this, the samples are matched with the
reference models in order to generate the genuine scores. The
final step is testing. This may involve the use of a smart card,
username or identification number such as a PIN indicating
which template must be used for comparison.
In the identification mode, the system executes a one-to-many
comparison with the biometric database such that the identity
of an unknown individual can be established. The process of
identification will be successful if while comparing the
biometric sample to the template the result falls within a
previously set threshold. If the process of identification is a
success, it may also be identified as a positive recognition. In
this case, the user need not provide any information on the
template to be used. However, in the case of a failure, it is a
negative recognition and the system must implicitly or
explicitly determine whether the user is who they deny to be.
The latter can be achieved only through the use of biometrics
as in this case, the use of personal recognition such as
passwords, PINs and keys are ineffective.
The first time a biometric system is accessed by a
user is known as enrollment. During this process, information
from the individual is captured and saved. In successive uses,
biometric information is detected and matched with the
information that has been stored at the time of enrollment.
Security during the stages of storage as well as retrieval is of
essence in order to make sure that the biometric system is
robust. The first block (sensor) acts as the interface between
the real world and the biometric system, it is responsible for
acquiring all the required data. Mostly, it is an image
acquisition system, but it may change according to the
characteristics that are desired by the user. The second block
deals with all the pre-processing, it must remove artifacts from
the sensor, enhance the given input, such as removal of the
background noise. The third block extracts all these necessary
features. This step is of great importance as it must be
accurate. A vector of numbers or images is compiled to create
a template, which is a synthesis of characteristics that have
been extracted from the source. Parts of the biometric
measurement that are not utilized within the comparison
algorithm are discarded from the template so as to decrease
the file size and protect the identity of the user who has
enrolled.
If enrollment is being performed, the template is
saved either on the card or in the database or both. While a
matching phase is being performed, the template that has been
obtained is transferred to a matcher which compares it to other
existing templates and estimates the distance between them
using an algorithm. The matching program that is used will
analyze the template with the input. An output will be present
for any specified use or purpose. The selection of biometrics
in any practical application should depend on the
characteristic requirements and the user requirements. The 3D
password scheme is an excellent paradigm in which
biometrics can be coupled, as together they can provide a very
strong, or impermeable level of security.
International Journal of Advanced Technology & Engineering Research (IJATER)


ISSN No: 2250-3536 Volume 2, Issue 4, July 2012 94
2. MATERIALS AND METHODS:

Here the designs of two 3D environments are specified, the
first one being a chess game and the second being a rotating
cube.In the chess game, the password is based on placing
the chess pieces in predefined positions on the chess board
and in the case of the rotating cube, the password is
constructed base on rotating the cube right, left, up and
down in addition to the option of inserting one of the input
images on different sides of the cube.

2.1. Environment 1 Chess:

When a new user enters the environment, the user must
initially enter all his details in the registration form. The user
must then click on the environment1 button to select the chess
environment. Figure 2[1] below shows an environment for a
chess game, having a total of 32 objects, out of which 16 are
red and 16 are white. It also encloses seven buttons all
together namely, New button, Record button, Stop button,
Play button, Confirm button, Close button and Swap button,
and one Checkbox option. Each button works as specified
below [1]:



Figure 2: Enviornment1 (Chess)

New button: Clicking this button initializes all the objects
(white and red). Prior to clicking this button, the
environment is completely empty.

Swap button: This button is used in order to change the
position of the red and white objects. In simple words, it
exchanges the positions of the white and red objects
respectively.

Record button: Before creating the 3D password, the user
must click this button, as a result of which the sequence of
actions and interactions are stored as the 3D password as a
string. In the event that the record button has not been clicked
initially, nothing is recorded and an error occurs when the user
slicks the stop button.
Stop button: This button is used to end the sequence of
actions and interactions. Clicking this button stops
recording the users movements and the recorded acti ons
and interactions are saved as a 3D password in the form
of a string.

Play button: Thi s but t on can be used by t o user t o
check the acti ons and int eract i ons that have been
per formed aft er pr essing the st op butt on. Once thi s
but t on i s cli cked, the user can see a pl ayback of the
acti ons and int eracti ons whi ch have been st or ed as a
3D passwor d.

Confirm button: This button confirms the 3D password.
Once this button is clicked, the user cannot change the 3D
password. The user can however, change his/her password
prior to clicking this button by selecting the new button.

Close button: Once clicked, the environment is closed and
control returns to the registration form.

2.2 Environment 2 Cube:

The second environment presented in this paper is that of a
cube. Figure 3 shows a snapshot of environment2. When this
environment is selected, the cube is placed at an initial
position of (400, 240, 0) co-ordinates with respect to the x, y
and z axis. In addition to this point in the environment,
another point known as the camera point is fixed. The camera
position is set at the co-ordinates (400, 240,-500) on the x, y
and z axis respectively. It is a reference point, or the point
from which the user can see the sequence of actions and
interactions that are being performed on the cube.

There are mainly four actions that can be performed within
this environment, each being further divided into six sub
actions and as well as an input action which is used to load
an image onto each side of the cube. The four main actions
are described below [1]:

Move Cube: This is a main move cube action having the
following six sub actions, Left, Right, Up, Down, In, Out. A
c l i ck on ea ch of t h e s e but t on s t r a n s l a t e s t he
c u be by 45 co-ordinates with respect to the which button is
clicked. The maximum number of times each button can be
clicked is six. Clicking the button for a seventh time will
result in an error message to the user indicating that the
maximum limit has been crossed.

Rotate Cube: This main action has the following sub actions,
rotate cube x-direction, y-direction, z- direction and x-
direction, -y-direction, -z-direction. A single click on one of
these buttons will rotate the cube in a 45 direction with
respective to which button is clicked. The maximum number
of times each button can be clicked is six. Clicking the button
for a seventh time will result in an error message to the user
indicating that the maximum limit has been crossed.

International Journal of Advanced Technology & Engineering Research (IJATER)


ISSN No: 2250-3536 Volume 2, Issue 4, July 2012 95
Move Camera: The sub actions are Left, Right, Up, Down,
In, Out. When the user single clicks on these buttons then the
camera or reference point moves 45 co-ordinates with
respective to the button which is clicked. The maximum
number of times each button can be clicked is six. Clicking
the button for a seventh time will result in an error message
to the user indicating that the maximum limit has been
crossed.

Turn Camera: The sub actions specified by this button are
Left, Right, Up, Down, CW (Clockwise), CCW (Counter
clock -Wise) direction. A cl i ck on e a ch of t h e s e
bu t t on s t r a n s l a t e s t h e cu be by 45 co-ordinates
with respect to which button is clicked. The maximum
number of times each button can be clicked is six. Clicking
the button for a seventh time will result in an error message
to the user indicating that the maximum limit has been
crossed.

Load Image: This allows the user to load an image on each
side of the cube strengthening the password. Any number
of actions and interactions can be performed and to save
the 3D password, the user must click on the close button.


Figure 3: Snapshot of Enviornment2 Cube

3. RESULTS & DISCUSSION

3.1 3-D password space sizes

To decide the 3-D password space its required to count all
possible 3-D password that have certain number of
action interaction and inputs towards all objects that are
present in the environment. Now we proceed to
calculate the password space for the two environments
which are specified in this environment.

3.1.1 Enviornment-1 (Chess):

In the suggested scheme we are calculating the password
space taking into consideration that the user wants to move
a single chess piece at a time when the environment is in
view. Assume that we are starting with a chess board that
is set up for the start of a game. . Each player has 16
pieces. Consider the scenario where white starts first,
white has a total number of 20 moves that he/she can
possible make.

1. The white player may move any pawn
forward by one or two positions.
2. The white player can move either knight in
two different ways.

The white player chooses one of those 20 moves and
makes it. The equation for calculating the password space
is [1]:


n=Lmax

(L
max
, G) = (m + g (AC))
n

n=l

Here,
m All possible actions and interaction towards all existing
objects. In the case of our example, the value is 20.
g(AC) The count of the total number of actions and inputs
towards the environment. In our example, the action is only
one i.e. moving the object and the interactions are 3
(moving pawn forward, moving either knight in two
different ways). So the value of g(AC) is 3.
G (GGG) Number of actions, interactions and inputs,
for consideration action is only one i.e. move, interactions
are 3 and inputs are nil. So the value of G is 3.
Lmax The maximum length of password. Here L
max =
17. Then the possible password space for our consideration is
[1]:

n=17
(17, 3) = (20+ 3)
n

n=1

= 3.7714x10
43

The above value gives the total amount of space in bytes that
is requires to store the password for environment1.

3.1.2 Enviornment-2 (Cube):

In environment-2 the suggested scheme creates the password
by moving, rotating and performing zoom operations on the
cube. In order to create the codeword there are four different
actions i.e., moving cube, rotating cube, moving camera,
rotating camera along the x, y, z axis. And for each action
user can perform the six different interactions.

The terms to calculate password space for environment -2 are
[1]:
G (G GG) number of actions, interactions and
International Journal of Advanced Technology & Engineering Research (IJATER)


ISSN No: 2250-3536 Volume 2, Issue 4, July 2012 96
inputs.
Number of actions = 4 (moving cube, rotating cube, moving
camera, rotating camera)
Number of interactions = 6
Number of inputs = 6 (Placing an image on each side of cube)

So, G = GGG = 466 = 144

m All possible actions and interactions towards all
existing objects in environment.

For Proposed scheme environment is, for each action we
have total 36 interactions so total possible interactions are m
= 1679616.

Lmax Specifies the maximum length of password, for this
environment by taking the input i.e. the images on each side
of cube having the name six characters wide then the value
for Lmax is 111.
g (AC) Count of total number actions and interactions
towards virtual environment.

For this environment it is 24 (6 4) Now, the password
space for this environment is [1]:
n=Lmax
(L
max
, G) = (m + g (AC))
n
n=1
After placing the values


n=111
(111, 144) = (1679616 + 24)
n
n=1

The value obtained gives the total amount of space required in
bytes to store passwords for environment-2.

3.1.3 Enviornment-2 (Cube without any
image input):

Let us calculate the password space without taking into
consideration the image input.

Hence,

G (G GG) Number of actions, interactions and inputs.
Number of actions = 4 (moving cube, rotating cube, moving
camera, rotating camera)
Number of interactions = 6
Input = Nil

So, G = GG = 46 = 24

m All possible actions, interactions towards all existing
objects in environment. For our environment is, for each
action we have total 36 interactions so total possible
interactions are,

m = 1679616

Lmax maximum length of password, for this environment,
Lmax is 8

g (AC) count of total number actions and interactions
towards hypothetical environment. For this environment it is
24 (6 4).

Now, the password space for this environment is
[1]:

n=Lmax
(Lmax, G) = (m + g (AC))
n

n=1

After placing the values,

n=8
(8, 24) = (1679616 + 24)
n
n=1

= 1.4744610
20

The above value gives the total amount of space in bytes that
would be required to store the 3D password for environment2
without an input.

3.2 Comparison: Text and 3D password
This section compares textual passwords with the suggested
scheme. The comparison is between the length of textual
password and the action and interactions with 3-D objects in
virtual environment. In the following table, the textual
password length has been taken as one character and a
single action which is present in enviornment1 and
enviornment2. The following table shows the comparison
between the length of text and 3-D password for virtual
environment1 and enviornment2 [1].











International Journal of Advanced Technology & Engineering Research (IJATER)


ISSN No: 2250-3536 Volume 2, Issue 4, July 2012 97
Table 1. Comparison between Text and 3D Password




























No. of
Action/
Charact
er
Encrypte
d 3D
Password
Size of
Env-1 in
Byte
Encrypted
Text
Password
size in Byte
Encrypte
d 3D
Password
Size of
Env-2 in
Byte
Encrypted 3D
Password Size
of Env-2 with
no image in
Byte
1 23 2 18 8
2 39 3 19 8
3 55 4 22 8
4 71 6 23 8
5 87 7 24 8
6 103 8 26 8
7 119 10 28 8
8 135 12 31 8
9 151 13 34 8
10 167 14 36 8
11 188 15 39 8
12 202 16 42 8
13 218 18 44 8
14 236 19 39 8
15 247 20 43 8
16 263 22 47 8
17 283 23 51 8
18 300 24 55 8
19 319 26 59 8
20 340 27 63 8
No. of
Action/
Charact
er
Encrypte
d 3D
Password
Size of
Env-1 in
Byte
Encrypted
Text
Password
size in Byte
Encrypted
3D
Password
Size of
Env-2 in

Byte
Encrypted 3D
Password
Size of Env-2
with no
image in Byte
21 354 28 50 8
22 370 30 55 8
23 391 32 60 8
24 402 33 66 8
25 418 34 71 8
26 428 35 76 8
27 439 36 82 8
28 468 38 60 8
29 476 39 67 8
30 487 40 74 8
31 522 42 80 8
32 530 43 87 8
33 546 44 94 8
34 572 46 100 8
35 604 47 71 8
36 612 49 79 8
37 620 50 87 8
38 628 52 95 8
39 652 53 103 8
40 660 54 111 8
International Journal of Advanced Technology & Engineering Research (IJATER)


ISSN No: 2250-3536 Volume 2, Issue 4, July 2012 98
Table 1 shows the comparison of password space required
for text and 3-D password for enviornment1, enviornment2
and environment2 with no images. The proposed scheme is
compared with 40 different records by taking length of text
password from one character to forty characters and single
action to forty actions on 3-D objects in environment1 and
enviornment2 [1].

3.3 Performance result in Graphs:

Figure 4 shows that the blue line shows the password space
required for 3-D Env-1 and the yellow line password space
for Env-2 with images and the green line shows the
password space required for Env-2 with no images
whereas the pink line shows the password length for text
password[1].

4. Conclusion

In 3D password system as number of series of action and
interaction in the hypothetical 3D environment increases
then the length of the codeword also increases. The amount
of memory that is required to store a 3D password is large
when compared to a textual password. This paper presents
two environments in which the space required to store the
3D password is reduced. The first environment is a chess
game in which user creates the 3D password by moving the
chess pieces in valid places on chessboard. The second
environment is a cube in which user constructs the 3D
password by moving the cube left, right, up, down and by
turning around the axis of the cube along with choice of
placing the input images on each side of cube. In the second
environment cube without any image input, a user can
perform a greater number of actions and interactions as
compared with first environment and it is noticed that the
region necessary to store the 3D password is comparatively
very less, and the password created i s very strong.

Figure 4: Comparison of text and 3D password for Env-1
and Env-2.


5. Acknowledgments

We would like to thank our lecturers, Mr. John J. P and Mr.
Subramanya S. G for their support and encouragement in
preparing this paper.

6. References

[1] Prof. Sonkar S.K.; Dr. Ghungrad S.B., Minimum Space
and Huge Security in 3D Password Scheme, International
Journal of Computer Applications (0975-8887), Volume 29-
No.4, September 2011
[2] Alsulaiman, F.A.; El Saddik, A., "Three- for Secure,"
IEEE Transactions on Instrumentation and measurement,
vol.57, no.9, pp 1929-1938.Sept. 2008

[3] D. V. Klein, Foiling the cracker: A survey of, and to
passwords security, in Proc. USENIX Security, pp.14

[4] I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter, and
A.D. Rubin, The design and analysis of graphical
passwords, in Proc. 8
th
USENIX Security
Symp, Washington DC, Aug.1999, pp.1-14.

[5] X. Suo, Y. Zhu, and G. S. Owen, Graphical passwords:
A survey, in Proc. 21st Annual. Computer Security
Appl. Conf., Dec. 59, 2005, pp. 463472.

[6] D. Weinshall and S. Kirkpatrick, "Passwords Youll
Never Forget, but Cant Recall," in Proceedings of
Conference on Human Factors in Computing Systems
(CHI). Vienna, Austria: ACM, 2004, pp. 1399-1402.
[7] L. Sobrado and J.-C. Birget, "Graphical passwords," The
Rutgers Scholar, An Electronic Bulletin for
Undergraduate Research, vol. 4, 2002.

[8] D. Hong, S. Man, B. Hawes, and M. Mathews, "A
password scheme strongly resistant to spyware," in
Proceedings of International conference on security and
management. Las Vergas, NV, 2004.

[9] S. Man, D. Hong, and M. Mathews, "A shouldersurfing
resistant graphical password scheme," in Proceedings of
International conference on security and management.
Las Vegas, NV, 2003.

[10] Two Factor Authentication for the Enterprise,
http://realuser.com/realuser.
[11] Biometrics, http://en.wikipedia.org/wiki/Biometrics