
SURVEY

1.1 COMPUTER SECURITY


Computer security[1] can be defined as the protection afforded to an automated information
system in order to attain the applicable objectives of preserving the integrity, availability and
confidentiality of information system resources.

1.2 NETWORK SECURITY


Network security consists of the policies and practices adopted to prevent and monitor
unauthorized access, misuse, modification, or denial of a computer network and network-accessible
resources. The most common and simplest way of protecting a network resource is to assign it a
unique name and a corresponding password.

At a time when the Internet provides essential services and is increasingly used as a tool for
commerce, security becomes a tremendously important issue to deal with. One essential aspect of
secure communications is cryptography.

1.3 CRYPTOGRAPHY
Cryptography[2] is the science of writing in secret code and is an ancient art. The first
documented use of cryptography in writing dates back to circa 1900 B.C. Cryptography is the method of
transferring private information and data through open network communication. Cryptography starts
with unencrypted data, referred to as plaintext. Plaintext is encrypted into ciphertext, which is in
turn decrypted back into usable plaintext.

The five primary functions of cryptography are privacy/confidentiality, authentication, integrity,
non-repudiation and key exchange. There are three types of cryptographic algorithms[2]: SKC, PKC and
hash functions.

1.3.1 Secret Key Cryptography (SKC)


This was the only kind of encryption publicly known until June 1976. A single key is used both for
encryption and decryption. The sender uses the key to encrypt the plaintext and sends the ciphertext to
the receiver. The receiver applies the same key to decrypt the message and recover the plaintext.
Because a single key is used, it is also called symmetric encryption.

1.3.2 Public-Key Cryptography(PKC)


Public key cryptography has been said to be the most significant new development in
cryptography in the last 300-400 years. PKC employs two keys that are mathematically related. One key is
used to encrypt the plaintext and the other key is used to decrypt the ciphertext. Because a pair of keys
is required, this approach is called asymmetric cryptography. In PKC, one of the keys is designated the
public key and may be advertised as widely as the owner wants. The other key is designated the private
key and is never revealed to another party.

1.3.3 Hash Functions
Hash functions are also called message digests or one-way encryption. A hash function is a
mathematical function that converts a numerical input value into another, compressed numerical value.
The input to the hash function is of arbitrary length, but the output is always of fixed length. The values
returned are called message digests. Some of the hash algorithms are Message Digest Algorithm, Secure
Hash Algorithm, RACE Integrity Primitives Evaluation Message Digest, Hash of Variable Length, Whirlpool,
Tiger etc.

Fig 1: Secret Key Cryptography, Public Key Cryptography Fig 2: Hash Function

A digital envelope comprises an encrypted message and an encrypted session key. A digital
signature is formed in two steps: first, computing the hash value; next, encrypting the hash value with
the private key. The receiver applies the hash function to the sender's original message, which the
receiver has already decrypted, and compares the result with the hash value recovered from the signature.
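The two properties this section relies on, fixed-length output for arbitrary-length input and the receiver's recompute-and-compare step, can be seen directly with Python's standard hashlib. The following is an added example written for this survey, not code from the cited references; the sample messages are constructed, and the comparison uses a constant-time compare so that a mismatch cannot be detected by timing.

```python
import hashlib
import hmac


def digest(data: bytes, algorithm: str = "sha256") -> bytes:
    """Return the fixed-length message digest of an arbitrary-length input."""
    return hashlib.new(algorithm, data).digest()


def differing_bits(a: bytes, b: bytes) -> int:
    """Count the bit positions in which two equal-length digests differ.

    A good hash flips roughly half of the output bits when one input bit
    changes (the avalanche effect), so nearby messages give unrelated digests.
    """
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def verify_digest(message: bytes, received_digest: bytes, algorithm: str = "sha256") -> bool:
    """Receiver-side integrity check: recompute the digest of the received
    message and compare it with the digest that accompanied it. This is the
    comparison step of signature verification once the signed hash has been
    recovered with the sender's public key."""
    return hmac.compare_digest(digest(message, algorithm), received_digest)


if __name__ == "__main__":
    # Constructed sample inputs: a 3-byte message and a 10,000-byte message.
    short, long = b"abc", b"A" * 10_000
    print("sha256 lengths:", len(digest(short)), len(digest(long)))  # both 32 bytes
    print("md5 length:", len(digest(short, "md5")))  # 16 bytes

    # One-character change in the message changes roughly half the digest bits.
    d1, d2 = digest(b"transfer 100"), digest(b"transfer 101")
    print(differing_bits(d1, d2), "of", 8 * len(d1), "digest bits differ")

    # The receiver accepts the untouched message and rejects the altered one.
    print(verify_digest(b"transfer 100", d1), verify_digest(b"transfer 101", d1))
```

Note that the hash alone gives integrity only against accidental change; anyone can recompute it after altering the message. The signature step (encrypting the digest with the private key) is what binds the digest to the sender.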

1.4 AUTHENTICATION
A convenient method of providing network security is authentication[3]. Authentication is the
act of confirming the truth of an attribute of a single piece of data claimed true by an entity. It might
involve confirming the identity of a person by validating their identity documents, verifying the
authenticity of a website with a digital certificate, etc. Widely used authentication protocols are Secure
Sockets Layer, IPsec, Secure Shell and Kerberos.

The ways in which someone may be authenticated fall into three categories, based on what are
known as factors of authentication: something the user knows (knowledge factor), something the user
has (ownership factor) and something the user is or does (inherence factor).

Types of authentication[3]
1. Single-factor authentication: Only a single component of the three categories of factors is used
to authenticate an individual's identity.
2. Two-factor authentication: When elements representing two factors are required for
authentication, the term two-factor authentication is applied (e.g. bank card and PIN).
3. Multi-factor authentication: Instead of two factors, multiple authentication factors are used.
This enhances the security of a transaction.
4. Strong authentication: This is defined as a layered authentication approach relying on two or
more authenticators to establish the identity of an originator or receiver of information.

1.4.1 PASSWORDS
Passwords[4] are the most widely used form of authentication. Users provide an identifier, a
typed-in word or phrase or perhaps a token card, along with a password. In many systems the passwords
are not stored as plaintext but are encrypted. The traditional method is textual passwords. These
passwords are strings of letters and digits, but they have several vulnerabilities.

One-time password (OTP)
To avoid the problems associated with password reuse, OTPs[4] were developed. There are two
types: the challenge-response password and the password list. In the challenge-response scheme, the
system responds with a challenge value after receiving a user identifier. The response is then calculated
from the challenge value, or selected from a table based on the challenge. The password-list OTP uses
lists of passwords which are used sequentially by the person wanting to access a system. The values are
generated so that it is very hard to calculate the next value from the previously presented values.
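Both OTP types described above can be built from a one-way hash. The password list below is a hash chain in the style of Lamport/S/KEY: the client keeps h[0] = seed and h[i] = H(h[i-1]), the server stores only the last value, and each login presents the value before the one the server holds, so computing the next password from a seen one would require inverting H. The challenge-response half returns HMAC(shared key, challenge) and consumes the challenge so it cannot be replayed. This is an added example for this survey, not code from reference [4]; the seed, key and chain length are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, List


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Password-list OTP (hash chain) -------------------------------------------
class HashChainClient:
    """Holds the whole chain; presents h[n-1], h[n-2], ... on successive logins."""

    def __init__(self, seed: bytes, length: int) -> None:
        self.chain: List[bytes] = [seed]
        for _ in range(length):
            self.chain.append(_h(self.chain[-1]))
        self.next_index = length - 1

    def enrollment_value(self) -> bytes:
        """h[n], the only value the server needs to store at enrollment."""
        return self.chain[-1]

    def next_password(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("password list exhausted; re-enrol with a new seed")
        value = self.chain[self.next_index]
        self.next_index -= 1
        return value


class HashChainServer:
    """Stores one value; accepts a password p only if H(p) equals it, then stores p."""

    def __init__(self, enrollment_value: bytes) -> None:
        self.last_value = enrollment_value

    def verify(self, presented: bytes) -> bool:
        if hmac.compare_digest(_h(presented), self.last_value):
            self.last_value = presented  # advance the chain: a replay no longer matches
            return True
        return False


# --- Challenge-response OTP ---------------------------------------------------
class ChallengeResponseServer:
    def __init__(self, shared_key: bytes) -> None:
        self.key = shared_key
        self.outstanding: Dict[str, bytes] = {}  # one open challenge per user id

    def challenge(self, user_id: str) -> bytes:
        value = os.urandom(16)  # unpredictable, so responses cannot be precomputed
        self.outstanding[user_id] = value
        return value

    @staticmethod
    def respond(shared_key: bytes, challenge: bytes) -> bytes:
        """Client side: the response is keyed hash of the challenge."""
        return hmac.new(shared_key, challenge, "sha256").digest()

    def verify(self, user_id: str, response: bytes) -> bool:
        challenge = self.outstanding.pop(user_id, None)  # single use
        if challenge is None:
            return False
        return hmac.compare_digest(self.respond(self.key, challenge), response)


if __name__ == "__main__":
    # Constructed sample: a 5-entry password list, then one challenge-response login.
    client = HashChainClient(seed=b"constructed-seed", length=5)
    server = HashChainServer(client.enrollment_value())
    for i in range(5):
        pw = client.next_password()
        print("login", i + 1, server.verify(pw), "replay:", server.verify(pw))

    key = b"constructed-shared-key"
    crs = ChallengeResponseServer(key)
    c = crs.challenge("alice")
    r = ChallengeResponseServer.respond(key, c)
    print("challenge-response:", crs.verify("alice", r), "replay:", crs.verify("alice", r))
```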

Textual passwords are set so that they are easy to remember, but they are vulnerable to various
attacks such as dictionary attacks, guessing, key loggers, shoulder surfing, social engineering, spyware
and hidden cameras. As an alternative to the textual password, the graphical password was proposed.

1.4.2 GRAPHICAL PASSWORD


Beginning around 1999, numerous graphical password schemes have been proposed. Like
textual passwords, graphical passwords are knowledge-based authentication mechanisms where users
enter a shared secret as evidence of their identity. In this technique images or shapes are used because
people can remember images more easily than text; psychological studies support this assumption.
Graphical password techniques[5] were originally described by Blonder.

Graphical password methods can be classified into four general categories: Drawmetric (draw
based), Locimetric (position based), Cognometric (chosen position) and hybrid schemes. Hybrid
schemes combine two or more of the other categories.

Fig 4: Graphical Password Methods

Graphical Password Techniques


Graphical techniques[5] are categorized as recognition-based systems and recall-based systems.

1. Recognition Based System
In this system, for registration the user has to select a certain number of images from a set of
random images in an order as a password, and for authentication the user has to identify those images
in the same order. The schemes under this are:

Jansen et al. Method[7]: In this scheme images of size 40x40 are shown in a 5x6 matrix based on a
selected theme, and the user selects images from the matrix with a stylus. A numerical sequence based
on the image selection is registered to form the password. At login time the user has to recognize the
same images in the same sequence.

Fig 5: Jansen et al method- Sea and shore theme, Dhamija and Perrig Scheme, Passface Scheme

Dhamija and Perrig Scheme[5]: In this scheme, during registration the user picks several pictures
of their choice from a set of random pictures in a sequence, and during authentication the user has to
identify those same pictures in the same sequence.

Passface Scheme[5]: In this scheme, human faces are used as the password. A grid of nine
human faces is shown; of these nine faces one is known to the user and the remaining are decoys. The
user has to recognize the known face among the nine. This is repeated until all four pass-faces are
identified.

Sobrado and Birget Scheme[5]: Sobrado and Birget developed a method to prevent shoulder
surfing attacks. In this scheme the system displays a number of pass-objects among other objects, and
the user clicks inside the convex hull bounded by the pass-objects.

Hong et al. Method[7]: The user has to enter a string corresponding to each variation of the pass-
icons. At login time the user is challenged to recognize the pass-icons on the grid login screen. Once an
icon has been correctly identified, the user has to enter the string corresponding to the variation of that
particular pass-icon.

Fig 6: Sobrado Birget scheme Fig 7: Hong et al Method Setting pass-icons and Login Screen

Akula and Devisetty[7]: The user has to identify the correct pass-images. It is similar to Dhamija
and Perrig; the only difference is that it stores a 20-byte hash code produced by the SHA-1 hash function.
It takes less memory, but the space occupied is still large.
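A recognition-based scheme of the Dhamija-Perrig / Akula-Devisetty kind reduces, on the server side, to storing a hash of the ordered list of chosen image identifiers and comparing a hash of the login selection against it. The example below is added for this survey and is not code from reference [7]; it uses a salted SHA-256 in place of the bare SHA-1 the text mentions, the 30-image pool and identifier names are constructed, and the `password_space` function shows how small the ordered-selection space of 4 images from 30 is compared with a 4-character alphanumeric password.

```python
import hashlib
import hmac
import os
import random
from typing import Dict, List, Sequence

# Constructed pool of image identifiers; a real system would map these to files.
IMAGE_POOL = [f"img{n:02d}" for n in range(30)]


def password_space(pool_size: int, picks: int) -> int:
    """Number of ordered selections of `picks` distinct images from `pool_size`
    (pool_size * (pool_size-1) * ... ), i.e. the size of the secret space."""
    total = 1
    for i in range(picks):
        total *= pool_size - i
    return total


def _encode(selection: Sequence[str]) -> bytes:
    # Join with a separator that cannot appear in identifiers, so that the
    # encoding is order-preserving and unambiguous before hashing.
    return "\x1f".join(selection).encode("utf-8")


def register(selection: Sequence[str]) -> Dict[str, object]:
    """Store only a salted hash of the ordered selection, never the selection itself."""
    if len(set(selection)) != len(selection):
        raise ValueError("pass-images must be distinct")
    salt = os.urandom(16)
    return {
        "salt": salt,
        "hash": hashlib.sha256(salt + _encode(selection)).digest(),
        "count": len(selection),
    }


def login_grid(pool: Sequence[str], rng: random.Random) -> List[str]:
    """The login screen shows the pool in a fresh random arrangement each time."""
    grid = list(pool)
    rng.shuffle(grid)
    return grid


def authenticate(record: Dict[str, object], attempt: Sequence[str]) -> bool:
    """Accept only the same images in the same order."""
    if len(attempt) != record["count"]:
        return False
    candidate = hashlib.sha256(record["salt"] + _encode(attempt)).digest()
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    chosen = ["img03", "img17", "img22", "img08"]  # constructed user choice
    record = register(chosen)
    print("grid:", login_grid(IMAGE_POOL, random.SystemRandom()))
    print(authenticate(record, chosen))                     # True
    print(authenticate(record, list(reversed(chosen))))     # False: wrong order
    print(password_space(30, 4), "ordered selections vs", 62 ** 4, "4-char alphanumeric passwords")
```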

2. Recall-Based System
In this system a user is asked to reproduce something that he created or selected earlier during
the registration stage. It has two categories: a) pure recall-based techniques, b) cued recall-based
techniques.
a. Pure Recall Based Techniques: Here the user is not provided with a clue to recall the password.
Some schemes belonging to this technique are:

Passdoodle Technique[6]: This is a handwritten design or text, usually drawn with a stylus on a
touch-sensitive screen.

Draw-A-Secret (DAS) Scheme[5]: Here the user draws a simple picture on a 2D grid. The coordinates
of the grid cells occupied by the picture are stored in the order of drawing. During authentication, the
user is asked to re-draw the picture in the same sequence.

Signature Scheme[5]: Here, during registration the user records a signature as the password, and
authentication is conducted by having the user draw their signature using the mouse.

Blonder Technique[6]: Here the user is presented with a predetermined image with predetermined
areas (tap regions). To create a password the user has to click those tap regions in a particular order. For
authentication, the user has to click the approximate areas of those tap regions in the predefined sequence.

Grid Selection[8]: This consists of a drawing grid and a DAS password. The selection grid is a fine-
grained grid from which the user selects a drawing grid to zoom in on, in which they may enter the password.

Fig 8: Passdoodle, DAS, Signature Scheme, Blonder Scheme, Grid Selection

b. Cued Recall Based Techniques: Here the user is provided with a clue to recall the password registered
earlier. Some schemes belonging to this technique are:

Pass-point technique[6]: Here the picture can be any natural picture or painting, but it should be
rich enough to have many possible click points. There is no need for predefined click points: the user can
click on any place on the image to create a password. A tolerance around each chosen pixel is
calculated. For authentication, the user has to click within the tolerances of the chosen click points in
the correct order.

Background DAS (BDAS) technique[6]: Here a background image is added to the original DAS as
an improvement, so the background image is the clue. The password is a free-form drawing that the user
creates on a grid underlaid with a background image of their choice; the background image helps the
user draw the password. For authentication the user has to recreate the same drawing on the grid with
the background image.

Qualitative DAS technique[8]: In this scheme, a stroke is mapped to its starting cell and the
sequence of qualitative direction changes. So the user needs to remember the starting cell index and the
correct direction order of each stroke.

Fig 9: Pass-point scheme, A Sample BDAS, A QDAS Sample

Cued Click Points (CCP)[7]: Unlike PassPoints, rather than making multiple clicks on a single image,
the user makes one click on each of several images. The images come in sequence one after the other,
and the image appearing next is determined by the click made on the previous image.
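The two click-based checks above, PassPoints (each click within a tolerance of the stored point, in order) and CCP (the next image chosen from the previous click), are shown together in the following added example, which is not code from references [6] or [7]. The tolerance is taken as a Euclidean radius in pixels, and the CCP next-image rule used here (hash the grid cell the click falls in and index into the image pool) is an assumption made for the example; published CCP designs use their own discretization so that a click near a cell edge still selects the same next image. Because a tolerance comparison needs the stored points in the clear, the server's click-point store must itself be protected, unlike a hashed password record.

```python
import hashlib
import math
from typing import Sequence, Tuple

Point = Tuple[int, int]


def within_tolerance(stored: Point, attempt: Point, tolerance: int) -> bool:
    """True if the attempted click is within `tolerance` pixels of the stored one."""
    return math.dist(stored, attempt) <= tolerance


def verify_passpoints(stored: Sequence[Point], attempt: Sequence[Point], tolerance: int = 10) -> bool:
    """PassPoints: same number of clicks, each within tolerance, in the same order."""
    if len(stored) != len(attempt):
        return False
    return all(within_tolerance(s, a, tolerance) for s, a in zip(stored, attempt))


def next_image(image_id: str, click: Point, cell_size: int, image_pool: Sequence[str]) -> str:
    """CCP next-image rule (assumed for this example): the grid cell the click falls
    in, together with the current image id, deterministically selects the next image."""
    col, row = click[0] // cell_size, click[1] // cell_size
    h = hashlib.sha256(f"{image_id}:{col}:{row}".encode("utf-8")).digest()
    return image_pool[int.from_bytes(h[:4], "big") % len(image_pool)]


def verify_ccp(first_image: str, stored: Sequence[Tuple[str, Point]], attempt: Sequence[Point],
               image_pool: Sequence[str], cell_size: int = 20, tolerance: int = 10) -> bool:
    """CCP: at each stage the image shown must be the enrolled one and the click must be
    within tolerance; the click then determines the image for the next stage, so a wrong
    click also derails every later stage."""
    if len(stored) != len(attempt):
        return False
    image = first_image
    for (expected_image, expected_point), click in zip(stored, attempt):
        if image != expected_image or not within_tolerance(expected_point, click, tolerance):
            return False
        image = next_image(image, click, cell_size, image_pool)
    return True


if __name__ == "__main__":
    # Constructed data: a 10-image pool and enrolled click points.
    pool = [f"img{i}" for i in range(10)]
    pp_secret = [(110, 110), (50, 60), (300, 240)]
    print(verify_passpoints(pp_secret, [(113, 108), (52, 63), (296, 245)]))   # True
    print(verify_passpoints(pp_secret, [(52, 63), (113, 108), (296, 245)]))   # False: wrong order

    second = next_image("img0", (110, 110), 20, pool)
    ccp_secret = [("img0", (110, 110)), (second, (50, 60))]
    print(verify_ccp("img0", ccp_secret, [(113, 108), (52, 63)], pool))      # True
    print(verify_ccp("img0", ccp_secret, [(150, 108), (52, 63)], pool))      # False: first click off
```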

Jiminy[8]: In this scheme, users are provided with templates based on color that contain several
holes. The user first selects an image, chooses a colored template, picks a specific location inside the
image, then clicks on the position to place the template and record the password. During login, the
users must select the right template, place it on the correct location on the image then enter the
characters visible through the holes.

VisKey[7]: The SFR company developed a scheme for mobile devices. The user selects an image
from the images stored on the device and taps spots on it in sequence; this sequence is registered. To
log in the user has to tap the same spots in the registered sequence.

v-Go[7]: Passlogix proposed the v-Go scheme, in which the user selects a background image and
can perform various actions with items present in the image, such as clicking and dragging. Clicks on
items are detected with the help of invisible boundaries around them.

Fig 10: CCP Scheme, Jiminy, Vis-Key scheme, v-Go Scheme

1.4.3 CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart)
A Captcha[5] is a program that generates and grades tests that are human solvable but beyond
the capabilities of current computer programs. A Captcha is used to test whether the user is a computer
or a human by creating a task that is easy for humans but difficult for machines. Captchas mainly include
three types: text-based, image-based and sound-based.

Captcha as gRaphical Password (CaRP) technique[5]

This is a combination of Captcha and graphical passwords. CaRP is a click-based graphical
password in which a sequence of clicks on an image is used to derive a password. In CaRP a new image is
generated for every login attempt, even for the same user. CaRP uses an alphabet of visual objects to
generate the CaRP image.

CaRP Schemes are classified into two categories:

a. Recognition Based CaRP[5]

In this scheme a password is a sequence of visual objects in the alphabet. The three
techniques under this scheme are ClickText, ClickAnimal and AnimalGrid.

b. Recognition-Recall CaRP[5]
This combines the tasks of both recognition-based and cued-recall schemes and retains the advantages
of both. The password is a sequence of invariant points of objects; an invariant point is a point that has a
fixed relative position in different incarnations of an object and thus can be uniquely identified by
humans. For authentication the user first has to identify the object and then click the invariant points on
the object matching the password.
The two techniques under this scheme are TextPoint and TextPoints4CR.

Fig 11: ClickText Image Fig 12: ClickAnimal Image Fig 13: A ClickAnimal Image and 6X6 grid Fig 14: TextPoint

1.4.4 Recent Graphical Password Techniques


These techniques are resistant to all attacks to some extent.

Pair-Based Authentication Technique[6]: The user registers by entering a username and a
password of minimum length 8, called the secret pass. During login, the user has to enter the
correct username, and then a grid of size 6X6 containing letters and digits is displayed. The user
forms pairs from the secret pass, and from these secret-pass pairs and the interface the session
password is generated. At every login the interface changes and the session password changes accordingly.
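A worked session-password computation for the pair-based technique, added here as an example and not code from reference [6]. The pairing rule it uses is an assumption: for each pair of secret-pass characters, the row that contains the first character and the column that contains the second character select one grid cell, and that cell's symbol joins the session password. It also assumes the 6X6 grid holds the 26 uppercase letters and 10 digits in a fresh random arrangement per login, and that an odd-length secret pairs its last character with itself.

```python
import random
import string
from typing import List, Optional, Sequence, Tuple

ALPHABET = string.ascii_uppercase + string.digits  # 36 symbols exactly fill a 6x6 grid
SIDE = 6


def ordered_grid() -> List[List[str]]:
    """Unshuffled reference grid (A-F in row 0, G-L in row 1, ...), useful for checking by hand."""
    return [list(ALPHABET[r * SIDE:(r + 1) * SIDE]) for r in range(SIDE)]


def random_grid(rng: Optional[random.Random] = None) -> List[List[str]]:
    """A fresh arrangement for each login, so the session password changes every time."""
    symbols = list(ALPHABET)
    (rng or random.SystemRandom()).shuffle(symbols)
    return [symbols[r * SIDE:(r + 1) * SIDE] for r in range(SIDE)]


def _locate(grid: Sequence[Sequence[str]], symbol: str) -> Tuple[int, int]:
    for r, row in enumerate(grid):
        if symbol in row:
            return r, row.index(symbol)
    raise ValueError(f"symbol {symbol!r} is not in the grid")


def secret_pairs(secret: str) -> List[str]:
    """Split the secret pass into 2-character pairs (assumption: odd length repeats the last char)."""
    s = secret.upper()
    if len(s) % 2:
        s += s[-1]
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def session_password(secret: str, grid: Sequence[Sequence[str]]) -> str:
    """Pair (a, b) -> symbol at (row of a, column of b); concatenate over all pairs."""
    out = []
    for a, b in secret_pairs(secret):
        row, _ = _locate(grid, a)
        _, col = _locate(grid, b)
        out.append(grid[row][col])
    return "".join(out)


def verify_session(secret: str, grid: Sequence[Sequence[str]], entered: str) -> bool:
    """Server side: it showed `grid`, knows the secret pass, and expects the derived value."""
    return session_password(secret, grid) == entered.upper()


if __name__ == "__main__":
    secret = "HELLOPWD"  # constructed secret pass of length 8
    print(session_password(secret, ordered_grid()))  # KLPV on the unshuffled grid
    grid = random_grid()
    for row in grid:
        print(" ".join(row))
    expected = session_password(secret, grid)
    print("session password for this login:", expected, verify_session(secret, grid, expected))
```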

Hybrid Textual Authentication technique[6]: Here the user first enters a username and then
rates colors from 1 to 8 in an order of their choosing, which they must remember. During login, after
entering the username, a login interface based on the colors rated by the user is displayed, consisting of a
color grid of size 8X8 with 4 pairs of colors. For each color pair, the number at the intersection of the
corresponding row and column of the number grid becomes part of the session password.

Fig 15: Pair-Based technique Fig 16: Hybrid Textual technique: Color ratings and login interface

Image Pass Technique[6]: This is a recognition-based graphical password technique. The user
selects a valid username and then selects a particular number of images as the password from a set of
30 images. The selected images are displayed in a selected-password panel in the top-right corner of the
image. During authentication, after entering a valid username, the user has to select the valid images on
a grid of size 4X3 that is displayed.

Fig 17: Password selection, current selection panel, authentication for Image Pass Technique

Human selection of mnemonic phrase-based passwords[9]: A mnemonic password is one where
a user chooses a memorable phrase and uses a character (often the first letter) to represent each word
in the phrase.

A multiple click based graphical authentication system[10]: Here the authentication system is
presented by introducing a multi-level authentication technique which generates the password in
multiple levels to access the services.

NAVI (Novel Authentication with Visual Information), a novel graphical password scheme[11]: For
this scheme a Movie CAPTCHA method with Amodal Completion is used. The password is marked as a
route on a predefined map, called Geo-Points. The user logs in with a user id, and the password is
entered by marking the Geo-Points. If the password is wrong the login fails. Captcha validation is also
done, which distinguishes between humans and bot programs.

Awase-E[12]: This is a novel recognition-based image authentication system. The features of the
system are that it uses the user's personal photo collection, and that it introduces a "no answer" case in
the verification of an authentication trial. Awase-E with personal photos is easy to memorize and recall
over a long period of time, and its security level is almost the same as authentication with a 4-digit number.

Use Your Illusion Authentication[13]: Distorted images are used to maintain the usability of
graphical password schemes. Here the user selects their own graphical password images, and the selected
images are distorted using a non-photorealistic rendering algorithm that eliminates most details in the
image while preserving some features. To authenticate, the user must choose her own distorted images
from a set of distracter images.

Fig 18: NAVI Scheme, Awase-E, Use Your illusion

Image and Audio Based Authentication[14]: This method uses Captcha as a graphical password
scheme. The user logs in with a user id and password. Then an image is selected for security
purposes. In that image, a randomly positioned viewport is used for creating the password, and a
pixel is selected from this image. In the registration process, by clicking any pixel point on the image,
the information is stored in the database. Using cued click points and random password generation,
sound can be added to the image at particular pixel points.

Click-Draw based Graphical Password[15]: It has two operation steps: image selection and secret
drawing. Image selection: the user selects several images from an image pool, then further
selects one image for click-drawing their secret. To authenticate, users should re-select the same
images in the correct order and further select the one right image for click-drawing their secret.

Fig 19: Image and Audio based scheme. Fig 20: Step of image selection (three images that are stored and used in the image pool) and the 7 drawn by the user in the secret drawing step

Secret Drawing: The image selected for click-draw is partitioned into an NxN table. The click-draw action
requires users to use a series of clicks to construct their secret drawing. During authentication, users
should re-draw their secret accurately.

REFERENCES

[1] William Stallings, Network Security Essentials: Applications and Standards.
[2] Gary C. Kessler, An Overview of Cryptography, Handbook on Local Area Networks (Auerbach,
Sept. 1998), 14 November 2016.
[3] Authentication, http://www.google.com.
[4] Richard Duncan, An Overview of Different Authentication Methods and Protocols, SANS
Institute InfoSec Reading Room, October 2001.
[5] Aakanksha Gokhale and Vijaya Waghmare, A Study of Various Password Authentication
Techniques, Kharghar, Navi Mumbai, Maharashtra, India.
[6] Aakanksha Gokhale and Vijaya Waghmare, Graphical Password Authentication Technique: A
Review, Kharghar, Navi Mumbai, Maharashtra, India.
[7] Harsh Kumar Sarohi and Farhat Ullah Khan, Graphical Password Authentication Schemes:
Current Status and Key Issues, Amity University, India.
[8] Haichang Gao, Wei Jia, Fei Ye and Licheng Ma, A Survey on the Use of Graphical Passwords in
Security, Xidian University, Xi'an, P.R. China.
[9] Cynthia Kuo, Sasha Romanosky and Lorrie Cranor, Human Selection of Mnemonic Phrase-based
Passwords, ResearchGate, Conference Paper, SOUPS 2006, Pittsburgh, Pennsylvania, USA,
January 2006.
[10] S. Yamini and D. Maheshwari, A Multiple Click Based Graphical Authentication System,
ResearchGate, Article, January 2014.
[11] N. Preethi, B.J. Jayareshma and N. Kumar, A Movie CAPTCHA Method Using Amodal Completion
for NAVI Based Authentication in Network Security, Vels University, Tamil Nadu, Chennai,
ResearchGate, Article, 2004.
[12] Tetsuji Takada, Takehito Onuki and Hideki Koike, Awase-E: Recognition-based Image
Authentication Scheme Using Users' Personal Photographs, Tokyo, Japan, ResearchGate,
Conference Paper, December 2006.
[13] Eiji Hayashi, Nicolas Christin, Rachna Dhamija and Adrian Perrig, Use Your Illusion: Secure
Authentication Usable Anywhere, ResearchGate, Conference Paper, January 2008.
[14] R. Saranya, S. Usha, S. Vigneshwari and M. Vidhya, IJARTET, ResearchGate, Article, March 2016.
[15] Yuxin Meng, Designing Click-Draw Based Graphical Password Scheme for Better
Authentication, City University of Hong Kong, Hong Kong, China, ResearchGate, Conference
Paper, June 2012.
