Professional Documents
Culture Documents
Mobile Devices*
Qibin Sun1, Zhi Li2, Xudong Jiang3 and Alex Kot3
1
Institute for Infocomm Research, 119613, Singapore
2
Dept of EE, Stanford University, CA 94305-9515, USA
3
School of EEE, Nanyang Technological University, 639798, Singapore
*This work is supported by the A-STAR SERC Mobile Media TSRP Grant No 062 130 0056.
978-1-4244-1684-4/08/$25.00 ©2008 IEEE 2973
Component Analysis), a set of Eigen matrix is then or observing the full interactions between Alice and the
obtained. The input face is, after some preprocessing and MV.
face normalization, then projected onto this set of Eigen
In [7], inspired by a classic mnemonics - Method of
matrix to obtain an Eigen vector F pertaining to this given
Loci, we proposed a novel association-based IBA scheme.
face. On the other hand, the system generates a random
The principal idea rests on the human cognitive ability of
number (RDN) then a random matrix from user’s login
association-based memory. The mnemonic efficacy is
request. This random matrix R is then orthogonalized by
enforced by creating “bounds” between the password
the Gram-Schmidt process. The output of the dot product
elements, which is analogous to splitting a telephone
of F and R is finally quantized by presetting thresholds to
number into chunks to aid memorization.
generate the robust bit-string which could be served as the
user’s password. The idea is illustrated in Fig. 1. A more In the user registration phase, Alice is required to pick a
detailed description about robust face hashing is given in desirable background image. The image is partitioned into
[8]. some small regions, each partition being a locus. Define
the locus alphabet as the set of all the loci L={l1, l2, …,
In [8], it has shown that a stable 40 bits could be
l|L|}. Also define an object alphabet O={o1, o2, …, o|o|} and
extracted from input face data with a nearly zero false
a color alphabet C={c1, c2, …, c|c|}. The object alphabet
alarm. In Section 3, we will ride on this observation for
consists of clip-arts images of objects, such as images of a
our system design and further improve the system security
cup, a bike, a cats etc. The color alphabet consists of
(password entropy and shoulder-surfing attack) by
colors like red, blue, green, cyan etc. To create the
introducing an interactive authentication protocol between
password profile, Alice is then required to create N
server and mobile devices.
triplets, each triplet with one element chosen from each
alphabet ijn={ln’, on’, cn’}, for 1nN. Note that Alice
usually tends to choose some “salient points” as the pass
loci, therefore, in practice, ln’ is selected from a subset
L’⊂L .
A schematic diagram of the authentication procedure is
shown in Fig. 2. The authentication phase consists of N
rounds. Triplet ijn serves as the “pass triplet” for round n,
with ln’, on’ and cn’ being the pass locus, pass object and
pass color, respectively. In round n, Alice needs to click
on the region of the background image associated with the
pass locus ln’. After the click, a window pops up, showing
a list of object elements O1⊂O, including the pass object
on’∈O1. The remaining subset O2=O1\{on’} is called the
decoy object set. Alice needs to select the pass object on’
from the list. After the selection, another window pops up,
showing a list of color elements C1⊂C, including the pass
color cn’∈C1. Similarly, the remaining subset C2=C1\{cn’}
is called the decoy color set. Alice needs to correctly select
the pass color on’. This procedure repeats for N rounds.
Alice is verified as authentic only when all the pass loci
Fig.1 The diagram of robust face hashing
are correctly clicked, and all the pass objects and pass
2.2 Graphic password based on association colors are correctly selected.
2974
In the authentication procedure, two levels of Step 3: After Alice receives the RDN and BG, she
association are created – association between the locus and captures her face by her phone camera. A 40 bits one-time
the object, and association between the object and its face hash bit-string could then be extracted from her face
color. By using mnemonics technique similar to the image by the RDN.
Method of Loci, Alice could remember the associated Step 4: A standard association based graphic password
locus, object and color as a whole, rather than separately. authentication then starts. Alice needs to correctly pick up
To enhance the security, Alice is encouraged to create all her selected objects associated with correct colors she
“bizarre scenes” (e.g. a blue banana in the bath) to enhance registered to the server before. The one-time RDN is again
the mnemonics effect. used here to decide the display order of all objects and
colors. Crypto hash the selected Loci / Objects / Colors to
We argue that this association-based approach is
obtain another hash bit-string.
superior compared to the recall-based and recognition-
Step 5: Concatenate and randomize the generated face
based approach. Firstly, in the recall-based approach, the
hash bit-string and the graphic password. Send to the
problem is that Alice does not know how or where to
server as Alice’s login password.
search in memory for the item. However, in association-
Step 6: Server compares Alice’s temporary face hash with
based approach, the item is hooked to the cues that are
the received face hash and the stored hash of her graphic
available to her, thus Alice has no difficulty to retrieve
password with the received one to decide whether the
them. Secondly, since recognition-based approach only
server grants / denies Alice’s access to the server.
leaves Alice limited actions to take (e.g. merely selecting
the pass images), this approach provides very limited The reason why the server every time generates a different
password entropy. In the association-based approach, the face hash for Alice is because biometric data is very
user is given much more choices to act, and thus the critical ----once it is revealed, you cannot get it revoked.
password entropy is much larger than in the recognition- Incorporating one-time RDN will make Alice’s face hash
based approach. bit-string different every time so that even Bob intercepts
one or a few of Alice’s previous face hashes, he still has
3. PROPOSED AUTHENTICATION no idea about the one she is currently using for
SCHEME authentication.
In this section, we shall describe the basic idea of our new 3.2 Analysis
solution, based on the combination between face hashing
and association based graphic password for further system Password entropy is usually used to measure the security
security enhancement. of generated password, which conceptually means how
hard to blindly guess out the password.
3.1 Description
For simplicity, assume all passwords are evenly
In the user registration phase, Alice uses her phone distributed, the password entropy of graphic password can
camera to capture 2-3 face images and send to the then be calculated as follows [7].
server. The server then registers her face into the
secure face database associated with her computed H ( X std ) = N log 2 ( L ' O1 C1 )
(1)
unique Eigenface vector. The remaining registration is
the same process as the standard association based For a typical application, suppose the size of the salient
graphic password described in previous section. point set of an image |L’| is 30, |O1| and |C1| are both 4,
and the number of rounds is 4, the entropy is therefore
The authentication process is shown in Fig.3. Here we 35.6 bits, which is equivalent to the entropy of a 6-digit
summarize it as follows. textual password.
Step 1: Alice sends her ID and login request to the server. For a 40 bits generated face hash, its entropy is 40 bits
Step 2: The server firstly generates a one-time random assuming again its uniform distribution. Therefore the
number (RDN) particularly for Alice’s this time login. entropy of the final generated password is about 75.6 bits
Based on this RDN, the server computes a one-time face which is comparable to other crypto modules. Note that in
hash bit-string for Alice. Note that every time, the server design of a security related system, the system security
will generate a different hash bit-string for Alice for only depends on the weakest module in whole system.
security consideration which will be explained later. Note
that the server keeps this temporary hash bit-string secretly Another advantage to incorporate face into user
for verification purpose. Server then sends this RDN authentication is that we could naturally avoid the threats
together with the Alice’s registered background image from shoulder-surf attacks because everyone’s face is
(BG) to Alice. different. Therefore even Bob figures out Alice’s graphic
password, he still cannot impersonate Alice’s access. Note
2975
that in [7], to avoid shoulder-surfing attack, we have to security (both password entropy and shoulder-surfing
pay the price by reducing the password entropy. attacks). Our future work includes conducting the studies
and experiments on the robustness of face hash and to
4. COMPARISONS WITH PRIOR WORK examine the effectiveness of our methods.
5. CONCLUSION
In this paper, we proposed a novel interactive and secure
authentication scheme for mobile applications. By
incorporating human face into the graphical password, we
obtained a significant improvement in terms of system
2976