Nitin†,*, Durg Singh Chauhan**, Vivek Kumar Sehgal***, Ankit Mahanot*, Pallavi Singh*, Sohit Ahuja*, Utkarsh Shrivastava*, Manisha Rana*, Vineet Punjabi*, Shivam Vinay* and Nakul Sharma(a)

†,* Member IEEE and Department of CSE and IT; ** Professor and Vice Chancellor; *** Member IEEE and Department of ECE; (a) HCL Technologies, Noida, INDIA
*,**,*** Jaypee University of Information Technology, Waknaghat, Solan–173215, HP, INDIA
† {delnitin, pdschauhan, vivekseh, ankit1986, pallavi.singh150287, sohit22, utkarsh12, manisharana47, vineetpunjabi.juit, shivamvinay}@gmail.com; (a) nakul_sharma@hcl.in

* This Image Based Authentication System has been developed for Jaypee University of Information Technology (JUIT). It has been developed using scripting languages: PHP (ver. 5) and MySQL, with AJAX also used extensively.
The next key in the row is BC (refer to Equation (4)), the key shared between the AS and the TGS. Key BC is used to encrypt the following data: a) the username and b) AC. The data encrypted under BC cannot be read by the user, because BC is shared only between the AS and the TGS. On receiving the keys from the AS, the user forwards the BC-encrypted part to the TGS as it is. The user also appends the service it wants to avail, together with the session time, encrypted with the secret key the user shares with the TGS. The TGS now creates the shared secret key it is going to share with the service. The TGS sends the previously calculated C (refer to Equation (3)) and the nonce Nc to the service, S. S computes

D = g^v mod n   (6)

v being the private key of the service. S in turn sends D (refer to Equation (6)), Nc and a new nonce Nd to the TGS. The TGS now generates the shared secret key by computing

CD = g mod n   (7)

and sends the same to S, together with the nonce Nd. Next, the TGS responds to the user by sending the service the user had requested, along with the shared secret key AD, which is determined by the TGS, encrypted with the key AC. It also sends the key AD appended to the username A, encrypted with the shared secret key CD (refer to Equation (7)). The second part of the message cannot be read by the user, since the key CD is shared only between the TGS and the service. Finally, the user forwards the second part of the message to the service as it is.

2.2. AJAX Explanation

AJAX, shorthand for Asynchronous JavaScript and XML, is a web development technique [16, 17]. The intent is to make web pages feel more responsive by exchanging small amounts of data with the server behind the scenes, so that the entire web page does not have to be reloaded each time the user makes a change. In AJAX, the browser allows JavaScript to call the server without posting the entire page back to the server; instead it retrieves a small amount of data dynamically and updates only parts of the page.

[Figure 2. AJAX implementation in JUIT-IBA. The module is a part of the JUIT-IBA system.]

2.3. Image Set Generation and Selection

This section deals with another important part of the security of IBA: the selection of images in an image set and the generation of the image set itself. An image set is a collection of 'n' images arranged into 'r' rows and 'c' columns. For the JUIT-IBA system, n = 40, arranged into 4 rows (r = 4) and 10 columns (c = 10). It is at the discretion of the designers to choose 'n', 'r' and 'c'. Several factors should be considered while choosing n, r and c. 'n' should be chosen such that it increases the security of the system while keeping the system user-friendly. 'r' and 'c' should be chosen such that the image grid that appears to the user is not visible in one eye-span, i.e. a user must scroll up or down / left or right to view the entire image grid.

The system divides its users into three levels, namely beginner, moderate and advanced (in hierarchy from the lowest level to the highest). As the user proceeds up the hierarchy, it becomes more difficult for an intruder to obtain his/her password. This is because the system provides 3 image sets (i.e. 3 x 40 = 120 images) for a beginner, from which he/she can select up to 5 images; 4 image sets (i.e. 4 x 40 = 160 images) for a moderate-level user, from which he/she can select up to 9 images as his/her password; and 5 image sets (i.e. 5 x 40 = 200 images) for an advanced user, from which he/she can select up to 13 images. These maximum limits on the number of images in a password set are not based on any mathematical calculation.

The images selected to form an image set:
1. should not be easily describable
2. should be easy to remember
3. should be unique and abstract
4. should differ in colour schemes and structure

We use a random display of images within an image set, i.e. within an image set the images are arranged randomly and their positions are in no way related to the previous image set that was generated.

Now we move on to the selection of images. As mentioned
earlier, the user is first asked for a username, after which he/she is shown the first image set. Since the images are arranged randomly, his/her password image will appear in a random position and not a fixed one. The order of the image sets is the same every time, i.e. Image Set 1 appears to the user first, followed by Image Set 2, and so on, but the images within each image set are shuffled every time. Considering the security aspect, the JUIT-IBA system does not change the mouse cursor when it is moved over an image. Normally, when you roll the mouse over an image or a link, the cursor changes to a hand (in Microsoft Windows). Also, there is no special mark on the images you have currently selected. This way, no third person will be able to make out the password.

3.1.2. Shoulder Attack

For the shoulder attack (refer to Figure (5)): to counter this attack, the images selected to be displayed in the image grid are all very abstract images which are not easily describable. Also, while an image is being selected, it is not highlighted, so the attacker does not get a clue as to which image was selected. Most display screens use a resolution of 800x600 pixels. The image grid in JUIT-IBA is designed in such a way that at any given instant not all 40 images of a particular image set are visible to the onlooker.
One complete row and almost two and a half columns are hidden in a single display. This further reduces the risk of a shoulder attack. To further confuse the attacker, the images have been chosen in such a way that each image has at least one closely resembling image in the grid. This again helps in preventing a shoulder attack.

The IBA system has a time limit imposed on each of its image grid pages, and the session expires after a certain time. This means that the attacker must start from scratch after the session expires.
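The image-set handling of Sections 2.3 and 3.1.2 (fixed set order, a fresh random arrangement of the 40 images on every presentation, and a password that is a selection of images rather than of positions), as an added example that is not the paper's PHP/MySQL code. It assumes the paper's numbers (n = 40, r = 4, c = 10; 3/4/5 sets and 5/9/13 images per level); the image names are constructed placeholders; the `password_space` count is an added calculation under the assumption that a password is any unordered selection of at most k distinct images from the user's pool, which the paper does not itself give.

```python
import secrets
from math import comb

N, R, C = 40, 4, 10                  # images per set; grid rows and columns (Section 2.3)

# user level -> (number of image sets, maximum images in the password set)
LEVELS = {"beginner": (3, 5), "moderate": (4, 9), "advanced": (5, 13)}


def make_image_sets(level: str) -> list:
    """The fixed image sets a user of this level cycles through, in order.
    Names like 'set1_img07' are constructed placeholders for real image files."""
    sets, _ = LEVELS[level]
    return [[f"set{s + 1}_img{i:02d}" for i in range(N)] for s in range(sets)]


def render_grid(image_set: list) -> list:
    """One presentation of a set: a fresh CSPRNG shuffle laid out as R x C.
    Re-shuffling on every page view is what keeps a password image from
    having a fixed on-screen position."""
    order = list(image_set)
    for i in range(len(order) - 1, 0, -1):          # Fisher-Yates driven by secrets
        j = secrets.randbelow(i + 1)
        order[i], order[j] = order[j], order[i]
    return [order[row * C:(row + 1) * C] for row in range(R)]


def enroll(level: str, chosen: list, image_sets: list) -> set:
    """Store the password as a set of image identifiers, enforcing the level's
    maximum and that every chosen image belongs to this user's sets."""
    _, max_images = LEVELS[level]
    pool = {img for s in image_sets for img in s}
    password = set(chosen)
    if not 1 <= len(password) <= max_images:
        raise ValueError(f"{level}: choose between 1 and {max_images} distinct images")
    if not password <= pool:
        raise ValueError("selection contains an image outside the user's image sets")
    return password


def verify(password: set, clicks: list, presentations: list) -> bool:
    """clicks are (set_index, row, col) on the grids actually shown; map each
    back to an identifier and compare as a set, so position is irrelevant."""
    selected = {presentations[s][row][col] for s, row, col in clicks}
    return selected == password


def password_space(level: str) -> int:
    """Added calculation (not in the paper): number of possible password sets
    of 1..k distinct images drawn from sets*N images, unordered."""
    sets, k = LEVELS[level]
    return sum(comb(sets * N, i) for i in range(1, k + 1))
```

Under that assumption a beginner has about 2 x 10^8 candidate password sets (the sum of C(120, i) for i = 1..5); that is the number to weigh against the per-page time limit and session expiry described above, since an online guesser is bounded by how many grids it can answer before the session resets.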
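The TGS/service key agreement and the two-part TGS reply of Section 2.1 (Equations (3), (6) and (7) and the ticket the user forwards "as it is"), as an added, runnable model that is not the paper's code. It assumes a toy Diffie-Hellman group (the Mersenne prime 2^521 - 1 as the paper's n, with g = 2), that CD is the Diffie-Hellman value derived from C and D (the exponent in Equation (7) is not legible on the page), SHA-256 as the key derivation, and a toy HMAC-based encrypt-then-MAC cipher in place of the paper's unspecified cipher. One deviation from the text is stated in the code: the service derives CD from C and its own v instead of receiving it from the TGS, so that no key travels on the wire; the TGS still echoes Nd.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption): Mersenne prime as the paper's 'n', g = 2.
# Real deployments use a standardised group (e.g. RFC 3526), not this.
P = 2**521 - 1
G = 2
KEY_LEN = 32


def kdf(shared: int) -> bytes:
    """DH value -> 32-byte symmetric key (assumption: SHA-256 of the big-endian value)."""
    return hashlib.sha256(shared.to_bytes((shared.bit_length() + 7) // 8, "big")).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: HMAC-SHA256 counter-mode stream plus an HMAC tag.
    Stands in for the paper's unspecified cipher; use AES-GCM in practice."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes):
    """Plaintext, or None when the tag fails under this key; that failure is what
    makes 'the second part cannot be read by the user' observable."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


class Service:
    def __init__(self, name: bytes):
        self.name, self.cd = name, None
        self.v = secrets.randbelow(P - 2) + 2        # service private key 'v'

    def respond(self, C: int, Nc: bytes):
        """TGS -> S: C, Nc.  S -> TGS: D, Nc, Nd with D = g^v mod n (Eq. (6))."""
        D = pow(G, self.v, P)
        # Deviation from the paper: S derives CD itself (C^v = g^(cv) mod n) instead
        # of receiving it from the TGS, as any Diffie-Hellman party can.
        self.cd = kdf(pow(C, self.v, P))
        return D, Nc, secrets.token_bytes(16)

    def accept_ticket(self, ticket: bytes):
        """Open the part the user forwarded unchanged; yields AD and username A."""
        pt = decrypt(self.cd, ticket)
        if pt is None:
            raise ValueError("ticket was not encrypted under CD")
        return pt[:KEY_LEN], pt[KEY_LEN:]


class TGS:
    def __init__(self):
        self.c = secrets.randbelow(P - 2) + 2        # exponent behind C (Eq. (3))
        self.C, self.cd = pow(G, self.c, P), None

    def agree_with(self, svc: Service) -> bytes:
        Nc = secrets.token_bytes(16)
        D, nc_echo, Nd = svc.respond(self.C, Nc)
        if nc_echo != Nc:
            raise ValueError("nonce Nc not echoed: reply is not fresh")
        self.cd = kdf(pow(D, self.c, P))             # Eq. (7) as assumed: g^(cv) mod n
        return Nd                                    # echoed back to S, as in the paper

    def issue(self, username: bytes, svc: Service, AC: bytes):
        """Reply to the user: {AD, service}_AC and the opaque {AD, A}_CD."""
        AD = secrets.token_bytes(KEY_LEN)
        return encrypt(AC, AD + svc.name), encrypt(self.cd, AD + username)


def run_protocol(username: bytes = b"A", service_name: bytes = b"fileserver") -> dict:
    svc, tgs = Service(service_name), TGS()
    tgs.agree_with(svc)
    AC = secrets.token_bytes(KEY_LEN)                # user/TGS key from the earlier AS step
    part1, part2 = tgs.issue(username, svc, AC)
    opened = decrypt(AC, part1)                      # user reads the service name and AD
    ad_user, svc_seen = opened[:KEY_LEN], opened[KEY_LEN:]
    user_opens_ticket = decrypt(AC, part2) is not None   # False: CD is not the user's key
    ad_service, who = svc.accept_ticket(part2)       # user forwarded part2 "as it is"
    return {"ad_user": ad_user, "ad_service": ad_service, "service": svc_seen,
            "username_at_service": who, "user_opens_ticket": user_opens_ticket,
            "cd_agree": tgs.cd == svc.cd}
```

The two checks worth keeping from this model are the nonce echo (the TGS refuses a D that does not come with its own Nc) and the authenticated cipher: with an unauthenticated stream cipher the user's attempt to open the ticket would yield garbage rather than a detectable failure, and the service could not tell a forged ticket from a genuine one.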
Table 1. Comparison of JUIT-IBA with UFL-IBA

Feature                                                            JUIT-IBA   UFL-IBA
Indication on selected images (in your password set)               No         Yes
Visibility of the entire image set                                 No         Yes
Resemblance of one image to some other image in the same grid      Yes        No
[Figure 8. Timing analysis diagram showing the loading of images under different traffic conditions (e.g. Internet, low traffic) at different intervals of time; y-axis: time, 0 to 0.005.]
4. Conclusions

Image Based Authentication systems combined with a strong protocol (the Kerberos protocol) offer scope for secure systems in the future. Such systems provide a secure channel of communication between the communicating entities. The ease of using and remembering images as a password also supports the scope of these systems. As we have seen in this paper, the JUIT-IBA system proves its toughness against today's cryptanalytic algorithms and other basic hacking mechanisms. Apart from the security factor, the run-time performance of the system is well suited to today's internet configuration. Hence, on the basis of security (Kerberos with shared keys), time performance and ease of use of such systems, we conclude this paper by saying that IBA systems hold a vital position in the future of network security.

5. References

[1] Richard E. Newman, Piyush Harsh, and Prashant Jayaraman, "Security Analysis of and Proposal for Image Based Authentication," 2005.
[2] David Melcher, "The persistence of visual memory for scenes," Nature, 412(6845), p. 401, July 2001.
[3] Rachna Dhamija and Adrian Perrig, "Déjà Vu: A User Study Using Images for Authentication," Proceedings of the 9th USENIX Security Symposium, August 2000.
[4] Wim van Eck, "Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk?," Computers & Security, vol. 4, pp. 269-286, 1985.
[5] Markus G. Kuhn, "Electromagnetic Eavesdropping Risks of Flat-Panel Displays," Proceedings of the 4th Workshop on Privacy Enhancing Technologies, May 2004.
[6] William Stallings, "Cryptography and Network Security," Pearson Education.
[7] Andrew S. Tanenbaum and Maarten van Steen, "Distributed Systems," Pearson Education.
[8] http://www.w3schools.com/ajax/default.asp
[9] http://www.php.net
[10] http://www.cise.ufl.edu
[11] http://en.wikipedia.org/wiki/Diffie-Hellman
[12] http://www.Kerberos.info
[13] http://en.wikipedia.org/wiki/Kerberos
[14] Faulkner Information Services, "Enterprise Network Security Guidelines: Prevention and Response to Hacker Attacks," digital edition, June 1, 2001.
[15] Yang Xiao, "Security in Distributed and Networking Systems (Computer and Network Security)," hardcover, September 30, 2007.
[16] Lee Babin, "Beginning Ajax with PHP: From Novice to Professional," paperback, October 16, 2006.
[17] Chris Ullman and Lucinda Dykes, "Beginning Ajax (Programmer to Programmer)," paperback, March 19, 2007.