
Seventh IEEE/ACIS International Conference on Computer and Information Science

Security Analysis and Implementation of JUIT-Image Based Authentication System using Kerberos Protocol*

Nitin (Member IEEE, Department of CSE and IT), Durg Singh Chauhan (Professor and Vice Chancellor), Vivek Kumar Sehgal (Member IEEE, Department of ECE), Ankit Mahanot, Pallavi Singh, Sohit Ahuja, Utkarsh Shrivastava, Manisha Rana, Vineet Punjabi and Shivam Vinay, Jaypee University of Information Technology, Waknaghat, Solan-173215, HP, INDIA; Nakul Sharma, HCL Technologies, Noida, INDIA

{delnitin, pdschauhan, vivekseh, ankit1986, pallavi.singh150287, sohit22, utkarsh12, manisharana47, vineetpunjabi.juit, shivamvinay}@gmail.com, nakul_sharma@hcl.in

Abstract

Secure environments protect their resources against unauthorized access by enforcing access control mechanisms. When increased security is the issue, text-based passwords are not enough to counter such problems; something more secure, yet still user-friendly, is required. This is where Image Based Authentication (IBA) comes into play. IBA encapsulates Kerberos Protocol, Version 5, and provides clients a unique and secured authentication tool to work with. This paper is a comprehensive study of using images as the password set and of the implementation of the Jaypee University of Information Technology (JUIT) IBA system, called JUIT-IBA. The tool provides a secure channel of communication between the communicating entities. The assortment of images chosen as the client's password aims at thwarting brute force, shoulder-surfing and Tempest attacks at the client side, while attacks at the server side are averted by putting the Kerberos protocol into practice. The paper also describes how the system works, along with an evaluation of its performance in different computing environments.

1. Introduction

Authentication plays an important role in protecting resources against unauthorized use. Many authentication processes exist, from simple password-based systems to costly and computation-intensive biometric systems [1, 2, 3, 4, 5]. Passwords are more than just a key; they serve several purposes. They authenticate us to a machine to prove our identity: a secret that only we should know. Our username identifies us and the password validates us. But passwords have weaknesses: more than one person can possess the knowledge of a password at one time, and password thefts can and do happen on a daily basis, so we need to protect them. Merely grouping some random letters together with special characters does not ensure safety. We need something new and different as our password to make it secure. Besides being different, it should be easy enough for you to remember and equally difficult for someone else to crack. This is what an Image Based Authentication system provides [6]. The human brain is more adept at recalling a previously seen image than previously seen text [7]. In a recent user study conducted at the University of California at Berkeley, image-based authentication (IBA) systems were found to be more user-friendly than the usual text-based systems [8]. Besides being user-friendly, we also need to strengthen security during authentication. This is done using the Kerberos protocol [9, 10, 11, 12, 13].

2. Approach to JUIT-IBA System

2.1. Kerberos Protocol

Even though images are used as the user's password set, which protects the user from brute force attacks and, to some extent, from shoulder surfing, security still remains a subject to be focused upon. The password set used for authentication remains secured using cryptographic algorithms, but the channel of communication between the user's workstation and the server can be monitored by hackers and by those trying to penetrate the system.

*This Image Based Authentication System has been developed for Jaypee University of Information Technology (JUIT). It has been developed using scripting languages: it uses PHP (ver. 5) and MySQL, and AJAX has also been used extensively.

978-0-7695-3131-1/08 $25.00 © 2008 IEEE 575


DOI 10.1109/ICIS.2008.93
The instant the user is confronted with the login page, the session starts. If the user is unable to log in within the specified session, the session expires and the user has to log in to the system again. Specifying sessions guards users against brute force attacks: if some intruder is constantly trying to break into the system by permutations and combinations, the time factor will prevent this. Sessions do not, however, prevent intruders from monitoring the channel and thereby routing packets to unauthorized destinations. So, in addition to sessions, we add the concept of shared secret keys. The user and the service the user wants to avail of communicate with each other by encrypting and correspondingly decrypting the messages using the Data Encryption Standard (DES) algorithm [6, 12]. The 56-bit key, which is one of the two inputs to the DES algorithm, is provided by the secret keys, shared and decided in advance, for the transfer of services. A caveat for anyone deploying this design: a 56-bit DES key has been recoverable by exhaustive search since 1998 and DES has since been withdrawn as a standard, so the same construction would today use AES.

Another matter of concern between the two communicating parties is trust. The two communicating entities should give assurance that they are who they claim to be. This calls for a trusted third party, i.e. a party between the user and the service. The dependency between the user and the service regarding trust leads to the notion of an Authentication Server (AS), which provides shared-key third-party authentication in a distributed network. Rather than trusting all workstations, we trust only a central authentication server. The trusted third party is further decomposed into two components: the Authentication Server (AS) and the Ticket Granting Server (TGS).

Figure 1. Kerberos Protocol.

The protocol works as follows. The Authentication Server is where the user can negotiate to claim his identity. In the IBA tool, after the user enters his username, the AS is called. The first requirement is that the user and the AS agree on two large numbers, n and g, with g < n (as in Diffie-Hellman key exchange: n is the modulus and g the base). After deciding on n and g, the user's workstation calculates

    $A = g^{x} \bmod n$    (1)

where x is a private key of the user, and sends A to the AS. In order to make the communication more reliable, the user also sends a nonce Na (a random number generated on the user's end) to the AS. So the payload transmitted in the packet from the user to the AS contains: a) the username (alphanumeric characters), b) Na, c) A. The AS, after receiving the packet, sets up a key between the AS and the TGS by computing

    $B = g^{y} \bmod n$    (2)

y being the private key of the AS, and also generates a new nonce, Nb. The AS sends B and the previously received A (from Equation (1)), along with Nb, to the TGS. The AS sends A to the TGS so that the TGS can create the shared secret key between the user and the service at a later phase. The TGS calculates

    $C = g^{z} \bmod n$    (3)

where z is the private key of the TGS (the paper leaves this exponent unnamed; z is used here for consistency with the other equations), and sends it to the AS, along with the Nb received from the AS and a newly created nonce Nc. The AS now determines the shared secret key

    $BC = g^{yz} \bmod n$    (4)

as C^y, and forwards it to the TGS (the TGS can equally compute it as B^z, so nothing secret needs to travel). For verification purposes, the AS also combines the nonce Nc with BC, thereby producing a shared secret key between the AS and the TGS. In parallel to key generation between the AS and the TGS, the AS also responds to the request by the user. It passes a packet to the user which can be revealed only if the user selects the correct images from the image password set. Consequently, the password set of the user becomes the shared secret key between the user and the AS. Once the user has successfully selected his image-based password set, he receives a series of keys. The initial key is the shared secret key between the user and the TGS, determined by the AS, and is simply

    $AC = g^{xz} \bmod n$    (5)

Note that in a Diffie-Hellman exchange a value such as $g^{xz}$ can only be formed by the holders of x and z, i.e. by the user (as C^x) and by the TGS (as A^z); what the AS contributes is the relay of the public values A and C to the right parties.
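The complete exchange of Section 2.1, from the user's first message through the service-side steps the section goes on to describe (D, CD and AD), is modelled below as an added example. This is not the paper's code and not the JUIT-IBA implementation. It assumes names and choices the page does not make: the TGS's private exponent is called z; the modulus is the toy prime 2^521 - 1 with base g = 3 (a deployment would use a safe-prime group such as RFC 3526 group 14); a pairwise session key is SHA-256 over the Diffie-Hellman value and the two nonces the parties exchanged; tickets are sealed with a SHA-256 keystream and an HMAC tag in place of the paper's DES. In one respect it departs from the text deliberately: no shared value is ever forwarded, each pair derives its own key from the public values it receives, which is the only way a Diffie-Hellman value can be obtained.

```python
"""Added example, not code from the paper: the Section 2.1 key agreement played
end to end by all four roles (user U, Authentication Server AS, Ticket Granting
Server TGS, service S) with the Python standard library only.

Assumptions beyond the page: the TGS's private exponent is named z; the modulus
is the toy prime 2**521 - 1 with base g = 3 (a deployment would use a safe-prime
group such as RFC 3526 group 14); a session key is SHA-256 over the
Diffie-Hellman value and the nonces the two parties exchanged; tickets are
sealed with a SHA-256 keystream plus an HMAC tag, standing in for the paper's
DES. Every g**(ab) mod n is derived locally by the two holders of a and b; the AS
and TGS relay public values (A, C, D), never a shared secret."""
import hashlib
import hmac
import secrets

N = 2**521 - 1   # Mersenne prime M521: fine for a demo, too weak a group for real use
G = 3
SIZE = 66        # bytes needed to hold any value below N


def pub(priv):
    return pow(G, priv, N)


def session_key(shared, *nonces):
    """K = H(g^{ab} mod n || nonces), e.g. BC together with Nb and Nc as in the paper."""
    return hashlib.sha256(shared.to_bytes(SIZE, "big") + b"".join(nonces)).digest()


def _stream(key, iv, length):
    blocks = (hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key, msg):
    """Toy authenticated encryption: keystream XOR, then an HMAC-SHA256 tag."""
    iv = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(msg, _stream(key, iv, len(msg))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Rejects the blob unless the caller holds the sealing key (wrong party or tampering)."""
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, iv, len(ct))))


def image_key(selected_images):
    """The user's image password set doubles as the U<->AS key, as Section 2.1 says."""
    return hashlib.sha256("|".join(sorted(selected_images)).encode()).digest()


def run_exchange(username, stored_images, entered_images=None, service="printer"):
    """Runs the whole exchange and returns both sides' copy of every pairwise key,
    so a caller can check that the intended parties agree and nobody else can open
    what is not addressed to them. A wrong image selection fails at the first step."""
    entered_images = stored_images if entered_images is None else entered_images
    x, y, z, v = (secrets.randbelow(N - 2) + 1 for _ in range(4))
    Na, Nb, Nc, Nd = (secrets.token_bytes(16) for _ in range(4))
    A, B, C, D = pub(x), pub(y), pub(z), pub(v)              # Eq. (1), (2), (3), (6)
    # Eq. (4): BC = g^{yz}. The AS raises C to y, the TGS raises B to z; BC is never sent.
    k_as_tgs = session_key(pow(C, y, N), Nb, Nc)
    k_tgs_as = session_key(pow(B, z, N), Nb, Nc)
    # AS -> U: C and Nc, openable only with the right image set, plus a ticket the user
    # forwards unopened (username, A, Na under BC).
    for_user = seal(image_key(stored_images), C.to_bytes(SIZE, "big") + Nc)
    tgt = seal(k_as_tgs, username.encode() + b"\0" + A.to_bytes(SIZE, "big") + Na)
    # Eq. (5): AC = g^{xz}. U computes C^x from the opened packet; the TGS computes
    # A^z from the forwarded ticket.
    body = unseal(image_key(entered_images), for_user)      # ValueError if wrong images
    c_seen, nc_seen = int.from_bytes(body[:SIZE], "big"), body[SIZE:]
    k_u_tgs = session_key(pow(c_seen, x, N), Na, nc_seen)
    name, rest = unseal(k_tgs_as, tgt).split(b"\0", 1)
    k_tgs_u = session_key(pow(int.from_bytes(rest[:SIZE], "big"), z, N), rest[SIZE:], Nc)
    # Eq. (7): CD = g^{zv}, TGS from D^z and S from C^v, with nonces Nc and Nd.
    k_tgs_s = session_key(pow(D, z, N), Nc, Nd)
    k_s_tgs = session_key(pow(C, v, N), Nc, Nd)
    # TGS -> U: D and Nd under AC (so U derives AD = D^x) and a service ticket under CD
    # carrying A (so S derives AD = A^v). U relays the ticket but cannot open it.
    to_user = seal(k_u_tgs, D.to_bytes(SIZE, "big") + Nd)
    ticket = seal(k_tgs_s, name + b"\0" + service.encode() + b"\0" + A.to_bytes(SIZE, "big"))
    body = unseal(k_u_tgs, to_user)
    k_u_s = session_key(pow(int.from_bytes(body[:SIZE], "big"), x, N), nc_seen, body[SIZE:])
    _, svc, a_bytes = unseal(k_s_tgs, ticket).split(b"\0", 2)
    k_s_u = session_key(pow(int.from_bytes(a_bytes, "big"), v, N), Nc, Nd)
    return {"AS-TGS": (k_as_tgs, k_tgs_as), "U-TGS": (k_u_tgs, k_tgs_u),
            "TGS-S": (k_tgs_s, k_s_tgs), "U-S": (k_u_s, k_s_u),
            "service": svc.decode(), "service_ticket": ticket}
```

run_exchange("alice", ["img07", "img23", "img31", "img40", "img12"]) returns matching keys for each of the four pairs and four distinct keys overall; the service ticket is opaque to the user because it was sealed under CD, and an entered image set that differs from the stored one fails at the very first unseal, which is the property the paper relies on when it makes the image set the user-to-AS key.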

The next key in the row is BC (Equation (4)), the shared key between the AS and the TGS. Key BC is used to encrypt the following data: a) the username, b) AC. This part cannot be revealed by the user, because BC is shared only between the AS and the TGS. On receiving the keys from the AS, the user sends the TGS the BC-encrypted part as it is. The user also appends the service it wants to avail of, in addition to the session time, encrypted with the secret key the user shares with the TGS. The TGS now creates the shared secret key it is going to share with the service. The TGS sends the previously calculated C (Equation (3)) and the nonce Nc to the service, S. S computes

    $D = g^{v} \bmod n$    (6)

v being the private key of the service. S in turn sends D, Nc and a new nonce Nd to the TGS. The TGS now generates the shared secret key by computing

    $CD = g^{zv} \bmod n$    (7)

and sends the same to S, together with the nonce Nd. Next, the TGS responds to the user by sending the service the user had requested, along with the shared secret key AD ($g^{xv} \bmod n$) determined by the TGS, encrypted with the key AC. It also sends key AD, appended to the username and A, encrypted with the shared secret key CD (Equation (7)). The second part of the message cannot be revealed by the user, since the key CD is shared only between the TGS and the service. Finally, the user sends the second part of the message to the service as it is. As with AC, the Diffie-Hellman value $g^{xv}$ is derivable only by the user (from D) and by the service (from A); the TGS can relay D and A but cannot compute AD itself.

2.2. AJAX Explanation

AJAX, shorthand for Asynchronous JavaScript and XML, is a web development technique [16, 17]. The intent is to make web pages feel more responsive by exchanging small amounts of data with the server behind the scenes, so that the entire web page does not have to be reloaded each time the user makes a change. In AJAX, the browser allows JavaScript to call the server without posting the entire page back to the server; instead it retrieves a small amount of data dynamically and updates parts of the page.

Figure 2. AJAX Implementation in JUIT-IBA. The above module is a part of the JUIT-IBA system.

2.3. Image Set Generation and Selection

This section deals with another important part of the security of IBA: the selection of images in an image set and the generation of the image set itself. An image set is a collection of n images arranged into r rows and c columns. For the JUIT-IBA system, n = 40, arranged into 4 rows (r = 4) and 10 columns (c = 10). It is at the discretion of the designers to choose n, r and c, and several factors should be considered while choosing them. n should be chosen such that it increases the security of the system yet keeps the system user-friendly, while r and c should be chosen such that the image grid that appears to the user is not visible in one eye-span, i.e. a user must scroll up or down, left or right, to view the entire image grid.

The system divides its users into three levels, namely beginner, moderate and advanced (in hierarchy from lowest level to highest level). As the user proceeds up the hierarchy, it becomes more difficult for an intruder to get his/her password. This is because the system provides 3 image sets (i.e. 3 x 40 = 120 images) for a beginner, from which he/she can select up to 5 images; 4 image sets (i.e. 4 x 40 = 160 images) for an intermediate-level user, from which he/she can select up to 9 images as his/her password; and, for an advanced user, 5 image sets (i.e. 5 x 40 = 200 images), from which he/she can select up to 13 images. This maximum limit on the number of images in a password set is not based on any mathematical calculation.

The images selected to form an image set:
1. should not be easily describable;
2. should be easy to remember;
3. should be unique and abstract;
4. should differ in color schemes and structure.

We use a random display of images within an image set, i.e. within an image set the images are arranged randomly and their positions are in no way related to the previous image set that was generated.

Now we move on to the selection of images. As mentioned

earlier, the user is first asked for a username, after which he/she is given the first image set. Since the images are arranged randomly, his password image will appear in a random position and not a fixed position. The order of the image sets is fixed, i.e. Image Set 1 will appear to the user first, followed by Image Set 2 and so on, but the images within an image set shuffle every time. Considering the security aspect, the JUIT-IBA system does not change the mouse cursor when it is taken over any image; normally, when you roll the mouse over some image or link, the cursor changes itself to a hand (in Microsoft Windows). Also, there is no special mark on the images that you have currently selected. This way, no third person will be able to make out the password.

3. Performance of JUIT-IBA System

3.1. Attack Scenario on Client Side

This section discusses the security performance of the JUIT-IBA system. It also includes the preventive measures that have been taken against these attacks and how the system is better than text-based passwords.

Figure 3. Screenshot showing one of the image sets. Note the encircled image and its position.

Figure 4. Screenshot showing the same image grid as Figure 3 but at a different time instant. Note the encircled image and its position: it has changed randomly, and all the other images have changed their positions too.

3.1.1. Keystroke Logging

For keystroke logging, refer to Figures 3 and 4. Since the password is entered with mouse clicks, what a logger captures here is click positions. An attacker may attempt to note down the positions of the displayed images in an image grid, but it would be of no use, as no image is displayed in the same position inside the image grid when it is generated the next time.

3.1.2. Shoulder Attack

For the shoulder attack, refer to Figure 5. To counter this attack, the images that have been selected to be displayed in the image grid are all very abstract images which are not easily describable. Also, while selecting an image, it is not highlighted, so the attacker does not get a clue as to which image was selected. Most display screens (at the time of writing) use a resolution of 800x600 pixels. The image grid in JUIT-IBA is designed in such a way that at any given instant not all 40 images of a particular image set are visible to the onlooker.

Figure 5. Screenshot showing one of the image grids. Note that the entire grid is not visible at one time; one needs to scroll up/down or right/left to view the entire grid.

One complete row and almost two and a half columns are hidden in a single display. This further reduces the risk of a shoulder attack. To further confuse the attacker, the images have been chosen in such a way that each image has at least one closely resembling image in the grid. This again helps in preventing a shoulder attack.

3.1.3. Tempest Attack

For the Tempest attack, refer to Figures 6 and 7. Electromagnetic emanations from a monitor can be read by sensitive receiver equipment kept at a certain distance from it [4, 5, 6]. The attacker can extract the color information from the images. When a user selects an image, it is not displayed on the screen but stored in the background. This ensures that the attacker cannot get the color information of the selected images. Even if the attacker manages to extract information about the displayed image grid, he would still have to figure out the password from that grid, which is not an easy task. When the user wants to see the selected images, those images are displayed to the user in black and white as well as blurred, so as to send out no signal which can be detected by the eavesdropper.

Figure 6. Screenshot showing the images that a user has selected. Note the encircled image: it is black and white, to hide the color information, and blurred as well. This prevents a Tempest attack.

Figure 7. Screenshot showing the images that a user has selected. Note the encircled image. When the user moves the mouse over those images, they become colored. This is done to let users view their selected images.

3.1.4. Brute Force Attack

In a brute force attack, all the possible combinations have to be tried to crack the password. Doing this against the IBA is impractical, because the attacker has to sit and try out all the combinations, and the IBA system has a time limit imposed on each of its image grid pages: the session expires after a certain time, so the attacker must start from scratch after the session expires.

3.2. Attack Scenario on Server Side

1. Single point of failure: Kerberos requires continuous availability of a central server. When the Kerberos server is down, no one can log in. This can be solved by using multiple Kerberos servers.
2. Kerberos requires the clocks of the involved hosts to be synchronized. The tickets have a time availability period and, if the host clock is not synchronized with the clock of the Kerberos server, authentication will fail. The default configuration tolerates only a few minutes of clock skew (MIT Kerberos's default clockskew is 300 seconds, i.e. 5 minutes).

3.3. Comparison with UFL-IBA

In UFL-IBA the selected images are displayed in the left-hand column and get highlighted when the mouse cursor is moved over them. This means that they are prone to shoulder and Tempest attacks when highlighted. On the other hand, JUIT-IBA does not display the selected images anywhere on the screen, making it impossible for the attacker to identify them. Figure 8 gives the values of the time drawn against the loading of images under different traffic at different intervals of time.

Table 1. Comparison of JUIT-IBA with UFL-IBA

  Feature                                                            JUIT-IBA   UFL-IBA
  Indication on selected images (in your password set)               No         Yes
  Visibility of entire image set                                     No         Yes
  Resemblance of one image with some other image in the same grid    Yes        No

[Figure 8 (plot not reproduced): image loading time, 0 to 0.005 on the vertical axis, for Image Set 1, Image Set 2 and Image Set 3 under three conditions: Internet (Low Traffic), Internet (High Traffic) and LAN (100 Mbps).]

Figure 8. The timing analysis diagram showing the loading of images under different traffic at different intervals of time.
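The client-side measures of Sections 2.3 and 3.1 (a fresh random arrangement of the same 40 images on every login, acceptance by image identity rather than grid position, a time limit on each grid page) and the brute force arithmetic of Section 3.1.4 are collected in the following added example. It is not the paper's code and not the JUIT-IBA implementation; the image identifiers, the 300-second limit and the clock values are constructed for the example, while the level parameters (3, 4 or 5 sets of 40 images, at most 5, 9 or 13 selected) are the paper's. password_space gives the count the paper does not state: treating a password as an unordered set of the maximum size, the beginner level has fewer candidates than a five-character alphanumeric password, the moderate level fewer than eight characters and the advanced level fewer than twelve, which is the check a practitioner would want before relying on the session limit alone.

```python
"""Added example, not code from the paper: the client-side grid handling of
Sections 2.3 and 3.1 (a fresh random arrangement of the same 40 images on every
login, acceptance by image identity rather than grid position, a time limit on
each grid page) and the size of the password space the brute force attacker of
Section 3.1.4 faces at each user level. The image identifiers, the 300-second
limit and the clock values are constructed for the example; the level
parameters (3/4/5 sets of 40 images, at most 5/9/13 selected) are the paper's."""
import math
import random

ROWS, COLS = 4, 10                       # r and c of Section 2.3
LEVELS = {"beginner": (3, 5), "moderate": (4, 9), "advanced": (5, 13)}  # (image sets, max images)


def image_set(set_no):
    """Constructed identifiers for the 40 images of one set (the real sets hold abstract pictures)."""
    return [f"set{set_no}-img{i:02d}" for i in range(ROWS * COLS)]


def shuffled_grid(set_no, seed=None):
    """A new r x c arrangement of the same images: a position recorded during one
    login (Section 3.1.1) says nothing about where the image sits next time."""
    ids = image_set(set_no)
    random.Random(seed).shuffle(ids)
    return [ids[r * COLS:(r + 1) * COLS] for r in range(ROWS)]


def verify(stored_password, clicked_ids):
    """The server compares sets of image identities, never grid coordinates."""
    return set(clicked_ids) == set(stored_password)


def password_space(level):
    """Unordered selections of the maximum size for the level: the number of
    candidates a brute force attacker must cover (order-sensitive matching would
    multiply it by k!, so this is the lower bound)."""
    sets, k = LEVELS[level]
    return math.comb(sets * ROWS * COLS, k)


def equivalent_text_length(level, alphabet=62):
    """Length of a random password over `alphabet` symbols with at least the same space."""
    return math.ceil(math.log(password_space(level), alphabet))


class GridPage:
    """One image-grid page with the time limit of Section 3.1.4: after the deadline
    every click is refused and the login has to start again from scratch."""

    def __init__(self, set_no, opened_at, limit_seconds=300, seed=None):
        self.grid = shuffled_grid(set_no, seed)
        self.deadline = opened_at + limit_seconds
        self.clicks = []                 # image identities, not (row, col) pairs

    def click(self, row, col, now):
        if now > self.deadline:
            raise TimeoutError("grid page expired; restart the login")
        self.clicks.append(self.grid[row][col])
        return self.clicks[-1]
```

Two grids built from different seeds hold the same 40 identifiers in different places, so a list of recorded (row, col) clicks replayed on a later grid yields different images; verify accepts the stored images in any click order; and a click arriving after the deadline raises TimeoutError rather than being counted. password_space("beginner") is C(120, 5) = 190,578,024, which is why the added lead-in above treats the session limit, not the combination count, as the real brake on online guessing at that level.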

4. Conclusions

Image Based Authentication systems combined with a strong protocol (the Kerberos protocol) offer a path to secured systems in the future. Such systems provide a secure channel of communication between the communicating entities. The ease of using and remembering images as a password also supports the scope of these systems. As we have seen in this paper, the JUIT-IBA system proves its toughness against today's cryptanalytic algorithms and other basic hacking mechanisms. Apart from the security factor, the runtime performance of the system is well suited to today's internet configurations. Hence, on the basis of security (Kerberos with shared keys), time performance and ease of use of such systems, we conclude this paper by saying that IBA systems hold a vital position in the future of network security.

5. References

[1] Richard E. Newman, Piyush Harsh, and Prashant Jayaraman, "Security Analysis of and Proposal for Image Based Authentication," 2005.
[2] David Melcher, "The persistence of visual memory for scenes," Nature, 412(6845), p. 401, July 2001.
[3] Rachna Dhamija and Adrian Perrig, "Déjà Vu: A User Study Using Images for Authentication," Proceedings of the 9th USENIX Security Symposium, August 2000.
[4] Wim van Eck, "Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk?," Computers & Security, vol. 4, pp. 269-286, 1985.
[5] Markus G. Kuhn, "Electromagnetic Eavesdropping Risks of Flat-Panel Displays," Proceedings of the 4th Workshop on Privacy Enhancing Technologies, May 2004.
[6] William Stallings, "Cryptography and Network Security," Pearson Education.
[7] Andrew S. Tanenbaum and Maarten Van Steen, "Distributed Systems," Pearson Education.
[8] http://www.w3schools.com/ajax/default.asp.
[9] http://www.php.net.
[10] http://www.cise.ufl.edu.
[11] http://en.wikipedia.org/wiki/Diffie-Hellman.
[12] http://www.Kerberos.info.
[13] http://en.wikipedia.org/wiki/Kerberos.
[14] Faulkner Information Services, "Enterprise Network Security Guidelines: Prevention and Response to Hacker Attacks," digital edition, June 1, 2001.
[15] Yang Xiao, "Security in Distributed and Networking Systems (Computer and Network Security)," hardcover, September 30, 2007.
[16] Lee Babin, "Beginning Ajax with PHP: From Novice to Professional," paperback, October 16, 2006.
[17] Chris Ullman and Lucinda Dykes, "Beginning Ajax (Programmer to Programmer)," paperback, March 19, 2007.

