CAPTCHA AS A GRAPHICAL PASSWORD - A NEW SECURITY PRIMITIVE BASED ON HARD AI PROBLEMS


Content

• Introduction

• Existing System

• CAPTCHA

• Graphical password schemes

• Proposed System : Captcha As Graphical Passwords

• Conclusion


Introduction

• The existing system is vulnerable to online dictionary attacks, denial-of-service attacks, global password attacks, relay attacks and shoulder-surfing attacks, through which services are compromised by attackers.

• The purpose of this presentation is to develop a new security primitive based on hard AI problems, namely a novel family of graphical password systems integrating Captcha technology, which we call CaRP (Captcha as gRaphical Passwords).

• The objective is to develop a new paradigm with the cryptographic primitives based on hard math problems and to provide security for authentication services.


Existing System

Today, user authentication for network or internet-based environments poses a challenging task for system and network administrators, as organized cyber criminals are working hard on research and development of advanced hacking methods that can be used to steal money and secured information from the general public.

To address this security problem and to balance user friendliness against authentication complexity, Captcha and graphical passwords are used.


CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart

A CAPTCHA, trademarked by Carnegie Mellon University, is a type of challenge-response test used in computing to determine whether or not the user is human.

The use of CAPTCHA thus excludes a small number of individuals from using significant subsets of such common Web-based services as PayPal, GMail, Orkut, Yahoo!, many forum and weblog systems, etc.

Captcha Types

• Text Captcha: it relies on character recognition

• Image Recognition Captcha: it relies on recognition of non-character objects


Benefits of Captcha

• Distinguishes between a human and a machine

• Makes online polls more legitimate.

• Reduces spam and viruses.

• Makes online shopping safer.

• Diminishes abuse of free email account services


Applications

Captchas are used in various web applications to identify human users and to restrict access to them.

• Online polls

• Protecting web registration

• Search engine bots

• E-Ticketing

• Email spam

• Preventing dictionary attacks

• As a tool to verify digitized books

• Improved Artificial Intelligence technology


Limitations of Captcha

• Sometimes very difficult to read.

• Are not compatible with users with disabilities

• Time-consuming to decipher.

• Technical difficulties with certain internet browsers.

• May greatly enhance Artificial Intelligence


Graphical Password Schemes

Graphical password schemes have been proposed as a possible alternative to text-based schemes, motivated partially by the fact that humans can remember pictures better than text.

Graphical password techniques are categorized according to the task involved in memorizing and entering passwords:

• Recognition-based scheme

• Recall-based scheme

• Cued-recall scheme


Recognition Based Techniques

• Random images used by Dhamija and Perrig

• A shoulder-surfing resistant graphical password scheme

• Pass-String

• Passfaces

• Story Scheme

• Graphical Password Scheme proposed by Jansen, et al


Recall Based Techniques

• Draw-a-Secret (DAS)

• Grid selection

• A signature

• Passpoint System


Cued-Recall scheme

• Pass-Points

• Cued Click Point

• Persuasive Cued Click Points


Benefits of Graphical Password

• Graphical password schemes provide a way of making more user-friendly passwords.

• Here the security of the system is very high.

• Like textual passwords, the dictionary attacks and brute force attacks are not possible with graphical passwords.

• Spyware attack: key-logging or key-listening spyware cannot be used to break graphical passwords.

• Social engineering: giving away a graphical password to another person is difficult compared to a text-based password, e.g. it is very difficult to give away graphical passwords over the phone.

• Setting up a phishing website to obtain graphical passwords would be more time consuming.


Limitations of Graphical Password

• Password registration and the log-in process take too long.

• They require much more storage space than text-based passwords.

• Shoulder surfing: as the name implies, shoulder surfing means watching over people's shoulders as they process information. Because of their graphic nature, nearly all graphical password schemes are vulnerable to shoulder surfing.


CAPTCHA AS GRAPHICAL PASSWORDS

• CaRP addresses a number of security problems altogether, such as online guessing attacks, relay attacks, and, if combined with dual-view technologies, shoulder-surfing attacks. Notably, a CaRP password can be found only probabilistically by automatic online guessing attacks even if the password is in the search set.

• CaRP also offers a novel approach to address the well-known image hotspot problem in popular graphical password systems, such as PassPoints, that often leads to weak password choices.

• CaRP is not a solution, but it offers reasonable security and usability and appears to fit well with some practical applications for improving online security.


Types of CaRP/Project Modules

• RECOGNITION-BASED CaRP

• ClickText

• ClickAnimal

• AnimalGrid

• RECOGNITION-RECALL CaRP

• TextPoints

• TextPoints4CR


RECOGNITION-BASED CaRP

Recognition-Based CaRP requires recognizing an image and using the recognized objects as cues to enter a password. For this type of CaRP, a password is a sequence of visual objects in the alphabet. Per view of traditional recognition-based graphical passwords, recognition-based CaRP seems to have access to an infinite number of different visual objects.


ClickText

• Its alphabet comprises characters without any visually-confusing characters.

• For example, the letter “O” and the digit “0” may cause confusion in CaRP images, and thus one of the two characters should be excluded from the alphabet.

• A ClickText password is a sequence of characters in the alphabet, e.g., ρ = “AB#9CD87”, which is similar to a text password.

• The ClickText image consists of 33 characters.

• The user clicks the characters of the password on the ClickText image, in the same order.
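The ClickText flow described above, sketched from the server's side as an added example (not code from the presentation or from the CaRP authors). The 33-character alphabet, the pixel sizes, the per-attempt random layout and the salted PBKDF2 record are assumptions made for illustration; because the layout is regenerated for every attempt, recorded click coordinates only decode to the password on the image they were made on.

```python
import hashlib, hmac, os, random

# Constructed 33-character alphabet: look-alikes such as "O"/"0" and "I"/"1" left out.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789#"
CELL, GLYPH, COLS = 40, 24, 11   # assumed pixel sizes; 11 columns x 3 rows

def new_challenge(rng):
    """Fresh layout {char: (x0, y0, x1, y1)} for one login attempt.
    Use secrets.SystemRandom() as rng in a real deployment."""
    cells = list(range(len(ALPHABET)))
    rng.shuffle(cells)
    layout = {}
    for ch, cell in zip(ALPHABET, cells):
        x0 = (cell % COLS) * CELL + rng.randrange(CELL - GLYPH)
        y0 = (cell // COLS) * CELL + rng.randrange(CELL - GLYPH)
        layout[ch] = (x0, y0, x0 + GLYPH, y0 + GLYPH)
    return layout

def clicks_to_text(layout, clicks):
    """Map each click to the character whose box contains it; None on any miss."""
    out = []
    for x, y in clicks:
        hit = [c for c, (x0, y0, x1, y1) in layout.items()
               if x0 <= x < x1 and y0 <= y < y1]
        if len(hit) != 1:
            return None
        out.append(hit[0])
    return "".join(out)

def _kdf(text, salt):
    return hashlib.pbkdf2_hmac("sha256", text.encode(), salt, 100_000)

def enroll(password):
    """Store only a salt and a slow salted hash, never the password or click points."""
    salt = os.urandom(16)
    return salt, _kdf(password, salt)

def verify(record, layout, clicks):
    """Decode the clicks against this attempt's layout, then compare hashes in constant time."""
    salt, stored = record
    text = clicks_to_text(layout, clicks)
    return text is not None and hmac.compare_digest(_kdf(text, salt), stored)

def centre_clicks(layout, password):
    """Stand-in for a human who reads the image and clicks each glyph's centre."""
    return [((layout[c][0] + layout[c][2]) // 2, (layout[c][1] + layout[c][3]) // 2)
            for c in password]
```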


ClickAnimal

• ClickAnimal is a Captcha scheme which uses models of various animals.

• A user clicks on any animal in a challenge image to pass the test.

• Its password is a sequence of animal names such as ρ = “Turkey, Cat, Horse, Dog”. For each animal, one or more models are built.


AnimalGrid

• AnimalGrid is a combination of ClickAnimal and CAS (Click-A-Secret).

• In CAS, the user clicks the grid cells in her password.

• To enter a password, an AnimalGrid image is displayed first. The image is divided into small grids with the grid-cell size equaling the bounding rectangle of the selected animal. Each grid-cell is labeled to help users identify


RECOGNITION-RECALL BASED CaRP

• Recognition-recall based CaRP combines the tasks of both recognition and cued-recall, and retains both the recognition-based advantage of being easy for human memory and the cued-recall advantage of a large password space.

• In recognition-recall CaRP, a password is a sequence of some invariant points of objects. An invariant point of an object (e.g. letter “A”) is a point that has a fixed relative position in different incarnations (e.g., fonts) of the object, and thus can be uniquely identified by humans no matter how the object appears in CaRP images.


TextPoints

TextPoints is a Recognition-Recall CaRP. Characters contain invariant points of objects, which offer a strong cue to memorize and locate those points.


TextPoints4CR

TextPoints4CR is similar to the TextPoints scheme; the difference is that each character appears only once in a TextPoints4CR image but may appear multiple times in a TextPoints image for enhancing security.


Benefits of CaRP

• CaRP offers protection against Automatic Online Guessing Attacks on passwords.

• It also offers protection against Relay Attacks.

• It offers security against Human Guessing Attacks.

• It offers protection against Shoulder Surfing Attack.

• It offers security against spam emails sent from a Web email service.


Limitations of CaRP

• The CaRP scheme is vulnerable to phishing attacks because user-clicked points are sent to the authentication server.

• CaRP is also vulnerable if both the image and the user-clicked points can be captured (if the client is compromised).


Application

• CaRP can be useful for touch-screen devices where typing a password is difficult.

• CaRP is also useful for secure internet applications such as e-business, e-commerce, e-banking etc.

• CaRP is used to reduce spam emails. For an email service provider which uses CaRP, a spam bot cannot log into an email account even if it knows the password.


System Requirement

MINIMUM HARDWARE REQUIREMENTS:

• Processor - Pentium IV

• Speed - 1.1 GHz

• RAM - 128 MB (min)

• Hard Disk - 1 GB

• Key Board - Standard Windows Keyboard

• Mouse - Two or Three Button Mouse

• Monitor - LCD/LED

SOFTWARE REQUIREMENTS:

• Operating system : Windows/Linux

• Coding Language : PHP

• Server : Apache

• Data Base : MySQL


Conclusion

• CaRP is one step forward in the paradigm of using hard AI problems for security.

• It is both a Captcha and a graphical password scheme.

• CaRP forces adversaries to resort to significantly less efficient and much more costly human-based attacks.

• The past decade has seen an emergent interest in using graphical passwords as an alternative to the conventional text-based passwords.

• There is a need for more in-depth research that investigates possible attack methods against graphical passwords.
