Image based authentication
Download as PPTX, PDF6 likes9,496 views
Image-based authentication (IBA) uses a set of user-selected images rather than a password for authentication. The IBA system displays an image set including key images mixed with other images. The user is authenticated by correctly identifying their key images. The document discusses IBA in detail, including potential vulnerabilities and methods to counter threats like observation attacks, brute force attacks, and frequency analysis attacks. It also covers the use of CAPTCHAs to distinguish humans and machines.
Image based authentication
- 2. What you are (biometric) What you have (token) What you know (password)
- 3. Finger attacks Word of mouth transfer Dictionary attacks Image Based Authentication (IBA) can solve all of these
- 4. IBA is based on a user’s successful identification of his image password set. After the username is sent to the authentication module, it responds by displaying an image set, which consists of images from the user’s password set mixed with other images. The user is authenticated by correctly identifying the password images.
- 5. Image Space(IS): the set of all images used by IBA system. Individual Image Set (IIS) – the set of images that a user (u) chooses to authenticate himself. Key Image – any image in a user's IIS. Presentation Set (PS) – the set of images presented to a user from which the key images must be selected for a given authentication attempt.
- 6. Authentication User Agent (AUA) Authentication Server (AS) The communication between them is encrypted using authenticated Diffie-Hellman. The AS is assumed to be a part of the Trusted Computing Base.
- 7. Image Set Selection Alice selects ‘n’ images (n is set by the administrator, Bob) Bob stores the image set at the AS Presentation Subsets Bob picks one image from IISa and some other images from IS-IISa for each PS_i. Alice picks the IISa image from each PS_i.
- 8. A→B: Username= Alice B→A: Presentation set for Round 1, PS1. A→B: Identified image. B→A: Presentation set for Round 2, PS2. A→B: Identified image. …... B→A: Presentation set for Round R, PSR. A→B: Identified image. If all R steps are successful, Bob authenticates Alice.
- 9. Image Based Authentication is not foolproof. There are four points of vulnerability: 1. Information stored on the AS. 2. Information Sent between the AS and AUA. 3. The output at the AUA. 4. The input at the AUA.
- 10. Eve can observe or log Alice’s Key stroke and later authenticate herself as Alice. Display the images in random order. Keystrokes are only meaningful for this PS in this display order.
- 11. Eve can observe Alice’s screen ( during the authentication process) and later authenticate herself as Alice. Counter: Display the image when the mouse is over it. Otherwise gray out the image. If input is hidden, then which image is selected is not known- Only get PS_i’s.
- 12. Brute Force Attack Frequency Correlation Attack Intersection Attack Logic Attack Countering Frequency Correlation Attack Decoy Screen Image Buckets Fixed PS per Key Image
- 13. Image Set Storage : Password schemes normally store only the hash of a user’s password. By compromising the server, the attacker cannot recover the password. In our scheme, the server cannot merely store the hash. The server needs to know the image set itself in order to present the authentication screens. If a server is compromised, it will be possible to retrieve the image set of every user. However, many authentication schemes depend heavily on the impenetrability of the Trusted Computing Base and they have been widely deployed.
- 15. CAPTCHA stands for Completely Automated Public Turing Test to tell Computers and Humans Apart. CAPTCHA is an automated test that can distinguish between machines and humans alike. It differentiates between humans and bot by setting some task that is easy for most humans to perform but is more difficult and time consuming for current bots to complete.
- 16. Preventing Comment Spam in Blogs. Protecting Website Registration. Protecting Email Addresses From Scrapers. Online Polls. Preventing Dictionary Attacks. Worms and Spam.
- 17. 1. PIX: Create a large Database of labeled images. Pick a concrete object. Pick more random images of the object from the image database. Distort the images Ask user to pick the object for a list of words.
- 19. 2. BONGO Visual Puzzle Computer can generate and display, but not solve Bongo is based on a visual pattern recognition problem.
- 20. As Figure below shows, a Bongo CAPTCHA uses two sets of images; each set has some specific characteristic. One set might be boldface, for example, while the other is not. The system then presents a single image to the user who then must specify the set to which the image belongs.
- 21. 3. Pessimal Print Pessimal Print works by pseudo randomly combining a word, font, and a set of image degradations to generate images like the ones in Figure.
- 22. Image-based authentication techniques, although currently in their infancy, might have a wider applicability in future. We perceive it be a more user-friendly technique that helps to increase the password quality tremendously compared to a text-based approach. In this seminar we have proposed a simple yet secure authentication technique. We have also identified various issues related with such a system and proposed a novel concept of Image Buckets in overcoming some shortcomings. Its better to be safe than sorry!!