
Article Title: “Token-based Graphical Password Authentication”

International Journal of Information Security, 2011. Authors: John Charles Gyorffy, Andrew F. Tappenden, James Miller. Presenter: Patrick Centanni.





Presentation Transcript


  1. Article Title: “Token-based Graphical Password Authentication”, International Journal of Information Security, 2011. Authors: John Charles Gyorffy, Andrew F. Tappenden, James Miller. Presenter: Patrick Centanni

  2. Security Issues
  • Three Types of Malware:
    1.) Information Stealing
    2.) Activity Altering
    3.) Entire System Compromising

  3. Problems with Conventional Passwords
  • LOW-ENTROPY PASSWORDS:
    • Users tend to pick passwords that are easy to remember.
    • 86% of passwords are case-insensitive and do not use special characters, meaning that users tend to rely on a stable of about 36 characters (as opposed to the 95 available to them).
  • YOU GOT ONE, YOU GOT ‘EM ALL.
  • TOO MANY PASSWORDS!

  4. The Goals of an Improved Password System
  • To significantly decrease the likelihood of a user’s login credentials being stolen.
  • To fortify the security of user accounts by increasing the entropy (degree of randomness) associated with login passwords.
  • To use one easy-to-remember password for everything.
  • To combat malware, in particular information-stealing malware.

  5. What About Password Vaults, Though?
  • A password vault indexes a user’s various passwords with their corresponding URLs, fetching the passwords when needed.
  • This type of system may actually put the user in an even worse bind than having a single password compromised.
  • “The encryption is only as strong as the main password into the vault.”

  6. Previous Work
  • Passfaces. Problem: Excessive Login Time, Potential for Shoulder Surfing
  • Eye-tracing Password Systems & Pressure-based Click Point Systems. Problem: Poor Password Recall Rates

  7. The Proposed Solution
  • A system that employs a graphical password.
  • The software for the authentication system resides on a Trojan- and virus-resistant embedded device.
  • User selects a personal image and selects points on the image.
  • Image is hashed and provided as input to a cryptosystem that returns a password.
  • Points selected are stretched into a long alphanumeric password, with a high degree of entropy and uniqueness.

  8. Where Does The System Reside?
  • Uses a special client web browser on a low-cost USB device with read-only, protected flash memory.
  • No sensitive information stored on the drive. The only data on the drive are:
    1.) graphical password chosen by user
    2.) unique set of true random numbers generated at the time of production

  9. Increasing Entropy
  • Users typically select words or dates for alphanumeric passwords, which clearly decreases entropy.
  • Entropy increases significantly when using images:
    • The sample set of all possible images a user could select is HUGE.
    • The password developed by the system also includes a set of unique random numbers.

  10. How The System Works

  11. What The Interface Looks Like

  12. Password Space Difference
  A staggering testimonial for the implementation of graphical-based passwords:
  • Alphanumerical Password Space (95 characters): 6.6 x 10^15
    But don’t forget, users typically only rely on 36 characters, so this reduces the password space significantly.
  • Graphical Password Space (8 points): 1.1 x 10^18

  13. Cryptography Terminology
  • Message: The data to be encrypted.
  • Cryptographic hash function: A function that generates a unique (collision-free) value for the data to be encrypted.
  • Message Digest: The hashed value used for encryption (in this case, the generated password).

  14. Contents of Hash Message
  • 128 bytes:
    • The 8 characters selected by the user: 8 bytes.
    • 8 x-coordinates and 8 y-coordinates, 2 bytes each: 32 bytes.
    • Behind each click point is a disc with a diameter of 10 pixels. Its pixels are averaged, and a four-byte value is found for each click point: 3 bytes for the color, 1 byte for the alpha/opacity channel. This makes a total of 32 bytes.
    • The remaining 56 bytes come from a histogram image hash.

  15. The Message Digest Formula
  • H*(H(image) + CP + RNG) = P256
  • Where:
    • H is the histogram image hash.
    • CP is the user-entered click-point data.
    • RNG values are randomly generated, and are the only values stored on the USB device.

  16. Results
  • Hamming Distance: The number of positions in which two strings differ.
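The following is an added example (not code from the paper or the presentation) that walks through slides 14 to 16: it lays out the 128-byte hash message with the byte budget from slide 14, derives P256 with the formula from slide 15, and measures the Hamming distance between digests from two nearly identical click-point sets. The image, the token's random numbers, the choice of SHA-256 for H* and the SHA-512-based histogram hash are all constructed assumptions, since the page does not specify them.

```python
import hashlib
import struct

# Constructed stand-in image: 64x64 RGBA pixels forming a gradient (not a real photo).
WIDTH = HEIGHT = 64
IMAGE = [[(x * 4 % 256, y * 4 % 256, (x + y) * 2 % 256, 255)
          for x in range(WIDTH)] for y in range(HEIGHT)]
# Constructed stand-in for the true random numbers stored on the USB token (32 bytes).
TOKEN_RNG = bytes(range(32))

def histogram_hash(image):
    """56-byte histogram hash H(image): a 256-bin luminance histogram run through
    SHA-512 and truncated (assumption; only the 56-byte length comes from slide 14)."""
    bins = [0] * 256
    for row in image:
        for r, g, b, _a in row:
            bins[(r + g + b) // 3] += 1
    return hashlib.sha512(struct.pack(">256I", *bins)).digest()[:56]

def average_pixel(image, x, y, diameter=10):
    """Average RGBA over the disc of the given diameter behind a click point -> 4 bytes."""
    radius = diameter // 2
    sums, count = [0, 0, 0, 0], 0
    for py in range(max(0, y - radius), min(HEIGHT, y + radius + 1)):
        for px in range(max(0, x - radius), min(WIDTH, x + radius + 1)):
            if (px - x) ** 2 + (py - y) ** 2 <= radius ** 2:
                for i, v in enumerate(image[py][px]):
                    sums[i] += v
                count += 1
    return bytes(s // count for s in sums)

def build_message(image, chars, points):
    """128-byte hash message laid out as on slide 14: 8 + 32 + 32 + 56 bytes."""
    assert len(chars) == 8 and len(points) == 8
    msg = chars.encode("ascii")                                          # 8 bytes
    msg += struct.pack(">8H8H", *[p[0] for p in points], *[p[1] for p in points])  # 32
    msg += b"".join(average_pixel(image, x, y) for x, y in points)      # 32 bytes
    msg += histogram_hash(image)                                         # 56 bytes
    assert len(msg) == 128
    return msg

def derive_password(image, chars, points, token_rng=TOKEN_RNG):
    """P256 = H*(H(image) + CP + RNG); H* is taken to be SHA-256 (assumption)."""
    return hashlib.sha256(build_message(image, chars, points) + token_rng).digest()

def hamming_distance(a, b):
    """Number of differing bit positions between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))
```

Moving a single click point by one pixel changes the coordinate bytes, so the two digests differ in roughly half of their 256 bits, which is the behaviour the Hamming-distance results on slide 16 are measuring.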

  17. Summary
  • Three-tiered approach to system security:
    1.) The token: the USB device itself.
    2.) The graphical password to log in to the device.
    3.) A separate graphical password to perform secure transactions over the Internet.
  • This system cannot deal with system-compromising malware, since the system’s software originates on a user-level device.

  18. Future Work
  • The possibility of using this technology on smart phones and tablets (the dimensions of the image would have to be decreased).

  19. Questions

  20. References for Images Used in this Presentation
  "Bank Vault." Wikipedia. Wikimedia Foundation, 15 Jan. 2014. Web. 23 Jan. 2014.
  "Cryptographic Hash Function." Wikipedia. Wikimedia Foundation, 14 Jan. 2014. Web. 23 Jan. 2014.
  "Giving You The Password Secret to Success." MyJobKiller. N.p., n.d. Web. 23 Jan. 2014.
  Gyorffy, John C., Andrew F. Tappenden, and James Miller. "Token-based Graphical Password Authentication." International Journal of Information Security 10.6 (2011): 321-36. Academic Search Complete. Web. 16 Jan. 2014.
  "Malware | Microtech." Microtech RSS. N.p., n.d. Web. 23 Jan. 2014.
  "Password Protection: How to Create Strong Passwords." PCMAG. N.p., n.d. Web. 23 Jan. 2014.
  "Revelations on Passwords. Did You Get a Pass from PCI DSS!" OmegaSecure. N.p., n.d. Web. 23 Jan. 2014.
  "Tablets and Smart Phones Harbor More Bacteria and Germs." Smacus. N.p., n.d. Web. 23 Jan. 2014.
  "TECH Glitz." Top 25 Most Popular (Worst) Passwords of 2012. N.p., n.d. Web. 23 Jan. 2014.
  "Top 3 Questions About Small Business Blogging." Local Marketing Advice from SuperMedia. N.p., n.d. Web. 23 Jan. 2014.
