
CAPTCHA AS GRAPHICAL PASSWORDS
A NEW SECURITY PRIMITIVE BASED ON HARD AI PROBLEMS

By
Gopinath.R
(1BY14SCS08)
M.Tech (CSE),BMSIT

Under the Guidance of:

Mr. Ravi Kumar B.N

Asst. Professor, Dept. of CSE, BMSIT

AGENDA

Introduction

Background

Captcha as Graphical Password

Recognition Based CaRP

Security Analysis

Applications

Conclusion

INTRODUCTION

Using hard Artificial Intelligence problems for security is an exciting new paradigm.

Under this paradigm, the most notable primitive is Captcha, which distinguishes human users from computers by presenting a challenge, i.e., a puzzle.

Captcha is now a standard Internet security technique to protect online email and other services from being abused by bots.

This work presents a new security primitive based on hard AI problems: a novel family of graphical password systems integrating Captcha technology, called CaRP (Captcha as Graphical Passwords).

CaRP is a click-based graphical password scheme, in which a sequence of clicks on an image is used to derive a password.

BACKGROUND

Graphical Passwords

Recall Based Techniques
A user is asked to reproduce something that he created or selected earlier, during the registration stage.

Recognition Based Techniques
A user is presented with a set of images and passes the authentication by recognizing and identifying the images he selected during the registration stage.

Cued-recall Techniques
An extra cue is provided to help users remember and target specific locations within a presented image.

Captcha

Completely Automated Public Turing test to tell Computers and Humans Apart.
It is a challenge-response test program that separates humans from computer programs.

TYPES:
Text Captcha
The Text Captcha relies on character recognition.
Image-Recognition Captcha (IRC)
The IRC relies on recognition of non-character objects.

TEXT BASED
Simple, normal questions, e.g.:

What is the sum of three and thirty-five?

If today is Saturday, what is the day after tomorrow?

Which of mango, table and water is a fruit?

Very effective, but needs a large question bank.

Cognitively challenged users find it hard.

IMAGE-RECOGNITION CAPTCHA
1. BONGO

The user has to solve a pattern recognition problem.

He has to tell the distinguishing characteristic between two sets of figures.

Then he has to tell which set a given figure belongs to.

2. PIX

Uses a large database of labelled images.

It shows a set of images; the user has to recognize the common feature among them.
E.g., pick the common characteristic among the following four pictures: aeroplane.

Captcha in Authentication

A protocol using both Captcha and password in authentication was introduced, called the Captcha-based Password Authentication (CbPA) protocol.
The CbPA protocol requires solving a Captcha challenge after inputting a valid pair of user ID and password.

CAPTCHA AS GRAPHICAL PASSWORDS - CARP
A New Way to Thwart Guessing Attacks

In a guessing attack, a password guess tested in an unsuccessful trial is determined wrong and excluded from subsequent trials.
To counter guessing attacks, traditional approaches in designing graphical passwords aim at increasing the effective password space.
Here we distinguish two types of guessing attacks:
Automatic guessing attacks apply an automatic trial-and-error process.

Human guessing attacks apply a manual trial-and-error process.

CaRP: An Overview

In CaRP, a new image is generated for every login attempt.

CaRP uses an alphabet of visual objects (e.g., alphanumerical characters, similar animals) to generate a CaRP image.

CaRP schemes are click-based graphical passwords.

CaRP schemes can be classified into two categories:

Recognition
which requires recognizing an image and using the recognized objects as cues to enter a password.
Recognition-recall
which combines the tasks of both recognition and cued-recall.

USER AUTHENTICATION WITH CARP SCHEMES
A typical way to apply CaRP schemes in user authentication is as follows.

Flowchart of basic CaRP authentication.

The authentication server AS stores a salt s and a hash value H(, s), computed from the password and the salt, for each user ID.

Upon receiving a login request, AS generates a CaRP image.

The coordinates of the points the user clicks on the image are recorded and sent to AS along with the user ID.

AS maps the received coordinates onto the CaRP image and recovers a sequence of visual object IDs.

Then AS retrieves the salt s of the account and calculates the hash value of the recovered sequence with the salt.

Authentication succeeds only if the two hash values match.
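As an added example (not code from this presentation or from the CaRP paper), the following Python models the server-side flow above: a fresh random object layout stands in for the generated CaRP image, the user's clicks are mapped back onto that image to recover object IDs, and a salted hash of the recovered sequence is compared with the stored one. The alphabet, grid geometry and the AuthServer class are constructed here for illustration.

```python
import hashlib, hmac, os, random

# Constructed visual-object alphabet (no 0/O/1/I) and toy image geometry for this example.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CELL, COLS = 40, 8  # pixel size of each object's bounding box, objects per row

def password_hash(objects, salt):
    """Salted hash over the sequence of visual-object IDs (the page's salted hash H)."""
    return hashlib.sha256(salt + ",".join(objects).encode()).hexdigest()

def generate_image(rng):
    """Fresh layout for one login attempt: object ID -> bounding box (x0, y0, x1, y1)."""
    slots = list(range(len(ALPHABET)))
    rng.shuffle(slots)
    return {obj: ((p % COLS) * CELL, (p // COLS) * CELL,
                  (p % COLS) * CELL + CELL, (p // COLS) * CELL + CELL)
            for obj, p in zip(ALPHABET, slots)}

def click(image, obj):
    """Simulated user click: the centre of the bounding box of the recognised object."""
    x0, y0, x1, y1 = image[obj]
    return ((x0 + x1) // 2, (y0 + y1) // 2)

def map_clicks(image, clicks):
    """Server side: map each received coordinate back onto the issued image."""
    ids = []
    for x, y in clicks:
        hit = [o for o, (x0, y0, x1, y1) in image.items() if x0 <= x < x1 and y0 <= y < y1]
        ids.append(hit[0] if hit else "?")  # "?" marks a click that hit no object
    return ids

class AuthServer:
    def __init__(self):
        self.accounts = {}  # user ID -> (salt s, salted hash of the password)
        self.pending = {}   # user ID -> image issued for the current attempt
    def register(self, user_id, password):
        salt = os.urandom(16)
        self.accounts[user_id] = (salt, password_hash(password, salt))
    def login_request(self, user_id, seed=None):
        # A new CaRP image is generated for every login attempt (seed only for tests).
        self.pending[user_id] = generate_image(random.Random(seed))
        return self.pending[user_id]
    def verify(self, user_id, clicks):
        image = self.pending.pop(user_id, None)  # single use: stale coordinates fail
        if image is None or user_id not in self.accounts:
            return False
        salt, stored = self.accounts[user_id]
        return hmac.compare_digest(password_hash(map_clicks(image, clicks), salt), stored)
```

Because the image is regenerated for every attempt, coordinates captured from one login recover a different object sequence when mapped onto the next image, so they cannot simply be replayed.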

RECOGNITION BASED CARP

1. Click Text

Click Text is a recognition-based CaRP scheme built on top of text Captcha.
A Click Text password is a sequence of characters in the alphabet, e.g., AB#9CD87, which is similar to a text password.

Click-Text image with 33 characters

2. Click Animal

Click Animal is a recognition-based CaRP scheme built on top of Captcha Zoo, with an alphabet of similar animals such as dog, horse, cat, etc.

Its password is a sequence of animal names, such as Turkey, Cat, Horse, Dog.

Captcha Zoo with horses circled red.

A Click Animal image

3. Animal Grid

Animal Grid is a combination of Click Animal and Click-A-Secret (CAS), wherein a user clicks the grid cells in his password.
To enter a password, a Click Animal image is displayed first.
After an animal is selected, an image of an n × n grid appears, with the grid-cell size equaling the bounding rectangle of the selected animal.

A Click Animal image

6 × 6 grid

SECURITY ANALYSIS

Security of Underlying Captcha

As a framework of graphical passwords, CaRP does not rely on any specific Captcha scheme.
If one Captcha scheme gets broken, a new robust Captcha scheme can be used to construct a new CaRP scheme.

Automatic online guessing attacks

In automatic online guessing attacks, the trial-and-error process is executed automatically, whereas dictionaries can be constructed manually.

APPLICATIONS

CaRP can be applied on touch-screen devices.

Many e-banking systems use Captchas in user logins, requiring a Captcha challenge to be solved for every online login attempt.
CaRP increases spammers' operating cost and thus helps reduce spam emails.
If CaRP is combined with a policy to throttle the number of emails sent to new recipients per login session, this leads to reduced outbound spam traffic.

CONCLUSION

CaRP is both a Captcha and a graphical password scheme.

This is a desired security property that other graphical password schemes lack.
CaRP is also resistant to Captcha relay attacks and, if combined with dual-view technologies, to shoulder-surfing attacks.
CaRP can also help to reduce spam emails sent from a Web email service.

CaRP will attract more attack effort than ordinary Captcha.

CaRP does not rely on any specific Captcha scheme.

REFERENCES
[1] B. B. Zhu, J. Yan, G. Bao, M. Yang, and N. Xu, "Captcha as graphical passwords: A new security primitive based on hard AI problems," IEEE Trans. Inf. Forensics Security, vol. 9, no. 6, June 2014.
[2] R. Biddle, S. Chiasson, and P. C. van Oorschot, "Graphical passwords: Learning from the first twelve years," ACM Computing Surveys, vol. 44, no. 4, 2012.
[3] I. Jermyn, A. Mayer, F. Monrose, M. Reiter, and A. Rubin, "The design and analysis of graphical passwords," in Proc. 8th USENIX Security Symp., 1999, pp. 1-15.
[4] H. Tao and C. Adams, "Pass-Go: A proposal to improve the usability of graphical passwords," Int. J. Netw. Security, vol. 7, no. 2, pp. 273-292, 2008.
[5] S. Wiedenbeck, J. Waters, J. C. Birget, A. Brodskiy, and N. Memon, "PassPoints: Design and longitudinal evaluation of a graphical password system," Int. J. HCI, vol. 63, pp. 102-127, Jul. 2005.

Thank you!!!

