On
“Image Based Authentication System”
Submitted By:
Saurabh Gupta
2K19
B.Tech (ECE)
CSJMA19001390109
TO
2021-2022
UNIVERSITY INSTITUTE OF ENGINEERING & TECHNOLOGY
CERTIFICATE
It is a matter of great pleasure for me to submit this project report on “Image Based
Authentication System”, as a part of the curriculum for the award of “Bachelor of
Technology in Electronics and Communication Engineering” at
UNIVERSITY INSTITUTE OF ENGINEERING & TECHNOLOGY, C.S.J.M
UNIVERSITY, KANPUR. I am thankful to my seminar guide Dr. Vishal
Awasthi for their constant encouragement and able guidance. I am also thankful to Dr.
Vishal Awasthi, Head of the Electronics & Communication Engineering
Department, & Er. Parul Awasthi, Seminar in-charge, for her valuable support. I
take this opportunity to express my deep sense of gratitude towards those who have
helped me in various ways in preparing my project. Last but not least, I am
thankful to my parents, who have encouraged & inspired me with their blessings.
SAURABH GUPTA(109)
Table of Contents
LIST OF FIGURES ………………………………………………… 1
ABSTRACT ………………………………………………………… 2
Chapter 1: INTRODUCTION ……………………………………… 3
Chapter 2: AUTHENTICATION …………………………………… 4-11
2.4 Summary
3.1 Introduction
3.5 Implementation
CONCLUSION ……………………………………………………… 19
REFERENCES ……………………………………………………… 20
LIST OF FIGURES
Figure 2. Tokens …………………………………………………… 8
Figure 6. Flowchart ………………………………………………… 17
ABSTRACT
Username and password are the most commonly used mechanism for authentication
because of their simplicity and convenience. However, this mechanism suffers from a few
drawbacks, such as the selection of weak passwords by users and users disclosing their
passwords. This weakens the security posture of organizations. Hence we propose a new
image based authentication system. Research suggests that the use of images may be more
effective in terms of security and ease of use for some applications, because we humans
are better at recognizing images than at remembering passwords. In this paper we
describe a new image based authentication system which can be used independently or
along with the current character based authentication system to improve security and
usability. We implemented the said system along with the current authentication system
(username and password).
CHAPTER 1
INTRODUCTION
It is important to note that the same authentication technique need not be used in every
scenario. For example, a less sophisticated approach may be used for accessing a
‘‘chat server’’ compared to accessing a corporate database. Most of the existing
authentication schemes require processing both at the client and the server end. Thus,
the acceptability of any authentication scheme greatly depends on its robustness
against attacks as well as its resource requirement both at the client and at the server
end. The resource requirement has become a major factor due to the proliferation of
mobile and hand-held devices. Nowadays, with the use of mobile phones, users can
access any information, including banking and corporate databases. In this paper, we
specifically target the mobile banking domain and propose a new and intelligent
authentication scheme. However, our proposal can also be used in other domains
where confidentiality and integrity are the major security requirements.
Human factors are often considered the weakest link in a computer security system.
It has been pointed out that there are three major areas where human-computer interaction is
important: authentication, security operations, and developing secure systems. Here we
focus on the authentication problem. Passwords that are hard to guess or break are
often hard to remember. Studies have shown that since users can only remember a limited
number of passwords, they tend to write them down or use the same passwords for
different accounts. To address the problems with traditional username-password
authentication, alternative authentication methods, such as biometrics, have been used.
In this paper, however, we will focus on another alternative: using pictures as
passwords.
Image based password schemes have been proposed as a possible alternative to text-
based schemes, motivated partially by the fact that humans can remember pictures
better than text; psychological studies support this assumption. Pictures are generally
easier to remember or recognize than text. In addition, if the number of possible
pictures is sufficiently large, the possible password space of a graphical password
scheme may exceed that of text-based schemes and thus presumably offer better
resistance to dictionary attacks. Because of these advantages, there is a growing
interest in graphical passwords. In addition to workstation and web log-in applications,
graphical passwords have also been applied to ATM machines and mobile devices.
CHAPTER 2
AUTHENTICATION
The password authentication model is the most prevalent authentication model and has
been used for decades. It is still widely used by operating system manufacturers. In
order to authenticate, the user has to provide a username-password pair to the server.
The server then usually applies a one-way function to this combination and
compares the result to the value it has stored and associated with the user. If the server
finds a match, it deems that the user is who he claims to be; otherwise he is not a
legitimate user.
For many standalone systems, this password model is sufficient, since the user-provided
password traverses only a small distance from the user workstation to the server.
Vulnerabilities that exist in this model in a standalone environment include:
On the other hand, in today’s extremely networked and distributed domain, such a
paradigm does not offer strong, reliable and legitimate authentication. The most
common targets of menacing attacks are such networked domains, with alarming
consequences. The client-server model is one such example. People use machines by
remotely logging in and accessing their services like files, printers etc. Therefore, in this
networked environment, there is a necessity for strong authentication that goes beyond
providing a simple password to the machine.
A far more sophisticated authentication technique than a simple password is required
when both the authentication of the user to the remote host (or service) and the
authentication of the remote host (or service) to the user are needed. When
passwords are transmitted over the network, they should not be in clear text, to avoid
their being stolen. In a network, it is advisable to manage passwords across the various
systems so that each user has a distinct password for every machine.
A few systems combine the approaches stated above. As an example, a
smart card, which is something you have, requires the user to enter a personal
identification number (PIN), which is something you know, to unlock it; this makes a good
combination. Presumably, it is considered better to merge at least two characteristics,
because an attacker can steal either one: the entity you have is vulnerable to ordinary
pilfering, and the entity you know is compromised by sniffing if it moves over the
network, but it is unusual for anyone to acquire both at the same time. This is called
strong authentication, wherein a user is authenticated using at least two factors.
Automatic teller machines (ATMs) use this approach; however, it is a relatively effortless
affair for an attacker to obtain both simultaneously if he is watching you use the
machine. When you are standing by the machine trying to authenticate your identity, he
can observe your PIN and steal your card after use. Thus the attacker knows what you
have, the card, and what you know, the PIN.
2.3 Authentication Factors
Confidential information is a unique attribute that is known only to genuine users. Even
before computers came into existence, this information was shared either through a
spoken password or a memorized combination for a lock. But in the computer world, it is
a password, a passphrase, or a PIN.
Authentication that is based on something you know depends on the fact that the something
is hard to guess and is a secret. You need to know the secret reliably if you have to
authenticate reliably. A lot of people are not good at making up and memorizing things
that are not easily guessable, and they are worse at keeping secrets. A password is a
sequence of characters that is a mutual secret between the user and the host. It is relatively
easy to guess if you are using short passwords, but it is comparatively taxing to commit
long passwords to memory. A person will end up converting one type of
authentication to another if he writes it down somewhere, that is, converting from
something you know to something you have, which is discussed subsequently.
A lot of system administrators who advise their users not to jot down passwords most
likely have a few stockpiled in their wallets anyway, which brings together something
you know and something you have. Something you know is how to read your
own handwriting, and the slip of paper containing the passwords is something you have.
Figure 1: Authenticator Factor
The major advantage of using a password is that it is fast, cheap and not so intricate to
implement, and, in practice, people don't forget them or lose the pieces of paper all that
often. For people who connect to the server from unpredictable remote locations, a
memorized combination of a username and a password is a perfect solution, since it
travels with them. However, it is absolutely impractical to pass this combination
across the Internet in any form that can be used safely. This authentication type is weak
for two reasons.
Firstly, it is a relatively easy matter to intercept or sniff passwords, as a number of
tools for this are freely available online. The very success of the scheme depends on
confidentiality, and it is challenging to keep the password a secret. If there is a
successful sniffing attack, then there is generally no way to detect it unless some sort of
damage is done.
provided that you are not revealing the secret to anyone in the near surrounding area
whenever you authenticate.
The flaws associated with this authentication model can be summarized below:
The unique attribute of “something you have” systems is that legitimate individuals
possess some particular thing. Way before computers came into existence, this particular
thing was a seal with a private insignia or a key for a lock. But in the computer world it is
a device like a smart card or a magnetic strip card. Such items are called tokens. A
token is an object whose features are in some way confidential, and that is difficult to
duplicate.
Figure 2: Tokens
• A hardware device that attaches to an I/O channel (e.g., a serial line with an RS-232
connector), which can be interrogated by the system, and which must be present to
execute certain programs.
• A SIM card or a smart card having non-volatile memory to store information and a
CPU for processing.
This authentication model is so far the most challenging technique to exploit, because it
depends on a distinct physical object that the user must possess to log on. It is
extremely hard to determine whether a password has been stolen; on the contrary, it is
relatively easy for the owner to find out if a token has been stolen or lost. It is
impractical to share the token with someone and still be able to log on.
The major flaws associated with this model are summarized below:
• The danger of keys getting lost, broken, borrowed or lent, or of hardware failure.
• Keys and tokens can be stolen.
• It is comparatively expensive to replace keys and compromised locks.
• It can be difficult or impossible to automatically or remotely revise the authorizations
associated with a particular token.
• It is extremely important to physically manage the tokens, that is, they must be stored,
logged, kept secure, etc.
A physical feature or behavior is another distinct aspect, which is exclusive to the individual
being authenticated. Before computers, this might have been a personal signature, a
portrait, a fingerprint, or a written description of the person’s physical appearance. But
nowadays, an individual’s distinct features are measured, stored digitally, and
compared against an already stored pattern. More precisely, it consists of comparing some
easily accessible and reliably distinct physical attribute of a human user against the
system's stored values for that attribute. Well known techniques use a person’s voice,
fingerprints, written signature, hand shape, or eye features for authentication. Such
things are called biometrics. Biometrics that are used frequently are shown in
Figure 3 and are summarized as follows:
• Hand geometry.
• Facial image.
• Iris scans.
• Fingerprints.
• Voice recognition.
This authentication model serves as the most convenient method for individuals. A finely
designed biometric system accepts readings from an individual and precisely carries out
the authentication. Obviously, it overcomes the portability flaw of the something you have
model, as it is a part of the person’s body.
Figure 3: Biometric Devices
Biometrics supports two core processes, enrollment and verification, that together give
organizations the ability to verify claims of identity. To support the enrollment and
verification processes, there are administrative and cryptographic functions. If the user
cannot present his biometric feature, perhaps due to injury or physical change, there
should be a fallback process to take care of authentication.
People have two views of biometric authentication. According to some, this model is a
replacement for authentication based on the first two factors, since it provides a level of
handiness which is nonexistent in the other models. However, some believe that
biometrics is a supplement and thus augments the present authentication
techniques.
In spite of possessing many benefits, a few shortcomings are very obvious. The cost of
the device plays an important role: it is comparatively more expensive than the device used
for the something you have model. In addition, there is an overhead of installation and
operation that is unlike the other authentication models. Besides, if it is a remote user,
then there is a danger of interception: it is relatively straightforward for an attacker to
replay the captured reading to impersonate its owner. As a biometric attribute is impossible
to modify, the owner has no way to reverse the damage if an attacker steals the biometric
readings. In reality, it is challenging to construct a system precise enough to deny illicit
users without sporadically denying legitimate users. Physiological changes and injuries can
also invalidate biometric readings: in one case a woman working at a high-security
installation was denied entrance by the biometric device at the front door because her
pregnancy had caused changes in her retinal blood vessels.
2.4 Summary
Authentication is the process of verifying the identity and determining the genuineness
of an individual. It is required to control access to the network, its resources and its
services.
Usually, it is based on the username and password combination. However, this is
vulnerable to theft. Therefore, there is a need for strong authentication. Three
authentication techniques have been identified, based on something the user knows, like
a password; something the user has, like a token; and something the user is, like a biometric.
All these authentication techniques possess some flaws that make it harder for
military personnel to truly authenticate the identity of a user.
CHAPTER 3
IMAGE BASED AUTHENTICATION
INTRODUCTION
Authentication is the process of verifying the identity of a subject. The subject can be a
human user or some process. Hence authentication is the act of confirming the claims
made by the subject. An authentication system can be described by the following five
components:
1. Authentication data (A), which is provided by the user for verification, like the username
and password.
2. Complementary data (C), which is stored on the system and used to validate the
authentication data provided by the user. For example, the password stored in the shadow
file in a Unix OS.
3. Complementation function (f), which maps A to C. For example, if passwords are
stored as a message digest (MD) of the password, then f is the hash function that creates
the MD.
4. Authentication function (L), which proves the identity. For example, it can be an equality
function for the comparison of A and C.
5. Selection function (S), which allows users to create or change data in A or C. For example,
the change password or set password function.
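The five components above, implemented as an added example (not code from the report): the complementation function f is a salted PBKDF2-SHA256 digest of the password, L is a constant-time equality test, and S sets or changes a user's stored data; the class and method names are my own.

```python
import hashlib
import hmac
import os


class PasswordAuthenticator:
    """Added example (not from the report) of the five-component model.

    A: the (username, password) pair the user supplies.
    C: the per-user salt and digest kept by the server.
    f: a salted, iterated SHA-256 digest (PBKDF2) of the password.
    L: a constant-time equality test between f(A) and C.
    S: the set/change password operation that writes C.
    """

    ITERATIONS = 100_000  # assumed value for the example; tune for the deployment

    def __init__(self):
        # Complementary data C, keyed by username: (salt, digest)
        self._store = {}

    @classmethod
    def f(cls, password: str, salt: bytes) -> bytes:
        """Complementation function: maps the password to its stored form."""
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, cls.ITERATIONS
        )

    @staticmethod
    def L(candidate: bytes, stored: bytes) -> bool:
        """Authentication function: equality of f(A) and C without timing leaks."""
        return hmac.compare_digest(candidate, stored)

    def S(self, username: str, password: str) -> None:
        """Selection function: create or change the complementary data for a user."""
        salt = os.urandom(16)
        self._store[username] = (salt, self.f(password, salt))

    def authenticate(self, username: str, password: str) -> bool:
        """Outcome is binary, as the report says: True only when L(f(A), C) holds."""
        entry = self._store.get(username)
        if entry is None:
            # Unknown user: do the same work so response time does not reveal
            # which usernames exist, then fail.
            self.f(password, b"\x00" * 16)
            return False
        salt, digest = entry
        return self.L(self.f(password, salt), digest)
```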
Recently, in some authentication systems, apart from the above mentioned factors,
location as well as social factors are also used for establishing identity. If only one
factor is used for establishing the identity of the user, we call that one factor
authentication. If two factors are used for establishing identity, then we call that two
factor authentication. A classical example of two factor authentication is the use of a credit
or debit card and a PIN at the ATM machine. Here we use a knowledge factor (PIN) and an
ownership factor (credit or debit card). In this paper, we describe a two level
authentication system using knowledge factors. The first level is character based, i.e.
username and password, and the second level is image based.
CURRENT SYSTEM
Username and password has been one of the most widely used authentication systems for a
long time. In this system, the end user provides a username and password at the login
screen and the system verifies them. The outcome of the system is binary: true or false,
authenticated or not authenticated, success or failure. Alternatives to the username and
password based authentication system are biometric systems and smart card based
systems. A biometric system provides better security but requires additional hardware,
which increases the cost. This also raises the question of everyday usability and
affordability. Also, some biometric systems like iris scans are intrusive in the way they
capture authentication data. The other alternative is a smart card based system.
However, a smart card can be easily lost or stolen. Therefore many smart card based
systems use knowledge based authentication to prevent impersonation through loss or
theft of the card. In spite of the common use and popularity of the username and password
based system, it has multiple shortcomings. Since the authentication data is formed from a
set of characters like a combination of upper case, lower case, numerals, special
characters etc., it is subject to brute force attack or dictionary attack. The selection of the
password plays a very important role in the strength of the security of the system. If the
selected password is a dictionary word like apple or a common password like pass123, the
password can be easily guessed by an attacker and the system can be easily compromised.
To overcome this problem, many organizations have a password policy which enforces
rules for the formation of strong passwords and the regular change of passwords. In many
situations this has failed because users simply make a variation of the old password, or
write the password down, or swap passwords with their friends or family. All these
solutions do not remedy the main cause of password insecurity, which is the human
limitation in terms of memory for secure passwords. Many times people communicate or
share their password with other people for multiple reasons. This weakens the security of
organizations. To overcome this we propose a new system which uses images along with
the password to provide authentication.
Token based systems rely on the use of a physical device such as a smart card or an
electronic key for authentication. Graphical password techniques have been proposed as a
potential alternative to text-based techniques, supported partially by the fact that humans
can remember images better than text. In general, graphical password techniques can be
classified into two categories: recognition-based and recall-based graphical techniques.
Disadvantages:
1. Alphanumeric passwords are used widely, but they have problems such as being
hard to remember and being vulnerable to guessing, dictionary attacks, key-loggers,
shoulder surfing and social engineering.
2. The major problem of biometrics as an authentication scheme is the high cost of the
additional devices needed for the identification process.
3. Although a recognition-based graphical password seems to be easy to
remember, which increases usability, it is not completely secure. It needs
several rounds of image recognition for authentication to provide a reasonably
large password space, which is tedious.
PROPOSED SYSTEM
In the proposed system we use images along with the password to overcome the
problems which arise because of sharing and the selection of weak passwords. Hence the
system aims to achieve the following:
• Authentication should not be based on precise recall of a password.
• Make it difficult to share or write down passwords.
• Provide a good user experience.
It is also a proven fact that human users recognize images faster than they recall
words. Standing shows that people can recognize images in spite of distracters and
can retain them over a period of time.
Advantages:
1. The strength of IBAS depends greatly on how effectively the authentication
information is embedded implicitly in an image; it should be easy to decrypt
for a legitimate user and highly fuzzy for a non-legitimate user.
2. No password information is exchanged between the client and the server in
IBAS, since the authentication information is conveyed implicitly.
Working of Image Based Authentication System
Stages of System
The proposed system has two stages: Registration stage and authentication stage.
Now, whenever the user tries to log in, the user needs to provide the username, password and
pass images. The pass images need not be in the same sequence as selected during the
registration phase. The pass images are randomly distributed over the login rounds. Every
round may have all, some or none of the pass images. At least one round should have no
pass images, to counter the intersection attack.
Figure 5: Authentication Process
Figure 6: Flowchart (decision node: if the image matched with the database, YES / NO)
Advantages of the system
• Adds one more layer of security to the existing system and hence makes
the system more secure.
• Log in by sharing of the password is prevented, as the user needs to provide the
password as well as the pass images to log in. Sharing of pass images is
difficult.
• Prevents brute force attack. After three unsuccessful attempts the user
account gets locked. This can be unlocked by the administrators.
• Prevents automated attacks by bots.
• Eliminates the possibility of deducing the user’s image set by means of an
intersection attack.
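An added example (not the report's own code) of the login rounds described above and of the lockout and intersection-attack points in the list of advantages: the server spreads the pass images at random over the rounds, keeps one round decoy-only, checks each round's selection without regard to order, and locks the account after three failures. The image pool, round count and grid size are constructed values, and the function names are my own.

```python
import secrets
from dataclasses import dataclass

# Added example (not the report's own code). Constructed data: identifiers of the
# images the server can show. Pass images are a subset chosen at registration.
IMAGE_POOL = [f"img{i:02d}" for i in range(40)]
ROUNDS = 4              # login rounds per attempt (assumed value)
IMAGES_PER_ROUND = 9    # grid size per round (assumed value)
MAX_FAILURES = 3        # lockout threshold stated in the report

_rng = secrets.SystemRandom()  # unpredictable placement of pass images


@dataclass
class Account:
    pass_images: frozenset       # order is not kept: selection is order-free
    failures: int = 0
    locked: bool = False


def register(pass_images) -> Account:
    """Registration stage: record the user's pass-image set."""
    chosen = frozenset(pass_images)
    if not chosen <= set(IMAGE_POOL):
        raise ValueError("pass images must come from the server's image pool")
    if len(IMAGE_POOL) - len(chosen) < IMAGES_PER_ROUND:
        raise ValueError("not enough decoy images to fill a round")
    return Account(pass_images=chosen)


def build_rounds(account: Account):
    """Build the grids for one login attempt. Pass images are spread at random
    over the rounds (all, some or none per round) and one round is decoy-only,
    so that intersecting the images shown across rounds does not isolate the
    pass-image set."""
    decoys = [i for i in IMAGE_POOL if i not in account.pass_images]
    pass_list = sorted(account.pass_images)
    decoy_only = _rng.randrange(ROUNDS)
    rounds = []
    for r in range(ROUNDS):
        if r == decoy_only:
            k = 0
        else:
            k = _rng.randint(0, min(len(pass_list), IMAGES_PER_ROUND))
        grid = _rng.sample(pass_list, k) + _rng.sample(decoys, IMAGES_PER_ROUND - k)
        _rng.shuffle(grid)
        rounds.append(grid)
    return rounds


def expected_selection(account: Account, rounds):
    """Server-side answer key: the pass images actually shown in each round."""
    return [frozenset(i for i in grid if i in account.pass_images) for grid in rounds]


def verify(account: Account, rounds, selections) -> bool:
    """Authentication stage, image level. Each round must be answered with exactly
    the pass images shown in it (an empty answer for the decoy-only round).
    Three failures lock the account until an administrator unlocks it."""
    if account.locked:
        return False
    expected = expected_selection(account, rounds)
    ok = len(selections) == ROUNDS and all(
        frozenset(sel) == exp for sel, exp in zip(selections, expected)
    )
    if ok:
        account.failures = 0
        return True
    account.failures += 1
    if account.failures >= MAX_FAILURES:
        account.locked = True
    return False


def admin_unlock(account: Account) -> None:
    """Administrator action from the report: clear the lock and the failure count."""
    account.failures = 0
    account.locked = False
```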
Results
After implementation, users were invited to register with the system and then give
feedback about their experience and the system. We had prepared a questionnaire to get
structured feedback from the users of the system. The objectives of this survey are given
below:
• To assess the general awareness of the user regarding image based
authentication systems.
• To assess the time consumed while registering and logging in with the system.
• To assess the ease of use of the system.
• To obtain users’ opinions regarding our system in comparison with other
authentication systems in terms of speed, ease of use etc.
• To find out the reasons behind the inability of some users either to
register or to authenticate.
• To assess some other areas that are not covered by the objectives
above. An example of this is to assess the Random Art features of the
images.
Future Scope
The world is being mechanized and all offices and institutions are being
computerized, so the use of and need for this system will not decline. People also always
like to see their work getting more secure. Since we are living in a world of smart
technologies like smart phones, tablets, notebooks etc., in future more enhancements may
be seen by adding more levels of security, but this may be a headache for humans. So, it
should also be user friendly.
Implementation
The system has a very user friendly graphical user interface (GUI). The main window has
options for a new user or an existing user. A user has to register before he can log into
the system. A user is registered using his first name, middle name, last name, user
name and an image. All the fields except middle name are required. Once the
user selects the image, it is displayed on the window for the user to verify his image.
The image is the user’s choice; he can bring his own image on a storage device.
CONCLUSION
animals, objects rather than random art or abstract images. We implemented the system
along with username and password, but it can also be implemented independently.