2. What you are (biometric)
What you have (token)
What you know (password)
3. Finger attacks
Word of mouth transfer
Dictionary attacks
Image Based Authentication (IBA) can solve all of
these
4. IBA is based on a user’s successful
identification of his image password set. After the
username is sent to the authentication module, it
responds by displaying an image set, which consists
of images from the user’s password set mixed with
other images. The user is authenticated by correctly
identifying the password images.
5. Image Space (IS) – the set of all images used by the IBA
system.
Individual Image Set (IIS) – the set of images that a
user (u) chooses to authenticate himself.
Key Image – any image in a user's IIS.
Presentation Set (PS) – the set of images
presented to a user from which the key images
must be selected for a given authentication attempt.
6. Authentication User Agent (AUA)
Authentication Server (AS)
The communication between them is encrypted
using authenticated Diffie-Hellman.
The AS is assumed to be a part of the Trusted
Computing Base.
7. Image Set Selection
Alice selects ‘n’ images (n is set by the
administrator, Bob)
Bob stores the image set at the AS
Presentation Subsets
Bob picks one image from IISa and some other
images from IS-IISa for each PS_i.
Alice picks the IISa image from each PS_i.
8. A→B: Username= Alice
B→A: Presentation set for Round 1, PS1.
A→B: Identified image.
B→A: Presentation set for Round 2, PS2.
A→B: Identified image.
…...
B→A: Presentation set for Round R, PSR.
A→B: Identified image.
If all R steps are successful, Bob authenticates
Alice.
9. Image Based Authentication is not foolproof.
There are four points of vulnerability:
1. Information stored on the AS.
2. Information Sent between the AS and AUA.
3. The output at the AUA.
4. The input at the AUA.
10. Eve can observe or log Alice’s keystrokes and later
authenticate herself as Alice.
Counter:
Display the images in random order.
Keystrokes are then only meaningful for this PS in
this display order.
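The round-by-round exchange from slides 7–8 combined with the random display order above, as an added Python sketch that is not part of the original slides. The function names, image identifiers, the sizes (100-image IS, 8-image IIS, 9 images per PS, R = 4) and the use of a distinct key image per round are assumptions made for the example.

```python
import secrets

rng = secrets.SystemRandom()  # OS-backed randomness for sampling and shuffling

def build_ps(key_image, image_space, iis, k):
    """One PS_i: one key image plus k-1 decoys from IS - IIS_a, shuffled."""
    ps = rng.sample(sorted(image_space - iis), k - 1) + [key_image]
    rng.shuffle(ps)  # random display order (counter to keystroke logging)
    return ps

def authenticate(iis, image_space, respond, rounds, k=9):
    """AS side. respond(ps) models the AUA and returns the selected position."""
    ok = True
    for key in rng.sample(sorted(iis), rounds):  # assumed: distinct key per round
        ps = build_ps(key, image_space, iis, k)
        pos = respond(ps)
        # Design choice of this example: always run all R rounds and decide
        # once at the end, so a failure does not mark which round was wrong.
        ok &= 0 <= pos < k and ps[pos] == key
    return ok

def honest_user(iis, log=None):
    """Alice: picks the one image in the PS that belongs to her IIS."""
    def respond(ps):
        pos = next(i for i, img in enumerate(ps) if img in iis)
        if log is not None:
            log.append(pos)  # what a keystroke logger would capture
        return pos
    return respond

def replay_user(recorded):
    """Eve: replays logged positions without knowing any key image."""
    positions = iter(recorded)
    return lambda ps: next(positions)

# Constructed sample data: 100-image IS, 8-image IIS for Alice, R = 4 rounds.
IMAGE_SPACE = {f"img{i:03d}" for i in range(100)}
IIS_ALICE = set(rng.sample(sorted(IMAGE_SPACE), 8))
ROUNDS = 4

if __name__ == "__main__":
    captured = []
    print("Alice:", authenticate(IIS_ALICE, IMAGE_SPACE,
                                 honest_user(IIS_ALICE, captured), ROUNDS))
    print("Eve replaying", captured, "->",
          authenticate(IIS_ALICE, IMAGE_SPACE, replay_user(captured), ROUNDS))
```

Because each PS is reshuffled, a replayed position matches the key image with probability 1/k per round, so a logged session of R rounds is accepted with probability (1/k)^R, which is 1/6561 for the sizes used here.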
11. Eve can observe Alice’s screen (during the
authentication process) and later authenticate
herself as Alice.
Counter:
Display the image when the mouse is over it.
Otherwise gray out the image.
If the input is hidden, an observer does not know which
image was selected and learns only the PS_i’s.
12. Brute Force Attack
Frequency Correlation Attack
Intersection Attack
Logic Attack
Countering Frequency Correlation Attack
Decoy Screen
Image Buckets
Fixed PS per Key Image
13. Image Set Storage:
Password schemes normally store only the hash of a
user’s password. By compromising the server, the attacker
cannot recover the password. In our scheme, the server
cannot merely store the hash. The server needs to know
the image set itself in order to present the authentication
screens. If a server is compromised, it will be possible to
retrieve the image set of every user. However, many
authentication schemes depend heavily on the
impenetrability of the Trusted Computing Base and they
have been widely deployed.
15. CAPTCHA stands for Completely Automated
Public Turing Test to tell Computers and
Humans Apart.
CAPTCHA is an automated test that can
distinguish between machines and humans.
It differentiates between humans and bots by
setting some task that is easy for most humans
to perform but is more difficult and time
consuming for current bots to complete.
16. Preventing Comment Spam in Blogs.
Protecting Website Registration.
Protecting Email Addresses From Scrapers.
Online Polls.
Preventing Dictionary Attacks.
Worms and Spam.
17. 1. PIX:
Create a large Database of labeled images.
Pick a concrete object.
Pick more random images of the object from the
image database.
Distort the images
Ask the user to pick the object from a list of words.
19. 2. BONGO
Visual Puzzle
Computer can generate and display, but not solve
Bongo is based on a visual pattern recognition
problem.
20. As the figure below shows, a Bongo CAPTCHA uses
two sets of images; each set has some specific
characteristic. One set might be boldface, for
example, while the other is not. The system then
presents a single image to the user who then must
specify the set to which the image belongs.
21. 3. Pessimal Print
Pessimal Print works by pseudo-randomly
combining a word, a font, and a set of image
degradations to generate images like the ones in
the figure.
22. Image-based authentication techniques, although currently
in their infancy, might have wider applicability in the future.
We perceive it to be a more user-friendly technique that
helps to increase the password quality tremendously
compared to a text-based approach. In this seminar we have
proposed a simple yet secure authentication technique.
We have also identified various issues related to such a
system and proposed a novel concept of Image Buckets for
overcoming some shortcomings.
It’s better to be safe than sorry!!