CAPTCHA AS A GRAPHICAL PASSWORD: A NEW SECURITY PRIMITIVE BASED ON
HARD AI PROBLEMS
Content
• Introduction
• Existing System
• CAPTCHA
• Graphical password schemes
• Proposed System : Captcha As Graphical Passwords
• Conclusion
Introduction
• The existing system is vulnerable to online dictionary attacks, denial-of-service attacks,
global password attacks, relay attacks and shoulder-surfing attacks, through which the service
gets compromised by attackers.
• The purpose of this presentation is to develop a new security primitive based on hard AI
problems namely, a novel family of graphical password systems integrating Captcha
technology, which we call CaRP (Captcha as gRaphical Passwords).
• The Objective is to develop a new paradigm with the cryptographic primitives based on
hard math problems and to provide security for authentication services.
Existing System
Today, user authentication in network or Internet-based environments poses a challenging
task for system and network administrators, as organized cyber criminals are working hard
on the research and development of advanced hacking methods that can be used to steal
money and secured information from the general public.
To address the security problem and to balance user friendliness against
authentication complexity, Captcha and graphical passwords are used.
CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart
A CAPTCHA (trademarked by Carnegie Mellon University) is a type
of challenge-response test used in computing to determine whether
or not the user is human.
The use of CAPTCHA thus excludes a small number of individuals
from using significant subsets of such common Web-based services
as PayPal, GMail, Orkut, Yahoo!, many forum and weblog systems,
etc.
Captcha Types
• Text Captcha: relies on character recognition
• Image Recognition Captcha: relies on recognition of non-character objects
Benefits of Captcha
• Distinguishes between a human and a machine
• Makes online polls more legitimate.
• Reduces spam and viruses.
• Makes online shopping safer.
• Diminishes abuse of free email account services
Applications
Captchas are used in various web applications to identify human users and to restrict access to them.
• Online polls
• Protecting web registration
• Search engine bots
• E-Ticketing
• Email spam
• Preventing dictionary attacks
• As a tool to verify digitized books
• Improved Artificial Intelligence technology
Limitations of Captcha
• Sometimes very difficult to read.
• Are not compatible with users with disabilities
• Time-consuming to decipher.
• Technical difficulties with certain internet browsers.
• May greatly enhance Artificial Intelligence
Graphical Password Schemes
Graphical password schemes have been proposed as a possible alternative to text-based
schemes, motivated partially by the fact that humans can remember pictures better than text.
Graphical password techniques are categorized according to the task involved in memorizing
and entering passwords:
• Recognition-based scheme
• Recall-based scheme and
• Cued recall scheme
Recognition Based Techniques
• Random images used by Dhamija and Perrig
• A shoulder-surfing resistant graphical password scheme
• Pass-String
• Passfaces
• Story Scheme
• Graphical Password Scheme proposed by Jansen, et al.
Recall Based Techniques
• Draw-a-Secret (DAS)
• Grid selection
• A signature
• Passpoint System
Cued-Recall scheme
• Pass-Points
• Cued Click Points
• Persuasive Cued Click Points
Benefits of Graphical Password
• Graphical password schemes provide a way of making more user-friendly passwords.
• Here the security of the system is very high.
• Dictionary attacks and brute-force attacks of the kind used against textual passwords are not
possible with graphical passwords.
• Spyware attack: Key logging or key listening spyware cannot be used to break graphical passwords.
• Social engineering: Giving away a graphical password to another person is difficult compared to a
text-based password, e.g. it is very difficult to give away graphical passwords over the phone.
• Setting up the phishing website to obtain graphical passwords would be more time consuming.
Limitations of Graphical Password
• Password registration and log-in process take too long.
• Require much more storage space than text based passwords.
• Shoulder surfing: As the name implies, shoulder surfing means watching over
people's shoulders as they process information. Because of their graphic
nature, nearly all graphical password schemes are vulnerable to shoulder
surfing.
CAPTCHA AS GRAPHICAL PASSWORDS
• CaRP addresses a number of security problems altogether, such as online guessing attacks, relay attacks, and, if combined with dual-view technologies, shoulder-surfing attacks. Notably, a CaRP password can be found only probabilistically by automatic online guessing attacks even if the password is in the search set.
• CaRP also offers a novel approach to address the well-known image hotspot problem in popular graphical password systems, such as PassPoints, that often leads to weak password choices.
• CaRP is not a solution, but it offers reasonable security and usability and appears to fit well with some practical applications for improving online security.
Types of CaRP/Project Modules
• RECOGNITION-BASED CaRP
• ClickText
• ClickAnimal
• AnimalGrid
• RECOGNITION-RECALL CaRP
• TextPoints
• TextPoints4CR
RECOGNITION-BASED CaRP
Recognition-Based CaRP requires recognizing an image and using the
recognized objects as cues to enter a password. For this type of CaRP, a
password is a sequence of visual objects in the alphabet. Per view of
traditional recognition based graphical passwords, recognition-based CaRP
seems to have access to an infinite number of different visual objects.
ClickText
• Its alphabet comprises characters without any visually confusing
characters.
• For example, the letter “O” and the digit “0” may cause confusion in CaRP images, and thus
one of the two characters should be excluded from the alphabet.
• A ClickText password is a sequence of characters in the alphabet,
e.g., ρ = “AB#9CD87”, which is similar to a text password.
• The ClickText image consists of 33 characters.
• The user clicks the characters of the password in the ClickText image, in the same
order.
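The ClickText login flow above, sketched from the server side as an added example (not code from the original slides): the server keeps the character layout of each challenge image, maps the received click points back to characters, and compares a salted hash. The 33-character alphabet, the 11 x 3 grid layout and all function names are assumptions made for the illustration; a real ClickText image places distorted characters at arbitrary positions.

```python
import hashlib
import hmac
import os
import random

# Constructed 33-character alphabet: O/0 and I/1 are left out as visually confusing.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789#"
COLS, CELL = 11, 40  # hypothetical layout: 11 x 3 grid of 40-pixel cells


def enroll(password, salt=None):
    """Store only a salted, slow hash of the password, never the password itself."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def new_challenge(order=None):
    """Server-side ground truth for one image: cell index -> character.
    Pass `order` to fix the layout (for tests); otherwise it is shuffled."""
    order = order or random.SystemRandom().sample(ALPHABET, len(ALPHABET))
    return list(order)


def clicks_to_text(challenge, clicks):
    """Map click coordinates back to characters; None if any click misses the grid."""
    chars = []
    for x, y in clicks:
        col, row = x // CELL, y // CELL
        idx = row * COLS + col
        if x < 0 or y < 0 or col >= COLS or idx >= len(challenge):
            return None
        chars.append(challenge[idx])
    return "".join(chars)


def verify(record, challenge, clicks):
    """Decode clicks against this challenge only, then compare hashes in constant time."""
    text = clicks_to_text(challenge, clicks)
    if text is None:
        return False
    salt, digest = record
    return hmac.compare_digest(enroll(text, salt)[1], digest)


def honest_clicks(challenge, password):
    """Simulate a user who finds each password character and clicks its centre."""
    cells = [challenge.index(ch) for ch in password]
    return [((i % COLS) * CELL + CELL // 2, (i // COLS) * CELL + CELL // 2) for i in cells]
```

Because the layout changes with every challenge, click points recorded during one login decode to a different string on the next image and fail verification.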
ClickAnimal
• ClickAnimal is a Captcha scheme that uses models of
various animals.
• A user clicks on any animal in a challenge image to
pass the test.
• Its password is a sequence of animal names such as ρ
= “Turkey, Cat, Horse, Dog”. For each animal, one or
more models are built.
AnimalGrid
• AnimalGrid is a combination of ClickAnimal and CAS (Click-A-Secret).
• In CAS, the user clicks the grid cells in her password.
• To enter a password, an AnimalGrid image is displayed first. The image is divided into
small grids with the grid-cell size equaling the bounding rectangle of the selected animal.
Each grid-cell is labeled to help users identify
RECOGNITION-RECALL BASE CaRP
• Recognition-recall based CaRP combines the tasks of both recognition and cued
recall, and retains both the recognition-based advantage of being easy for human
memory and the cued-recall advantage of a large password space.
• In recognition-recall CaRP, a password is a sequence of some invariant points of
objects. An invariant point of an object (e.g. letter “A”) is a point that has a fixed
relative position in different incarnations (e.g., fonts) of the object, and thus can be
uniquely identified by humans no matter how the object appears in CaRP images.
TextPoints
TextPoints is a recognition-recall CaRP. Characters contain invariant points
of objects, which offer a strong cue to memorize and locate those invariant points.
TextPoints4CR
TextPoints4CR is similar to the TextPoints scheme; the difference is that each
character appears only once in a TextPoints4CR image but may appear
multiple times in a TextPoints image for enhancing security.
Benefits of CaRP
• CaRP offers protection against Automatic Online Guessing Attacks on passwords.
• It also offers protection against Relay Attacks.
• It offers security against Human Guessing Attacks.
• It offers protection against Shoulder Surfing Attack.
• It offers security against spam emails sent from a Web email service.
Limitations of CaRP
• The CaRP scheme is vulnerable to phishing attacks because user-clicked
points are sent to the authentication server.
• CaRP is also vulnerable if both the image and the user-clicked points can
be captured (i.e. if the client is compromised).
Application
• CaRP can be useful for touch-screen devices where typing a password is
difficult.
• CaRP is also useful for secure internet applications such as e-business, e-
commerce, e-banking etc.
• CaRP is used to reduce the spam emails. For the email service provider
which uses CaRP, a spam bot cannot log into an email account even if it
knows the password.
System Requirement
MINIMUM HARDWARE REQUIREMENTS:
• Processor - Pentium IV
• Speed - 1.1 GHz
• RAM - 128 MB (min)
• Hard Disk - 1 GB
• Keyboard - Standard Windows Keyboard
• Mouse - Two or Three Button Mouse
• Monitor - LCD/LED
SOFTWARE REQUIREMENTS:
• Operating system: Windows/Linux
• Coding language: PHP
• Server: Apache
• Database: MySQL
Conclusion
• CaRP is one step forward in the paradigm of using hard AI problems for security.
• It is both a Captcha and a graphical password scheme.
• CaRP forces adversaries to resort to significantly less efficient and much more costly human-based attacks.
• The past decade has seen an emergent interest in using graphical passwords as an alternative to the conventional text-based passwords.
There is a need for more in-depth research that investigates possible attack methods against graphical passwords.