08-06-2012, 11:27 AM
Project Report on IPAS: Implicit Password Authentication System
[attachment=503]
Abstract
Authentication is the first line of defense against
compromising confidentiality and integrity. Though traditional
login/password based schemes are easy to implement, they
have been subjected to several attacks. As an alternative, token
and biometric based authentication systems were introduced.
However, they have not improved substantially to justify the
investment. Thus, a variation to the login/password scheme,
viz. graphical scheme was introduced.
INTRODUCTION
Authentication is a process of determining whether a
particular individual or a device should be allowed to access
a system or an application or merely an object running in a
device. This is an important process which assures the basic
security goals, viz. confidentiality and integrity. Also,
adequate authentication is the first line of defense for
protecting any resource. It is important that the same
authentication technique may not be used in every scenario.
For example, a less sophisticated approach may be used for
accessing a “chat server” compared to accessing a
corporate database.
IMPLICIT PASSWORD AUTHENTICATION SYSTEM
In this section, we propose our Implicit Password
Authentication System. IPAS is similar to the PassPoint
scheme with some finer differences. In every “what you
know type” authentication scheme we are aware of, the
server requests the user to reproduce the fact given to the
server at the time of registration. This is also true in
graphical passwords such as PassPoint. In IPAS, we
consider the password as a piece of information known to
the server at the time of registration and at the time of
authentication, the user give this information in an implicit
form that can be understood only by the server. We explain
this through a Mobile Banking case-study.
CONCLUSION AND FUTURE DIRECTIONS
In this paper, we have proposed a new Implicit Password
Authentication System where the authentication information
is implicitly presented to the user. If the user “clicks” the
same grid-of-interest compared with the server, the user is
implicitly authenticated. No password information is
exchanged between the client and the server in IPAS. Since
the authentication information is conveyed implicitly, IPAS
can tolerate shoulder-surfing and screen dump attack, which
none of the existing schemes can tolerate. The strength of
IPAS lies in creating a good authentication space with a
sufficiently large collection of images to avoid short
repeating cycles.
[attachment=503]
Abstract
Authentication is the first line of defense against
compromising confidentiality and integrity. Though traditional
login/password based schemes are easy to implement, they
have been subjected to several attacks. As an alternative, token
and biometric based authentication systems were introduced.
However, they have not improved substantially to justify the
investment. Thus, a variation to the login/password scheme,
viz. graphical scheme was introduced.
INTRODUCTION
Authentication is a process of determining whether a
particular individual or a device should be allowed to access
a system or an application or merely an object running in a
device. This is an important process which assures the basic
security goals, viz. confidentiality and integrity. Also,
adequate authentication is the first line of defense for
protecting any resource. It is important that the same
authentication technique may not be used in every scenario.
For example, a less sophisticated approach may be used for
accessing a “chat server” compared to accessing a
corporate database.
IMPLICIT PASSWORD AUTHENTICATION SYSTEM
In this section, we propose our Implicit Password
Authentication System. IPAS is similar to the PassPoint
scheme with some finer differences. In every “what you
know type” authentication scheme we are aware of, the
server requests the user to reproduce the fact given to the
server at the time of registration. This is also true in
graphical passwords such as PassPoint. In IPAS, we
consider the password as a piece of information known to
the server at the time of registration and at the time of
authentication, the user give this information in an implicit
form that can be understood only by the server. We explain
this through a Mobile Banking case-study.
CONCLUSION AND FUTURE DIRECTIONS
In this paper, we have proposed a new Implicit Password
Authentication System where the authentication information
is implicitly presented to the user. If the user “clicks” the
same grid-of-interest compared with the server, the user is
implicitly authenticated. No password information is
exchanged between the client and the server in IPAS. Since
the authentication information is conveyed implicitly, IPAS
can tolerate shoulder-surfing and screen dump attack, which
none of the existing schemes can tolerate. The strength of
IPAS lies in creating a good authentication space with a
sufficiently large collection of images to avoid short
repeating cycles.