Article Title: “Token-based Graphical Password Authentication”

Authors: John Charles Gyorffy, Andrew F. Tappenden, James Miller. Presenter: Patrick Centanni. International Journal of Information Security, 2011.

Page 1: Title slide

Article Title: “Token-based Graphical Password Authentication”

Authors: John Charles Gyorffy, Andrew F. Tappenden, James Miller

Presenter: Patrick Centanni

International Journal of Information Security, 2011

Page 2: Security Issues

• Three Types of Malware:

1.) Information Stealing
2.) Activity Altering
3.) Entire System Compromising

Page 3: Problems with Conventional Passwords

• LOW-ENTROPY PASSWORDS:

• Users tend to pick passwords that are easy to remember.

• 86% of passwords are case-insensitive and do not use special characters, meaning that users tend to rely on a stable of about 36 characters (as opposed to the 95 available to them).

• YOU GOT ONE, YOU GOT ‘EM ALL.

• TOO MANY PASSWORDS!

Page 4: The Goals of an Improved Password System

• To significantly decrease the likelihood of a user’s login credentials being stolen.

• To fortify the security of user accounts by increasing the entropy (degree of randomness) associated with login passwords.

• To use one easy-to-remember password for everything.

• To combat malware, in particular information stealing malware.

Page 5: What About Password Vaults, Though?

• A password vault indexes a user’s various passwords with their corresponding URLs, fetching the passwords when needed.

• This type of system may actually put the user in an even worse bind than having a single password compromised.

• “The encryption is only as strong as the main password into the vault.”

Page 6: Previous Work

• Passfaces. Problem: Excessive Login Time, Potential for Shoulder Surfing.

• Eye-tracing Password Systems and Pressure-based Click Point Systems. Problem: Poor Password Recall Rates.

Page 7: The Proposed Solution

• A system that employs a graphical password.

• The software for the authentication system resides on a Trojan- and virus-resistant embedded device.

• User selects a personal image and selects points on the image.

• Image is hashed and provided as input to a cryptosystem that returns a password.

• Points selected are stretched into a long alphanumeric password, with a high degree of entropy and uniqueness.

Page 8: Where Does The System Reside?

* Uses a special client web browser on a low-cost USB device with read-only, protected flash memory.

* No sensitive information stored on the drive.

The only data on the drive are:

1.) the graphical password chosen by the user
2.) a unique set of true random numbers generated at the time of production

Page 9: Increasing Entropy

• Users typically select words or dates for alphanumeric passwords, which clearly decreases entropy.

• Entropy increases significantly when using images:

• The sample set of all possible images a user could select is HUGE.

• The password developed by the system also includes a set of unique random numbers.

Page 10: How The System Works

Page 11: What The Interface Looks Like

Page 12: Password Space Difference

A staggering testimonial for the implementation of graphical-based passwords:

Alphanumerical Password Space (95 characters): 6.6 × 10^15

But don’t forget, users typically only rely on 36 characters, so this reduces the password space significantly.

Graphical Password Space (8 points): 1.1 × 10^18

Page 13: Cryptography Terminology

• Message: The data to be encrypted.

• Cryptographic hash function: A function that generates a unique (collision-free) value for the data to be encrypted.

• Message Digest: The hashed value used for encryption (in this case, the generated password).

Page 14: Contents of Hash Message

• 128 bytes:

o The 8 characters selected by the user, for 8 bytes.

o 8 x-coordinates and 8 y-coordinates, 2 bytes each, for 32 bytes.

o Behind each click point is a diameter of 10 pixels. These pixels are averaged, and a four-byte value for each click point is found: 3 bytes for the color, 1 byte for the alpha/opacity channel. This makes a total of 32 bytes.

o The remaining 56 bytes come from a histogram image hash.

Page 15: The Message Digest Formula

• H∗(H(image) + CP + RNG) = P256

o Where:

• H is the histogram image hash.
• CP is the user-entered click-point data.
• RNG values are randomly generated, and are the only values stored on the USB device.

Page 16: Results

• Hamming Distance: The number of positions in which two strings differ.
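As an added example (not code from the presentation or from the Gyorffy, Tappenden and Miller paper), the Python below builds the 128-byte hash message of Page 14, applies the Page 15 formula, and uses the Page 16 Hamming distance to compare passwords derived from click sets that differ by a single pixel. The slides name neither hash function, the histogram hash algorithm, nor the RNG length, so SHA-256 for H∗, a SHA-512-based histogram hash truncated to 56 bytes, a 32-byte device RNG and a synthetic gradient image are all assumptions here.

```python
import hashlib
import struct

DIAMETER = 10  # pixel diameter sampled behind each click point (Page 14)

def make_image(w, h):
    """Constructed synthetic RGBA image (a deterministic gradient) standing in for a user photo."""
    return [[((x * 7) % 256, (y * 3) % 256, (x * y) % 256, 255)
             for x in range(w)] for y in range(h)]

def histogram_hash(img):
    """Assumed H(image): per-channel 256-bin histograms, SHA-512'd and truncated to 56 bytes."""
    hist = [[0] * 256 for _ in range(4)]
    for row in img:
        for px in row:
            for ch in range(4):
                hist[ch][px[ch]] += 1
    counts = b"".join(struct.pack(">I", c) for chan in hist for c in chan)
    return hashlib.sha512(counts).digest()[:56]

def average_pixel(img, x, y):
    """Average RGBA over a DIAMETER-wide window around (x, y); a square window
    approximates the 10-pixel circle of Page 14 and is clipped at the image edges."""
    r = DIAMETER // 2
    acc, n = [0, 0, 0, 0], 0
    for yy in range(max(0, y - r), min(len(img), y + r)):
        for xx in range(max(0, x - r), min(len(img[0]), x + r)):
            for ch in range(4):
                acc[ch] += img[yy][xx][ch]
            n += 1
    return bytes(v // n for v in acc)

def click_point_data(img, chars, points):
    """CP block: 8 chars (8 B) + 8 (x, y) pairs at 2 B each (32 B) + 8 averaged RGBA (32 B) = 72 B."""
    assert len(chars) == 8 and len(points) == 8
    cp = chars.encode("ascii")
    cp += b"".join(struct.pack(">HH", x, y) for x, y in points)
    cp += b"".join(average_pixel(img, x, y) for x, y in points)
    return cp

def derive_password(img, chars, points, rng):
    """P256 = H*(H(image) + CP + RNG): '+' read as concatenation, H* assumed to be SHA-256."""
    message = histogram_hash(img) + click_point_data(img, chars, points)
    assert len(message) == 128  # the 128-byte hash message of Page 14
    return hashlib.sha256(message + rng).digest()

def hamming_distance(a, b):
    """Number of bit positions in which two equal-length digests differ (Page 16)."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))
```

Because the click-point bytes feed a cryptographic hash, shifting any click by one pixel changes the digest in roughly half of its bits, so a deployed scheme must decide how much click tolerance to grant before hashing rather than after.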

Page 17: Summary

* Three-tiered approach to system security:

1.) The token: the USB device itself.
2.) The graphical password to log in to the device.
3.) A separate graphical password to perform secure transactions over the Internet.

* This system cannot deal with system-compromising malware, since the system’s software originates on a user-level device.

Page 18: Future Work

• The possibility of using this technology on smart phones and tablets (have to decrease the dimension of the image).

Page 19: Questions

Page 20: References for Images Used in this Presentation

"Bank Vault." Wikipedia. Wikimedia Foundation, 15 Jan. 2014. Web. 23 Jan. 2014.

"Cryptographic Hash Function." Wikipedia. Wikimedia Foundation, 14 Jan. 2014. Web. 23 Jan. 2014.

"Giving You The Password Secret to Success." MyJobKiller. N.p., n.d. Web. 23 Jan. 2014.

Gyorffy, John C., Andrew F. Tappenden, and James Miller. "Token-based Graphical Password Authentication." International Journal of Information Security 10.6 (2011): 321-36. Academic Search Complete. Web. 16 Jan. 2014.

"Malware | Microtech." Microtech RSS. N.p., n.d. Web. 23 Jan. 2014.

"Password Protection: How to Create Strong Passwords." PCMAG. N.p., n.d. Web. 23 Jan. 2014.

"Revelations on Passwords. Did You Get a Pass from PCI DSS!" OmegaSecure. N.p., n.d. Web. 23 Jan. 2014.

"Tablets and Smart Phones Harbor More Bacteria and Germs." Smacus. N.p., n.d. Web. 23 Jan. 2014.

"TECH Glitz." Top 25 Most Popular (Worst) Passwords of 2012. N.p., n.d. Web. 23 Jan. 2014.

"Top 3 Questions About Small Business Blogging." Local Marketing Advice from SuperMedia. N.p., n.d. Web. 23 Jan. 2014.