PPT on captcha as a graphical password based on hard AI problems

1. CAPTCHA AS GRAPHICAL PASSWORDS
A NEW SECURITY PRIMITIVE BASED ON
HARD AI PROBLEMS
By
Gopinath.R
(1BY14SCS08)
M.Tech (CSE),BMSIT
Under the Guidance of:
Mr. Ravi Kumar B.N
Asst. Professor , Dept of CSE, BMSIT

2. AGENDA
 Introduction
 Background
 Captcha as Graphical Password
 Recognition Based CaRP
 Security Analysis
 Applications
 Conclusion 2

3. INTRODUCTION
 Using hard Artificial Intelligence problems for Security is an exciting
new paradigm.
 Under this paradigm, the most notable primitive is Captcha, which
distinguishes human users from computers by presenting a
challenge, i.e., a puzzle .
 Captcha is now a standard Internet security technique to protect
online email and other services from being abused by bots.
 A new security primitive based on hard AI problems, namely, a novel
family of graphical password systems integrating Captcha
technology, called as CaRP.
 CaRP is click-based graphical passwords, where a sequence of
clicks on an image is used to derive a password.
3

4. BACKGROUND
 Graphical Passwords
Recall Based Techniques
A user is asked to reproduce something that he created or
selected earlier during the registration stage
Recognition Based Techniques
A user is presented with a set of images and the user passes the
authentication by recognizing and identifying the images he
selected during the registration stage.
Cued-recall Technique
An extra cue is provided to users to remember and target specific
locations within a presented image.
4

5.  Captcha
Completely Automated Public Turing test to tell Computers &
Humans Apart.
It is a program that is a challenge response to test to separate humans
from computer programs.
TYPES:
Text Captcha
The Text Captcha relies on character recognition
Image-Recognition Captcha (IRC)
The IRC relies on recognition of non-character objects.
5

6. TEXT BASED
simple, normal questions :-
 what is the sum of three & thirty-five ?
 If today is Saturday, what is day after tomorrow?
 Which of mango, table & water is a fruit?
 Very effective, needs a large question bank.
 Cognitively challenged ,users find it hard.
6

7. IMAGE-RECOGNITION CAPTCHA
1.BONGO
 User has to solve a pattern recognition problem.
 Has to tell the distinct characteristic between two sets of figures.
 Then tell to which set a given figure belongs to.
7

8. 2.PIX
 Uses a large database of labelled images.
 It shows a set of images, user has to recognize the common feature
among those.
 Eg :- pick the common characteristic among the following 4 pictures =
“aeroplane”.
8

9.  Captcha in Authentication
 It was introduced to use both Captcha and password in
authentication protocol, called as Captcha-based Password
Authentication (CbPA) protocol.
 The CbPA-protocol requires solving a Captcha challenge after
inputting a valid pair of user ID and password.
9

10. CAPTCHA AS GRAPHICAL
PASSWORDS- CARP
A New Way to Thwart Guessing Attacks
 In a guessing attack, a password guess tested in an unsuccessful trial
is determined wrong and excluded from subsequent trials.
 To counter guessing attacks, traditional approaches in designing
graphical passwords aim at increasing the effective password space.
 Here we distinguish two types of guessing attacks:
Automatic guessing attacks apply a automatic trial and error process.
Human guessing attacks apply a manual trial and error process.
10

11. CaRP: An Overview
 In CaRP, a new image is generated for every login attempt.
 CaRP uses an alphabet of visual objects
(e.g., alphanumerical characters, similar animals) to generate a CaRP
image
 CaRP schemes are clicked-based graphical passwords.
 CaRP schemes can be classified into two categories:
Recognition
which requires recognizing an image and using the recognized objects
as cues to enter a password.
Recognition-recall
combines the tasks of both recognition and cued-recall 11

12. USER AUTHENTICATION WITH
CARP SCHEMES
A typical way to apply CaRP schemes in user authentication is as
follows.
12
Flowchart of basic CaRP authentication.

13.  The authentication server AS stores a salt s and a hash value H(ρ,s)
for each user ID .
 Upon receiving a login request, AS generates a CaRP image.
 The coordinates of the clicked points are recorded and sent to AS
along with the user ID.
 AS maps the received coordinates onto the CaRP image, and
recovers a sequence of visual object IDs .
 Then AS retrieves salt s of the account, calculates the hash value of
ρ with the salt.
 Authentication succeeds only if the two hash values match.
13

14. RECOGNITION BASED CARP
1.Click Text
 Click Text is a recognition-based CaRP scheme built on top of text
Captcha.
 A Click Text password is a sequence of characters in the alphabet,
e.g.ρ =“AB#9CD87”, which is similar to a text password.
14
Click-Text image with 33 characters

15. 2.Click Animal
 Click Animal is a recognition-based CaRP scheme built on top of
Captcha Zoo ,with an alphabet of similar animals such as dog,
horse, cat, etc.
 Its password is a sequence of animal names such as
ρ = “Turkey, Cat, Horse, Dog,….”
15
Captcha Zoo with horses circled red. A Click Animal image

16. 3.Animal Grid
 Animal Grid is a combination of Click Animal and CAS.
 Click-A-Secret (CAS) wherein a user clicks the grid cells in his password.
password.
 To enter a password, a Click Animal image is displayed first.
 After an animal is selected, an image of n × n grid appears, with the grid-
grid-cell size equaling the bounding rectangle of the selected animal.
16
A ClickAnimal image 6 × 6 grid

17. SECURITY ANALYSIS
 Security of Underlying Captcha
As a framework of graphical passwords, CaRP does not
rely on any specific Captcha scheme.
If one Captcha scheme gets broken, a new robust
Captcha scheme can be used to construct a new CaRP
scheme
17

18.  Automatic online guessing attcks
In automatic online guessing attacks, the trial and error
process is executed automatically whereas dictionaries can
beconstructed manually
18

19. APPLICATIONS
 CaRP can be applied on touch-screen devices .
 Many e-banking systems uses Captchas in user logins that
requires solving a Captcha challenge for every online login
attempt.
 CaRP increases spammer’s operating cost and thus helps
reduce spam emails.
 If CaRP is combined with a policy to throttle the number of
emails sent to new recipients per login session, leads to
reduced outbound spam traffic.
19

20. CONCLUSION
 CaRP is both a Captcha and a graphical password scheme.
 A desired security property that other graphical password schemes
lack.
 CaRP is also resistant to Captcha relay attacks, and, if combined with
dual-view technologies shoulder-surfing attacks.
 CaRP can also help to reduce spam emails sent from a Web email
service
 More efforts will be attracted by CaRP than ordinary Captcha.
 CaRP does not rely on any specific Captcha scheme. 20

21. REFERENCES
[1] Bin B. Zhu, Jeff Yan, Guanbo Bao, Maowei Yang, and Ning Xu “Captcha as
Graphical Passwords—A New Security Primitive Based on Hard AI Problems”
VOL. 9, NO. 6, JUNE 2014
[2] R. Biddle, S. Chiasson, and P. C. van Oorschot, “Graphical passwords:
Learning from the first twelve years,” ACM Compute Surveys, vol. 44, no. 4,
2012.
[3] I. Jermyn, A. Mayer, F. Monrose, M. Reiter, and A. Rubin, “The design and
analysis of graphical passwords,” in Proc. 8th USENIX Security Symp., 1999,
pp. 1–15.
[4] H. Tao and C. Adams, “Pass-Go: A proposal to improve the usability of
graphical passwords,” Int. J. Netw. Security , vol. 7, no. 2, pp. 273– 292, 2008.
[5] S. Wiedenbeck, J. Waters, J. C. Birget, A. Brodskiy, and N. Memon,
“PassPoints: Design and longitudinal evaluation of a graphical password
system,” Int. J. HCI, vol. 63, pp. 102–127, Jul. 2005.
21

22. Thank you…!!!
22