Enhancing Security by CAPTCHA based Image Grid Master Password

Transcription

1 International Journal of Advancements in Computing Technology Volume 2, Number 5, December 2010 Enhancing Security by CAPTCHA based Image Grid Master Password Nitin*, Amanpreet Singh Arora, Aditya Patel, Radhika Medury, Shubhrangshu Naval, Rajat Gupta and Srishti Sarin *College of Information Science and Technology, Department of Computer Science, Peter Kiewit Institute, University of Nebraska at Omaha, 1110 South 67th Street Omaha, Nebraska , United States Jaypee University of Information Technology, Waknaghat, Solan , Himachal Pradesh, India s: {aditya187,amanpreetsarora, radhikamedury, shubh.naval, juitrajat, doi: /ijact.vol2. issue5.10 Abstract Identity theft, privacy invasion, loss of key information is the major reasons for which security is breached these days. Hence, it is very essential that effective security prevention measures are taken. This paper, proposes many such hacking prevention measures with approaches to recover a hacked account. It also puts forward a novel CAPTCHA (Completely Automated Public Turing Test to tell Computers and Humans Apart) based mechanism, which can protect the crucial information even if the account is hacked. Keywords: CAPTCHA, Security, Image Grid Algorithm, Grid Generation Algorithm 1. Introduction and Motivation In this day and age, s are one the most extensively used modes of communication. People access s for personal and professional uses. In both the cases there is vital information that is being sent and received. With the advent of e-commerce, there is also a risk of losing money by fraud. account can be hacked by various means. Most widely used techniques are Keylogger software and a phishing page. Keylogger software pursues keys struck on a keyboard typically in a stealthy manner so that the person using the keyboard remains unaware that his actions are being monitored. Password is guessed by analyzing the recorded key strokes. It is mostly used on a public computer. Whereas a phishing page is a fake page looking like a website s login page. A user is allured to enter his username and password. Once the details are entered they are sent directly to the hacker. Hence, it is very necessary to take proper measures to make communication as secure as possible. We put forward the concept of an easy to remember image based Master Password, which will be used to generate a collage CAPTCHA thus making it safe from automated bots and humans. This master password is actually an image uploaded by the user, which will be presented as a collage CAPTCHA whenever required. A user will have to select his particular uploaded image i.e. the master password from the set of given images. If a wrong guess is made, the collage is generated again with changed image positions. There is a limit to maximum number of wrong attempts. Growing number of accounts being hacked and absence of any sound mechanism to recover the hacked account motivated us to look for alternative ways. Hence, we propose a few suggestions and the master password mechanism to existing Service Providers. To make it effortless for the user to memorize the password, we make use of an image as the master password. The rest of the paper is organized as follows: Section 3 and 4 provides suggestions and suggested methods and Section 5 and 6 provides Image Mining and Image Grid algorithms followed by Grid Generation Algorithm explained in Section 7 and supported by user survey explained in Section 8 followed by Conclusion and References

2 Enhancing Security by CAPTCHA based Image Grid Master Password Nitin, Amanpreet Singh Arora, Aditya Patel, Radhika Medury, Shubhrangshu Naval, Rajat Gupta and Srishti Sarin Figure 1. Initial password recovery form in Gmail. It asks for various problems and leads the user accordingly. 2. Literature Survey Figure 2. Password recovery form in Windows Hotmail. A study of various research papers was done on CAPTCHAs [1-12], security, computer networks, image mining and image segmentation. Starting with the papers and study material on computer networks and security, a study of latest security mechanisms employed by major service providers (ESPs) was done. We also logged onto major services like Yahoo, Gmail and MSN. Various loopholes were found in their password recovery systems. Presented below (Figure 1-6) are the screenshots of Gmail, Hotmail and Yahoo Mail; these were studied as part of the literature survey to discover the ubiquitous but overlooked flaws in the existing system. A case study has been done to recover a lost password on Yahoo Mail. Few flaws were found in the existing system and to overcome these flaws finally the Master Password Mechanism is suggested by us. Beginning with Figure 3, it shows the Yahoo page when the user clicks on the Forgot My Password/ID/Cannot Login link. This figure demonstrates the various ways in which to begin the password recovery process. Next to follow is Figure 4, wherein the user is asked to enter the secondary address. This part of the password recovery process has a flaw that in case the hacker changes the secondary address of the user, will not be able to retrieve his password. Figure 5 follows with security question. Here also the same problem (as discussed with previous figure) might occur that the hacker may change user s security question as well. If in case user enters the information asked in Figure 4 and Figure 5 correctly then password can finally be renewed as shown in Figure

3 International Journal of Advancements in Computing Technology Volume 2, Number 5, December 2010 Figure 3. Initial password recovery form in Yahoo. It asks for various problems and leads the user accordingly. Figure 4. An alternative address is asked for password recovery. This step is not useful in case user s secondary ID is changed by the hacker. Figure 5. A security question is asked for password recovery. This step is not useful in case user s security question is changed by the hacker or the user forgets the answers

4 Enhancing Security by CAPTCHA based Image Grid Master Password Nitin, Amanpreet Singh Arora, Aditya Patel, Radhika Medury, Shubhrangshu Naval, Rajat Gupta and Srishti Sarin Figure 6. The final step where the password is changed. Subsequently, we have studied about CAPTCHAs in which a reverse Turing test is used to thwart the automated bot attacks to crack the passwords. CAPTCHA is basically a type of challengeresponse test used in computing to ensure that the response is not generated by a computer [11]. The most common form of CAPTCHAs are randomly generated images containing codes that are to be manually entered. A machine cannot decode the intentionally distorted letters and numbers. Also we have suggested a CAPTCHA based master password. To create the Master Password, we have used image mining and image segmentation algorithms. Image mining, a broader view of data mining technique can help us find meaningful relationship among various images generated by the image mining algorithm [2]. It is more than just an extension of data mining to image domain as it requires expertise in computer vision, image processing, image retrieval, data-mining, machine learning, database, and artificial intelligence for perfect retrieval. Image mining is rapidly gaining attention among researchers in the field of data mining, information retrieval and multimedia databases because of its potential in discovering useful image patterns that may push the various research fields to new frontiers. According to the image mining technique given in the research paper, various image descriptors/region descriptors can be assigned to an individual image after successfully mining through Figure 7. A screenshot taken from showing the record of last 5 IP addresses from where the account was last accessed. It also shows the time details

5 International Journal of Advancements in Computing Technology Volume 2, Number 5, December 2010 Figure 8. This figure explains the proposed way in which Master Password could be implemented. Here Master Password is used to open a locked folder. the segmentation algorithm. These region descriptors are very useful in finding different types of images from a large database [4]. A way of image mining is to rely on the automatic/semi-automatic analysis of image content and to do the mining on the generated descriptors. For example, color, texture, shape and size can be determined automatically. Objects in an image can be determined by the similarity of those attributes. After getting a collection of images from image mining algorithm, the task to be done is to choose the relevant images that are necessary for that particular application. This is known as the Refinement Process. It uses the concept of Association Rule Mining technique of databases. For example, the support and confidence parameters can be used here for getting the relevant images. The image form of password is easy to remember than the usual textual passwords. Images also have more scope than text in real world entity as it is said that A picture is worth a thousand words, therefore, mining images for the purpose of having different combinations of master password would definitely increase the complexity of cracking the password and therefore, fulfilling the aim of the research paper. 3. Suggestions for Service Providers 3.1. Safety Measure Prior to Account being Hacked Service Providers (ESPs) maintain a record of the IP address accessing the account. It can be done at the time of creation of the account that user is asked a question (given below) From where do you access this account? 1. Home/Office 2. Public Place (Internet Cafe) 3. Both If the answer to the above question is a i.e. the account is used from home/office then there must be a fixed IP address of these places provided to user by the ISPs (Internet Service Providers). Hence those particular IP addresses are recorded in the database. In case the account is being opened consistently from a new IP address then the user is alerted by a message and is authenticated by answering a security question or entering the master password. If the answer to the above question is b then user is not warned at all even if many different IP addresses are accessing the account. He s advised to uncheck the stay signed in checkbox while logging in and logout from the account when done. Timed auto logout feature can also be used in

6 Enhancing Security by CAPTCHA based Image Grid Master Password Nitin, Amanpreet Singh Arora, Aditya Patel, Radhika Medury, Shubhrangshu Naval, Rajat Gupta and Srishti Sarin which user is automatically logged out from the session after a certain amount of time. If the answer selected is c i.e. both, then also the procedure as explained in option b shall be followed. Another safety measure could be to lock the folders/labels prevalent today in most of the services. Locking shall be done by the master password How to Retrieve an Account after it is Hacked? There are following existing ways to recover a hacked account: 1. Secondary ID: An having the information about how to reset your password is sent to user s secondary id. 2. Security Question: User can answer the security questions filled by him while creating the account in order to retrieve his password. Mobile Phone: User s new password is sent as an SMS to the mobile number mentioned in user s account. 3. However, all the above three details can be changed by the hacker; hence user cannot recover his account by merely adhering to above-mentioned ways. 4. Proposed Mechanism 4.1. Understanding a CAPTCHA A CAPTCHA [7,11] is a program that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot. It is imperative these days to thwart any brute force attack launched by automated bots to prevent account. We have clubbed a CAPTCHA along with a password known as Master Password. This Master Password is actually an image uploaded by the user. With the help of 2 algorithms we create a collage CAPTCHA, containing the master password. A user will be presented this CAPTCHA to recover a hacked account, to reset password or to view the contents of any locked folder

7 International Journal of Advancements in Computing Technology Volume 2, Number 5, December Our suggested method uses an Image-Mining algorithm along with a Image Grid Algorithm. Here s the whole process in short is explained: 2. User uploads any 1 personal picture, specially of any object/pet. This image is the Master Password. 3. Image Mining Algorithm looks for similar (not exact) images and generates a pool of images. 4. Image Grid Algorithm makes a collage of these images. It will be a grid of say, 4 x 4 images consisting of 1 actual image uploaded by the user and 15 similar images from the image pool, which is generated by the Image mining algorithm. 5. This grid of images (Collage CAPTCHA) will be used to ask for the Master Password whenever it is required. 6. Master Password can be used to lock the folders or to recover a lost account. 5. Image Mining Algorithm 5.1. Segmentation Image segmentation is an initial and vital step in a series of processes aimed at overall image understanding. The image is segmented into various regions. The purpose of segmentation is to partition an image into meaningful regions with respect to a particular application. Here we segment images into regions identifiable by region descriptors. The segmentation is based on measurements taken from the image and might be greylevel, color, texture, depth or motion Searching Images based on various Region Descriptors According to the varied regions of the above mentioned image, we tend to find the related object images which are similar to it. Compare objects in one image to objects in every other image. In this algorithm we propose to find the images which are having the same objects as that of our segmented image Refining the Search Operation Based on the main region descriptor, we tend to make our search more specific by eliminating all the images found so far that are not associated with it with the help of some associations rule in data mining. Explanation of flowchart- The first step is to select an image for segmentation. The image which is uploaded as a master password is used as the input to the segmentation algorithm. Here we have uploaded a cat image as the master password (Refer Figure 9: highlighted using red box). This image is used for segmentation. Now, we segment the image into various region descriptors i.e R1,R2.Rn where Ri is the ith region descriptor. Let us assume that the cat s face is described by resgion descriptor R2 (main region descriptor) and other portions of image like background and cat s remaining body by R1 and R3 respectively. Now, we search for the different type of images based on these region descriptors from a centralized database having collection of different types of images. This would result with a collection of different types of images. Now, based on our main region descriptor i.e R2 (cat s face), we further refine our search by the help of association rule data mining technique to obtain different cat images. Here, we have assumed that after refinement is over, we will be getting around 16 images that are relevant to the main image (Master Password). Now, These images are used as the input to the Grid making algorithm [2]. 6. Image Grid Algorithm

8 Enhancing Security by CAPTCHA based Image Grid Master Password Nitin, Amanpreet Singh Arora, Aditya Patel, Radhika Medury, Shubhrangshu Naval, Rajat Gupta and Srishti Sarin 1. Set a Static Image Grid: We intend to create a grid of images, say of 6 images out of the images collected using the image mining algorithm previously explained. These images need to be cropped to a maximum height and width of 500 pixels, say. 2. Leave Margins so as to wrap the Images Nicely: Place a bit of margin on the right and bottom edges to add a bit of whitespace. 3. Align the Photographs: Image grids look best when the photographs are both vertically and horizontally centered. 4. Adding the Slider: To set up the slider, by adding some JavaScript. 7. Grid Generation Algorithm var i, j, counter=0; var a[4][4]; //selecting 16 random images from the set of 5000 images for(i=0; i<4;i++) { for(j=0; j<4;j++) a[i][j] = rand(0,4999); } im = rand(0,15); $_SESSION['mpwd'] = md5($im); //Code for generating the image grid var counter = 0; for(i=0; i<4;i++) { for(j=0;j<4;j++) { if(counter = = im) { //display the master password image of the user stored by him at the time of registration counter++; } else { //display the random images previously determined counter++; } } } The algorithm was implemented using PHP. It makes use of mt_rand() function to extract random images from a pool of 5000 images which were previously generated by the image mining algorithm. Here, randomly 16 images are selected which constitute the image grid. User s master password is also assigned a random location and is encrypted by md5() hashing algorithm. This encrypted location of user s password is stored in a session variable which is later used to check the correct answer

9 International Journal of Advancements in Computing Technology Volume 2, Number 5, December 2010 Figure 9. A sample 4 x 4 collage. It is formed from the image pool generated by the master password image of the user. 2 Algorithms were used. Each time the page is a refreshed image changes their position. 8. User Survey A user survey was conducted to test the ease and feasibility of this technique. The technique was implemented using PHP and was hosted over intranet on our webpage. A test pool of 1000 images was created to randomly generate the image grid. On every page refresh set of 16 new images was displayed out of which 1 was user s own master password image. Selected users were sent invitations to participate in the survey. The registered users chose the right answer with 90% accuracy in first attempt and with 95% accuracy in second attempt. Along with this a poll was posted over the webpage, in which around 83% of the users found this better than the text based CAPTCHAs. Also, a certain set of users were asked to crack the password without knowing the answer to check for the security of the technique. On an average, 89% of the people could not guess the answer. They tried refreshing the page and look for a common image to guess the answer but few images repeated themselves, thus making the guess work difficult. To further improve the efficiency of this method, a larger grid could be deployed. 9. Conclusion security can be enhanced by following the suggestions mentioned in the paper. Clubbing of CAPTCHA with password saves time and effort, increases the ease of use and is decently effective in thwarting both human intrusion and bot attacks. If the proposed mechanism is incorporated by existing service providers then security would be greatly enhanced. This will also build a confidence in novice users, business professionals and administrators who store key information in their accounts. Hence, an efficient way to protect and recover hacked account is put forth. Future holds great possibilities only if cyber crime is checked by augmenting internet security. 10. References [1] R. Gossweiler, M. Kamvar and S. Baluja, What s Up CAPTCHA? A CAPTCHA Based on Image Orientation, In Proceedings of the 18th international conference on WWW, pp , [2] C. Ordonez and E. Omiecinski, Image Mining: A New Approach for Data Mining, Georgia Institute of Technology, CC Technical Report; GIT-CC-98-12, pp.1-22,

10 Enhancing Security by CAPTCHA based Image Grid Master Password Nitin, Amanpreet Singh Arora, Aditya Patel, Radhika Medury, Shubhrangshu Naval, Rajat Gupta and Srishti Sarin [3] W. Hsu, M.L. Lee and J. Zhang, Image Mining: Trends and Developments, Journal of Intelligent Information Systems 19(1), pp. 7-23, [4] P. Stanchev, Using Image Mining for Image Retrieval, In Proceedings of the IASTED conference on Computer Science and Technology, pp , [5] S. Yardi, N. Feamster and A. Bruckman, Photo-Based Authentication Using Social Networks, In Proceedings of the 1st Workshop on Online Social Networks, pp.55-60, 2008 [6] Y. Rui and Z. Liu, Excuse Me, But Are You Human?,In Proceedings of the 11th ACM International Conference on Multimedia, pp , [7] L. Ahn, M. Blum, N.J. Hopper, and J. Langford, CAPTCHA: Telling humans and computers apart, In Advances in Cryptology: Lecture Notes in Computer Science, pp , [8] R. Agrawal, T. Imielinski, and A. Swami, Mining Association Rules between Sets of Items in Large Databases, In Proceedings of the ACM SIGMOD International Conference on Management of Data, pp , [9] S. Belongie, C. Carson, H. Greenspan, and J. Malik, Recognition of Images in Large Databases using a Learning Framework, Technical Report TR , U.C. Berkeley, CS Division, pp. 1-8, [10] L. Ahn, M. Blum, N.J. Hopper and J. Langford, CAPTCHA: Using Hard AI Problems for Security, Proceedings of International Conference on the Theory and Applications of Cryptographic Techniques, pp. 294, [11] L. Ahn, M. Blum and J. Langford, Telling Humans and Computer Apart Automatically, Communications of ACM 47, pp , [12] S. Li and H.Y. Shum, Secure Human-Computer Identification (Interface) Systems against Peeping Attacks (SecHCI): A Survey, Technical Report, pp.1-53,