ANNA UNIVERSITY: CHENNAI 600 025

CHAPTER 1INTRODUCTION1.1 SYNOPSISUsing hard AI (Artificial Intelligence) problems for security, under this paradigm, the most notable primitive invented is Captcha, which distinguishes human users from computers by presenting a challenge, i.e., a puzzle, beyond the capability of computers but easy for humans. Captcha is now a standard internet security technique to protect online email and other services from being abused by bots.We introduce a new security paradigm based on hard AI problems, namely, a novel family of graphical password systems integrating Captcha technology, which we call CaRP (Captcha as graphical Passwords). CaRP is click-based graphical passwords, where a sequence of clicks on an image is used to derive a password. Unlike other click-based graphical passwords, images used in CaRP are Captcha challenges, and a new CaRP image is generated for every login attempt. The notion of CaRP is simple but generic. CaRP can have multiple instantiations. In theory, any Captcha scheme relying on multiple-object classification can be converted to a CaRP scheme. We present exemplary CaRPs built on both text Captcha and image-recognition Captcha. One of them is a text CaRP wherein a password is a sequence of characters like a text password, but entered by clicking the right character sequence on CaRP images.

CHAPTER 2LITERATURE SURVEY2.1 CAPTCHA AS GRAPHICAL PASSWORDS A NEW SECURITY PRIMITIVE BASED ON HARD AI PROBLEMS Author: Bin B. Zhu, Jeff Yan, Guanbo Bao3, Maowei Yang, Ning Xu - IEEE Transactions on Information Forensics and Security, Apr 2014 In this project, a new security primitive based on hard AI problems, namely, a novel family of graphical password systems built on top of Captcha technology, is called as CaRP (Captcha as gRaphical Passwords). CaRP is both a Captcha and a graphical password scheme. CaRP addresses a number of security problems altogether, such as online guessing attacks, relay attacks, cross-site scripting attacks, and, if combined with dual-view technologies, shoulder-surfing attacks. Notably, a CaRP password can be found only probabilistically by automatic online guessing attacks even if the password is in the search set. CaRP also offers a novel approach to addressing the well-known image hotspots problem in popular graphical password systems such as Pass Points that often leads to weak password choices. CaRP is not a panacea, but it offers reasonable security and usability and appears to fit well with some practical applications for improving online security.[1]2.2 SURVEY OF DIFFERENT TYPES OF CAPTCHA Author : Ved Prakash Singh, Preet Pal, International Journal of Computer Science and Information Technologies, 2014A CAPTCHA may come in various forms like text based or image based CAPTCHA. The bot operation is similar to reverse turing test where the program acts like judge and the other person acts like user. If the user fails this test then he/she is considered to be a machine otherwise the user is considered to be an authentic user or a human being. CAPTCHA is a defensive system that acts as a tool to check web Bots from exploiting online services on the internet including free e-mail providers, wikis, blogs etc. It is a HIP system that is widely used to secure the internet based applications. It is also called as a challenge response test which gives a challenge to the users, when the user gives correct answer he is considered as human otherwise a web bot. CAPTCHA is an authentication process based on challenge-response authentication. CAPTCHA provides a mechanism with the help of which a users can protect themselves for spam and password decryption by taking a simple test. In this test a user will see either an image or a text which are normally distorted. The user is supposed to enter the pattern exactly as shown to him if the CAPTCH is based on text. If the CAPTCHA is based on image the user is supposed to enter the correct name of the image which correctly symbolizes CAPTHCAs means presenting a challenge response test to the users or humans.They are classified based on what is distorted that is whether characters, digits, or images. Some types of CAPTCHAs are given below:1. CAPTCHAs based on text2. CAPTCHAs based on image3. CAPTCHAs based on audio4. CAPTCHAs based on video5. CAPTCHAs based on puzzle [2]

2.3 CAPTCHA BASED ON HUMAN COGNITIVE FACTOR Author : Mohammad Jabed Morshed Chowdhury , Narayan Ranjan Chakraborty, International Journal of Advanced Computer Science and ApplicationsA CAPTCHA is an automatic security mechanism used to determine whether the user is a human or a malicious computer program. It is a program that generates and grades tests that are human solvable, but intends to be beyond the capabilities of current computer programs. CAPTCHA should be designed to be very easy for humans but very hard for machines. Unfortunately, the existing CAPTCHA systems while trying to maximize the difficulty for automated programs to pass tests by increasing distortion or noise have consequently, made it difficult for potential users. To address the issue, this paper addresses an alternative form of CAPTCHA that provides a variety of questions from mathematical, logical and general problems which only human can understand and answer correctly in a given time. The proposed framework supports diversity in choosing the questions to be answered and a user-friendly framework to the users. A user-study is also conducted to judge the performance of the developed system with different background. [3]

2.4 GRAPHICAL PASSWORDS: LEARNING FROM THE FIRST TWELVE YEARSAuthor : R. Biddle, S. Chiasson, and P. C. Van Oorschot, ACM Computing Surveys, vol. 44, 2012.Starting around 1999, a great many graphical password schemes have been proposed as alternatives to text-based password authentication. We provide a comprehensive overview of published research in the area, covering both usability and security aspects, as well as system evaluation. The paper first catalogues existing approaches, highlighting novel features of selected schemes and identifying key usability or security advantages. We then review usability requirements for knowledge-based authentication as they apply to graphical passwords, identify security threats that such systems must address and review known attacks, discuss methodological issues related to empirical evaluation, and identify areas for further research and improved methodology.

Beginning around 1999, a multitude of graphical password schemes have been proposed, motivated by the promise of improved password memorability and thus usability, while at the same time improving strength against guessing attacks. Like text passwords, graphical passwords are knowledge based authentication mechanisms where users enter a shared secret as evidence of their identity. However, where text passwords involve alphanumeric and/or special keyboard characters, the idea behind graphical passwords is to leverage human memory for visual information, with the shared secret being related to or composed of images or sketches. [4]

2.5 PICTURE CAPTCHAS WITH SEQUENCING: THEIR TYPES AND ANALYSISAuthor : Aditya Raj, Ashish Jain, Tushar Pahwa, Abhimanyu Jain, International Journal of Digital Society (IJDS) 2010CAPTCHAs currently in use have been broken and rendered ineffective as a result of continuous evolution in CAPTCHA breaking. Thus, there is a need to employ stronger CAPTCHAs to keep these breaking attacks at bay while retaining ease of implementation on websites and ease of use for humans. In this paper, Sequenced Picture Captcha (SPC) is introduced . Each CAPTCHA list comprises of object pictures, each of which may be accompanied by a Tag. The user is required to determine the logical sequence of the displayed object pictures based on the Tags. Two generation schemes are identified - one in which object pictures indicate an inherent sequencing and one in which explicit Tags are displayed for determining the sequencing. SPC is a picture CAPTCHA which consists of object pictures and possibly their tags which appear in the form of text-based CAPTCHAs.[5]

2.6 A NEXT GENERATION OF THE CAPTCHA : 3D CAPTCHA Author : Imsamai, M., Phimoltares, S, Information Science and Applications (ICISA)Nowadays, the Internet is now becoming a part of our everyday lives. Many services, including Email, search engine, and web board on Internet, are provided with free of charge and unintentionally turns them into vulnerability services. Many software robots or, in short term, bots are developed with purpose to use such services illegally and automatically. Thus, web sites employ human authentication mechanism called Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) to counter this attack. Unfortunately, many CAPTCHA have been already broken by bots and some CAPTCHA are difficult to read by human. In this project, a new CAPTCHA method called 3D CAPTCHA is proposed to provide an enhanced protection from bots. This method based on assumption that human can recognize 3D character image better than Optical Character Recognition (OCR) software bots. [6]

2.7 PURELY AUTOMATED ATTACKS ON PASSPOINTS-STYLE GRAPHICALPASSWORDSAuthor: P. C. van Oorschot, A. Salehi-Abari, and J. Thorpe, IEEE Trans. Info. Forensics and Security, vol. 5, 2010We introduce and evaluate various methods for purely automated attacks against Pass Points-style graphical passwords. For generating these attacks, we introduce a graph-based algorithm to efficiently create dictionaries based on heuristics such as click-order patterns (e.g., five points all along a line). Some of our methods combine click-order heuristics with focus-of-attention scan-paths generated from a computational model of visual attention, yielding significantly better automated attacks than previous work. One resulting automated attack finds 7%-16% of passwords for two representative images using dictionaries of approximately 226entries (where the full password space is 243). Relaxing click-order patterns substantially increased the attack efficacy albeit with larger dictionaries of approximately 235entries, allowing attacks that guessed 48%-54% of passwords (compared to previous results of 1% and 9% on the same dataset for two images with 235guesses). These latter attacks are independent of focus-of-attention models, and are based on image-independent guessing patterns. Our results show that automated attacks, which are easier to arrange than human-seeded attacks and are more scalable to systems that use multiple images, require serious consideration when deploying basic PassPoints-style graphical passwords. [7]

2. 8 A LOW-COST ATTACK ON A MICROSOFT CAPTCHA Jeff Yan, Ahmad Salah EI Ahmad, School of Computing ScienceCAPTCHA is now almost a standard security technology. The most widely deployed CAPTCHAs are text-based schemes, which typically require users to solve a text recognition task. The state of the art of CAPTCHA design suggests that such text-based schemes should rely on segmentation resistance to provide security guarantee, as individual character recognition after segmentation can be solved with a high success rate by standard methods such as neural networks. New character segmentation techniques of general value to attack a number of text CAPTCHAs, including the schemes designed and deployed by Microsoft, Yahoo and Google. In particular, the Microsoft CAPTCHA has been deployed since 2002 at many of their online services including Hotmail, MSN and Windows Live. Designed to be segmentation resistant, this scheme has been studied and tuned by its designers over the years. However, our simple attack has achieved a segmentation success rate of higher than 90% against this scheme. As a result, we estimate that this CAPTCHA could be instantly broken by a malicious bot with an overall (segmentation and then recognition)success rate of more than 60%. On the contrary, the design goal was that automated attacks should not achieve a success rate of higher than 0.01%. CAPTCHAs that are carefully designed to be segmentation resistant are vulnerable to novel but simple attacks. [8]

2.9 DESIGN OF GRAPHICAL PASSWORD Author : Ian jermyn, Alain Mayer, Fabian Monrose, Michael K. Reiter, and Aviel D. Rubin, USENIX Security Symposium

Design of graphical password exploits the features of graphical input displays to achieve better security than text based passwords. Graphical input devices enable the user to decouple the position of inputs from the temporal order in which those inputs occur, and we show that this decoupling can be used to generate password schemes with substantially larger (memorable) password spaces. In order to evaluate the security, a novel way is devised to capture a subset of the memorable passwords that is the design of graphical passwords. This is primarily motivated by devices such as personal digital assistants (PDAs) that graphical input capabilities via a stylus or a mouse.[9]

2.10 RECAPTCHA Author : Luis von Ahn, Ben Maurer, Colin McMillen, David Abraham, Manuel Blum, Google groupRecaptcha is a free service to protect websites from spam and abuse. Recaptcha uses an advanced risk analysis engine and adaptive captchas to keep automated software from engaging in abusive activities on your site. It does this while letting the valid users pass through with ease. Recaptcha offers more than just spam protection. Every time our captchas are solved, that human effort helps digitize text, annotate images, and build machine learning datasets. This in turn helps preserve books, improve maps, and solve hard AI problems.Scanned text is subjected to analysis by two differentoptical character recognitionprograms. Their respective outputs are then aligned with each other by standard string-matching algorithms and compared both to each other and to an English dictionary. Any word that is deciphered differently by both OCR programs or that is not in the English dictionary is marked as "suspicious" and converted into a CAPTCHA. The suspicious word is displayed, out of context, sometimes along with a control word already known. If the human types the control word correctly, then the response to the questionable word is accepted as probably valid. If enough users were to correctly type the control word, but incorrectly type the 2nd word which OCR had failed to recognize, then the digital version of documents could end up containing the incorrect word. The identification performed by each OCR program is given a value of 0.5 points, and each interpretation by a human is given a full point. Once a given identification hits 2.5 points, the word is considered valid. Those words that are consistently given a single identity by human judges are later recycled as control words.If the first three guesses match each other but do not match either of the OCRs, they are considered a correct answer, and the word becomes a control word.When six users reject a word before any correct spelling is chosen, the word is discarded as unreadable

CHAPTER 3SYSTEM ANALYSIS3.1 EXISTING SYSTEMThe problems of knowledge-based authentication, typically text-based passwords, are well known. Users often create memorable passwords that are easy for attackers to guess, but strong system-assigned passwords are difficult for users to remember. These security primitives are based on hard mathematical problems. A password authentication system should encourage strong passwords while maintaining memorable. Results show that PCCP (Persuasive Cued Click-Points) is effective at reducing hotspots and avoiding patterns formed by click-points within a password, while still maintaining usability. Graphical images used as password tend to follow predictable patterns that are easier for attackers to exploit.

3.1.1 DISADVANTAGES OF EXISTING SYSTEM1. Existing system have the security primitives that are based on hard mathematical problems.2. Existing system is vulnerable to bots ,online guessing attacks, relay attacks, cross-site scripting attacks,

3.2 PROPOSED SYSTEMUsing hard AI problems for security is emerging as an exciting new paradigm, but has been under explored. We propose that new authentication schemes allow user choice while influencing users towards stronger passwords. In our system, creature grid and click text easier to use than pass points and a combination of text password and graphical image. Both Creature grid and click text are better memorable password than the conventional text passwords. It offers reasonable security and usability and appears to fit well with some practical applications for improving security. A common goal of the system is to maximize the size of the effective password space and also provides security from vulnerable like bots, human guessing attacks and dictionary attacks. When user choice is involved, this also becomes a usability issue since users will be responsible for selecting their password.

3.2.1 ADVANTAGES OF PROPOSED SYSTEM 1. This system has an important usability goal to support users in selecting passwords of higher security, in the sense of being from an expanded effective security space. 2. Existing system is based on hard AI problems which uses CaRP scheme, encouraging users to select more random, and hence more difficult to guess, click-points.3. Proposed system protects secured data from bots ,online guessing attacks, relay attacks, cross-site scripting attacks, and malwares.

CHAPTER 4SYSTEM REQUIREMENT SPECIFICATION4.1 SOFTWARE REQUIREMENTSOperating System:Windows XP / 7 - 32 Bit VersionLanguage:C#, .NETWeb Technology:Window ApplicationBack End:MS-SQL Server 2012Dot Net Framework:V 4.0Documentation Tool:MS-Word 2003Development Tool:MS-Visual Studio 2012

4.2 HARDWARE REQUIREMENTSRAM: 1 GB and aboveProcessor:Dual core and aboveHard Disk :80 GB and above

4.3 EXTERNAL INTERFACE REQUIREMENTS4.3.1 User Interfaces1. User Interfaces are Graphical User Interfaces in this product.2. Users are communicated with Buttons to clear the content or send data to the destination.3. User can enter the data through the textbox.4. User can interact with text area to enter the multiple line of text.4.3.2 Hardware InterfacesEthernetEthernet on the AS/400 supports TCP/IP, Advanced Peer-to-Peer Networking (APPN) and advanced program-to-program communications (APPC). ISDNYou can connect your AS/400 to an Integrated Services Digital Network (ISDN) for faster, more accurate data transmission. An ISDN is a public or private digital communications network that can support data, fax, image, and other services over the same physical interface. Also, you can use other protocols on ISDN, such as IDLC and X.25. 4.3.3 Software Interfaces This software is interacted with the TCP/IP protocol. This product is interacted with the Socket and listening on unused ports. This product is interacted with the Server Socket and listening on unused ports. This product is interacted with I.D.E 2.04.3.4 Communications InterfacesThe TCP/IP protocol will be used to facilitate communications between the client and server.

4.4 OTHER NONFUNCTIONAL REQUIREMENTS4.4.1 Performance RequirementsThe maximum satisfactory response time to be experienced most of the time for each distinct type of user-computer interaction, along with a definition of most of the time. Response time is measured from the time that the user performs the action that says "Go" until the user receives enough feedback from the computer to continue the task. It is the user's subjective wait time. It is not from entry to a subroutine until the first write statement. If the user denies interest in response time and indicates that only the result is of interest, you can ask whether "ten times your current estimate of stand-alone execution time" would be acceptable. If the answer is "yes," you can proceed to discuss throughput. Otherwise, you can continue the discussion of response time with the user's full attention. The response time that is minimally acceptable the rest of the time. A longer response time can cause users to think the system is down. You also need to specify rest of the time; for example, the peak minute of a day, 1 percent of interactions. Response time degradations can be more costly or painful at a particular time of the day.

4.4.2 Safety RequirementsThe software may be safety-critical. If so, there are issues associated with its integrity level. The software may not be safety-critical although it forms part of a safety-critical system. For example, software may simply log transactions. If a system must be of a high integrity level and if the software is shown to be of that integrity level, then the hardware must be at least of the same integrity level. There is little point in producing 'perfect' code in some language if hardware and system software (in widest sense) are not reliable. If a computer system is to run software of a high integrity level then that system should not at the same time accommodate software of a lower integrity level. Systems with different requirements for safety levels must be separated. Otherwise, the highest level of integrity required must be applied to all systems in the same environment.

4.4.3 Security Requirements

Do not block the some available ports through the windows firewallTwo machines should be connected with LAN setting.

4.4.4 Software Quality Attributes

Functionality: are the required functions available, including interoperability and security.Reliability: maturity, fault tolerance and recoverability.Usability: how easy it is to understand, learn and operate the software system.Efficiency: performance and resource behavior.Maintainability: how easy is it to modify the software?Portability: can the software easily be transferred to another environment, including install ability.

CHAPTER 5SOFTWARE DESCRIPTION5.1. FEATURES OF DOT NETMicrosoft .NET is a set of Microsoft software technologies for rapidly building and integrating XML Web services, Microsoft Windows-based applications, and Web solutions. The .NET Framework is a language-neutral platform for writing programs that can easily and securely interoperate. There's no language barrier with .NET: there are numerous languages available to the developer including Managed C++, C#, Visual Basic and Java Script. The .NET framework provides the foundation for components to interact seamlessly, whether locally or remotely on different platforms. It standardizes common data types and communications protocols so that components created in different languages can easily interoperate.

.NET is also the collective name given to various software components build upon the .NET platform. These will be both products (Visual Studio.NET andWindows.NET Server, for instance) and services (like passport, .NET My Services, and so on).

5.2 THE.NET FRAMEWORKThe CLR is described as the "execution engine" of .NET. It provides the environment within which the programs run.

DOT NET Framework has two main parts:1. The Common Language Runtime (CLR).2. Hierarchical set of class libraries.The most important features are1. Conversion from a low-level assembler-style language, called Intermediate Language (IL), into code native to the platform being executed on.2. Memory management, notably including garbage collection.3. Checking and enforcing security restrictions on the running code.4. Loading and executing programs, with version control and other such features.The following features of the .NET framework are also worth description:

Managed Code

The code that targets .NET and which contains certain extra Information - "metadata" - to describe itself. While both managed and unmanaged code can run in the runtime, only managed code contains the information that allows the CLR to guarantee, for instance, safe execution and interoperability.

Managed Data

With Managed Code comes Managed Data. CLR provides memory allocation and garbage collection. Some .NET languages use Managed Data by default, such as C#, Visual Basic.NET and JScript.NET, whereas others, namely C++ do not.

Targeting CLR can, depending on the language youre using, impose certain constraints on the features available. As with managed and unmanaged code, one can have both managed and unmanaged data in .NET applications - data that doesn't get garbage collected but instead is looked after by unmanaged code.

Common Type System

The CLR uses something called the Common Type System (CTS) to strictly enforce type-safety. This ensures that all classes are compatible with each other, by describing types in a common way. CTS define how types work within the runtime, which enables types in one language to interoperate with types in another language, including cross-language exception handling. A well as ensuring that types are only used in appropriate ways, the runtime also ensures that code doesn't attempt to access memory that hasn't been allocated to it.

Common Language Specification

The CLR provides built-in support for language interoperability. To ensure that you can develop managed code that can be fully used by developers using any programming language, a set of language features and rules for using them called the Common Language Specification (CLS) has been defined. Components that follow these rules and expose only CLS features are considered CLS-compliant.

The Class Library

.NET provides a single-rooted hierarchy of classes, containing over 7000 types. The root of the namespace is called System; this contains basic types like Byte, Double, Boolean, and String, as well as Object. All objects derive from System. Object. As well as objects, there are value types. Value types can be allocated on the stack, which can provide useful flexibility.

There are also efficient means of converting value types to object types if and when necessary. The set of classes is pretty comprehensive, providing collections, file, screen and network I/O, threading, and so on, as well as XML and database connectivity.

The class library is subdivided into a number of sets (or namespaces), each providing distinct areas of functionality, with dependencies between the namespaces kept to a minimum.

CHAPTER 6SYSTEM DESIGN6.1 SYSTEM ARCHITECTURE DIAGRAM

LoginChoose ResourcesCaRP Generation Authentication

RegistrationCreate PasswordClick TextCreature GridDBResource 1Resource 2

Fig 6.1 System Architecture Diagram

6.2 DATA FLOW DIAGRAM

The Data Flow diagram is a graphic tool used for expressing system requirements in a graphical form. The DFD also known as the "bubble chart" has the purpose of clarifying system requirements and identifying major transformations that to become program in system design. Thus DFD can be stated as the starting point of the design phase that functionally decomposes the requirements specifications down to the lowest level of detail. The DFD consist of series of bubbles joined by lines. The bubbles represent data transformations and the lines represent data flows in the system. A DFD describes what that dataflow in rather than how they are processed. So it does not depend on hardware, software, data structure or file organization.

Level 0

UserCaRPServer

Fig 6.2.1 Data Flow Diagram Level 0

Level 1

UserCaRP Scheme(Click Text)User RegistrationPasswordGeneration

Fig 6.2.2 Data Flow Diagram Level 1

Level 2

UserClick Text CaptchaGenerationClick your password on imageAuthenticate& Validation

Fig 6.2.3 Data Flow Diagram Level 2

Level 3

CaRP Scheme (Creature Grid)Grid CreatureGenerationEnter Creature PasswordUserRegistrationUser

Select password on click creature

Select password on creature gridHashing ProcessCreature GridGeneration

Fig 6.2.4 Data Flow Diagram Level 3

Level 4

CaRP Scheme(Creature Grid)Login Phase

Authentication & verificationSelect password on Creature gridCreature GridGenerationSelect password on click CreatureEnter Creature PasswordUserGrid CreatureGeneration6.2.5 Data Flow Diagram Level 4

6.3 USE CASE DIAGRAM

Click Text Captcha GenerationCreature Grid Captcha GenerationAuthentication

Fig6.3 Use Case Diagram

6.4 SEQUENCE DIAGRAMFig 6.4 Sequence Diagram

6.5 COLLABORATION DIAGRAM

6. Creature Pwd()8. Click Creature onimage7. Click Creature captchaGeneration()4. Hashing()3. Click TextOnImage()2. Click TextCaptchaGeneration()1. Click Text Pwd()PasswordCaRPAuthenticationClick TextCreature Grid5. Validate()

Fig

6.5 Collaboration Diagram

6.6 ACTIVITY DIAGRAM

Creature Password GenerationPassword GenerationClick TextCaptcha GenerationCreature Grid GenerationClick Creature on imageCARPHashingValidationHashingValidationSelect Creature Grid on imageClick TextCaptchaCreature GridCaptchaClick Creature CaptchaClick Text on imageFig 6.6 Activity Diagram.7 CLASS DIAGRAM

Click Text CaptchaUser NamePasswordClick Text GenerationCaptcha Generation()Login()Registration()AuthenticationUser NamePasswordHashingHashing()Verification()Click Creature CaptchaUser NamePasswordClick Creature GenerationApply FeaturesCaptcha Generation()Login()Registration()Mail Sending ProcessFromToSubject AttachmentSendMail()

Fig 6.7 Class Diagram

CHAPTER 7MODULES7.1 LIST OF MODULES1. Click Text2. Click Creature3. Creature Grid4. User Authentication with CaRP Schemes

7.2 MODULE DESCRIPTION1. Click TextClickText is a recognition-based CaRP scheme built on top of text Captcha. A ClickText image is generated by the underlying Captcha engine as if a Captcha image were generated except that all the alphabet characters should appear in the image. During generation, each characters location is tracked to produce a ground truth for the location of the character in the generated image. The authentication server relies on the ground truth to identify the characters corresponding to user-clicked points.

2. Click Creature

Click Creature is a recognition-based CaRP scheme built on top of Captcha-Creature, with an alphabet of many creatures etc. Its password is a sequence of creature names such as P = Horse, Butterfly, Lion, Dog, Peacock . After 3D models of creatures are distorted and the resulting 2D creatures are then arranged on a cluttered background. This make it hard for computers to automatically recognize creatures in the generated image, yet humans can easily identify different instantiations of creatures.

3. Creatures Grid

CaRP should have a sufficiently-large effective password space to resist human guessing attacks. Creature Grids password space can be increased by combining it with a grid-based graphical password, with the grid depending on the size of the selected creature. Click-A-Secret (CAS) wherein a user clicks the grid cells in her password. Creature Grid is a combination of Click Creature and CAS. The number of grid-cells in a grid should be much larger than the alphabet Size.

4. User Authentication with CaRP Schemes

Like other graphical passwords, we assume that CaRP schemes are used with additional protection such as secure channels between clients and the authentication server. The authentication server (AS) stores a salt (s) and a hash value H (P, S) for each user ID, where is the password of the account and not stored. Upon receiving a login request, (AS) generates a CaRP image and records the locations of the objects in the image, and sends the image to the user to click her password. Then (AS) retrieves salt (S) of the account, calculates the hash value of (P) with the salt, and compares the result with the hash value stored for the account. Authentication succeeds only if the two hash values match.

CHAPTER 8CONCLUSIONCaRP is both a Captcha and a graphical password scheme. The notion of CaRP introduces a new family of graphical passwords, which adopts a new approach to counter online guessing attacks: a new CaRP image, which is also a Captcha challenge, is used for every login attempt to make trials of an online guessing attack computationally independent of each other. A password of CaRP can be found only probabilistically by automatic online guessing attacks including brute-force attacks, a desired security property that other graphical password schemes lack. Hotspots in CaRP images can no longer be exploited to mount automatic online guessing attacks, an inherent vulnerability in many graphical password systems. CaRP forces adversaries to resort to significantly less efficient and much more costly human-based attacks. In addition to offering protection from online guessing attacks, CaRP is also resistant to relay attacks, cross-site scripting attacks, and dictionary guessing attacks.

REFERENCES

1. Bin B. Zhu, Jeff Yan, GuanboBao, Maowei Yang, Ning Xu - Captcha as Graphical Passwords A New Security Primitive Based on Hard AI Problems IEEE transactions on Information Forensics and Security , Apr 20142. Ved Prakash Singh, Preet Pal Survey of Different Types of CAPTCHA International Journal of Computer Science and Information Technologies, Vol. 5 (2) , 20143. Mohammad Jabed Morshed Chowdhury , Narayan Ranjan Chakraborty - CAPTCHA Based on Human Cognitive Factor , International Journal of Advanced Computer Science and Applications, Vol. 4, 20134. R. Biddle, S. Chiasson, and P. C. Van Oorschot, Graphical Passwords: Learning from the first twelve years, ACM Computing Surveys, vol. 44, 2012.5. Aditya Raj, Ashish Jain, Tushar Pahwa, Abhimanyu Jain, Picture Captchas with Sequencing: Their Types and Analysis, International Journal of Digital Society (IJDS) 20106. Imsamai, M., Phimoltares, S, A Next Generation of the Captcha : 3D Captcha, Information Science and Applications (ICISA), 20107. P. C. van Oorschot, A. Salehi-Abari, and J. Thorpe, Purely automated attacks on PassPoints-style graphical passwords, IEEE Trans. Info. Forensics and Security, vol. 5, 20108. Jeff Yan, Ahmad Salah, EI Ahmad, A Low-Cost Attack on a Microsoft Captcha , School of Computing Science, 20089. Ian jermyn, Alain Mayer, Fabian Monrose, Michael K. Reiter, and Aviel D. Rubin The Design and Analysis of Graphical Password USENIX Security Symposium 1999

1

2