1. Kanishka Khandelwal
Final Year,
Dept of Computer Science and Engineering,
Jadavpur University
2. Authentication
Existing Systems
Proposed 3D password system
3D Virtual environment
Expected Functionalities
The Idea
System Implementation
Objects Required
Security Analysis
Applications
Conclusion
Kanishka Khandelwal,Dept of Comp Sc. and Engg,J.U. 5/10/2012
3. Are you who you claim to be?
4. What you know (knowledge based).
What you have (token based).
What you are (biometrics).
What you recognize (recognition based).
5. Textual passwords
Graphical passwords
Biometrics
Token based
6. Textual passwords: the most common authentication technique used
in the computer world
Two conflicting requirements: passwords
should be easy to remember and hard to
guess
Often kept very simple, say a word from the
dictionary or the name of a pet or girlfriend
Klein cracked 25% of the passwords using a
very small but well-formed dictionary.
Drawback: guessable!
7. Biometrics consists of methods for uniquely
recognizing humans based upon one or more
intrinsic physical or behavioral traits
Drawbacks:
Intrusiveness to privacy
Biometrics cannot be revoked
Users resist exposing their retinas to IR rays
8. Graphical passwords: users can recall and recognize pictures
better than words.
Password space is less than or equal to
textual password space.
Vulnerable to shoulder-surfing attacks
The process of selecting a set of pictures from the
picture database can be tedious and time
consuming for the user
9. Tokens are vulnerable to loss, theft or duplication
The user has to carry the token whenever access is
required
10. The 3-D password is a multifactor
authentication scheme.
The 3D password combines all existing
authentication schemes into one three-
dimensional virtual environment.
Users have the freedom to select whether the
3D password will be solely recall, biometrics,
recognition, or token based, or a combination
of two schemes or more
11. The following requirements are satisfied
Secrets are easy to remember and very
difficult for intruders to guess
Secrets are not easy to write down on paper
and difficult to share with others
Secrets can be easily revoked or changed.
12. The three-dimensional virtual environment
consists of many items or objects.
Each item has different responses to actions
The user’s actions, interactions and inputs
towards the objects or towards the three-
dimensional virtual environment create the
user’s 3D password.
13. The user can decide his own authentication schemes.
The 3D environment can change according to the user’s
request.
It would be difficult to crack using regular techniques.
Can be used in critical areas such as Nuclear Reactors,
Missile Guiding Systems etc.
Added with biometrics and card verification, the scheme
becomes almost unbreakable.
14. A large number of possible passwords because of the
high number of possible actions and interactions
towards every object and towards the three-
dimensional virtual environment.
The authentication can be improved since
unauthorized persons will not interact with the
same objects as a legitimate user would. We can
also include a timer: the higher the security, the higher the
timer. Say, after 20 seconds a weak password will
be thrown out.
15. The user navigates through a three
dimensional virtual environment
The combination and the sequence of the
user’s actions and interactions towards the
objects in the three-dimensional virtual
environment construct the user’s 3D
password.
16. For example, the user can enter the virtual
environment and type something on a computer
that exists in (x1 , y1 , z1 ) position, then enter a
room that has a fingerprint recognition device
that exists in a position (x2 , y2 , z2 ) and
provide his/her fingerprint. Then, the user can
go to the virtual garage, open the car door, and
turn on the radio to a specific channel. The
combination and the sequence of the previous
actions toward the specific objects construct the
user’s 3D password
17. A computer with which the user can type.
A fingerprint reader that requires the user’s
fingerprint.
A light bulb
A biometric recognition device.
A television or radio where channels can be
selected.
A car that can be driven.
Any graphical password scheme.
Any real life object.
Any upcoming authentication scheme.
18. The action towards an object (assume a
fingerprint recognition device) that exists in
location (x1, y1 , z1 ) is different from the
actions toward a similar object (another
fingerprint recognition device) that exists in
location (x2 , y2 , z2 ). Therefore, to perform the
legitimate 3D password, the user must follow the
same scenario performed by the legitimate user.
This means interacting with the same objects
that reside at the exact locations and performing the
exact actions in the proper sequence.
19.
Let us consider a 3D virtual environment space of
size G × G × G. The 3D environment space is
represented by the coordinates (x, y, z) ∈ [1, . . . , G]
× [1, . . . , G] × [1, . . . , G]. Consider a user who
navigates through the 3D virtual environment that
consists of an office and a meeting room. Let us
assume that the user is in the virtual office and the
user turns around to the door located in (10, 24, 91)
and opens it. Then, the user closes the door. The
user then finds a computer to the left, which exists in
the position (4, 34, 19), and the user types “FALCON.”
The initial representation of user actions in the
3D virtual environment can be recorded as follows:
20. (10, 24, 91) Action = Open the car door.
(10, 24, 91) Action = Close the car door.
(4, 34, 19) Action = Typing, “F”.
(4, 34, 18) Action = Typing, “A”.
(4, 34, 17) Action = Typing, “L”.
(4, 34, 16) Action = Typing, “C”.
(4, 34, 15) Action = Typing, “O”.
(4, 34, 14) Action = Typing, “N”.
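The verification rule from the slides above (same objects, same locations, same actions, same order), as an added Python example that is not part of the original presentation. The action labels, the byte encoding, the PBKDF2 work factor and the function names are assumptions made for illustration; the coordinates are the ones recorded on the slide.

```python
import hashlib
import hmac
import os
import struct

# Constructed enrollment sequence, using the coordinates recorded on the slide
# above. The action labels ("door:open", "type:F", ...) are hypothetical.
ENROLLED = [
    ((10, 24, 91), "door:open"),
    ((10, 24, 91), "door:close"),
    ((4, 34, 19), "type:F"),
    ((4, 34, 18), "type:A"),
    ((4, 34, 17), "type:L"),
    ((4, 34, 16), "type:C"),
    ((4, 34, 15), "type:O"),
    ((4, 34, 14), "type:N"),
]

ITERATIONS = 200_000  # assumed PBKDF2 work factor, tune for the deployment


def encode(events):
    """Serialize events in order; length-prefix each action so that two
    different sequences can never produce the same byte string."""
    out = bytearray()
    for (x, y, z), action in events:
        label = action.encode("utf-8")
        out += struct.pack(">HHHH", x, y, z, len(label)) + label
    return bytes(out)


def enroll(events):
    """Return (salt, digest); only these are stored, never the sequence."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", encode(events), salt, ITERATIONS)


def verify(events, salt, digest):
    """True only for the same objects, locations, actions and order."""
    candidate = hashlib.pbkdf2_hmac("sha256", encode(events), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    salt, digest = enroll(ENROLLED)
    print(verify(ENROLLED, salt, digest))                  # exact replay
    print(verify(list(reversed(ENROLLED)), salt, digest))  # wrong order
```

Biometric steps are left out of the hashed sequence because a biometric reading is matched approximately by its own device, not compared byte for byte.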
22. The Size of the 3D Password Space
-We noticed that by increasing the number of
objects in the three-dimensional virtual
environment, the 3D password space
increases exponentially.
24. 3D Password Distribution Knowledge
- Knowledge about the user’s selection of
three-dimensional passwords is not
available
- Knowledge about the design of a three-
dimensional virtual environment is required
by the attacker
- The attacker must have knowledge about
every single authentication scheme
25. The 3D password can have a password space
that is very large compared to other
authentication schemes, so the 3D
password’s main application domains are
protecting critical systems and resources
Critical server
Nuclear and military facilities
Airplanes and jet fighters
26. In addition, 3D passwords can be used in less
critical systems
A small virtual environment can be used in
the following systems like
ATM
Personal Digital Assistants
Desktop Computers & laptop logins
Web Authentication
Security Analysis
27. A virtual art gallery that consists of 36 pictures and 6 computers
where users can navigate and interact with virtual objects by
either typing or drawing.
http://www.youtube.com/watch?v=4bvMo1NiyX0
30. 1. The user can decide his own authentication schemes. If he's
comfortable with Recall and Recognition methods then he can
choose the 3D authentication just used above.
2. The authentication can be improved since unauthorized
persons will not interact with the same objects as a legitimate
user would. We can also include a timer: the higher the security,
the higher the time.
3. The 3D environment can change according to the user's request.
4. It would be difficult to crack using regular techniques. Since all
the algorithms follow steps to authenticate, the scheme has no
fixed number of steps. Hence calculating all those possibilities
and deciphering them is not easy.
5. Can be used in critical areas such as Nuclear Reactors, Missile
Guiding Systems etc.
6. Added with biometrics and card verification, the scheme
becomes almost unbreakable.
31. A Novel 3D Graphical Password Schema -
Fawaz A Alsulaiman and Abdulmotaleb El
Saddik
http://www.authorstream.com/Presentation/kkarthikeyan08-895930-3d-password/
http://www.technospot.net/blogs/what-is-3d-password-scheme-3/
Having knowledge about the most probable textual passwords is the key behind dictionary attacks. Any authentication scheme is affected by the knowledge distribution of the user’s secrets. Knowledge about the user’s selection of three-dimensional passwords is not available, up to now, to the attacker. Moreover, having different kinds of authentication schemes in one virtual environment causes the task to be more difficult for the attacker. However, in order to acquire such knowledge, the attacker must have knowledge about every single authentication scheme and what are the most probable passwords using this specific authentication scheme. This knowledge, for example, should cover the user’s most probable selection of textual passwords, different kinds of graphical passwords, and knowledge about the user’s biometrical data. Moreover, knowledge about the design of a three-dimensional virtual environment is required in order for the attacker to launch a customized attack.