New Enhancing E-mail Security by CAPTCHA based Image Grid … · 2015. 7. 29. · Enhancing E-mail...
Transcript of New Enhancing E-mail Security by CAPTCHA based Image Grid … · 2015. 7. 29. · Enhancing E-mail...
International Journal of Advancements in Computing Technology
Volume 2, Number 5, December 2010
Enhancing E-mail Security by CAPTCHA based Image Grid Master
Password
Nitin*, Amanpreet Singh Arora, Aditya Patel, Radhika Medury, Shubhrangshu Naval, Rajat
Gupta and Srishti Sarin
*College of Information Science and Technology, Department of Computer Science,
Peter Kiewit Institute, University of Nebraska at Omaha, 1110 South 67th Street Omaha,
Nebraska 68182-0116, United States
E-mail: [email protected]
Jaypee University of Information Technology, Waknaghat, Solan-173234,
Himachal Pradesh, India
E-mails: {aditya187,amanpreetsarora, radhikamedury, shubh.naval, juitrajat,
srishti.sarin}@gmail.com doi:10.4156/ijact.vol2. issue5.10
Abstract Identity theft, privacy invasion, loss of key information is the major reasons for which E-mail
security is breached these days. Hence, it is very essential that effective security prevention measures
are taken. This paper, proposes many such hacking prevention measures with approaches to recover a
hacked account. It also puts forward a novel CAPTCHA (Completely Automated Public Turing Test to
tell Computers and Humans Apart) based mechanism, which can protect the crucial information even
if the account is hacked.
Keywords: CAPTCHA, E-mail Security, Image Grid Algorithm, Grid Generation Algorithm
1. Introduction and Motivation
In this day and age, e-mails are one the most extensively used modes of communication. People
access e-mails for personal and professional uses. In both the cases there is vital information that is
being sent and received. With the advent of e-Commerce, there is also a risk of losing money by e-mail
fraud. E-mail account can be hacked by various means. Most widely used techniques are Keylogger
software and a phishing page.
Keylogger software pursues keys struck on a keyboard typically in a stealthy manner so that the
person using the keyboard remains unaware that his actions are being monitored. Password is guessed
by analyzing the recorded key strokes. It is mostly used on a public computer. Whereas a phishing page
is a fake page looking like a website‟s login page. A user is allured to enter his username and password.
Once the details are entered they are sent directly to the hacker. Hence, it is very necessary to take
proper measures to make e-mail communication as secure as possible.
We put forward the concept of an easy to remember image based Master Password, which will be
used to generate a collage CAPTCHA thus making it safe from automated bots and humans. This
master password is actually an image uploaded by the user, which will be presented as a collage
CAPTCHA whenever required. A user will have to select his particular uploaded image i.e. the master
password from the set of given images. If a wrong guess is made, the collage is generated again with
changed image positions. There is a limit to maximum number of wrong attempts.
Growing number of e-mail accounts being hacked and absence of any sound mechanism to recover
the hacked account motivated us to look for alternative ways. Hence, we propose a few suggestions and
the master password mechanism to existing E-mail Service Providers. To make it effortless for the user
to memorize the password, we make use of an image as the master password.
The rest of the paper is organized as follows: Section 3 and 4 provides suggestions and suggested
methods and Section 5 and 6 provides Image Mining and Image Grid algorithms followed by Grid
Generation Algorithm explained in Section 7 and supported by user survey explained in Section 8
followed by Conclusion and References.
- 89 -
Enhancing E-mail Security by CAPTCHA based Image Grid Master Password
Nitin, Amanpreet Singh Arora, Aditya Patel, Radhika Medury, Shubhrangshu Naval, Rajat Gupta and Srishti Sarin
Figure 1. Initial password recovery form in Gmail. It asks for various problems and leads the user
accordingly.
Figure 2. Password recovery form in Windows‟ Hotmail.
2. Literature Survey
A study of various research papers was done on CAPTCHAs [1-12], e-mail security, computer
networks, image mining and image segmentation. Starting with the papers and study material on
computer networks and e-mail security, a study of latest security mechanisms employed by major
e-mail service providers (ESPs) was done. We also logged onto major e-mail services like Yahoo,
Gmail and MSN. Various loopholes were found in their password recovery systems. Presented below
(Figure 1-6) are the screenshots of Gmail, Hotmail and Yahoo Mail; these were studied as part of the
literature survey to discover the ubiquitous but overlooked flaws in the existing system.
A case study has been done to recover a lost password on Yahoo Mail. Few flaws were found in the
existing system and to overcome these flaws finally the Master Password Mechanism is suggested by
us. Beginning with Figure 3, it shows the Yahoo page when the user clicks on the Forgot My
Password/ID/Cannot Login link. This figure demonstrates the various ways in which to begin the
password recovery process. Next to follow is Figure 4, wherein the user is asked to enter the secondary
e-mail address. This part of the password recovery process has a flaw that in case the hacker changes
the secondary e-mail address of the user, will not be able to retrieve his password. Figure 5 follows
with security question. Here also the same problem (as discussed with previous figure) might occur that
the hacker may change user‟s security question as well. If in case user enters the information asked in
Figure 4 and Figure 5 correctly then password can finally be renewed as shown in Figure 6.
- 90 -
International Journal of Advancements in Computing Technology
Volume 2, Number 5, December 2010
Figure 3. Initial password recovery form in Yahoo. It asks for various problems and leads the user
accordingly.
Figure 4. An alternative e-mail address is asked for password recovery. This step is not useful in case
user‟s secondary e-mail ID is changed by the hacker.
Figure 5. A security question is asked for password recovery. This step is not useful in case user‟s
security question is changed by the hacker or the user forgets the answers.
- 91 -
Enhancing E-mail Security by CAPTCHA based Image Grid Master Password
Nitin, Amanpreet Singh Arora, Aditya Patel, Radhika Medury, Shubhrangshu Naval, Rajat Gupta and Srishti Sarin
Figure 6. The final step where the password is changed.
Subsequently, we have studied about CAPTCHAs in which a reverse Turing test is used to thwart
the automated bot attacks to crack the passwords. CAPTCHA is basically a type of challenge-
response test used in computing to ensure that the response is not generated by a computer [11]. The
most common form of CAPTCHAs are randomly generated images containing codes that are to be
manually entered. A machine cannot decode the intentionally distorted letters and numbers. Also we
have suggested a CAPTCHA based master password.
To create the Master Password, we have used image mining and image segmentation algorithms.
Image mining, a broader view of data mining technique can help us find meaningful relationship
among various images generated by the image mining algorithm [2]. It is more than just an extension
of data mining to image domain as it requires expertise in computer vision, image processing, image
retrieval, data-mining, machine learning, database, and artificial intelligence for perfect retrieval.
Image mining is rapidly gaining attention among researchers in the field of data mining, information
retrieval and multimedia databases because of its potential in discovering useful image patterns that
may push the various research fields to new frontiers.
According to the image mining technique given in the research paper, various image
descriptors/region descriptors can be assigned to an individual image after successfully mining through
Figure 7. A screenshot taken from www.gmail.com showing the record of last 5 IP addresses from
where the account was last accessed. It also shows the time details.
- 92 -
International Journal of Advancements in Computing Technology
Volume 2, Number 5, December 2010
Figure 8. This figure explains the proposed way in which Master Password could be implemented.
Here Master Password is used to open a locked folder.
the segmentation algorithm. These region descriptors are very useful in finding different types of
images from a large database [4]. A way of image mining is to rely on the automatic/semi-automatic
analysis of image content and to do the mining on the generated descriptors. For example, color,
texture, shape and size can be determined automatically. Objects in an image can be determined by the
similarity of those attributes.
After getting a collection of images from image mining algorithm, the task to be done is to choose
the relevant images that are necessary for that particular application. This is known as the Refinement
Process. It uses the concept of Association Rule Mining technique of databases. For example, the
support and confidence parameters can be used here for getting the relevant images.
The image form of password is easy to remember than the usual textual passwords. Images also
have more scope than text in real world entity as it is said that “A picture is worth a thousand words”,
therefore, mining images for the purpose of having different combinations of master password would
definitely increase the complexity of cracking the password and therefore, fulfilling the aim of the
research paper.
3. Suggestions for E-mail Service Providers
3.1. Safety Measure Prior to Account being Hacked
E-mail Service Providers (ESPs) maintain a record of the IP address accessing the e-mail account. It
can be done at the time of creation of the account that user is asked a question (given below) “From
where do you access this account?”
1. Home/Office
2. Public Place (Internet Cafe)
3. Both
If the answer to the above question is „a‟ i.e. the account is used from home/office then there must
be a fixed IP address of these places provided to user by the ISPs (Internet Service Providers). Hence
those particular IP addresses are recorded in the database. In case the account is being opened
consistently from a new IP address then the user is alerted by a message and is authenticated by
answering a security question or entering the master password.
If the answer to the above question is „b‟ then user is not warned at all even if many different IP
addresses are accessing the account. He‟s advised to uncheck the „stay signed in‟ checkbox while
logging in and logout from the account when done. Timed auto logout feature can also be used in
- 93 -
Enhancing E-mail Security by CAPTCHA based Image Grid Master Password
Nitin, Amanpreet Singh Arora, Aditya Patel, Radhika Medury, Shubhrangshu Naval, Rajat Gupta and Srishti Sarin
which user is automatically logged out from the session after a certain amount of time. If the answer
selected is „c‟ i.e. both, then also the procedure as explained in option „b‟ shall be followed. Another
safety measure could be to lock the folders/labels prevalent today in most of the e-mail services.
Locking shall be done by the master password.
3.2. How to Retrieve an Account after it is Hacked?
There are following existing ways to recover a hacked account:
1. Secondary E-mail ID: An e-mail having the information about „how to reset your password‟ is
sent to user‟s secondary e-mail id.
2. Security Question: User can answer the security questions filled by him while creating the
account in order to retrieve his password.
Mobile Phone: User‟s new password is sent as an SMS to the mobile number mentioned in user‟s
account.
3. However, all the above three details can be changed by the hacker; hence user cannot recover his
account by merely adhering to above-mentioned ways.
4. Proposed Mechanism
4.1. Understanding a CAPTCHA
A CAPTCHA [7,11] is a program that protects websites against bots by generating and grading tests
that humans can pass but current computer programs cannot. It is imperative these days to thwart any
brute force attack launched by automated bots to prevent e-mail account.
We have clubbed a CAPTCHA along with a password known as „Master Password‟. This Master
Password is actually an image uploaded by the user. With the help of 2 algorithms we create a collage
CAPTCHA, containing the master password. A user will be presented this CAPTCHA to recover a
hacked account, to reset password or to view the contents of any locked folder.
- 94 -
International Journal of Advancements in Computing Technology
Volume 2, Number 5, December 2010
1. Our suggested method uses an Image-Mining algorithm along with a Image Grid Algorithm.
Here‟s the whole process in short is explained:
2. User uploads any 1 personal picture, specially of any object/pet. This image is the Master
Password.
3. Image Mining Algorithm looks for similar (not exact) images and generates a pool of images.
4. Image Grid Algorithm makes a collage of these images. It will be a grid of say, 4 x 4 images
consisting of 1 actual image uploaded by the user and 15 similar images from the image pool,
which is generated by the Image mining algorithm.
5. This grid of images (Collage CAPTCHA) will be used to ask for the Master Password
whenever it is required.
6. Master Password can be used to lock the folders or to recover a lost account.
5. Image Mining Algorithm
5.1. Segmentation
Image segmentation is an initial and vital step in a series of processes aimed at overall image
understanding. The image is segmented into various regions. The purpose of segmentation is to
partition an image into meaningful regions with respect to a particular application. Here we segment
images into regions identifiable by region descriptors. The segmentation is based on measurements
taken from the image and might be greylevel, color, texture, depth or motion.
5.2. Searching Images based on various Region Descriptors
According to the varied regions of the above mentioned image, we tend to find the related object
images which are similar to it. Compare objects in one image to objects in every other image. In this
algorithm we propose to find the images which are having the same objects as that of our segmented
image.
5.3. Refining the Search Operation
Based on the main region descriptor, we tend to make our search more specific by eliminating all
the images found so far that are not associated with it with the help of some associations rule in data
mining.
Explanation of flowchart- The first step is to select an image for segmentation. The image which is
uploaded as a master password is used as the input to the segmentation algorithm. Here we have
uploaded a cat image as the master password (Refer Figure 9: highlighted using red box). This image is
used for segmentation.
Now, we segment the image into various region descriptors i.e R1,R2….Rn where Ri is the ith
region descriptor. Let us assume that the cat‟s face is described by resgion descriptor R2 (main region
descriptor) and other portions of image like background and cat‟s remaining body by R1 and R3
respectively.
Now, we search for the different type of images based on these region descriptors from a centralized
database having collection of different types of images. This would result with a collection of different
types of images.
Now, based on our main region descriptor i.e R2 (cat‟s face), we further refine our search by the
help of association rule data mining technique to obtain different cat images.
Here, we have assumed that after refinement is over, we will be getting around 16 images that are
relevant to the main image (Master Password). Now, These images are used as the input to the Grid
making algorithm [2].
6. Image Grid Algorithm
- 95 -
Enhancing E-mail Security by CAPTCHA based Image Grid Master Password
Nitin, Amanpreet Singh Arora, Aditya Patel, Radhika Medury, Shubhrangshu Naval, Rajat Gupta and Srishti Sarin
1. Set a Static Image Grid: We intend to create a grid of images, say of 6 images out of the images
collected using the image mining algorithm previously explained. These images need to be cropped to
a maximum height and width of 500 pixels, say.
2. Leave Margins so as to wrap the Images Nicely: Place a bit of margin on the right and bottom
edges to add a bit of whitespace.
3. Align the Photographs: Image grids look best when the photographs are both vertically and
horizontally centered.
4. Adding the Slider: To set up the slider, by adding some JavaScript.
7. Grid Generation Algorithm
var i, j, counter=0;
var a[4][4];
//selecting 16 random images from the set of 5000 images
for(i=0; i<4;i++)
{
for(j=0; j<4;j++)
a[i][j] = rand(0,4999);
}
im = rand(0,15);
$_SESSION['mpwd'] = md5($im);
//Code for generating the image grid
var counter = 0;
for(i=0; i<4;i++)
{
for(j=0;j<4;j++)
{
if(counter = = im)
{
//display the master password image of the user stored by him at the time of registration
counter++;
}
else
{
//display the random images previously determined
counter++;
}
}
}
The algorithm was implemented using PHP. It makes use of mt_rand() function to extract random
images from a pool of 5000 images which were previously generated by the image mining algorithm.
Here, randomly 16 images are selected which constitute the image grid. User‟s master password is also
assigned a random location and is encrypted by md5() hashing algorithm. This encrypted location of
user‟s password is stored in a session variable which is later used to check the correct answer.
- 96 -
International Journal of Advancements in Computing Technology
Volume 2, Number 5, December 2010
Figure 9. A sample 4 x 4 collage. It is formed from the image pool generated by the master password
image of the user. 2 Algorithms were used. Each time the page is a refreshed image changes their
position.
8. User Survey
A user survey was conducted to test the ease and feasibility of this technique. The technique was
implemented using PHP and was hosted over intranet on our webpage. A test pool of 1000 images was
created to randomly generate the image grid. On every page refresh set of 16 new images was
displayed out of which 1 was user‟s own master password image. Selected users were sent invitations
to participate in the survey. The registered users chose the right answer with 90% accuracy in first
attempt and with 95% accuracy in second attempt. Along with this a poll was posted over the webpage,
in which around 83% of the users found this better than the text based CAPTCHAs. Also, a certain set
of users were asked to crack the password without knowing the answer to check for the security of the
technique. On an average, 89% of the people could not guess the answer. They tried refreshing the
page and look for a common image to guess the answer but few images repeated themselves, thus
making the guess work difficult. To further improve the efficiency of this method, a larger grid could
be deployed.
9. Conclusion
E-mail security can be enhanced by following the suggestions mentioned in the paper. Clubbing of
CAPTCHA with password saves time and effort, increases the ease of use and is decently effective in
thwarting both human intrusion and bot attacks. If the proposed mechanism is incorporated by existing
e-mail service providers then security would be greatly enhanced. This will also build a confidence in
novice users, business professionals and administrators who store key information in their e-mail
accounts. Hence, an efficient way to protect and recover hacked e-mail account is put forth. Future
holds great possibilities only if cyber crime is checked by augmenting internet security.
10. References
[1] R. Gossweiler, M. Kamvar and S. Baluja, What‟s Up CAPTCHA? A CAPTCHA Based on Image
Orientation, In Proceedings of the 18th international conference on WWW, pp. 841-850, 2009.
[2] C. Ordonez and E. Omiecinski, Image Mining: A New Approach for Data Mining, Georgia
Institute of Technology, CC Technical Report; GIT-CC-98-12, pp.1-22, 1998.
- 97 -
Enhancing E-mail Security by CAPTCHA based Image Grid Master Password
Nitin, Amanpreet Singh Arora, Aditya Patel, Radhika Medury, Shubhrangshu Naval, Rajat Gupta and Srishti Sarin
[3] W. Hsu, M.L. Lee and J. Zhang, Image Mining: Trends and Developments, Journal of Intelligent
Information Systems 19(1), pp. 7-23, 2002.
[4] P. Stanchev, Using Image Mining for Image Retrieval, In Proceedings of the IASTED conference
on Computer Science and Technology, pp. 214-218, 2003.
[5] S. Yardi, N. Feamster and A. Bruckman, Photo-Based Authentication Using Social Networks, In
Proceedings of the 1st Workshop on Online Social Networks, pp.55-60, 2008
[6] Y. Rui and Z. Liu, Excuse Me, But Are You Human?,In Proceedings of the 11th ACM
International Conference on Multimedia, pp. 462-463, 2003.
[7] L. Ahn, M. Blum, N.J. Hopper, and J. Langford, CAPTCHA: Telling humans and computers
apart, In Advances in Cryptology: Lecture Notes in Computer Science, pp. 294-311, 2003.
[8] R. Agrawal, T. Imielinski, and A. Swami, Mining Association Rules between Sets of Items in
Large Databases, In Proceedings of the ACM SIGMOD International Conference on Management
of Data, pp. 207-216, 1993.
[9] S. Belongie, C. Carson, H. Greenspan, and J. Malik, Recognition of Images in Large Databases
using a Learning Framework, Technical Report TR 97-939, U.C. Berkeley, CS Division, pp. 1-8,
1997.
[10] L. Ahn, M. Blum, N.J. Hopper and J. Langford, CAPTCHA: Using Hard AI Problems for
Security, Proceedings of International Conference on the Theory and Applications of
Cryptographic Techniques, pp. 294, 2003.
[11] L. Ahn, M. Blum and J. Langford, Telling Humans and Computer Apart Automatically,
Communications of ACM 47, pp. 56-60, 2004.
[12] S. Li and H.Y. Shum, Secure Human-Computer Identification (Interface) Systems against
Peeping Attacks (SecHCI): A Survey, Technical Report, pp.1-53, 2003.
- 98 -