Use this URL to cite or link to this record in EThOS: http://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.564096
Title: Modelling the security of recognition-based graphical password schemes
Author: English, Rosanne
Awarding Body: University of Glasgow
Current Institution: University of Glasgow
Date of Award: 2012
Abstract:
Recognition-based graphical passwords are a suggested alternative authentication mechanism that has received substantial attention in the research literature. The literature often presents new schemes, usability studies, or proposed countermeasures for specific attacks. Whilst this is beneficial, it does not allow for consistent comparison of the security of recognition-based graphical password schemes. This thesis contributes a proposed solution to this problem. Presented in this thesis are models for estimating the number of attacks required before success for four aspects of the security of a recognition-based graphical password scheme: two types of guessing attack and two types of observation attack. These models combine to provide an overall metric of the security of recognition-based graphical password schemes. The attacks to be incorporated into the metric were established by reviewing the literature and establishing the scope and context. The literature review allowed extraction of the variables which represent a recognition-based graphical password scheme. The first aspect examined was that of guessing attacks. The first guessing attack considered was random guessing; the model for this aspect was an adaptation of the frequently reported mathematical model. The second guessing attack was a newly proposed attack which prioritises images from more popular semantic categories, e.g. animals. The model for this attack was constructed as a further adaptation of the random guessing model, based on the success rates for the attack, which were established by simulations incorporating user-selected images. The observability attacks modelled were shoulder surfing and frequency attacks. The observability attack models were constructed by simulating the attacks for a wide range of potential configurations of recognition-based graphical password schemes, and a mathematical model was fitted to the resulting data.
The final metric combined these models and was evaluated against a list of metric requirements established from the relevant literature. The metric results in a consistent, repeatable, and quantitative method for comparing recognition-based graphical password schemes. It can be directly applied to a subset of schemes, allowing their security levels to be compared in a way not previously possible. Also presented are details of how the metric could be extended to incorporate other recognition-based graphical password schemes. The approach detailed also allows the possibility of extension to incorporate different attack types and authentication contexts. The metric allows appropriate selection of a recognition-based scheme and contributes to a detailed analysis of the security aspects of recognition-based graphical passwords.
Supervisor: Not available
Sponsor: Not available
Qualification Name: Thesis (Ph.D.)
Qualification Level: Doctoral
EThOS ID: uk.bl.ethos.564096
DOI: Not available
Keywords: QA75 Electronic computers. Computer science ; QA76 Computer software