Captcha as Graphical Passwords - A New Security Primitive Based on Hard AI Problems

Many security primitives are based on hard mathematical problems. Using hard AI problems for security is emerging as an exciting new paradigm, but has been under-explored. In this paper, we present a new security primitive based on hard AI problems, namely, a novel family of graph-ical password systems built on top of Captcha technology, which we call Captcha as graphical passwords (CaRP). CaRP is both a Captcha and a graphical password scheme. CaRP addresses a number of security problems altogether, such as online guessing attacks, relay attacks, and, if combined with dual-view technologies, shoulder-surfing attacks. Notably, a CaRP password can be found only probabilistically by automatic online guessing attacks even if the password is in the search set. CaRP also offers a novel approach to address the well-known image hotspot problem in popular graphical password systems, such as PassPoints, that often leads to weak password choices. CaRP is not a panacea, but it offers reasonable security and usability and appears to fit well with some practical applications for improving online security. INTRODUCTION AFundamental task in security is to create cryptographic primitives based on hard mathematical problems that are computationally intractable. For example, the problemof integer factorization is fundamental to the RSA public-key cryptosystem and the Rabin encryption. The discrete logarithm problem is fundamental to the ElGamal encryption, the DiffieHellman key exchange, the Digital Signature Algorithm, the elliptic curve cryptography and so on.Using hard AI (Artificial Intelligence) problems for security, initially proposed in [17], is an exciting new par-adigm. Under this paradigm, the most notable primitive invented is Captcha, which distinguishes human users from computers by presenting a challenge, i.e., a puzzle, beyondthe capability of computers but easy for humans. Captcha is now a standard Internet security technique to protect online email and other services from being abused by bots. CAPTCHA AS GRAPHICAL PASSWORDS A. A New Way to Thwart Guessing Attacks In a guessing attack, a password guess tested in an International Journal of Emerging Trends in Engineering Research, Vol.3. No.10, Pages : 234-240 (2015) Special Issue of ICACSSE 2015 Held on October 30, 2015 in St. Ann’s College of Engineering & Technology, Chirala, AP, India http://www.warse.org/IJETER/static/pdf/Issue/icacsse2015sp41.pdf