"Bedazzled" Log-in Method Whitepaper
Author: George Hara
(http://www.filematrix.xnet.ro/ideas/whitepapers/login.htm)
Introduction
------------
Using strings of characters as passwords has always been a security issue
because they are hard to remember and can be stolen by key-loggers or
screen-text harvesters. It will still be an issue for personal computers,
but there is another method available for authentication over the Internet
(where are the highest security concerns). This method involves no special
technologies, but simply a new vision on how to bring existing technologies
together. The method is easier to use than text passwords, but it requires,
from the users, the protection of their personal computers (where they need
text-password log-in and encryption), just as they do now.
The "Bedazzled" log-in method uses a (public) user name / ID (for example,
the user's email address) and a number of images, called password images,
for authentication. The images have to be generated (by the authentication
service) during the creation of the account for which the authentication
will be later required. Each image is a small, PNG compressed, bulk of
pixels with random colors. The PNG compression is used because a true-color
image is compressed without losses, with a very high rate. In the case of
random images this doesn't help, but, as you'll read below, in the User
images section, this is the best format.
Each image should contain something like 50 * 50 true-color pixels (24
bits). This means that the total number of combinations of such a random
image is 24 ^ (50 * 50), that is over 10 ^ 3450. Basically, a particular
case is unbreakable through brute force search.
Authentication
--------------
The authentication is the classic method: the user is identified by his user
name, and then he is authenticated by comparing all images specified in the
log-in form, with the images stored on the computer which makes the
authentication. If all images are *identical*, and put in the same order (im
age 1 as password 1, image 2 as password 2...), the user is authenticated.
If they are not identical, the user is rejected.
Implementation
---------------
To make the "Bedazzled" log-in method easy to use, the password images must
be saved on the user's computer, preferably in encrypted files (see file
encryption under WindowsXP, or PGP encrypted drives).
Since the "Bedazzled" log-in method is supposed to be used over Internet, it
is necessary for the user to be able to drag-and-drop each image onto the
browser, in the log-in form. This way, the log-in form has access to the
password images, and can download them to the authentication server when the
user clicks the "Log-in" button.
As you can see, the method is very eay to use, but in order to make it even
easier, the log-in form should display a small file browser which should be
used to navigate to the password images (they should all be in the same
directory, for easy user access). The log-in form should save a cookie on
the user's computer in order to automatically open the file browser at the
same location, the next time the user attempts to authenticate himslef.
User images
------------
There is no need for the images to be random. The user could choose his own
images when he creates an authentication account, being only limited to a
specific file size (like 20 KB / image). He could simply take some images
from his computer and resize them to fit the size limit; the images should
be compressed without loss (preferably in a PNG format), just in case they
are lost but the original bigger images still exist and can be resized again
with the same algorithm (to generate the same password image).
Another method requires a small program which takes a string of characters
typed by the user, and converts them through a hash algorithm into an
apparently random image. This method makes it possible to recreate the
password images if the user remembers the string of characters, without the
need of storing any information.
TEMPEST protection
----------------------
First of all, since the user doesn't need to type anything and the password
images don't need to be displayed, the passwords are protected from TEMPEST
atacks. However, the user may need to navigate through his pictures and
choose the correct password images for each log-in form. This would create a
potential security breach.
The "Bedazzled" log-in method has intrinsic TEMPEST protection to this kind
of breach because when a monitor displays an image, the colors of each pixel
is not displayed exactly as indicated by the bits that make the picture.
Each monitor has its own way of displaying the image. Besides, users always
alter the image by chaging various parameters of the monitor's image:
brightness, contrast, color balance, color temperature, gamma.
On the other end of the TEMPEST technology, the "reader" takes a snapshot of
the image displayed by the monitor. This is like making a scan of a print of
a digital image. Though the resulting image looks similar with the original
for the human eye, the binary picture will be quite different. Actually, the
whole "reading" process makes it impossible to detect those minute details
(= changes in colors) of the original image, details that give to the owner
of the original picture a unique way to authenticate himself.
Another help comes from the fact that when the user navigates through the
images, these are displayed as thumbnails, and thus altered (if the size of
the thumbnail is smaller than the size of the original image).
Last Word
-----------
The "Bedazzled" log-in method makes key-loggers and screen-text harvesters
useless. However, there is still the danger of specially designed viruses
that would look for the password images. The only protection from such
malware I can think of, is for the log-in form to require quite a few
password images, and ask for them (using pictures of the picture order
index) in random order each time the user logs-in.
George Hara
