
Procedia Computer Science 45 (2015) 418 - 427

International Conference on Advanced Computing Technologies and Applications (ICACTA-2015)

Securing Text & Image Password Using the Combinations of Persuasive Cued Click Points with Improved Advanced Encryption Standard

Smita Chaturvedi^a, Rekha Sharma^b,*

^a ME Student, Computer Engineering, Kandivali (W), Mumbai, 400067, India
^b Associate Professor, HOD Computer Engineering, Borivali, Mumbai, India

Abstract

Security is a main concern for any application; the aim is to protect the system from illegitimate users. An online library system is taken as the case study, and two-way authentication is applied to it: the data is protected by both a text password and a graphical password. The graphical password scheme used is Persuasive Cued Click Points (PCCP). The Improved Advanced Encryption Standard (IAES) algorithm is applied to both the text and the graphical password to provide better security, so the system provides two-step authentication together with encryption. In IAES, a randomly generated key, called the salt, is added to the AES key, which increases the number of combinations an attack has to try. Even if the database is compromised, the attacker cannot obtain the actual text password or the click points of the graphical password. The user is given three (3) click points: after a click on the first area the image expands for the next click, and so on up to the third click point. Dictionary attack is removed totally.

© 2015 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).

Peer-review under responsibility of scientific committee of International Conference on Advanced Computing Technologies and Applications (ICACTA-2015).

Keywords: Attack; Authentication; Graphical Passwords; Improved Advanced Encryption Standard; Knowledge Based Authentication; Persuasive Cued Click Points; Usable Security

* Corresponding author. Tel.: +7738700790; E-mail address: smitachaturvedi90@gmail.com

1877-0509 © 2015 The Authors. Published by Elsevier B.V.

doi:10.1016/j.procs.2015.03.172

1. Introduction

Nowadays, business, government and academic organizations invest large amounts of money, time and computer memory in information security. Online password guessing attacks have been known since the early days of the internet, yet there is little academic literature on techniques for preventing them. Authentication plays a major role in the digital environment. For authentication, a graphical password technique is used. The graphical password technique was developed by Blonder in 1996. The purpose of this system is to increase the security space and to avoid the weaknesses of conventional passwords. Many things are "well known" about passwords, such as that users cannot remember strong passwords and that the passwords they can remember are easy to guess.

Figure 1 shows the flow of the system under the PCCP and IAES technique; five steps complete the process. The first step is Enter User ID: the user enters his/her email ID to enter the system. The second step is Enter the Text Password, in which the user enters the text password. The third step is Select Images for Password: the system provides two sources for the password images, system images and server images, so the user can choose images from his/her own system or from the server. Users who are more comfortable with their own system's images can choose those, which makes it difficult for an attacker to learn which images the user selected. The fourth step is Click on Images: the user clicks at any three positions on the selected images. The fifth and last step is Authenticated Successfully: the user has to click three parts of the images at the same positions he/she clicked at registration. If the login click points match the registration click points, the system displays "Authenticated Successfully".

Fig. 1. Flow of the System

2. Background

A graphical password is a substitute for a text password. The graphical password was developed by Blonder in 1996. In Blonder's words, a graphical password arrangement displays a predetermined graphical image and requires a user to "touch" predetermined areas of the image in a predetermined sequence, as a means of entering a password. The main purpose of this method is to reduce guessing attacks and to encourage users to select more complex and more random passwords that are difficult to guess. Graphical password schemes are knowledge-based authentication schemes. Text passwords are difficult to remember, and a text password that is easy to remember is easily cracked; if the password is hard to guess, it is hard to remember. The following are the graphical password techniques.

2.1. Pass Points (PP), Cued Click Points (CCP), Persuasive Cued Click Points (PCCP)

PassPoints [1] is a new and more secure graphical password system. In PassPoints, the user is presented with a predetermined picture and has to select one or more predetermined positions on it in a particular order to authenticate and access the online library system's resources. The click-points on the image are used as the password for user authentication, so the user has to remember the position and order of the click-points. The user's click-points are not stored as such, but as an IAES-encrypted value. For correct validation a discretization square is used, which is the tolerance area around the original click-point. Because the scheme is very simple, it can be attacked very easily. In PassPoints, a password consists of a sequence of click-points on a given image, and users may select any area of the image as click-points for their password.

CCP uses one click-point on each of five different images instead of five click-points on one image [2]. The next image displayed depends on the location of the previously selected click-point, which creates a path through an image set. A new password with different click-points changes the sequence of images. One of the best features of Cued Click Points is that the user learns whether authentication is valid only at the end, after the final click-point, which protects against incremental guessing attacks.

The Cued Click Points method uses a series of images for creating a click-point password. The location of the click-point on the previous image decides which image is shown next. It offers cued recall and introduces visual cues that immediately alert valid users if they have made a mistake; otherwise the user gets the next correct image. Once users are experienced with click-point passwords, they can easily recognize a wrong click by looking at the following image. In this scheme the user is also free to select the graphical password without interference from the system, so attackers can easily guess the hotspots, the areas where most users tend to click. If the hacker [2] succeeds in guessing the hotspots in the images, the hacker can log in to the system easily.

An authentication system that uses Persuasive Technology should guide and encourage users to select stronger passwords, but not impose system-generated passwords [6]. Persuasive Technology [2] is used to motivate and influence people to behave in a desired manner. Even though the users are guided, the resulting passwords must be memorable. This persuasion makes the password stronger by avoiding the hotspots in almost all cases; without system guidance, most users click on the hotspot in each image. In this method the system leads the user to select more random clicks while maintaining memorability. When the image is displayed, only a randomly selected block, called the viewport, is clearly visible. All other parts of the image are not clearly visible, so the user can click only inside the viewport, anywhere within it. The position of the viewport can be changed with the Shuffle button. There is a limit on the number of times the shuffle option can be used. While users may shuffle as often as they want, this considerably slows password creation. The viewport [1] and Shuffle button appear only during password creation. Figure 2 shows the user interface of PCCP with IAES. During later password entry, the images are displayed normally, without shading or the viewport, and users may click any area of the images. Recall studies of the PCCP approach showed that graphical passwords are remembered much better than text-based passwords.

3. Modules of PCCP & AES

Figure 3 shows the system architecture of PCCP & IAES. There are five modules, and on completing all five the user can successfully enter the system to access the data.

Fig. 2. User Interface for PCCPIAES (Online Library System)

Registration Process: in this module users register themselves to enter the system. Picture Selection Process: in this module the user selects from the images presented; images can be selected from the user's own system as well as from the server. After selecting the images, the user clicks at any three positions to register. System Login Process: after successful registration the user logs in to the system by entering his/her text password and image password. IAES Encryption: IAES encryption is applied to the text password as well as the image password, so that the user's data is stored securely in the database. Final Registration Process: this process is the combination of all four preceding steps; once all four processes have completed successfully, the Final Registration Process is complete.

4. Persuasive Cued Click Points with Improved Advanced Encryption Standard (PCCP with IAES)

The IAES algorithm is applied to the click-points to remove the shoulder surfing attack and to secure the click-points of the user's password. In the PCCP technique a user click is taken as input. From the position of the user's click, the image is divided into 16 parts, each of which is called a grid. The user is prompted to click in one of the 16 available grids. The same process is repeated two more times, until the user has entered three clicks in total.

The system provides only three click-points so that logging in does not take much time. After selecting an image, the user can upload it for further processing. Images can be selected from two places, system images or server-side images. Since users are more comfortable with their own system images, they can select images of their choice.

PCCPIAES is much easier and less time-consuming at login than during registration. PCCP can show three different images sequentially as the user clicks. The coordinates recognized after a click on an image are used to fetch the details associated with those coordinates. The Advanced Encryption Standard algorithm is applied to the data fetched for the correlated images, and the encrypted data is stored in the database for authentication. The PCCPIAES technique has the following phases.

1. Create phase: Create a text password as well as a graphical password by entering the text and clicking on three points on the image.

2. Confirm phase: The user confirms the password by re-entering it correctly. A new password can be created with the earlier images or with a new image, depending on the click-points.

3. Ten questions: The user answers ten 10-point Likert-scale questions about the current password, covering ease of creation and predicted memorability.

4. Login phase: The user logs in with the current password. A user who has forgotten the password can choose a new image from the server or from the system.

By using the combination of all these four phases a graphical password can be successfully created.

Fig. 3. System Architecture of PCCP and IAES

Figure 4 shows the flowchart of Improved AES. A total of 9 rounds are shown, as the system uses a 128-bit key and plain text. The salt key is used to increase the number of password combinations. In the first step the plain text and the salt key are concatenated; the new plain text is then XORed with the key over the total of 9 rounds, and at the end the cipher text is generated as the result. On the decryption side the process runs in exactly the reverse order.

4.1. Persuasive Cued Click Points

Persuasive technology applied by an authentication system guides and encourages users to select strong passwords but does not enforce system-generated passwords. To be effective, the persuasive elements must not be ignored by users, and the resulting passwords must be memorable. PCCP leads users to select a strong password by making the choice of a weak password more tedious and time-consuming. Persuasive Technology was developed by Fogg [4] as the use of technology to inspire and influence people to behave in a desired manner.

The path of least resistance for users is to select a stronger password. The formation of hotspots across users is minimized since click-points are more randomly distributed. PCCP achieves this by guiding the user to generate a strong password.

4.2. Improved Advanced Encryption Standard

Cryptography is defined as the science of analyzing and deciphering codes, also known as the "act of writing in code or cipher, i.e. secret data" [16][17]. Encryption is the process of transforming plain text into cipher text so that only a legitimate user can recover the meaning of the encrypted data. AES is one of the most successful and strongest encryption algorithms.

The concept of a salt key is used with AES to improve the performance of encryption and decryption. AES uses symmetric key cryptography, in which the same key is used for both encryption and decryption [15][19]. The AES key is 128, 192 or 256 bits, with 10, 12 or 14 rounds respectively. The size of the key is also the same as the size of the data in AES. In this system AES with 128 bits is used, with the improved features of AES. To enhance AES, a salt key is added to the AES key, so the number of possible password combinations increases. For example: Data Size: 128 bits, Key Size: 128 bits, Salt Key: 8 bits. The number of combinations for AES was 2^128, and after adding the salt key it is 2^(128 + salt key). This shows that, with the salt key added, AES becomes the Improved AES. IAES is used to encrypt the text passwords as well as the graphical passwords of the users.

A salt key is used in Improved AES. A salt is random data that is used as an additional input to a one-way function that hashes a password. The primary function of a salt is to defend against dictionary attacks on a list of password hashes and against pre-computed rainbow table attacks. A new salt is randomly generated for each password [18], [19]. Typically, the salt and the password are concatenated and processed with a cryptographic hash function, and the resulting output is stored with the salt in a database. Hashing allows for later authentication while defending against compromise of the plaintext password in the event that the database is somehow compromised.
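An added example (not the authors' code) of the salted one-way storage described above, applied to the three click-points and the tolerance squares from section 2.1. It uses centered discretization and PBKDF2-HMAC-SHA256 from the Python standard library rather than the paper's IAES; the tolerance, salt length, iteration count and record layout are assumptions.

```python
import hashlib
import hmac
import secrets

TOLERANCE = 9                 # assumed: pixels accepted either side of the original click
SEGMENT = 2 * TOLERANCE + 1   # side of the tolerance square, in pixels
ITERATIONS = 200_000          # assumed PBKDF2 work factor
CLICKS = 3                    # the paper's scheme uses three click-points


def _segment(value, offset=None):
    """Return (segment index, offset) for one pixel coordinate.

    At registration (offset is None) the offset is chosen so that the click
    lies in the centre of its segment; at login the stored offset is reused.
    """
    if offset is None:
        offset = (value - TOLERANCE) % SEGMENT
    return (value - offset) // SEGMENT, offset


def _digest(salt, squares):
    """Salted one-way digest of the ordered list of tolerance squares."""
    encoded = ";".join(f"{ix},{iy}" for ix, iy in squares).encode()
    return hashlib.pbkdf2_hmac("sha256", encoded, salt, ITERATIONS)


def register(points):
    """Build the database record for an ordered list of (x, y) clicks."""
    if len(points) != CLICKS:
        raise ValueError("exactly three click-points are required")
    salt = secrets.token_bytes(16)        # new random salt for each password
    squares, offsets = [], []
    for x, y in points:
        (ix, dx), (iy, dy) = _segment(x), _segment(y)
        squares.append((ix, iy))
        offsets.append((dx, dy))
    # Only salt, offsets and digest are stored; the coordinates are not.
    return {"salt": salt, "offsets": offsets, "digest": _digest(salt, squares)}


def verify(record, points):
    """True if every login click falls in the enrolled tolerance square."""
    if len(points) != CLICKS:
        return False
    squares = [
        (_segment(x, dx)[0], _segment(y, dy)[0])
        for (x, y), (dx, dy) in zip(points, record["offsets"])
    ]
    candidate = _digest(record["salt"], squares)
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    enrolled = [(120, 85), (300, 210), (47, 399)]   # constructed sample clicks
    record = register(enrolled)
    near = [(x + 7, y - 9) for x, y in enrolled]     # inside the tolerance
    far = [(x + 10, y) for x, y in enrolled]         # one pixel outside it
    print("exact :", verify(record, enrolled))
    print("near  :", verify(record, near))
    print("far   :", verify(record, far))
    print("order :", verify(record, enrolled[::-1]))
```

The offsets are stored in the clear: they fix where the square boundaries lie, not which square was clicked.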

4.3. Hotspot

Hotspots are areas of the image that have a higher probability of being selected by users as password click-points. Users are also likely to select their click-points in predictable patterns [5], [2] (e.g., straight lines), which can also be exploited by attackers even without knowledge of the background image; purely automated attacks against PassPoints based on image processing techniques and spatial patterns are a threat [2].

Specifically, when users create a password, the images are slightly shaded except for a viewport (see Figure 2). The viewport and Shuffle button are visible only while a password is being created. During password entry, the images are displayed normally, without shading or the viewport, and the user may click any area of the images. During creation the user must select a click-point within the highlighted viewport and cannot click outside it; otherwise, the user can press the Shuffle button to randomly change the position of the viewport. While users may shuffle as often as required, doing so consistently slows down the password creation process.

Figure 4 shows the range of possible attacks with AES and IAES. The key size in AES is 128 bits, so there are 2^128 possible combinations, which a calculator gives as 3.402823669209384634633743177e+38. For Improved AES the number is 2^(128 + 8); the 8 bits here are used as a random key for randomly generating the password, which can secure the user's password even if the password is compromised by an attacker. The number of combinations is 2^136 = 8.7112285931760246646623899502533e+40. Because these values are very large, they could not be shown graphically, so only two digits of the AES and IAES combinations are shown. The graph shows the possible chances of attack on AES and IAES: the number of attempts required for AES is less than for IAES.

5. Lab Study

The lab study was conducted with undergraduate engineering college students. A total of thirty (30) students were present for the lab study. Before registration the students were told to imagine that the system was the login for their bank account, although the system is actually designed for the online library system. The study was performed on 31 high-resolution images; high-resolution images were used because the image expands after every click by the user. The study of the PCCPIAES graphical password technique ran for one week. The students registered with the PCCPIAES system and were called back after a week to log in. Some of them logged in successfully at the first trial, while others required 2-3 trials.

Fig. 6 shows the run-time calculation for PCCP, PCCP with AES and PCCP with Improved AES. The time taken by the PCCP technique is less than that of PCCP with AES, and the time taken by PCCP with AES is more than that of PCCP with Improved AES. As figure 6 shows, there is only a minor difference between PCCP with AES and PCCP with Improved AES, but the complexity is increased, which means it is difficult for the attacker to try the many combinations needed for an attack. The time required by PCCP is less than that of the other techniques, but the chances of attack are higher on PCCP passwords. Likewise there are more chances of attacks on the PCCP with IAES as the 2A 0 combinations are increased. In figure 6 three different results are generated for three different configurations. The configurations are as follows:

Configuration 1: Intel® Core i5-2450M CPU @ 2.50 GHz, RAM 4 GB, 64-bit Operating System.
Configuration 2: AMD C-60 APU 1.00 GHz, RAM 2 GB, 32-bit Operating System.
Configuration 3: Intel P4 CPU @ 2.80 GHz, RAM 1 GB, 32-bit Operating System.

Fig. 4. Flowchart of Improved AES

Fig. 5. Possible Combinations of Attacks (chart "Range of Possible Attacks"; x-axis: Types of Encryption Techniques; y-axis: Possible combinations of attack; values: AES 3.4, Improved AES (AES with SALT) 8.7)

6. Attacks

An attack can be defined as accessing information by illegitimate means. The result can compromise the Availability, Confidentiality or Integrity of the resources; this so-called CIA triad is the basis of information security. An attack is active when it attempts to alter system resources or affect their operation, so it compromises Integrity or Availability. A "passive attack" attempts to learn or make use of information from the system but does not affect system resources, so it compromises Confidentiality.

Fig. 6. PCCP with IAES Run Time Calculation (Configuration 1, 2 & 3) (chart "Execution Time of Three Techniques")

The attacks that can harm the user's password data include dictionary attacks, guessing attacks, capture attacks and shoulder surfing attacks. Some software is used to capture the user's secret data: key loggers, mouse loggers and screen scrapers, which can send captured data remotely or otherwise make it available to an attacker.

7. Results & Discussions

From the results collected, it is observed that with Persuasive Cued Click Points with Advanced Encryption Standard (PCCPIAES) the registration process takes more time. But once registration is complete and the user has logged in to the system two or three times, entering the system takes less time.

Because the system requires only three clicks, the login process can take less time. Users who are not very familiar with computer systems may need more time to log in. Figure 7 shows the comparison between three (3) graphical password techniques. Three parameters are used: Create time, Login time and Confirm time of the PCCP, PCCPIAES technique. The results above show that PCCPIAES takes less time for creating and confirming the password than for login. The results were generated on the following configuration: Intel® Core i5-2450M CPU @ 2.50 GHz, RAM 4 GB, 64-bit Operating System.

Figures 8 and 9 show the Car and Pool images respectively. Experiments were performed on these images to see which are most often chosen by users as their passwords. The spotted areas of the images in figures 10 and 11 are the areas selected by many users. These areas are called the hotspot areas of the image.

Table 1. Comparisons of PCCP, PCCPAES & PCCPIAES techniques

Method         Create Time (ms)   Login Time (ms)   Confirm Time (ms)
PCCP           50.7               16.2              15.7
PCCP + AES     24.2               22.1              12.4
PCCP + IAES    40.2               15.9              15

Fig. 7. Comparisons of PCCP, PCCPAES & PCCPIAES (x-axis: Methods: PCCP, PCCP+AES, PCCP+IAES)

Fig. 8. The Car Image

Fig. 9. The Pool Image

Fig. 10. Hotspot Area of Car Image

Fig. 11. Hotspot Area of Pool Image

Fig. 12. Images chosen by the Users

In Figure 12 it is also observed that there are some images present on the server as well as in the system which are mostly chosen by the users and some images are there which are not at all chosen by the users.

The chances of attack are higher on the images that are most likely to be selected as users' passwords. Figure 13 shows the result for system versus server images. There are thirty-one (31) server images and seven (7) system images in total. A total of 83 records were collected, in which approximately 66 participants were interested in server images and 17 in system images. The percentage is calculated for the system and server images respectively.

Fig. 13. System Vs. Server Images (chart values: System Images 20.49, Server Images 79.51)

Fig. 14. Plain and Cipher Text of Avalanche Effect (panels: Plain Text, Cipher Text)

The avalanche effect is calculated for AES encryption of the text password. Some text passwords are taken for consideration, and the calculation is shown in figure 14. A minor change in the password causes a drastic change in the cipher text, which makes it difficult for an intruder to guess the password. The avalanche effect is also tested on the key of the PCCP technique: a minor change to the key also changes the cipher text drastically. Thus, through the avalanche effect test on the password as well as the key, we show that intrusion by guessing would be difficult.

The avalanche effect is calculated first with the plain text as input and the cipher text as output, and second with the key as input and the cipher text as output. Figure 15 shows the avalanche effect.

Fig. 15. (a) Avalanche Effect (Plain Text to Cipher Text); (b) Avalanche Effect (Key to Cipher Text)

As figure 15 (a) and (b) show, changing 1, 2 and 3 bits of the plain text changes the cipher text a lot, and changing the key also changes the cipher text. This shows that flipping one or more bits changes the cipher text significantly, and for this reason the attacker has to try more combinations to attack the text password.

8. Conclusions & Future Scope

Adding Improved Advanced Encryption Standard to Persuasive Cued Click Points achieves better results in an authentication system compared with PCCP and the Advanced Encryption Standard.

A graphical authentication scheme is easier for the user to remember. As the user has to choose only one image for authentication, it is easier for the user to remember and difficult for the attacker to attack, because it is difficult for the attacker to see the click-point areas of the image. The complexity of PCCP with IAES is increased, but the number of combinations needed to attack the system also increases.

As future scope, different features can be added to the system; for example, the system could allow users to enter any number of click-points they are comfortable with. The system currently provides two ways for users to select images, so one more option could be provided: using a web cam to capture the user's own pictures at the time of registration.

9. Acknowledgements

We thank the participants of our lab study for their valuable time and feedback. We also thank the reviewers for their worthy feedback.

References

1. Smita Chaturvedi, Rekha Sharma (2014, Aug.). Securing Image Password by Using Persuasive Cued Click Points with AES Algorithm. IJCSIT. [Online]. 5(4), 5210-5215. Available: http://www.iicsit.com/docs/Volume%205/vol5issue04/iicsit2014050486.pdf

2. S. Chiasson, Alain Forget, Robert Biddle, P.C. van Oorschot (July 2007) A Second Look at the Usability of Click-Based Graphical Passwords. [Online] https://cups.cs.cmu.edu/soups/2007/proceedings/pl_chiasson.pdf

3. S. Chiasson, Elizabeth Stobert, Alain Forget, Robert Biddle, and P.C. van Oorschot (Sep. 2011) Influencing Users Towards Better Passwords: Persuasive Cued Click Points [Online] http://cups.cs.cmu.edu/~aforget/Chiasson_HCI2008.pdf.

4. S. Chiasson, A. Forget, E. Stobert, P. van Oorschot, and R. Biddle (Nov. 2012) Multiple password interference in text and click-based graphical passwords. in ACM Computer and Communications Security (CCS) [Online] Available: http://hotsoft.carleton.ca/~estobert/papers/CCS2009_Interference

5. Davis, D., Monrose, F., and Reiter, M.K. On User Choice in Graphical Password Schemes. USENIX Security 2004.

6. Paul C. van Oorschot, Amirali Salehi-Abari, and Julie Thorpe (Sep. 2013) Purely Automated Attacks on PassPoints-Style Graphical Passwords IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 5, NO. 3 Available: http://www.cs.toronto.edu/~abari/papers/IEEE_Attacks_PassPoints_Graphical_Passwords.pdf

7. Sonia Chiasson, Member, IEEE, Elizabeth Stobert, Student Member, IEEE, Alain Forget, Robert Biddle, Member, IEEE, and Paul C. van Oorschot (Mar/ Apr 2012) Persuasive Cued Click-Points: Design, Implementation, and Evaluation of a Knowledge-Based Authentication Mechanism IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 12 Available: http://hotsoft.carleton.ca/~sonia/content/Chiasson_tdsc_pccp_author_copy.pdf

8. P. R. Devale Shrikala M. Deshmukh, Anil B. Pawar. (May 2013) Persuasive Cued Click Points with Click Draw Based Graphical Password Scheme Available: http://www.ijsce.org/attachments/File/v3i2/B1528053213.pdf

9. S. Chiasson, P. van Oorschot, and R. Biddle (Sep 2007) Graphical Password Authentication Using Cued Click Points, Proc. European Symp. Research in Computer Security (ESORICS), pp. 3512-374, Available: http://www.scs.carleton.ca/sites/default/files/tr/TR-07-13.pdf

10. E. Stobert, A. Forget, S. Chiasson, P. van Oorschot, and R. Biddle (2013) Exploring usability effects of increasing security in click-based graphical passwords, in Annual Computer Security Applications Conference (ACSAC) [Online] Available: https://cups.cs.cmu.edu/~aforget/Stobert_ACSAC2010_MPCCP.pdf

11. S. Chiasson, A. Forget, R. Biddle, and P. C. van Oorschot (Dec. 2009) User interface design affects security: Patterns in click-based graphical passwords, International Journal of Information Security, Springer, vol. 11, no. 6, pp. 3117-31211, 2012. [Online] Available: https://cups.cs.cmu.edu/~aforget/Chiasson_IntJInfSecDec2009_Patterns.pdf

12. J. Yan, A. Blackwell, R. Anderson, and A. Grant (Sep. 2000) "The memorability and security of passwords," in Security and Usability: Designing Secure Systems That People Can Use, L. Cranor and S. Garfinkel, Eds. O'Reilly Media, 2005, ch. 7, pp. 1212-142 [Online] Available: http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-500.pdf.

13. S. Chiasson, P. van Oorschot, and R. Biddle (Sep 2007) "Graphical password authentication using Cued Click Points," in European Symposium On Research In Computer Security (ESORICS), LNCS 4734, September 2007, pp. 369-374 [Online] Available: http://link.springer.com/chapter/10.1007%2F978-3-540-74835-9_24

14. L. O'Gorman (Dec. 2003) "Comparing passwords, tokens, and biometrics for user authentication," Proceedings of the IEEE, vol. 121, no. 12, December 2003 [Online] Available: http://www.profsandhu.com/cs6393_sl3/gorman-2003.pdf

15. Hamdan. O. Alanazi, B. B. Zaidan, A. A. Zaidan, Hamid A. Jalab, M. Shabbir and Y. AI-Nabhani (March 2010) "New Comparative Study Between DES, 3DES and AES within Nine Factors", Journal of Computing, Volume 2, Issue 3, March 2010, ISSN 2151-9617. Available: https://sites.google.com/site/journalofcomputing.

16. P.Radhadevi, P. Kalpana, " Secure Image Encryption using AES", P. RADHADEVI* et al, Volume: 1 Issue: 2, ISSN: 2319-1163, page 115-117.

17. http://pic.dhe.ibm.com/infocenter/initiate/v9r5/index.jsp?topic=%2Fcom.ibm.einstall.doc%2Ftopics%2Ft_einstall_GenerateAESkey.html

18. http://en.wikipedia.org/wiki/Salt_%28cryptography%29

19. http://security.stackexchange.com/questions/48000/why-would-you-need-a-salt-for-aes-cbs-when-iv-is-already-randomly-generated