User authentication is an important mechanism for accessing different system services. Although the traditional alphanumeric password is still the most widely used authentication mechanism when systems provide services, it easily leads to security problems. T. Pering therefore proposed photographic authentication (PA) to provide a more secure login mechanism, one that also fits the growing prevalence of digital photography. In previous research, its security analysis was based on real human attackers and relatively small photo sets; security against tool-based attacks and in scenarios with a large number of users was not analysed. In this thesis, an automated attack tool is built in order to analyse the security of the photographic authentication system. The attack tool collects the photos that the photographic authentication system has displayed and accumulates the number of times each historical photo has appeared. It then selects the photo that has appeared most often to authenticate with, and repeats this procedure until it can log in successfully. In addition, to interfere with the attack tool's ability to match photos and thereby increase the system's security, a noise technique is applied to the original photos. Furthermore, a simulation tool is designed to analyse the security when a larger number of photos is involved. From the experiments and simulation results in this thesis, the security of the photographic authentication method can be examined clearly.
User authentication is an important mechanism for accessing various services. Although the traditional alphanumeric password is still popular for user authentication, it is vulnerable and easily causes security issues. Therefore, photographic authentication (PA) was proposed by T. Pering et al. to provide a more secure login mechanism. It also fits the increased prevalence of digital photography. The security analysis presented in the previous study is based on real attackers and very small photo sets. In this paper, an automatic attack tool is designed to analyse the security of photographic authentication systematically. The tool collects the displayed photos and matches them against historical ones to accumulate their counts. Then, it selects the photo with the highest count and repeats the process until login succeeds. In order to interfere with the photo matching of such an attack tool and thus enhance security, a noise displacement technique is also used to modify the original photos. Furthermore, a simulation tool is designed to analyse the security of large photo sets. The security of photographic authentication is examined clearly in the experimental and simulation studies presented in this paper.
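The following is an added example, not the paper's own attack or simulation tool, that models the security argument of the abstract: a frequency-based observer that counts how often each displayed image recurs, and the effect of noise displacement on its ability to match images across sessions. The model's parameters (one authentic photo per challenge grid, the pool sizes, grid size, and the representation of a noisy rendering as a token that never matches a previous showing) are assumptions made to keep the simulation self-contained and runnable offline.

```python
import random

# Added example: a constructed toy model of photographic authentication and of
# the frequency-counting observer the abstract describes.  It is not the
# paper's own attack or simulation tool; pool sizes, grid size and the
# "one authentic photo per grid" rule are assumptions for this model.


class PhotoAuthSystem:
    """One authentic photo plus (grid_size - 1) decoys per challenge."""

    def __init__(self, n_authentic, n_decoy, grid_size, noise, rng):
        self.authentic = [("auth", i) for i in range(n_authentic)]
        self.decoys = [("decoy", i) for i in range(n_decoy)]
        self.grid_size = grid_size
        self.noise = noise          # apply noise displacement when rendering?
        self.rng = rng
        self._serial = 0

    def _render(self, photo):
        # Without noise the same photo renders to byte-identical pixels every
        # time, so an observer can match it across sessions (token 0).
        # With noise displacement every rendering differs; modelled here as a
        # fresh serial number, so exact matching never links two showings.
        if self.noise:
            self._serial += 1
            return (photo, self._serial)
        return (photo, 0)

    def challenge(self):
        target = self.rng.choice(self.authentic)
        shown = [target] + self.rng.sample(self.decoys, self.grid_size - 1)
        self.rng.shuffle(shown)
        return [self._render(p) for p in shown]

    @staticmethod
    def verify(rendered):
        # A login succeeds when the selected image is one of the user's photos.
        return rendered[0][0] == "auth"


def frequency_observer(system, max_attempts):
    """Accumulate a count for every displayed image, select the image in the
    current grid with the highest count, and repeat until a login succeeds.
    Returns the attempt number on success, or None after max_attempts."""
    counts = {}
    for attempt in range(1, max_attempts + 1):
        grid = system.challenge()
        for image in grid:
            counts[image] = counts.get(image, 0) + 1
        # highest count wins; ties are broken at random
        pick = max(grid, key=lambda img: (counts[img], system.rng.random()))
        if system.verify(pick):
            return attempt
    return None


def mean_attempts(n_authentic, n_decoy, grid_size, noise, trials=200,
                  max_attempts=500, seed=1):
    """Average number of login attempts needed over independent trials
    (a trial that never succeeds counts as max_attempts)."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        system = PhotoAuthSystem(n_authentic, n_decoy, grid_size, noise, rng)
        result = frequency_observer(system, max_attempts)
        total += result if result is not None else max_attempts
    return total / trials


if __name__ == "__main__":
    print("no noise  :", mean_attempts(1, 100, 9, noise=False))
    print("with noise:", mean_attempts(1, 100, 9, noise=True))
```

With a single authentic photo and fixed renderings, the authentic image is the only one present in every grid, so its count outgrows the decoys after one or two observations and the observer logs in almost immediately. With noise displacement, every rendering is a new token, all counts stay at one, and the observer is reduced to guessing one image in the grid per attempt. Raising `n_authentic` so that an individual authentic photo is shown no more often than a decoy is the other lever the simulation exposes, and is the kind of parameter sweep the abstract's simulation tool is built for.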