Visual Encryption Applied to Enhanced Online Account Security and Access Control

Awards

  • Alameda County Science and Engineering Fair

    • 4th Place, 2016

Summary

After reading about visual cryptography online, I worked throughout eighth and ninth grade to develop a proof of concept of a two-factor authentication system that is nearly impossible to brute force.

Abstract

In this proposal, an innovative mechanism, using visual encryption, will be implemented, tested, and evaluated to enhance online account security and access control. With the proposed method, a pay-to-view website can sell customers viewing passes for a set amount of time or number of views. Most importantly, each customer’s viewing pass must be distinct and difficult to reproduce, so that a customer cannot simply copy or sell the pass.

Visual cryptography is a process through which a black-and-white image is split into multiple sub-images, which individually reveal nothing about the source image. When overlaid at a precise position, the superimposed sub-images reveal the source image. The encryption scheme is based on visual interpretation, which is difficult for machines to perform. Using visual encryption, this study attempts to enhance online account security and access control with the following mechanism.

First, the customer’s email is required to open a user account. The moment the account is created and payment is received, the website’s server produces a Captcha, specific to this account, and encrypts it into two sub-images, using visual encryption. One sub-image is kept on the server, while the other is emailed to the user, after which the user’s sub-image and the original Captcha are cleared from the server. In the process of logging in, the user is first prompted for his email address, which the server uses to locate its previously stored sub-image for this user. The server then asks for the user’s sub-image. Once entered, the user’s sub-image is combined with the server’s sub-image to reveal the Captcha. At this point, the user is asked to visually inspect and enter the text in the Captcha to complete the login process. Subsequently, the user proceeds to view the content while the server erases both the server’s sub-image and the recombined Captcha image. This process of generating and encrypting a new Captcha repeats after every user login.
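The split, overlay and one-time-use steps described above, as an added sketch that is not the project's own code. It assumes the classic two-share construction in which each pixel expands to two subpixels (the page does not say which construction was used); the `Server` class, the sample bitmap and the email address are constructed for illustration, and calling `enroll` again stands in for generating the next Captcha.

```python
import secrets

# Constructed 5x7 bitmap standing in for the Captcha (1 = black pixel).
CAPTCHA = [
    [1, 1, 1, 0, 1, 0, 1],
    [1, 0, 0, 0, 1, 0, 1],
    [1, 1, 0, 0, 1, 1, 1],
    [1, 0, 0, 0, 1, 0, 1],
    [1, 1, 1, 0, 1, 0, 1],
]

def split(image):
    """Split a 1-bit image into two shares; each pixel becomes two subpixels."""
    server_share, user_share = [], []
    for row in image:
        s_row, u_row = [], []
        for pixel in row:
            a = secrets.randbelow(2)          # fresh random pattern per pixel
            pattern = [a, 1 - a]              # exactly one black subpixel
            s_row += pattern
            # White pixel: same pattern. Black pixel: complementary pattern.
            u_row += pattern if pixel == 0 else [1 - a, a]
        server_share.append(s_row)
        user_share.append(u_row)
    return server_share, user_share

def overlay(share_a, share_b):
    """Stack two transparencies: a subpixel is black if black on either one."""
    return [[x | y for x, y in zip(ra, rb)] for ra, rb in zip(share_a, share_b)]

def decode(stacked):
    """Fully black pair = black pixel, half-black pair = white pixel."""
    return [[row[i] & row[i + 1] for i in range(0, len(row), 2)] for row in stacked]

class Server:
    """Hypothetical server that keeps only its own share per account."""
    def __init__(self):
        self.shares = {}

    def enroll(self, email, captcha):
        self.shares[email], user_share = split(captcha)
        return user_share                     # emailed to the user, not stored

    def reveal(self, email, user_share):
        server_share = self.shares.pop(email) # erased: each share works once
        return overlay(server_share, user_share)

def render(image):
    return "\n".join("".join("#" if p else "." for p in row) for row in image)
```

Printing `render(...)` of either share shows one black subpixel in every pair regardless of the Captcha, while the overlay shows fully black pairs exactly where the Captcha is black.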

The proposed mechanism prevents any user from logging in twice with the same user’s sub-image, making it useless to try to sell used sub-images. Also, if the server is hacked, only the server’s sub-image would be compromised; both the Captcha and the user’s sub-image would have already been cleared from the server. Thus, the hacker would also have to hack into the user’s email in order to fully access the user’s account, doubling account security. Furthermore, the user’s sub-image is nearly unguessable: the probability of finding the user’s sub-image by chance is infinitesimal. With the proposed method, the user’s account becomes almost perfectly secure, although a hacker infiltrating both the user’s email and the server remains a problem. In addition to login security, the proposed method provides precise and variable access control for vendors. The server can be set to stop generating new Captchas after a certain number of logins or period of time, completely controlled by the vendor.

I pose with my poster at the 2017 Alameda County Science & Engineering Fair.
