					A Graphical PIN Authentication
Mechanism with Applications to Smart
Cards and Low-Cost devices
     Luigi Catuogno                Clemente Galdi
   Università di Salerno   Università di Napoli “Federico II”
Outline
• Problem overview
  – User authentication
  – Graphical passwords
  – Shoulder surfing attacks
• Our proposal
  – Deterministic and user randomized schemes
  – Security evaluation
• Application to device-device authentication
User authentication
• U.A. is a well established area in security
• Different types of services require
  different levels of security
  –   Checking email
  –   Withdrawing money at ATMs
  –   On-line banking
  –   …
  –   Access to military bases
  –   Nuke activation procedures
Human authentication
• If the required level of security is
  not high
  – “Text-based” authentication is still the
    most used one
     • Username-password
     • Strip/smart-card + PIN
     • One Time Password Tokens
One time password
Authentication through insecure channels

• In order to be authenticated, the
  user has to prove that she knows the
  secret x
   – The system issues a challenge C
   – The user computes the proof P=F(x,C)
       • Often the user computes F() by means of a
         personal crypto-device
   – The user sends P to the system
   – The system verifies the proof…etc.
Graphical password
• A one-time password mechanism
  where:
  – The system issues a graphical challenge
    • Often called “scene”
  – The user computes the proof by means of a
    cognitive function of what she sees on
    the screen
    • without the effort of any external device
Cognitive functions
• Image recognition
• Image position recognition
• Answering simple queries about the
  scene
• Repeating a sequence of actions in a
  scene
PassFaces
(www.realusers.com)

• The system chooses
  three passfaces
  for the user
PassFaces/2
• During the logon, the
  system shows to the
  user three scenes
  each one containing one
  of user’s passfaces
• The user has to
  recognize her
  passfaces in each
  scene
• The user selects the
  passfaces by
   – Mouse clicks,
   – Tapping by the stylus
A useful application…
• Everybody uses ATM and POS
  terminals everyday.
  – PINs and passwords are frequently
    subject to attacks and frauds
  – PINs are not user-friendly

• Graphical PINs could be a good
  improvement
The Problem
But…
• Many G.P. schemes require non-trivial
  visualization and pointing devices

• ATM machines, POS terminals, Cellular
  phones….
  – Small sized and low resolution displays
  – No pointing devices (mouse, touch screen…)
  – Poor computational resources (slow processors,
    small memory…)
Requirements
• The authentication scheme should be
  independent from the specific set of
  objects
  – Improves (human) usability
  – Allows the adaptation to device-device
    authentication
• (Very) Low computational overhead
• The “user” should only “recognize” objects
  – No need of crypto-devices
• Resiliency to eavesdropping
Basic Idea
• Objects:
   – Let k,a be two integers and q=ka
   – O={o1,o2,…,oq} be a set of q objects
• Secret:
   – A secret is an object in O
• Challenge:
   – Partition the objects in O into a distinct sets, each
     containing k objects
   – “Visualize” the challenge on a matrix with a rows and k
     columns
• Response:
   – The row number containing the secret object.
Naïve Protocol
• Secret:
  – Let m be an integer
  – Let s=(s1,s2,…,sm) be a sequence of m objects
     • There exist $q^m$ possible secrets
• Response:
  – The sequence of m indices of the rows containing the m
    objects
A prototype




http://www.dia.unisa.it/GRAPE
GRAPE/2

          • Handles authentication
            by means of a
            numerical one-time
            PIN
          • The graphical challenge
            is composed of low-
            resolution objects
          • Challenge generation
            and proof validation
            require poor
            computational
            resources
GRAPE/3
      • The user’s secret is a
        sequence of queries formed
        like:
          – “On which row is the object
            x?”
      • Where the object x is a
        geometrical shape like:
          –   Purple full rectangle
          –   Red empty rectangle
          –   White empty hexagon
          –   …
GRAPE/4
   The user types the PIN here,
   each digit is the row number of the
   corresponding object


                                         34643
GRAPE/5
• The graphical challenge can be effectively
  visualized both through cheap and small-sized
  displays and through hi-res monitors
• The user response can be composed through a
  numeric keypad as well as through other
  sophisticated pointing devices
• Challenge generation and proof validation are
  affordable for small devices (e.g. smart-cards
  and old-fashioned cell phones)
• The user is simply required to recognize the
  position of some objects on the screen
GRAPE/6
• Naive protocol
  – The user correctly answers to all the m queries
• Randomized protocol: Correct or random
  – The user correctly answers to at least m-r
    queries
  – The user randomly answers to r queries
• Randomized protocol: Correct or Wrong
  – The user correctly answers to exactly m-w
    queries
  – The user wrongly answers to w queries
Security Evaluation
• Basic assumption:
  – Three unsuccessful trials lead to block of the
    account
• Blind attacks:
  – Prob. of guessing an “authentication” secret
  – Needs to be reasonably low
• Recording attacks (eavesdropping):
  – Gaining access to a service after analyzing a
    number of transcripts
Naïve protocol
• Blind attack success probability
  – a=number of rows in the matrix
  – m=secret length
  – $p=1/a^m$
• The value of a cannot be too high!
• If a=4 and m=7, success prob < $10^{-5}$
  – The number of rows in the matrix should be low
Naïve protocol
• Attack goal:
  – Secret extraction.
  – The user needs to answer correctly to
    all the queries
  – Assuming three unsuccessful trials block
    the system
Naïve protocol
• Attack description: The adversary
  – is provided with as many transcripts as she wants
  – associates to each object m counters
     • one for each component in the secret
  – For each transcript (challenge, response),
    increases the counter for all the objects in the
    row corresponding to the user answer
  – Stops when, for each component of the secret,
    there exist one object with maximum counter
• This attack always recovers the user secret!
Naïve Protocol
• Average number of transcripts m=15
Naïve Protocol
• Average number of transcripts (a=2)
Naïve Protocol
• We can derive that the average
  number of transcripts needed to
  recover the secret increases if:
  – The number of rows (a) in the challenge
    decreases
  – The length of the secret (m) increases
  – The number of objects (q) increases
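The naive protocol and the counting analysis above, run as a small simulation that measures how many observed sessions it takes before the secret is fully determined. This is an added example, not code from the slides or from GRAPE; objects are modelled as integers 0..q-1 and the parameter values (q=36, m=5) are constructed.

```python
import random
from itertools import count

def make_challenge(q, a, rng):
    """Random partition of objects 0..q-1 into a rows of k = q/a objects.
    Returns row_of, where row_of[o] is the row showing object o."""
    order = list(range(q))
    rng.shuffle(order)
    k = q // a
    row_of = [0] * q
    for pos, obj in enumerate(order):
        row_of[obj] = pos // k
    return row_of

def respond(secret, row_of):
    """Naive protocol: the PIN digit for each secret object is its row."""
    return [row_of[s] for s in secret]

def sessions_until_leak(secret, q, a, rng):
    """Apply the counting analysis to observed (challenge, response) pairs.
    Returns (t, recovered) once every component has a single top counter."""
    m = len(secret)
    counters = [[0] * q for _ in range(m)]
    for t in count(1):
        row_of = make_challenge(q, a, rng)
        pin = respond(secret, row_of)
        for j in range(m):
            for obj in range(q):
                if row_of[obj] == pin[j]:
                    counters[j][obj] += 1
        # The true object sits in the answered row every time, so the top
        # counter always equals t; the secret is exposed once it is unique.
        if all(counters[j].count(t) == 1 for j in range(m)):
            return t, [counters[j].index(t) for j in range(m)]

def average_sessions(q, a, m, trials=200, seed=1):
    """Mean number of eavesdropped sessions before the secret is determined."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        secret = [rng.randrange(q) for _ in range(m)]
        t, recovered = sessions_until_leak(secret, q, a, rng)
        assert recovered == secret
        total += t
    return total / trials

if __name__ == "__main__":
    # Constructed parameters: q=36 objects, secrets of m=5 objects.
    for a in (2, 3, 6):
        print(f"a={a}: {average_sessions(36, a, 5):.1f} sessions on average")
```

Varying a and m reproduces the trends listed above: fewer rows and longer secrets both raise the number of sessions an eavesdropper needs.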
Correct-random: blind attack

• In the following
  – c=number of correct answers
  – m=secret length


$$\sum_{h=c}^{m} \binom{m}{h} \left(\frac{1}{a}\right)^{h} \left(1-\frac{1}{a}\right)^{m-h}$$
Correct-random: blind attack
• The number c of correct answers must be
  greater than m/a
  – Otherwise blind attack is easy!
• Example:
  – Let a=2 and c=m/3.
     • Authentication is granted if the user correctly
       guesses at least m/3 components of the secret
  – The adversary can randomly guess with high
    probability m/2 correct answers
User-randomized protocols

• In user-randomized protocols the
  “counting attack” does not work
  anymore.
   – Due to randomization, objects with
     high frequency might not belong to
     the secret
• We need to modify attack strategy
User-randomized protocols
• Attack description: The adversary
   – is provided with t transcripts
   – associates to each object m counters
      • one for each component in the secret
   – For each transcript, increases the counter for the
     objects in the row corresponding to the user answer
   – Outputs the objects with maximum value for the
     counters.
• Output classification:
   – Good: Contains all the m objects in the secret
   – Valid: Contains at least c objects from the secret
   – Wrong: Contains fewer than c objects from the secret
Correct-random

Percentage of good and valid secrets
Correct-wrong: blind attack

• In the following
  – c=number of correct answers
  – m=secret length

$$\binom{m}{c} \left(\frac{1}{a}\right)^{c} \left(1-\frac{1}{a}\right)^{m-c}$$
Correct-wrong
• In the correct-wrong case, there is no
  “trivial” limit on the number of wrong
  answers
  – The user needs to
     • answer correctly to exactly c queries and
     • give wrong answers to exactly m-c queries.
• If c is too low, blind attack has still high
  success probability, but strictly less than 1.
  – E.g., m=15, r=8, a=2 -> p(succ)=0.19
Correct-wrong
Percentage of good and valid secrets
  does not strongly depend on q



Correct-wrong
Percentage of good and valid secrets strongly
  depends on a
   – If a=2 the adversary might not be able to extract a valid
     secret




Correct-wrong
Percentage of good and valid secrets
  strongly depends on r




A variation
• Assume the user needs to answer a
  specific set of queries correctly
  – User and terminal share also a common
    sequence, e.g., generated by a PRNG.
• Let a=2
• Blind attack success probability becomes
  $(1/2)^c(1-1/2)^{m-c}=1/2^m$
• In this case it is possible to use r=m/2
  – The adversary does not manage to extract even
    a valid sequence.
A variation
• Why?
  – Intuitively:
     • P(counter increased)=1/2 for every object
       independently from the fact that it belongs to the
       secret or not!
  – The counting attack fails.
     • It focuses on the single secret’s component
  – Does not consider that:
     • “In every transcript there exist exactly c correct
       answers”
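The intuition above can be checked numerically: with a=2, the counting analysis increments the counter of a secret object exactly as often as that of any other object once half the queries are answered with the other row. This is an added example, not code from the slides; it assumes the positions answered correctly are drawn uniformly by a shared PRNG, and the values q=36 and m=6 are constructed.

```python
import random

def counter_rates(correct, q=36, m=6, sessions=2000, seed=3):
    """Two-row challenges (a=2). In each session exactly `correct` of the m
    queries get the true row and the others get the opposite row.
    Returns (rate_secret, rate_other): the fraction of observations in which
    the counting analysis increments the counter of the secret object of a
    component, and of any one non-secret object."""
    rng = random.Random(seed)          # challenge generation
    shared = random.Random(seed + 1)   # stands in for the user/terminal PRNG
    secret = [rng.randrange(q) for _ in range(m)]
    hits_secret = hits_other = 0
    for _ in range(sessions):
        row0 = set(rng.sample(range(q), q // 2))      # objects shown on row 0
        row_of = [0 if o in row0 else 1 for o in range(q)]
        truthful = set(shared.sample(range(m), correct))
        for j, s in enumerate(secret):
            answer = row_of[s] if j in truthful else 1 - row_of[s]
            for o in range(q):
                if row_of[o] == answer:   # counter (j, o) would be increased
                    if o == s:
                        hits_secret += 1
                    else:
                        hits_other += 1
    n = sessions * m
    return hits_secret / n, hits_other / (n * (q - 1))

if __name__ == "__main__":
    print("naive (all correct):", counter_rates(correct=6))
    print("variation (m/2 correct):", counter_rates(correct=3))
```

With all answers correct the secret object's rate is 1 against roughly 0.49 for the others, which is the gap the counting analysis relies on; with m/2 correct both rates are 1/2.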
A SAT-based attack
• Write a boolean formula whose truth
  assignment corresponds to the user secret
• Associate to each object $o_i \in O$ m boolean
  variables $x_{i,1},\dots,x_{i,m}$
• Let C be a challenge consisting of a=2 rows
  – Let $(i_1,\dots,i_p)$ be the indices of the objects on the
    first row
  – Let $(i_{p+1},\dots,i_q)$ be the indices of the objects on
    the second row
A SAT-based attack
• The j-th component of the secret belongs
  to one of the two rows of the challenge.

           0, j  x i , j  x i , j ... x i
                         1               2               p,   j



           1, j  x i   p1 ,   j    x i p2 , j ... x iq , j
   

   
     A SAT-based attack
     • Let:
        – =(1,…, m) be a single user reply
        – $A_m=\{a=(a_1,\dots,a_m)\in\{0,1\}^m \mid w(a)=m/2\}$
              • $a_i=0$ -> i-th answer is correct.
     • The following formula is satisfiable:
                                    m
                                  (  j a j (1  j )a j )
                  (a1 ,...,a m )A m j1

     • There exists one $a\in A_m$ such that the j-th
       component of the secret is in row jaj for j=1,…m


A SAT-based attack
• Extending the formula to k
  transcripts, it is possible to show
  that the following formula is
  satisfiable
                   t
                    (k )
                  k1

• Note: (k) are formulae over the same
  literals
      
A SAT-based attack
• Finally, since for each component, there
  exists exactly one object
     m   q
    (x1, j  ... x i1, j  x i, j x i1, j  ... x q, j )
     j1 i1


• So = is satisfiable and its truth
  assignment corresponds to the user secret.
What about “devices”
• The proposed scheme is not limited to
  human authentication.
  – Simply modify the set of objects to a list of
    numbers/strings.
  – The device needs to recognize binary strings
  – If a device (smart card/RFID) is able to run a
    PRNG:
     • The device can authenticate the reader
        – Need to generate the challenge
        – Instead of being authenticated by a reader.
     • It can implement the “variant” of our scheme
        – Or store a list of sequences…
Usability evaluation


              • Average login time

              • Error rate
Conclusions
• Presented an authentication mechanism
  “implementable” by humans and devices
• Counting attacks lead to (valid) secret
  extraction in reasonable time
  – 10-12 sessions for naïve protocol
  – Up to 36 for correct-wrong
• To be done.
  – Implement the SAT based attack
     • The size of the formula is exponential in the secret
       length…

				