IMAGE-BASED AUTHENTICATION

IMAGE-BASED AUTHENTICATION Richard E. Newman, Piyush Harsh, and Prashant Jayaraman University of Florida

Human Authentication
- What you are (biometric)
- What you have (token)
- What you know (password)

Problems with Passwords
- Meaningful
- Transferred by word of mouth
- Written down and stuck near the workstation
Image-based authentication (IBA) can solve these.

Definitions
- Image Space (IS): the set of all images used by the IBA system.
- Individual Image Set (IISa): the set of images that a user Alice (a) chooses to authenticate herself.
- Key Image: any image in a user's IIS.
- Presentation Set (PS): the set of images presented to Alice (from which the key images must be selected) for a given authentication attempt.
- PS_i: the i-th subset of PS presented to Alice during a run; PS = ∪_i PS_i.

Architecture
- Authentication User Agent (AUA)
- Authentication Server (AS)
- The communication between them is encrypted using authenticated Diffie-Hellman.
- The AS is assumed to be a part of the Trusted Computing Base.

Basic Protocol - Initialize
Image Set Selection
- Alice selects n images (n is set by the administrator, Bob).
- Bob stores the image set at the AS.
Presentation Subsets
- For each PS_i, Bob picks one image from IISa and some other images from IS - IISa.
- Alice picks the IISa image from each PS_i.

Basic Protocol - Authenticate
A→B: Username = Alice
B→A: Presentation set for Round 1, PS_1
A→B: Identified image
B→A: Presentation set for Round 2, PS_2
...
B→A: Presentation set for Round R, PS_R
If all R steps are successful, Bob authenticates Alice.
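A small runnable model of the initialize and authenticate steps above. This is an added example, not the authors' code (their implementation is not on this page). It assumes a constructed 200-image image space, 16 images per PS_i, one round per key image, and folds in two counters from later slides: every screen is shuffled before it is shown, and optional decoy screens must be answered "none of the above". The authenticated Diffie-Hellman channel between AS and AUA is out of scope and is modelled as a direct function call.

```python
import random

NONE_OF_THE_ABOVE = "none"

# Constructed image space: 200 identifiers standing in for real pictures (assumption).
IMAGE_SPACE = [f"img{i:03d}" for i in range(200)]


class AuthenticationServer:
    """Hypothetical AS: stores each user's Individual Image Set (IIS) and runs the
    rounds. The authenticated Diffie-Hellman channel to the AUA is not modelled."""

    def __init__(self, image_space, images_per_screen=16, rng=None):
        self.image_space = list(image_space)
        self.n = images_per_screen
        self.rng = rng if rng is not None else random.SystemRandom()
        self.iis = {}  # username -> set of key images

    def enroll(self, username, key_images):
        """Initialize: Alice's n chosen images are stored at the AS."""
        key_images = set(key_images)
        if not key_images <= set(self.image_space):
            raise ValueError("key images must be drawn from the image space")
        if len(self.image_space) - len(key_images) < self.n:
            raise ValueError("image space too small to fill a decoy screen")
        self.iis[username] = key_images

    def presentation_subset(self, username, key=None):
        """Build one PS_i: the given key image plus n-1 decoys from IS - IIS, or,
        when key is None, a decoy screen of n non-key images. The screen is
        shuffled so a logged keystroke position is meaningless next time."""
        iis = self.iis[username]
        non_key = [img for img in self.image_space if img not in iis]
        if key is None:
            screen = self.rng.sample(non_key, self.n)
        else:
            screen = [key] + self.rng.sample(non_key, self.n - 1)
        self.rng.shuffle(screen)
        return screen

    def authenticate(self, username, user_agent, decoy_rounds=0):
        """One round per key image (R = |IIS|) plus decoy_rounds decoy screens, in
        random order. user_agent(ps) returns the clicked image id or
        NONE_OF_THE_ABOVE. Bob accepts only if every round is answered correctly."""
        if username not in self.iis:
            return False
        schedule = list(self.iis[username]) + [None] * decoy_rounds
        self.rng.shuffle(schedule)
        for key in schedule:
            ps = self.presentation_subset(username, key)
            answer = user_agent(ps)
            expected = NONE_OF_THE_ABOVE if key is None else key
            if answer != expected:
                return False
        return True


def make_user_agent(known_key_images):
    """AUA side: click the image on the screen the user recognises as hers, or
    answer 'none of the above' when no known image is on the screen."""
    known = set(known_key_images)

    def agent(ps):
        hits = [img for img in ps if img in known]
        return hits[0] if hits else NONE_OF_THE_ABOVE

    return agent


def demo():
    server = AuthenticationServer(IMAGE_SPACE, images_per_screen=16)
    alice_iis = random.SystemRandom().sample(IMAGE_SPACE, 5)  # Alice picks n = 5 images
    server.enroll("alice", alice_iis)
    alice = make_user_agent(alice_iis)
    eve_blind = make_user_agent([])               # Eve knows none of Alice's images
    eve_partial = make_user_agent(alice_iis[:1])  # Eve learned exactly one of them
    return {
        "alice": server.authenticate("alice", alice, decoy_rounds=2),
        "eve_blind": server.authenticate("alice", eve_blind, decoy_rounds=2),
        "eve_partial": server.authenticate("alice", eve_partial, decoy_rounds=2),
        "unknown_user": server.authenticate("mallory", alice),
    }


if __name__ == "__main__":
    print(demo())
```

Because each key image is shown exactly once per run, an impostor who has learned only some of the images is rejected deterministically: the rounds built around the images she does not know force a wrong answer.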

Attacks
Image-based authentication is not foolproof. There are four points of vulnerability:
- information stored on the AS
- information sent between the AS and the AUA
- the output at the AUA
- the input at the AUA

Keystroke Logging: AUA Input
Eve can observe or log Alice's keystrokes and later authenticate herself as Alice.
Counter: display the images in random order, so the logged keystrokes are only meaningful for this PS in this display order.

Shoulder Surfing: AUA Output Logging
Eve can observe Alice's screen (during the authentication process) and later authenticate herself as Alice.
Counter: display an image only when the mouse is over it; otherwise, gray out the image.
If the input is hidden, then which image was selected is not known; Eve only obtains the PS_i's. More on PS-based attacks later.

TEMPEST Attack: AUA Output
Electromagnetic emanations from the output are used to recreate the screen at a distance.
Counters:
- Use contrasting colors that a person can easily distinguish, but which look the same to the eavesdropper.
- Blur the images.
- Add random noise to the images.

Brute Force Attack
The attacker tries every possible combination. Note that a dictionary attack is impossible.
Counters:
- Keep IIS and IS large.
- The attack cannot be done offline.

Frequency Correlation Attack: Presentation Sets
Intersection Attack
- The IS is large, and the PS_i's are chosen randomly (with one image from the IIS).
- Any image that repeats across attempts is very likely to be a part of the IIS.
Logic Attack
- If the PS is the same (but not the PS_i's) in every attempt, then within a small number of authentication attempts the attacker can, by logic, narrow down the IIS to one or a few subsets of the PS.

Countering Frequency Correlation Attacks
Decoy Screens
- A decoy screen is an image grid none of whose images are part of the user's IIS.
- The user has to select "none of the above" to succeed in those rounds.
- Make use of x rounds of decoy screens and y (y <= n) rounds of screens with images from the user's image set.

Countering Frequency Correlation Logic Attacks
Image Buckets
- The IS can be partitioned into groups of images called image buckets.
- When an image from the IIS is displayed, all of the other images in the image bucket to which this image belongs are also shown.
- The intersection of the images displayed will never decrease.
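The intersection attack from the previous slides and the image-bucket counter, measured side by side. This is an added example and not the authors' code. It assumes a constructed 200-image space, an IIS of 4 images chosen from 4 different buckets, 16 images per screen, buckets of 4 images, and an observer who (as in the shoulder-surfing case with hidden input) sees every PS_i of an attempt but not the click. Without buckets the surviving candidate set collapses to the IIS within a few attempts; with buckets it never shrinks below the union of the key images' buckets, which is what "the intersection will never decrease" buys the defender.

```python
import random


def make_image_space(size):
    # Constructed image identifiers standing in for real pictures (assumption).
    return [f"img{i:03d}" for i in range(size)]


def plain_screens(image_space, iis, per_screen, rng):
    """One PS_i per key image; decoys are drawn independently from IS - IIS.
    Every key image is shown on every attempt, while any given decoy is not."""
    non_key = [img for img in image_space if img not in iis]
    screens = []
    for key in iis:
        screen = [key] + rng.sample(non_key, per_screen - 1)
        rng.shuffle(screen)
        screens.append(screen)
    return screens


def bucket_screens(buckets, iis, per_screen, rng):
    """Image-bucket variant: IS is partitioned into fixed buckets. When a key
    image is shown its whole bucket is shown, and the remaining slots are
    filled with whole buckets that contain no key image."""
    bucket_of = {img: b for b in buckets for img in b}
    key_buckets = {bucket_of[k] for k in iis}
    decoy_buckets = [b for b in buckets if b not in key_buckets]
    extra = per_screen // len(buckets[0]) - 1
    screens = []
    for key in iis:
        shown = [bucket_of[key]] + rng.sample(decoy_buckets, extra)
        screen = [img for b in shown for img in b]
        rng.shuffle(screen)
        screens.append(screen)
    return screens


def intersection_attack(observe_attempt, attempts):
    """Observer model: sees the PS_i's of each attempt but not the clicks, and
    intersects the images shown across attempts. Returns the surviving
    candidate set and its size after each attempt."""
    candidates = None
    sizes = []
    for _ in range(attempts):
        seen = set().union(*observe_attempt())
        candidates = seen if candidates is None else candidates & seen
        sizes.append(len(candidates))
    return candidates, sizes


def run_attack(seed=7, image_count=200, bucket_size=4, key_count=4,
               per_screen=16, attempts=20):
    rng = random.Random(seed)  # seeded only so the run is reproducible
    image_space = make_image_space(image_count)
    buckets = [tuple(image_space[i:i + bucket_size])
               for i in range(0, image_count, bucket_size)]
    key_buckets = rng.sample(buckets, key_count)  # one key image per bucket
    iis = [rng.choice(b) for b in key_buckets]
    plain = intersection_attack(
        lambda: plain_screens(image_space, iis, per_screen, rng), attempts)
    bucketed = intersection_attack(
        lambda: bucket_screens(buckets, iis, per_screen, rng), attempts)
    return {
        "iis": set(iis),
        "bucket_union": {img for b in key_buckets for img in b},
        "plain": plain,
        "bucketed": bucketed,
    }


if __name__ == "__main__":
    r = run_attack()
    print("plain candidates per attempt:   ", r["plain"][1])
    print("bucketed candidates per attempt:", r["bucketed"][1])
```

The per-attempt sizes show the difference directly: the plain variant's candidate set drops towards |IIS| = 4, while the bucketed variant floors at |IIS| × bucket size = 16, so the observer learns which buckets matter but not which image inside each bucket is the key.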

Leaking Image Set Size
- The size of the image set is equal to the number of rounds.
- The correlation between the image set size and the number of rounds may be blurred.
Counter: Randomized number of rounds
- The number of rounds is randomized according to a bounded normal distribution.
- The mean number of rounds and the variance can be changed as necessary.

Implementation Issues
Image Set Storage
- If the images are randomized, only the seed for each image needs to be stored.
- Otherwise, the entire IS needs to be stored.
Security Implications
- The AS must store each user's IIS.
- If the AS is compromised, the IIS of every user can be obtained.
- The scheme depends on the impenetrability of the AS.

Key Strength
If K images per display may be selected, then with R rounds and |PS_i| = N we obtain an equivalent key size of KS = R · log2(C(N, K)). If K = 1, then KS = R · log2(N).

Equivalent key bits for N=16 images/round

Equivalent key bits per key image
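A helper that evaluates the key-strength formula above and reproduces the kind of table the two charts summarise. This is an added example, not the authors' code; the chart data itself is not in the transcript. The "bits per key image" reading as KS / (R · K) is my assumption, and the password comparison at the end uses a constructed 8-character random lowercase password.

```python
from math import ceil, comb, log2


def key_bits(rounds, images_per_screen, selectable=1):
    """KS = R * log2(C(N, K)): equivalent key bits for R rounds of N images with
    K key images to select per screen (K = 1 gives R * log2(N))."""
    if not 1 <= selectable <= images_per_screen:
        raise ValueError("need 1 <= K <= N")
    return rounds * log2(comb(images_per_screen, selectable))


def bits_per_key_image(images_per_screen, selectable=1):
    """Assumed reading of the 'bits per key image' chart: KS / (R * K), the bits
    each recognised key image contributes; it does not depend on R."""
    return log2(comb(images_per_screen, selectable)) / selectable


def rounds_to_match(target_bits, images_per_screen, selectable=1):
    """Smallest R whose KS reaches target_bits (for example a password's entropy)."""
    return ceil(target_bits / log2(comb(images_per_screen, selectable)))


def key_bits_table(images_per_screen=16, max_rounds=8, max_select=4):
    """Rows R = 1..max_rounds, columns K = 1..max_select, entries KS in bits."""
    return {r: {k: round(key_bits(r, images_per_screen, k), 1)
                for k in range(1, max_select + 1)}
            for r in range(1, max_rounds + 1)}


if __name__ == "__main__":
    table = key_bits_table()
    print("R  " + "  ".join(f"K={k:<5}" for k in table[1]))
    for r, row in table.items():
        print(f"{r:<2} " + "  ".join(f"{v:7.1f}" for v in row.values()))
    # Constructed comparison: 8 random lowercase letters are 8 * log2(26) ~= 37.6 bits.
    print("16-image rounds (K=1) to match that:", rounds_to_match(8 * log2(26), 16))
```

With N = 16 and K = 1 each round contributes exactly 4 bits, so matching even a modest random password takes around ten rounds; raising K per screen is the cheaper way to add bits, at the cost of asking the user to recognise more images per round.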

Conclusions
- IBA is in its infancy.
- IBA is more user-friendly.
- It is difficult to share IBA image sets without showing the person the images.
- IBA offers an alternative to passwords that may be attractive for some situations: asymmetric bandwidth, poor user input capability.
- Protection at the AS is still an issue.