Trustworthy Computing in My Mind: A Case Study on Visual Password Shujun Li Visiting Student at VC Group, Microsoft Research Asia Institute of Image Processing Xi’an Jiaotong University April, 2002

April, 2002Shujun Li, VS at VC Group of Microsoft Research Asia Table of Contents 1.What is Trustworthy Computing? 2.Does Perfect Trustworthiness Exist? 3.How to Increase Trustworthiness? 4.A Case Study: Visual Password  What/Why/How about Visual Password  Some Proposed Schemes  A Comparison Between Visual Password and Textual Password from Trustworthy Viewpoint  Problems, Principles and Solutions

April, 2002Shujun Li, VS at VC Group of Microsoft Research Asia 1. What is Trustworthy Computing? “ Trustworthy computing is a label for a whole range of advances that have to be made for people to be as comfortable using devices powered by computers and softwares as they are today using a device that is powered by electricity. ” —— Microsoft White Paper: Trustworthy Computing “ Trustworthy computing is a multi-dimensional set of issues ” : good availability for almost needs requested by the users, acceptable reliability of provided services, high security of users ’ data and system configurations, recoverability of damaged systems and lost data, full control of users ’ data only by themselves with suitable manners, great reputation of the services providers, etc.

April, 2002Shujun Li, VS at VC Group of Microsoft Research Asia 2. Does Perfect Trustworthiness Exist? Nothing is perfect. We can only provide ENOUGH trustworthiness in practice. It is very hard to give a “ right ” definition of trustworthiness. Trustworthiness is a complicated concept in both technical and social world. “ An architecture built on diversity is robust, but it also operates on the edge of chaos. ” As a natural result, it is very difficult to exactly analyze the trustworthiness of Trade-offs exist between the different requirements of “ perfect trustworthiness ”. For example, higher security always corresponds to less usability, higher trustworthiness needs more costs in many cases.

April, 2002Shujun Li, VS at VC Group of Microsoft Research Asia 3. How to Increase Trustworthiness? Avoid using insecure codes Trustworthiness first, not new features Adopt suitable algorithms to protect the security and integrity of users ’ data and systems Keep in mind that “ a computing system is only as trustworthy as its weakest link ” Users-centered design, coding and support Keep things simple to enhance usability and long- term and large-scale reliability More redundancy trend to less risks

April, 2002Shujun Li, VS at VC Group of Microsoft Research Asia 4a. A Case Study: Visual Password ？ What is Visual Password? The user interface by which one can generate password with graphical/visual operations, such as movement and clicking of mouse on a picture. ？ Why Use Visual Password? It may provide higher trustworthiness than traditional textual password. ？ How to Make Visual Password? Some schemes have been proposed, we will briefly introduce and analyze those ideas. Some principles and more potential solutions will also be discussed.

April, 2002Shujun Li, VS at VC Group of Microsoft Research Asia 4b. Some Proposed Schemes 1.Drawing-Based Visual Password: I. Jermyn ’ s Graphical Password for PDA 2.Visual Password Based on Selected Secret Pictures from a Picture Database: PassFace TM and D é j à Vu System 3.Click-by-Click Visual Password: Blonder ’ s Patent, PassPic TM, Passlogix v-GO TM Graphical Password Window, Darko Kirovski ’ s System (Microsoft) More details about proposed schemes are needed for further investigations.

April, 2002Shujun Li, VS at VC Group of Microsoft Research Asia 4c. A Comparison Between Visual Password and Textual Password Textual Password Visual Password Usability Inconvenient for young children and the blind Inconvenient for the blind Memorizablity & Security to Dictionary Attack Easily-memorizable passwords are weak to dictionary attack, while “ good ” ones are generally hard to be memorized. Many strong passwords may be easily memorized. Dictionary attack becomes more hard. Security to Shoulder- Surfing Attack The slower the typewriting speed, the weaker the security. All proposed schemes cannot resist shoulder- surfing attack.

April, 2002Shujun Li, VS at VC Group of Microsoft Research Asia 4d. Problems: How to Resist Shoulder-Surfing Attack? ？ How does shoulder-surfing attack work? Once one impostor peeps legal users ’ login actions, he can repeat those actions to cheat the login system, without guessing the right password behind such login actions. ？ How to resist shoulder-surfing attack? The login operations of different logins must not be same. We call such a feature time-variant login-actions. ？ How to obtain time-variant property? Pseudo-randomization mechanism may be helpful.

April, 2002Shujun Li, VS at VC Group of Microsoft Research Asia 4d. Principles: Visual Password 1.Larger strong key space than textual password 2.Similar or better usability than textual password: a) easy user interface; b) good memorizability. 3.Resistance to shoulder-surfing attack: Is such a capability possible? (Clue: a shoulder-surfing attacker can see what you can see and understand what you can understand; people hate hard deduction required by time-variant login- actions.) 4.Acceptable solution of the trade-off between usability and security.

April, 2002Shujun Li, VS at VC Group of Microsoft Research Asia 4d. Solutions: A Theoretical Model of Visual Password Login System Resisting Shoulder-Surfing Attack Here, PCNL should satisfy the following requirements: deducing the actions in the next login is easy enough for legal users who know the password, but is hard enough for illegal users who have monitored your previous logins.

April, 2002Shujun Li, VS at VC Group of Microsoft Research Asia 4d. Problems: Is a Practical PCNL Possible? 1.In fact, a PCNL is a trapdoor function from cryptographic viewpoint. 2.Human beings are not machines and hate complicated deduction, a PCNL MUST be easy enough for any users, including young children. 3.Legal users may forget what they input in the last login, clues should be given to remind them. Consider such clues may be also peeped by an impostor, they should not provide useful information to him under the assumption that he does not know password. Now I have not found a really practical PCNL. Does a practical PCNL exist? We try to find the answer.

April, 2002Shujun Li, VS at VC Group of Microsoft Research Asia 4d. Solutions: More Fresh Ways? 1.More Click-by-Click Visual Passwords: Visual Password Based on Clicking Picture Properties, such as differences of a pair of pictures, the relations between two countries in a world map, the geometry properties of elements in a computer painting. 2.Visual Passwords Based on Specially-Designed Input Devices: a) Device tracking users’ eyes; b) “Strange” mouse that can generate password by ones touching different parts; c) “Strange” glasses that can generate different scenes from different view directions with enough sensitivity.

April, 2002Shujun Li, VS at VC Group of Microsoft Research Asia Thanks For your watching and advice!