
1 A Graphical PIN Authentication Mechanism with Applications to Smart Cards and Low-Cost devices Clemente Galdi Università di Napoli “Federico II” Luigi Catuogno Università di Salerno

2 Outline Problem overview –User authentication –Graphical passwords –Shoulder surfing attacks Our proposal –Deterministic and user randomized schemes –Security evaluation Application to device-device authentication

3 User authentication U.A. is a well established area in security Different types of services require different levels of security –Checking email –Withdrawing money at ATMs –On-line banking –… –Access to military bases –Nuke activation procedures

4 Human authentication If the required level of security is not high –“Text-based” authentication is still the most widely used one Username-password Strip/smart-card + PIN One Time Password Tokens

5 One time password Authentication through insecure channels In order to be authenticated, the user has to prove that she knows the secret x –The system issues a challenge C –The user computes the proof P=F(x,C) Often the user computes F() by means of a personal crypto-device –The user sends P to the system –The system verifies the proof…etc.

6 Graphical password A one-time password mechanism where: –The system issues a graphical challenge Often called “scene” –The user computes the proof by means of a cognitive function of what she sees on the screen, without the need for any external device

7 Cognitive functions Image recognition Image position recognition Answering simple queries about the scene Repeating a sequence of actions in a scene

8 PassFaces (www.realusers.com) The system chooses three passfaces for the user

9 PassFaces/2 During the logon, the system shows the user three scenes, each one containing one of the user’s passfaces The user has to recognize her passfaces in each scene The user selects the passfaces by –Mouse clicks, –Tapping with the stylus

10 A useful application… Everybody uses ATM and POS terminals everyday. –PINs and passwords are frequently subject to attacks and frauds –PINs are not user-friendly Graphical PINs could be a good improvement

11 The Problem

12

13 But…

14 But.. Many G.P. schemes require non-trivial visualization and pointing devices ATM machines, POS terminals, Cellular phones…. –Small sized and low resolution displays –No pointing devices (mouse, touch screen…) –Poor computational resources (slow processors, small memory…)

15 Requirements The authentication scheme should be independent from the specific set of objects –Improves (human) usability –Allows the adaptation to device-device authentication (Very) Low computational overhead The “user” should only “recognize” objects –No need of crypto-devices Resiliency to eavesdropping

16 Basic Idea Objects: –Let $k, a$ be two integers and $q = ka$ –Let $O=\{o_1,o_2,\dots,o_q\}$ be a set of $q$ objects Secret: –A secret is an object in $O$ Challenge: –Partition the objects in $O$ into $a$ distinct sets, each containing $k$ objects –“Visualize” the challenge on a matrix with $a$ rows and $k$ columns Response: –The row number containing the secret object.

17 Naïve Protocol Secret: –Let $m$ be an integer –Let $s=(s_1,s_2,\dots,s_m)$ be a sequence of $m$ objects There exist $q^m$ possible secrets Response: –The sequence of $m$ indices of the rows containing the $m$ objects

18 http://www.dia.unisa.it/GRAPE A prototype

19 GRAPE/2 Handles authentication by means of a numerical one-time PIN The graphical challenge is composed of low-resolution objects Challenge generation and proof validation require poor computational resources

20 GRAPE/3 The user’s secret is a sequence of queries formed like: –“On which row is the object x?” Where the object x is a geometrical shape like: – Purple full rectangle – Red empty rectangle – White empty hexagon –…

21 GRAPE/4 The user types the PIN here, each digit is the row number of the corresponding object 34643

22 GRAPE/5 The graphical challenge can be effectively visualized both through cheap and small-sized displays and through hi-res monitors The user response can be composed through a numeric keypad as well as through other sophisticated pointing devices Challenge generation and proof validation are affordable for small devices (e.g. smart-cards and old-fashioned cell phones) The user is simply required to recognize the position of some objects on the screen

23 GRAPE/6 Naive protocol –The user correctly answers to all the m queries Randomized protocol: Correct or random –The user correctly answers to at least m-r queries –The user randomly answers to r queries Randomized protocol: Correct or Wrong –The user correctly answers to exactly m-w queries –The user wrongly answers to w queries

24 Security Evaluation Basic assumption: –Three unsuccessful trials lead to the account being blocked Blind attacks: –Prob. of guessing an “authentication” secret –Needs to be reasonably low Recording attacks (eavesdropping): –Gaining access to a service after analyzing a number of transcripts

25 Naïve protocol Blind attack success probability –a=number of rows in the matrix –m=secret length –$p=1/a^m$ The value of a cannot be too high! If a=4 and m=7, success prob < $10^{-5}$ –The number of rows in the matrix should be low

26 Naïve protocol Attack goal: –Secret extraction. –The user needs to answer correctly to all the queries –Assuming three unsuccessful trials block the system

27 Naïve protocol Attack description: The adversary –is provided with as many transcripts as she wants –associates to each object m counters, one for each component in the secret –For each transcript (challenge, response), increases the counter for all the objects in the row corresponding to the user answer –Stops when, for each component of the secret, there exists one object with maximum counter This attack always recovers the user secret!

28 Naïve Protocol Average number of transcripts m=15

29 Naïve Protocol Average number of transcripts (a=2)

30 Naïve Protocol We can derive that the average number of transcripts needed to recover the secret increases if: –The number of rows (a) in the challenge decreases –The length of the secret (m) increases –The number of objects (q) increases
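The naïve protocol and the counter bookkeeping from slides 16, 17 and 27, as an added simulation for measuring how many observed sessions the scheme tolerates (not code from the presentation or from GRAPE). The parameters q=36 and m=7, the uniform random partition and all function names are assumptions made for this example.

```python
import random

def make_challenge(q, a, rng):
    """Randomly partition objects 0..q-1 into a rows of k = q/a objects.
    Returns row_of, where row_of[obj] is the row showing that object."""
    order = list(range(q))
    rng.shuffle(order)
    k = q // a
    row_of = [0] * q
    for pos, obj in enumerate(order):
        row_of[obj] = pos // k
    return row_of

def respond(secret, row_of):
    """Naive protocol: one digit per secret object, namely its row."""
    return [row_of[obj] for obj in secret]

def transcripts_until_unique(secret, q, a, rng, limit=10_000):
    """Feed (challenge, response) pairs to per-component counters until, for
    every component, exactly one object holds the maximum count."""
    m = len(secret)
    counters = [[0] * q for _ in range(m)]
    for t in range(1, limit + 1):
        row_of = make_challenge(q, a, rng)
        pin = respond(secret, row_of)
        for j in range(m):
            for obj in range(q):
                if row_of[obj] == pin[j]:
                    counters[j][obj] += 1
        # The true object sits in the answered row every time, so the maximum is t.
        if all(col.count(t) == 1 for col in counters):
            return t, [col.index(t) for col in counters]
    raise RuntimeError("counters did not converge within limit")

def average_transcripts(q, a, m, runs=200, seed=1):
    """Mean number of observed sessions before the counters pin down the secret."""
    rng = random.Random(seed)
    total = 0
    for _ in range(runs):
        secret = [rng.randrange(q) for _ in range(m)]  # constructed random secret
        t, recovered = transcripts_until_unique(secret, q, a, rng)
        assert recovered == secret
        total += t
    return total / runs

if __name__ == "__main__":
    for a in (2, 4):
        print(f"q=36 a={a} m=7: {average_transcripts(36, a, 7):.1f} sessions")
```

With the same q and m, the a=2 layout needs more sessions than a=4, which is the first trend listed on slide 30.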

31 Correct-random: blind attack In the following –c=number of correct answers –m=secret length

32 Correct-random: blind attack The number c of correct answers must be greater than m/a –Otherwise blind attack is easy! Example: –Let a=2 and c=m/3. Authentication is granted if the user correctly guesses at least m/3 components of the secret –The adversary can randomly guess with high probability m/2 correct answers

33 User-randomized protocols In user-randomized protocols the “counting attack” does not work anymore. –Due to randomization, objects with high frequency might not belong to the secret We need to modify attack strategy

34 User-randomized protocols Attack description: The adversary –is provided with t transcripts –associates to each object m counters one for each component in the secret –For each transcript, increases the counter for the objects in the row corresponding to the user answer –Outputs the objects with maximum value for the counters. Output classification: –Good: Contains all the m objects in the secret –Valid: Contains at least c objects from the secret –Wrong: Contains less than c objects from the secret

35 Correct-random Percentage of good and valid secrets

36 Correct-wrong: blind attack In the following –c=number of correct answers –m=secret length

37 Correct-wrong In the correct-wrong case, there is no “trivial” limit on the number of wrong answers –The user needs to answer correctly to exactly c queries and give wrong answers to exactly m-c queries. If c is too low, blind attack has still high success probability, but strictly less than 1. –E.g., m=15, r=8, a=2 -> p(succ)=0.19

38 Correct-wrong Percentage of good and valid secrets does not strongly depend on q

39 Correct-wrong Percentage of good and valid secrets strongly depends on a –If a=2 the adversary might not be able to extract a valid secret

40 Correct-wrong Percentage of good and valid secrets strongly depends on r

41 A variation Assume the user needs to answer a specific set of queries correctly –User and terminal share also a common sequence, e.g., generated by a PRNG. Let a=2 Blind attack success probability becomes $(1/2)^c\,(1-1/2)^{m-c} = 1/2^m$ In this case it is possible to use r=m/2 –The adversary does not manage to extract even a valid sequence.

42 A variation Why? –Intuitively: P(counter increased)=1/2 for every object independently from the fact that it belongs to the secret or not! –The counting attack fails. It focuses on the single secret’s component –Does not consider that: “In every transcript there exist exactly c correct answers”
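The four acceptance rules (naïve, correct-random, correct-wrong and the variation) with their blind-guess success probabilities, as an added example that is not code from the presentation. The binomial expressions for correct-random and correct-wrong are not on the slides; they assume each digit of a uniformly random PIN hits the right row with probability 1/a, and the `mask` argument is this example's reading of the shared sequence in the variation.

```python
from fractions import Fraction
from itertools import product
from math import comb

def accepts(rule, secret_rows, pin, c, mask=None):
    """Verifier side. secret_rows[j] is the row showing the j-th secret object;
    mask[j] is True where the variation demands a correct answer (c True entries)."""
    hits = [s == p for s, p in zip(secret_rows, pin)]
    if rule == "naive":
        return all(hits)
    if rule == "correct-random":
        return sum(hits) >= c
    if rule == "correct-wrong":
        return sum(hits) == c
    if rule == "variation":
        return hits == list(mask)
    raise ValueError(rule)

def blind_success(rule, a, m, c):
    """Exact probability that one uniformly random PIN is accepted."""
    p = Fraction(1, a)
    exactly = lambda i: p**i * (1 - p)**(m - i)   # one fixed pattern with i hits
    if rule == "naive":
        return exactly(m)
    if rule == "correct-random":
        return sum(comb(m, i) * exactly(i) for i in range(c, m + 1))
    if rule == "correct-wrong":
        return comb(m, c) * exactly(c)
    if rule == "variation":
        return exactly(c)
    raise ValueError(rule)

def within_lockout(p, trials=3):
    """Chance that at least one of `trials` independent blind guesses passes."""
    return 1 - (1 - p)**trials

def brute_force(rule, a, secret_rows, c, mask=None):
    """Cross-check: fraction of all a^m PINs that the verifier accepts."""
    m = len(secret_rows)
    ok = sum(accepts(rule, secret_rows, pin, c, mask)
             for pin in product(range(a), repeat=m))
    return Fraction(ok, a**m)

if __name__ == "__main__":
    for rule, c in (("naive", 15), ("correct-random", 5),
                    ("correct-wrong", 7), ("variation", 7)):
        p = blind_success(rule, 2, 15, c)
        print(f"{rule:15s} c={c:2d} one guess {float(p):.5f} "
              f"three guesses {float(within_lockout(p)):.5f}")
```

For m=15, a=2 and 7 required correct answers (r=8), the correct-wrong rule gives 6435/32768, matching the p(succ)=0.19 example on slide 37.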

43 A SAT-based attack Write a boolean formula whose truth assignment corresponds to the user secret Associate to each object $o_i \in O$ $m$ boolean variables $x_{i,1},\dots,x_{i,m}$ Let C be a challenge consisting of a=2 rows –Let $(i_1,\dots,i_p)$ be the indices of the objects on the first row –Let $(i_{p+1},\dots,i_q)$ be the indices of the objects on the second row

44 A SAT-based attack The j-th component of the secret belongs to one of the two rows of the challenge.

45 A SAT-based attack Let: –  =(  1,…,  m ) be a single user reply –$A_m=\{a=(a_1,\dots,a_m)\in\{0,1\}^m \mid w(a)=m/2\}$ $a_i=0$ -> i-th answer is correct. The following formula is satisfiable: There exists one $a \in A_m$ such that the j-th component of the secret is in row  j  a j for j=1,…,m

46 A SAT-based attack Extending the formula to k transcripts, it is possible to show that the following formula is satisfiable Note:  (k) are formulae over the same literals

47 A SAT-based attack Finally, since for each component, there exists exactly one object So  =  is satisfiable and its truth assignment corresponds to the user secret.

48 What about “devices” The proposed scheme is not limited to human authentication. –Simply modify the set of objects to a list of numbers/strings. –The device needs to recognize binary strings –If a device (smart card/RFID) is able to run a PRNG: The device can authenticate the reader –Need to generate the challenge –Instead of being authenticated by a reader. It can implement the “variant” of our scheme –Or store a list of sequences…

49 Usability evaluation Average login time Error rate

50 Conclusions Presented an authentication mechanism “implementable” by humans and devices Counting attacks lead to (valid) secret extraction in reasonable time –10-12 sessions for naïve protocol –Up to 36 for correct-wrong To be done. –Implement the SAT-based attack The size of the formula is exponential in the secret length…

