Secure Human-Computer Id entification against Pee ping Attacks (SecHCI): A Survey Shujun Li , Harry Shum Visual Computing Group Microsoft Research Asia Sep. 2002
Secure Human-Computer Identification against Peeping Attac
ks (SecHCI): A Survey
Shujun Li, Harry ShumVisual Computing GroupMicrosoft Research Asia
Sep. 2002
Outline
Introduction
A User Study
SecHCI: General Model
SecHCI: A Comprehensive Survey
SecHCI: Other Related Works
Our Opinions
1. IntroductionOutline
Human-Computer Identification
Problems of Widely-Used Fixed Passwords
Yet Another Danger: Peeping Attack In the real world In the theoretical world
Known Solutions to Peeping Attack
1.1 Human-Computer IdentificationThree Identifications
Knowledge-based: What do you know? Fixed (textual/visual) password / PIN Pass-phase / Pass-algorithm / word-association Challenge-response identification protocol Zero-knowledge identification protocol
Token-based: What do you have? Magnetic-striped card / Smart card Hand-held one-time password generator
Biometrics-based: Who are you? Face / Fingerprint / Iris / …
1.1 Human-Computer IdentificationThree Identifications: Comparison
Knowledge-based Fixed Password: Easily understood and widely accepted,
but vulnerable to dictionary attack and replay attack Challenge-response protocol: Relatively complex but
secure against replay attackToken-based More secure than fixed password You must physically have it / sensitive to loss
Biometrics-based Always with you / minimal user efforts Performance is not really satisfactory / privacy involved
1.2 Problems of Fixed Password
Dictionary attack: A troublesome paradox between security and usability Humans always select passwords from a dramatically
small subset of the password space Too random or too long passwords are hard to
remember for humans Compulsive password rules are useful to avoid
problems, but users always try to circumvent the rulesPartial solutions: Limitations still exist Pass-phrases / Pass-algorithms / Word associations / … Visual/graphical passwords
1.3 Peeping AttackIn the Real World
Your friends standing behind your shoulders can observe your passwordYour adversaries can install hidden cameras to steal your passwordYour adversaries can deploy malicious programs in your computer to get your passwordPowerful enemies can use TEMPEST (compromising emanations) devices to monitor your computerA lot of real stories on peeping attacks to banking cards (on ATMs) were reported by R. J. Anderson in 1994.
1.3 Peeping AttackIn the Theoretical World
SecHCI means such a human-computer identification by which one can successfully prove its identity without any auxiliary devices and via insecure communication channel.Two kinds of peeping attacks Passive peeping attack and Active peeping attack
In passive peeping attack, adversaries can only passively observe the identification procedure
In active peeping attack, adversaries can impose the verifiers Open peeping attack and Hidden peeping attack
One more requirement Human sensitivity (consciousness) to faked verifiers
1.4 Solutions to Peeping AttackNon-SecHCI
Displaying “******” on the screen instead of plain-password
Shielding your input from malicious “eyes”. Visual shielding / TEMPEST shielding LVSVSS – a shielding based on visual cryptography
One-time passwords
Challenge-response protocols
Biometrics?
1.4 Solutions to Peeping AttackSecHCI
Matsumoto-Imai protocol proposed at EuroCrypt’91 Not secure enough, cryptanalyzed by C.-H. Wang et al. at EuroCry
pt’95
Matsumoto protocols proposed at HCI International’95 and ACM CCS’96 Security against peeping attack is not strong
Hopper-Blum protocols proposed at AsiaCrypt’2001 Security against peeping attack is acceptable, but the usability is n
ot good.
PhoneOIDs proposed by M. Blum (2001) All proposed PhoneOIDs have been known insure
HumanAut Project supported by CMU (2002) One implementation of a variant of Hopper-Blum protocol in Asia
Crypt’2001 paper.
2. A User StudyGoals and Brief Description
Goals Investigate the users’ opinions on security and usability
of human-computer identification system, especially fixed passwords and SecHCI
Show the significance of peeping attack and SecHCI Confirm some principles in the design and implementat
ion of human-computer identification systemsBrief description A web site is constructed 18 questions are involved About 100 volunteers attended
2. A User Study 2.1 Investigation Results (1)
Fixed passwords I Almost all users ever forgot their passwords Most users ever told other of their passwords Most users think security is more important than
convenience (usability) after careful consideration Many users ever encountered hesitation when they set a
new password Some users even have no really secret passwords
Summary: for most users, security > usability, but they always forget this principle in the real world.
2. A User Study2.1 Investigation Results (2)
Fixed passwords II All users have two or more different passwords Most users have <=6 different passwords Most users use 6~10-length passwords Most users also think 6~10 is the best password length Most users think 15 (about) is the upper bound of the
password length for all security applications
Summary: for most users, 6~10-length passwords are good, and >16 length is unendurable.
2. A User Study 2.2 Investigation Results (3)
Peeping attack Most users think peeping attack is a real danger
in the security world, especially when their money and privacy is endangered.
Most users will follows at least partial warns from security experts and technical news.
Summary: the significance of peeping attack is confirmed, especially for electronic financial applications.
2. A User Study 2.2 Investigation Results (4)
SecHCI Most users wish the identification procedure can be fini
shed within 1 minute Most users think security and usability should be balan
ced in the design of secure human-computer identification
Summary: a good SecHCI must balance security and usability, and the consuming time for one identification should be <= 1 minute.
3. SecHCI: General Model 3.1 Fundamentals
SecHCI should be a challenge-response protocol with time-variant parameters like the following one.
Define SecHCI as a HCIP – human-computer interactive protocol (H,C) with auxiliary input. The transcript between H and C is T(H(x), C(y)), and the output of the protocol is <H(x), C(y)>, which is in the set {accept, reject, }, where means H find C is a fake verifier.
3. SecHCI: General Model3.2 What is SecHCI?
Completeness A HCIP is complete if Pr[<H(z),C(z)>=accept]1-Pc.
Soundness A HCIP is sound if Pr[<H(x),C(y)>=accept]Ps.
(, , )-Human-Only Executability (HOE) A HCIP is (, , )-human-only executable if any T(H
(x),C(y)) can be carried by (1-) population with the error probability , and can be finished within seconds.
A SecHCI is a HCIP satisfying completeness and soundness, and (, , )-HOE with acceptable parameters.
3. SecHCI: General Model3.3 Definitions of Security
(p, k)-security against passive peeping attack Pr[<AA(Tk(H(z),C(z))), C(z)>=accept]p, where AA denot
es adversaries observe k random sampled identifications.
(p, k)-security against active peeping attack Pr[<AA(Tk(H(z),C(z))), C(z)>=accept]p, where AA denot
es adversaries observe k chosen identifications.(q, k)-human sensitivity (consciousness) to fake verifiers Pr[<H(z),C(z,AA(Tk(H(z),C(z))))>=]1-q, where C(z,AA
(Tk(H(z),C(z)))) denotes the fake verifier by AA.
3. SecHCI: General Model3.4 Security in the Real World
Basic Attacks Random response attack (soundness) Brute force (exhaustive) attack Dictionary attack
Peeping Attacks Store-and-replay attack Intelligent off-line password attack
Differential attack / Deduction-based attack / Intersecting attack Multi-onlooker peeping attack
Advanced Attacks Partially-known password attack Malicious administrator attack Denial-of-Logon attack
4. A Comprehensive Survey4.1 Matsumoto-Imai Protocol
Matsumoto-Imai protocol [EuroCrypt’91] An simple example to show the basic idea: ={1,2,…,
9,0}, ={1,2,…,8}, the password is ={1,2,4,6}, ={1,2,3,4}, W=3124. Assume =#()=8 and =#()=4, the challenge q is a bijection from to , and the response is a -length word a=(a1,…,a) whose characters are all in . The accepted responses should satisfy the following requirement: extract all characters in q and also in , and record their order in q to compose a list f=(f1,…,f), then i=1~, af(i)=W(i).
4. A Comprehensive Survey4.1 Matsumoto-Imai Protocol
Security problems Only one observation is enough to know . This protocol cannot resist “replay challenge
attack” (an active peeping attack). Only several observations is needed to decrypt and then find W. [C.-H. Wang et al. EuroCrypt’95]
In passive peeping attack, the number of observations is also rather small.
C.-H. Wang et al. proposed a modified version, but whose usability is too poor.
4. A Comprehensive Survey4.2 Matsumoto Protocols
Matsumoto Protocol 0 [ACM CCS’96] Fs is a finite field of order s.
The password is u vectors k1~ku, where ki is v-dimensional vector in Fsv.
The challenge is a non-zero v-dimensional vector qi in Fsv-{0}; the response ai is a element in Fs.
If i=1~u, ai=qiki, the user is accepted.
Matsumoto Protocol 1 and 2 [ACM CCS’96] Non-essential variants of Protocol 0.
4. A Comprehensive Survey4.2 Matsumoto Protocols
Usability Issues Protocol 1 can make implementations easier. Protocol 2 can provide a better trade-off between securi
ty and usability. Some graphical implementations of Protocol 1 and 2 ar
e given in Matsumoto’s paper.
Security Issues To break the password, only O(u) observations are need
ed for both passive and active peeping attack.
4. A Comprehensive Survey4.3 Hopper-Blum Protocols
Hopper-Blum Protocol 1 [AsiaCrypt’2001] The password is a (0,1)-vector x{0,1}n whose
weight is k. The challenge is also a (0,1)-vector c{0,1}n. T
he response r is 0 or 1. For total m challenge, if r=cx holds for at least
(1-)m challenges, the user is accepted.
4. A Comprehensive Survey4.3 Hopper-Blum Protocols
Security Issues Hopper-Blum Protocol 1 cannot resist replay
challenge attack (active peeping attack).
Some Errors and More Problems The result of Theorem 1 is wrong. The masquerading probability of random
response attack is slightly overestimated. Paradox exists between security and usability,
especially on the value of k.
4. A Comprehensive Survey4.3 Hopper-Blum Protocols
Hopper-Blum Protocol 2 [AsiaCrypt’2001] Basically, Protocol 2 is similar to Protocol 1 wit
h two chief modifications. Modification 1: the response is calculated with
sum of k mins. Modification 2: the linear error-correcting mech
anism is introduced to avoid malicious change of legal challenges.
4. A Comprehensive Survey4.3 Hopper-Blum Protocols
Merits Protocol 2 can resist active peeping attack. Protocol 2 has 0.1-human sensitive to fake
verifiers.
Problems Usability of Protocol 2 is even more poor than
Protocol 1. Some problems in Protocol 1 still exist in
Protocol 2.
4. A Comprehensive Survey4.4 HumanOIDs@CMU
HumanAut@CMU An image-based SecHCI, n images are involved and n/
2 images compose the password. A non-essential variant of Hopper-Blum Protocol 1. Th
e challenge is always a vector with fixed weight. Usability is poor when n is too large.
Pass-Rules You can freely change all n images. Then you can use some meaningful features of the n/2
pass-images to remember so many pictures.
4. A Comprehensive Survey4.4 HumanOIDs@CMU
PhoneOIDs@CMU PhoneOIDs is “challenge-response protocols fo
r use over the phone”, which means SecHCI protocols of two parties with limited computation capabilities.
Many PhoneOIDs have been proposed, but all are insecure.
5. Other Related Works5.1 Visual/Graphical Passwords
Selective pictures based passwords PassfaceTM: In each round, select your pass-face from 9
candidate faces. Déjà Vu: Select m portfolio images from n candidate i
mages.Point-and-click passwords PassPic: Click your pass-positions with your pass-order Graphical Password Windows in Passlogix v-GOTM SS
O: Click several things to construct your password.Drawing-based passwords Draw-a-Secret (DAS): Draw your pass-strokes on a m
n grid.
5. Other Related Works5.2 CAPTCHAs
CAPTCHA stands for “Completely Automated Public Turing Test to Tell Computers and Humans Apart”, also called Reverse Turing Test by some researchers.The chief application of CAPTCHA is to foil malicious online robots, and can also be used to relax the security against random response attack in SecHCI protocols.The first paper on CAPTCHA occurred in 1996 (by M. Naor). The first implementation of CAPTCHA is designed in 1997. The initial booming of interests on CAPTCHAs is promoted by the occurrence of Gimpy, a CAPTCHA designed by M. Blum et al. at CMU in 2000. Now a CAPTCHA project is supported by Aladdin Center of CMU.
5. Other Related Works5.2 CAPTCHAs
Distorted texts based CAPTCHAs Gimpy@CMU Another Gimpy-like CAPTCHA@AltaVista Pessimal print
Visual pattern based CAPTCHAs Bongo@CMU
Image based CAPTCHAs PIX@CMU CAPTCHAs based on image search problem More image processing techniques can be used to distor
t involved images
5. Other Related Works5.2 CAPTCHAs
Sound/Speech based CAPTCHAs Sounds@CMU Byan@CityUHK
Text-only CAPTCHAs Impossibility of text-only CAPTCHAs under si
x assumptions “Find the Bogus Word”
Chinese CAPTCHAs?
5. Other Related Works5.3 More Topics on HIPs
HIP means “Human Interactive Proof”, which covers many topics, such as SecHCI protocol, CAPTCHA, and visual/graphical password.
There is a HIP project at Aladdin Center of CMU to support research and product transfer of theoretical results.
5. Other Related Works5.3 More Topics on HIPs
Formal Studies on Security and Complexity of HIPsComputer Vision and HIPsBiometricsVisual CryptographyHuman-Error-Tolerant Passwords (or Fuzzy Commitment)Other Sides?
5. Other Related Works5.4 ZK Identification Protocol
Many Zero-Knowledge based identification protocols have been proposed. The basic idea used in ZK protocols may be useful for the design of SecHCI protocols.
The general model of ZK identification protocols: 1) P=>V: a public (random) witness; 2) V=>P: a (random) challenge; 3) P=>V: a response (dependent on the witness and the challenge).
6. Our Opinion on SecHCI6.1 A Comparison
By security against passive peeping attack Matsumoto-Imai Protocol < Matsumoto Protocols <
Hopper-Blum Protocol 2 < Hopper-Blum Protocol 1;By security against active peeping attack Matsumoto-Imai Protocol < Matsumoto Protocols <
Hopper-Blum Protocol 1 < Hopper-Blum Protocol 2;By usability Hopper-Blum Protocol 2 < Matsumoto-Imai Protocol <
(0,1)-version of Hopper-Blum Protocol 1 decimal version of Hopper-Blum Protocol 1 Matsumoto Protocols.
6. Our Opinion on SecHCI6.2 Our Opinion
Three principles Intentional errors Redundancies Balance
Two desired requirements The password length <= 16 The identification time <= 1 minute.
6. Our Opinion on SecHCI6.3 A Prototype Protocol
Following our opinions on SecHCI, we can give a prototype protocol as follows The password is a (0,1)-vector x{0,1}n whose
weight is k. The challenge is 2m (0,1)-vectors c1,…,c2m {0,
1}n. The response is 2m bits r1,…r2m. If i=1~m, (r2i-1-c2i-1x)+(r2i-c2ix)=1 (mod 2), t
hen the user is accepted. Such a protocol may be OK as a new solution o
f SecHCI.