IMAGE-BASED AUTHENTICATION - PowerPoint PPT Presentation

About This Presentation
Title:

IMAGE-BASED AUTHENTICATION

Description:

Image Space (IS) the set of all images used by the IBA system. Individual Image Set (IISa) the set of images that a user Alice (a) chooses to ... – PowerPoint PPT presentation

Number of Views:673
Avg rating:3.0/5.0
Slides: 22
Provided by: manuelb9
Learn more at: https://www.cise.ufl.edu
Category:

less

Transcript and Presenter's Notes

Title: IMAGE-BASED AUTHENTICATION


1
IMAGE-BASED AUTHENTICATION
Richard E. Newman, Piyush Harsh, and Prashant
Jayaraman
  • University of Florida

2
Human Authentication
  • What you are (biometric)
  • What you have (token)
  • What you know (password)

3
Problems with Passwords
  • Meaningful
  • Word of mouth transfer
  • Sticking it near workstation
  • Image-based authentication (IBA) can solve these

4
Definitions
  • Image Space (IS) the set of all images used by
    the IBA system.
  • Individual Image Set (IISa) the set of images
    that a user Alice (a) chooses to authenticate
    herself.
  • Key Image any image in a user's IIS.
  • Presentation Set (PS) the set of images
    presented to Alice (from which the key images
    must be selected) for a given authentication
    attempt.
  • PS_i the ith subset of PS presented to Alice
    during a run PS U PS_i

5
Architecture
  • Authentication User Agent (AUA)
  • Authentication Server (AS)
  • The communication between them is encrypted
    using authenticated Diffie-Hellman
  • The AS is assumed to be a part of the Trusted
    Computing Base

6
Basic Protocol - Initialize
Image Set Selection
  • Alice selects n images (n is set by the
    administrator, Bob)
  • Bob stores the image set at the AS

Presentation Subsets
  • Bob picks one image from IISa and some other
    images from IS-IISa for each PS_i
  • Alice picks the IISa image from each PS_i

7
Basic Protocol - Authenticate
Authentication
  • A?B UsernameAlice
  • B?A Presentation set for Round 1, PS1.
  • A?B Identified image.
  • B?A Presentation set for Round 2, PS2.
  • A?B Identified image.
  • ...
  • B?A Presentation set for Round R, PSR.
  • A?B Identified image.
  • If all R steps are successful, Bob authenticates
    Alice

8
Attacks
  • Image-based authentication is not foolproof
  • The are four points of vulnerability
  • information stored on the AS
  • information sent between the AS and the AUA
  • the output at the AUA
  • the input at the AUA.

9
Keystroke Logging AUA Input
  • Eve can observe or log Alices keystrokes and
    later authenticate herself as Alice.

Counter
  • Display the images in random order
  • - keystrokes are are only meaningful for this
    PS in this display order

10
Shoulder Surfing AUA Output Logging
  • Eve can observe Alices screen (during the
    authentication process)and later authenticate
    herself as Alice.

Counter
  • Display the image when the mouse is over it.
    Otherwise, gray out the image
  • If input is hidden, then which image is selected
    is not known only get PS_is
  • More on PS-based attacks later

11
TEMPEST Attack AUA Output
  • Electromagnetic emanations from the output are
    used to recreate the screen a distance away.

Counter
  • Use contrasting colors that a person can easily
    distinguish, but which look the same to the
    eavesdropper.
  • Blur the images.
  • Add random noise to the images.

12
Brute Force Attack
  • Select every possible combination.
  • Note that dictionary attack is impossible.

Counters
  • Keep IIS and IS large
  • Attack cannot be done offline

13
Frequency Correlation Attack Presentation Sets
Intersection Attack
  • The IS is large, and PS_is are chosen randomly
    (with one image from IIS). Any image that repeats
    across attempts, is very likely to be a part of
    IIS

Logic Attack
  • If the PS is the same (but not PS_is) in every
    attempt, using logic, within a small number of
    authentication attempts the attacker can narrow
    down the IIS to one or a few subsets from the PS.

14
Countering Frequency Correlation Attacks
Decoy Screens
  • A decoy screen is image grid consisting of images
    none of which are part of the users IIS. The
    user has to select none of the above to succeed
    in those rounds.
  • Make use of x rounds of decoy screens and y
    (yltn) rounds or screens with images from user
    image set.

15
Countering Frequency Correlation Logic Attacks
Image Buckets
  • The IS can be partitioned into groups of images
    called image buckets. When an image from the IIS
    is displayed, all of the other images in the
    image bucket to which this image belongs will
    also be shown.
  • The intersection of the images displayed will
    never decrease.

16
Leaking Image Set Size
  • The size of the image set is equal to the number
    of rounds.
  • Correlation between the Image set size and the
    number of rounds may be blurred

Randomized number of rounds
  • The number of rounds is randomized according to a
    bounded normal distribution.
  • The mean number of rounds and the variance can be
    changed as necessary.

17
Implementation Issues
Image Set Storage
  • If the images are randomized, only the seed for
    each image need be stored
  • Otherwise, entire IS needs to be stored

Security Implications
  • AS must store each users IIS.
  • If the AS is compromised, the IIS of every user
    can be obtained.
  • The scheme depends on the impenetrability of the
    AS

18
Key Strength
  • If K images per display may be selected, then
    with R rounds and PS_iN we obtain an
    equivalent key size of KS R log (C(N,K)) .
  • If K1 thenKS R log (N)

19
Equivalent key bits for N16 images/round
20
Equivalent key bits per key image
21
Conclusions
  • IBA is in its infancy
  • IBA is more user-friendly
  • It is difficult to share IBA image sets without
    showing the person the images
  • IBA offers an alternative to passwords that my be
    attractive for some situation
  • Asymmetric bandwidth
  • Poor user input capability
  • Protection at AS still an issue
Write a Comment
User Comments (0)
About PowerShow.com