Title: A Graphical PIN Authentication Mechanism with Applications to Smart Cards and Low-Cost devices
1A Graphical PIN Authentication Mechanism with
Applications to Smart Cards and Low-Cost devices
- Clemente Galdi
- Università di Napoli Federico II
Luigi Catuogno Università di Salerno
2Outline
- Problem overview
- User authentication
- Graphical passwords
- Shoulder surfing attacks
- Our proposal
- Deterministic and user randomized schemes
- Security evaluation
- Application to device-device authentication
3User authentication
- U.A. is a well established area in security
- Different types of services require different
levels of security - Checking email
- Withdrawing money at ATMs
- On-line banking
-
- Access to military bases
- Nuke activation procedures
4Human authentication
- If the required level of security is not high
- Text-based authentication is still the mostly
used one - Username-password
- Strip/smart-card PIN
- One Time Password Tokens
5One time password Authentication through
insecure channels
- In order to be authenticated, the user has to
prove that she knows the secret x - The system issues a challenge C
- The user compute the proof PF(x,C)
- Often the user compute F() by means a personal
crypto-device - The user sends P to the system
- The system verifies the proofetc.
6Graphical password
- A one-time password mechanism where
- The system issues a graphical challenge
- Often called scene
- The user computes the proof by means a cognitive
function of what she sees on the screen - whithout the effort of any external device
7Cognitive functions
- Image recognition
- Image position recognition
- Answering simple queries about the scene
- Repeating a sequence of actions in a scene
8PassFaces(www.realusers.com)
- The system choses three passfaces for the user
9PassFaces/2
- During the logon, the system shows to the user
three scenes each one containig one of users
passfaces - The user has to recognize her passfaces in each
scene - The user select the passfaces by
- Mouse clicks,
- Tapping by the stylus
10A useful application
- Everybody uses ATM and POS terminals everyday.
- PINs and passwords are frequently subject to
attacks and frauds - PINs are not user-friendly
- Graphical PINs could be a good improvement
11The Problem
12The Problem
13But
14But..
- Many G.P. schemes requires non trivial
visualization and pointing devices - ATM machines, POS terminals, Cellular phones.
- Small sized and low resolution displays
- No pointing devices (mouse, touch screen)
- Poor computational resources (slow processors,
small memory)
15Requirements
- The authentication scheme should be independent
from the specific set of objects - Improves (human) usability
- Allow the adaptation to device-device
authentication - (Very) Low computational overhead
- The user should only recognize objects
- No need of crypto-devices
- Resiliency to eavesdropping
16Basic Idea
- Objects
- Let k,a be two integers and qka
- Oo1,o2,,oq be a set of q objects
- Secret
- A secret is an object in O
- Challenge
- Partition the objects in O into a distinct sets,
each containing k objects - Visualize the challenge on a matrix with a rows
and k columns - Response
- The row number containing the secret object.
17Naïve Protocol
- Secret
- Let m be an integer
- Let s(s1,s2,,sm) be a sequence of m objects
- There exist qm possible secrets
- Response
- The sequence of m indices of the rows containing
the m objects
18http//www.dia.unisa.it/GRAPE
A prototype
19GRAPE/2
- Handles authentication by means of a numerical
one-time PIN - The graphical challange is composed of
low-resolution objects - Challange generation and proof validation require
poor computational resources
20GRAPE/3
- The users secret is a sequence of queries formed
like - On which row is the object x?
- Where the object x is a geometrical shape like
- Purple full rectangle
- Red empty rectangle
- White empty exagon
21GRAPE/4
The user types the PIN here, each digit is the
row number of the corresponding object
34643
22GRAPE/5
- The graphical challenge can be effectively
visualized both through cheap and small-sized
displays and through hi-res monitors - The user response can be composed through a
numeric keypad as well as through other
sophisticated pointing devices - Challenge generation and proof validation are
affordable for small devices (e.g. smart-cards
and old-fashioned cell phones) - The user is simply required to recognize the
position of some objects on the screen
23GRAPE/6
- Naive protocol
- The user correctly answers to all the m queries
- Randomized protocol Correct or random
- The user correctly answers to at least m-r
queries - The user randomly answers to r queries
- Randomized protocol Correct or Wrong
- The user correctly answers to exactly m-w queries
- The user wrongly aswers to w queries
24Security Evaluation
- Basic assumption
- Three unsuccessful trials lead to block of the
account - Blind attacks
- Prob. of guessing an authentication secret
- Needs to be reasonably low
- Recording attacks (eavesdropping)
- Gaining access to a service after analyzing a
number of transcripts
25Naïve protocol
- Blind attack success probability
- anumber of rows in the matrix
- msecret lenght
- p1/am
- The value of a cannot be to high!
- If a4 and m7, success prob lt 10-5
- The number of rows in the matrix should be low
26Naïve protocol
- Attack goal
- Secret extraction.
- The user needs to answer correctly to all the
queries - Assuming three unsuccessful trials block the
system
27Naïve protocol
- Attack description The adversary
- is provided with as many transcripts she wants
- associates to each object m counters
- one for each component in the secret
- For each transcript (challenge, response),
increases the counter for all the objects in the
row corresponding to the user answer - Stops when, for each component of the secret,
there exist one object with maximum counter - This attack always recover the user secret!
28Naïve Protocol
- Average number of transcripts m15
29Naïve Protocol
- Average number of transcripts (a2)
30Naïve Protocol
- We can derive that the average number of
transcripts needed to recover the secret
increases if - The number of rows (a) in the challenge decreases
- The length of the secret (m) increases
- The number of objects (q) increases
31Correct-randon blind attack
- In the following
- cnumber of correct answers
- msecret length
32Correct-randon blind attack
- The number c of correct answers must be greater
than m/a - Otherwise blind attack is easy!
- Example
- Let a2 and cm/3.
- Authentication is granted if the users correcty
guesses at least m/3 components of the secret - The adversary can randomly guess with high
probability m/2 correct answers
33User-randomized protocols
- In user-randomized protocols the counting
attack does not work anymore. - Due to randomization, objects with high frequency
might not belong to the secret - We need to modify attack strategy
34User-randomized protocols
- Attack description The adversary
- is provided with t transcripts
- associates to each object m counters
- one for each component in the secret
- For each transcript, increases the counter for
the objects in the row corresponding to the user
answer - Outputs the objects with maximum value for the
counters. - Output classification
- Good Contains all the m objects in the secret
- Valid Contains at least c objects from the
secret - Wrong Contains less than c objects from the
secret
35Correct-random
- Percentage of good and valid secrets
36Correct-wrong blind attack
- In the following
- cnumber of correct answers
- msecret length
37Correct-wrong
- In the correct-wrong case, there is no trivial
limit on the number of wrong answers - The users needs to
- answer correctly to exactly c queries and
- give wrong answers to exactly m-c queries.
- If c is too low, blind attack has still high
success probability, but strictly less than 1. - E.g., m15, r8, a2 -gt p(succ)0.19
38Correct-wrong
- Percentage of good and valid secrets does not
strongly depend on q
39Correct-wrong
- Percentage of good and valid secrets strongly
depends on a - If a2 the adversary might not be able to extract
a valid secret
40Correct-wrong
- Percentage of good and valid secrets strongly
depends on r
41A variation
- Assume the user needs to answer a specific set of
queries correctly - User and terminal share also a common sequence,
e.g., generated by a PRNG. - Let a2
- Blind attack success probability becomes
1/2c(1-1/2)(m-c)1/2m - In this case it is possible to use rm/2
- The adversary does not manage to extract even a
valid sequence.
42A variation
- Why?
- Intuitively
- P(counter increased)1/2 for every object
independently from the fact that it belongs to
the secret or not! - The counting attack fails.
- It focuses on the single secrets component
- Does not consider that
- In every transcript there exist exactly c
correct answers
43A SAT-based attack
- Write a boolean formula whose truth assignment
corresponds to the user secret - Associate to each object oi?O m boolean variables
xi,1,, xi,m - Let C be a challenge consisting of a2 rows
- Let (i1,,ip) be the indices of the objects on
the first row - Let (ip1,,iq) be the indices of the objects on
the second row
44A SAT-based attack
- The j-th component of the secret belongs to one
of the two rows of the challenge.
45A SAT-based attack
- Let
- ?(?1,, ?m) be a single user reply
- Ama(a1,,am)?0,1m w(a)m/2
- ai0 -gt I-th answer is correct.
- The following formula is satisfiable
- There exists one a?Am such that the j-th
component of the secret is in row ?j?aj for j1,m
46A SAT-based attack
- Extending the formula to k transcripts, it is
possible to show that the following formula is
satisfiable - Note ?(k) are formulae over the same literals
47A SAT-based attack
- Finally, since for each component, there exists
exactly one object - So ???? is satisfiable and its truth assignment
corresponds to the user secret.
48What about devices
- The proposed scheme is not limited to human
authentication. - Simply modify the set of objects to a list of
numbers/strings. - The device needs to recognize binary strings
- If a device (smart card/RFID) is able to run a
PRNG - The device can authenticate the reader
- Need to generate the challenge
- Instead of being authenticated by a reader.
- It can implement the variant of our scheme
- Or store a list of sequences
49Usability evaluation
- Average login time
- Error rate
50Conclusions
- Presented an authentication mechanism
implementable by humans and devices - Counting attacks lead to (valid) secret
extraction in reasonable time - 10-12 sessions for naïve protocol
- Up to 36 for correct wrong
- To be done.
- Implement the SAT based attack
- The size of the formula is exponential in the
secret length