A Graphical PIN Authentication Mechanism with Applications to Smart Cards and Low-Cost devices

Slides: 51
Provided by: wistp207
1
A Graphical PIN Authentication Mechanism with
Applications to Smart Cards and Low-Cost devices
  • Clemente Galdi
  • Università di Napoli Federico II

Luigi Catuogno Università di Salerno
2
Outline
  • Problem overview
  • User authentication
  • Graphical passwords
  • Shoulder surfing attacks
  • Our proposal
  • Deterministic and user randomized schemes
  • Security evaluation
  • Application to device-device authentication

3
User authentication
  • U.A. is a well established area in security
  • Different types of services require different
    levels of security
  • Checking email
  • Withdrawing money at ATMs
  • On-line banking
  • Access to military bases
  • Nuke activation procedures

4
Human authentication
  • If the required level of security is not high
  • Text-based authentication is still the most
    widely used one
  • Username-password
  • Strip/smart-card PIN
  • One Time Password Tokens

5
One time password Authentication through
insecure channels
  • In order to be authenticated, the user has to
    prove that she knows the secret x
  • The system issues a challenge C
  • The user computes the proof $P = F(x, C)$
  • Often the user computes $F()$ by means of a personal
    crypto-device
  • The user sends $P$ to the system
  • The system verifies the proof, etc.

6
Graphical password
  • A one-time password mechanism where
  • The system issues a graphical challenge
  • Often called scene
  • The user computes the proof by means of a cognitive
    function of what she sees on the screen
  • without the aid of any external device

7
Cognitive functions
  • Image recognition
  • Image position recognition
  • Answering simple queries about the scene
  • Repeating a sequence of actions in a scene

8
PassFaces (www.realusers.com)
  • The system chooses three passfaces for the user

9
PassFaces/2
  • During the logon, the system shows the user
    three scenes, each one containing one of the user's
    passfaces
  • The user has to recognize her passfaces in each
    scene
  • The user selects the passfaces by
  • Mouse clicks,
  • Tapping with the stylus

10
A useful application
  • Everybody uses ATM and POS terminals everyday.
  • PINs and passwords are frequently subject to
    attacks and frauds
  • PINs are not user-friendly
  • Graphical PINs could be a good improvement

11
The Problem
12
The Problem
13
But
14
But..
  • Many G.P. schemes require non-trivial
    visualization and pointing devices
  • ATM machines, POS terminals, Cellular phones.
  • Small sized and low resolution displays
  • No pointing devices (mouse, touch screen)
  • Poor computational resources (slow processors,
    small memory)

15
Requirements
  • The authentication scheme should be independent
    of the specific set of objects
  • Improves (human) usability
  • Allows adaptation to device-device
    authentication
  • (Very) Low computational overhead
  • The user should only recognize objects
  • No need of crypto-devices
  • Resiliency to eavesdropping

16
Basic Idea
  • Objects
  • Let $k, a$ be two integers and $q = ka$
  • Let $O = \{o_1, o_2, \ldots, o_q\}$ be a set of $q$ objects
  • Secret
  • A secret is an object in $O$
  • Challenge
  • Partition the objects in $O$ into $a$ distinct sets,
    each containing $k$ objects
  • Visualize the challenge on a matrix with $a$ rows
    and $k$ columns
  • Response
  • The row number containing the secret object.

17
Naïve Protocol
  • Secret
  • Let $m$ be an integer
  • Let $s = (s_1, s_2, \ldots, s_m)$ be a sequence of $m$ objects
  • There exist $q^m$ possible secrets
  • Response
  • The sequence of m indices of the rows containing
    the m objects

18
http://www.dia.unisa.it/GRAPE
A prototype
19
GRAPE/2
  • Handles authentication by means of a numerical
    one-time PIN
  • The graphical challenge is composed of
    low-resolution objects
  • Challenge generation and proof validation require
    few computational resources

20
GRAPE/3
  • The user's secret is a sequence of queries of the
    form
  • On which row is the object x?
  • Where the object x is a geometrical shape like
  • Purple full rectangle
  • Red empty rectangle
  • White empty hexagon

21
GRAPE/4
The user types the PIN here, each digit is the
row number of the corresponding object
34643
22
GRAPE/5
  • The graphical challenge can be effectively
    visualized both through cheap and small-sized
    displays and through hi-res monitors
  • The user response can be composed through a
    numeric keypad as well as through other
    sophisticated pointing devices
  • Challenge generation and proof validation are
    affordable for small devices (e.g. smart-cards
    and old-fashioned cell phones)
  • The user is simply required to recognize the
    position of some objects on the screen

23
GRAPE/6
  • Naive protocol
  • The user answers all the $m$ queries correctly
  • Randomized protocol: Correct or random
  • The user answers at least $m-r$ queries
    correctly
  • The user answers $r$ queries randomly
  • Randomized protocol: Correct or wrong
  • The user answers exactly $m-w$ queries correctly
  • The user answers $w$ queries wrongly

24
Security Evaluation
  • Basic assumption
  • Three unsuccessful trials lead to the account
    being blocked
  • Blind attacks
  • Prob. of guessing an authentication secret
  • Needs to be reasonably low
  • Recording attacks (eavesdropping)
  • Gaining access to a service after analyzing a
    number of transcripts

25
Naïve protocol
  • Blind attack success probability
  • $a$ = number of rows in the matrix
  • $m$ = secret length
  • $p = 1/a^m$
  • The value of $a$ cannot be too high!
  • If $a = 4$ and $m = 7$, success prob. $< 10^{-5}$
  • The number of rows in the matrix should be low

26
Naïve protocol
  • Attack goal
  • Secret extraction.
  • The user needs to answer all the queries
    correctly
  • Assuming three unsuccessful trials block the
    system

27
Naïve protocol
  • Attack description: the adversary
  • is provided with as many transcripts as she wants
  • associates to each object $m$ counters
  • one for each component in the secret
  • For each transcript (challenge, response),
    increases the counter for all the objects in the
    row corresponding to the user answer
  • Stops when, for each component of the secret,
    there exists one object with maximum counter
  • This attack always recovers the user secret!

28
Naïve Protocol
  • Average number of transcripts, $m = 15$

29
Naïve Protocol
  • Average number of transcripts ($a = 2$)

30
Naïve Protocol
  • We can derive that the average number of
    transcripts needed to recover the secret
    increases if
  • The number of rows (a) in the challenge decreases
  • The length of the secret (m) increases
  • The number of objects (q) increases
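
To evaluate how quickly the naive protocol leaks under the counting analysis described on the slides above, the following added example (not code from the presentation or from GRAPE) simulates it. Objects are modelled as integers, and the function names, q = 36 and the seeded random generator are assumptions made for illustration.

```python
import random
from statistics import mean

def make_challenge(q, a, rng):
    """Partition objects 0..q-1 into a rows of k = q // a objects each."""
    objs = list(range(q))
    rng.shuffle(objs)
    k = q // a
    return [set(objs[r * k:(r + 1) * k]) for r in range(a)]

def respond(challenge, secret):
    """Naive protocol: one row index per component of the secret."""
    return [next(r for r, row in enumerate(challenge) if s in row) for s in secret]

def transcripts_until_leak(q, a, m, rng, limit=1000):
    """Sessions observed until every component has a unique top counter."""
    secret = [rng.randrange(q) for _ in range(m)]
    counters = [[0] * q for _ in range(m)]      # m counters per object
    for t in range(1, limit + 1):
        challenge = make_challenge(q, a, rng)
        for j, row in enumerate(respond(challenge, secret)):
            for obj in challenge[row]:
                counters[j][obj] += 1
        # a component is pinned down once a single object holds the maximum
        if all(col.count(max(col)) == 1 for col in counters):
            return t, [col.index(max(col)) for col in counters] == secret
    return limit, False

def average_sessions(q, a, m, runs=200, seed=1):
    """Mean number of observed sessions over `runs` simulated users."""
    rng = random.Random(seed)
    return mean(transcripts_until_leak(q, a, m, rng)[0] for _ in range(runs))

if __name__ == "__main__":
    for a in (2, 3, 4, 6):
        print(f"q=36 a={a} m=5: {average_sessions(36, a, 5):.1f} sessions on average")
```

Fewer rows and longer secrets raise the number of sessions an eavesdropper needs, but only by a handful, which is the trend the slide states.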

31
Correct-random blind attack
  • In the following
  • $c$ = number of correct answers
  • $m$ = secret length

32
Correct-random blind attack
  • The number $c$ of correct answers must be greater
    than $m/a$
  • Otherwise blind attack is easy!
  • Example
  • Let $a = 2$ and $c = m/3$.
  • Authentication is granted if the user correctly
    guesses at least $m/3$ components of the secret
  • The adversary can randomly guess with high
    probability $m/2$ correct answers

33
User-randomized protocols
  • In user-randomized protocols the counting
    attack does not work anymore.
  • Due to randomization, objects with high frequency
    might not belong to the secret
  • We need to modify the attack strategy

34
User-randomized protocols
  • Attack description: the adversary
  • is provided with t transcripts
  • associates to each object m counters
  • one for each component in the secret
  • For each transcript, increases the counter for
    the objects in the row corresponding to the user
    answer
  • Outputs the objects with maximum value for the
    counters.
  • Output classification
  • Good: contains all the $m$ objects in the secret
  • Valid: contains at least $c$ objects from the
    secret
  • Wrong: contains fewer than $c$ objects from the
    secret

35
Correct-random
  • Percentage of good and valid secrets

36
Correct-wrong blind attack
  • In the following
  • $c$ = number of correct answers
  • $m$ = secret length

37
Correct-wrong
  • In the correct-wrong case, there is no trivial
    limit on the number of wrong answers
  • The user needs to
  • answer exactly $c$ queries correctly and
  • give wrong answers to exactly $m-c$ queries.
  • If $c$ is too low, blind attack still has a high
    success probability, but strictly less than 1.
  • E.g., $m = 15$, $r = 8$, $a = 2$ $\rightarrow$ $p(\text{succ}) = 0.19$
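
For choosing $c$, $m$ and $a$, the blind-guess probabilities discussed on the slides above can be computed directly. This is an added example, not part of the presentation; the function names are assumptions, and `within_trials` assumes each attempt faces a fresh challenge, so attempts are independent.

```python
from math import comb

def p_naive(a, m):
    """Naive protocol: all m row indices must be right, each with prob 1/a."""
    return (1 / a) ** m

def p_exactly(a, m, c):
    """Correct-or-wrong: exactly c right answers and m - c wrong ones."""
    return comb(m, c) * (1 / a) ** c * (1 - 1 / a) ** (m - c)

def p_at_least(a, m, c):
    """Correct-or-random: at least c right answers among the m given."""
    return sum(p_exactly(a, m, i) for i in range(c, m + 1))

def within_trials(p, trials=3):
    """Chance that at least one of `trials` guesses passes before lockout."""
    return 1 - (1 - p) ** trials

if __name__ == "__main__":
    # correct-or-wrong with m = 15, 8 wrong answers (so c = 7), a = 2
    print(f"correct-wrong  m=15 c=7 a=2: {p_exactly(2, 15, 7):.3f}")
    # correct-or-random with a = 2 and c = m/3: guessing passes almost always
    print(f"correct-random m=15 c=5 a=2: {p_at_least(2, 15, 5):.3f}")
    # effect of the three-trial lockout on the correct-wrong figure
    print(f"same, three trials         : {within_trials(p_exactly(2, 15, 7)):.3f}")
```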

38
Correct-wrong
  • Percentage of good and valid secrets does not
    strongly depend on q

39
Correct-wrong
  • Percentage of good and valid secrets strongly
    depends on a
  • If $a = 2$ the adversary might not be able to extract
    a valid secret

40
Correct-wrong
  • Percentage of good and valid secrets strongly
    depends on r

41
A variation
  • Assume the user needs to answer a specific set of
    queries correctly
  • User and terminal share also a common sequence,
    e.g., generated by a PRNG.
  • Let $a = 2$
  • Blind attack success probability becomes
    $(1/2)^c (1 - 1/2)^{m-c} = 1/2^m$
  • In this case it is possible to use $r = m/2$
  • The adversary does not manage to extract even a
    valid sequence.

42
A variation
  • Why?
  • Intuitively
  • $P(\text{counter increased}) = 1/2$ for every object,
    independently of whether it belongs to
    the secret or not!
  • The counting attack fails.
  • It focuses on the single components of the secret
  • It does not consider that
  • in every transcript there exist exactly $c$
    correct answers
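
The intuition above can be checked empirically. The following added example (not from the presentation) measures, for the first component of the secret, how often the secret object and an unrelated object fall in the answered row; the shared sequence is modelled, as an assumption, by drawing $c$ positions at random each session, and all names are illustrative.

```python
import random

def make_challenge(q, rng):
    """Two rows (a = 2): shuffle objects 0..q-1 and split them in half."""
    objs = list(range(q))
    rng.shuffle(objs)
    return [set(objs[:q // 2]), set(objs[q // 2:])]

def hit_rates(q, m, c, sessions, seed=1):
    """Fraction of sessions in which an object sits in the answered row.

    Returns (secret_rate, decoy_rate) for component 0 of the secret.
    With c == m every answer is correct, i.e. the naive protocol.
    """
    rng = random.Random(seed)
    secret = rng.sample(range(q), m)
    decoy = next(o for o in range(q) if o != secret[0])
    secret_hits = decoy_hits = 0
    for _ in range(sessions):
        rows = make_challenge(q, rng)
        # shared sequence (assumed model): the c positions answered correctly
        correct = set(rng.sample(range(m), c))
        true_row = 0 if secret[0] in rows[0] else 1
        # with two rows, a wrong answer is simply the other row
        answered = true_row if 0 in correct else 1 - true_row
        secret_hits += secret[0] in rows[answered]
        decoy_hits += decoy in rows[answered]
    return secret_hits / sessions, decoy_hits / sessions

if __name__ == "__main__":
    print("naive     (c = m)  :", hit_rates(36, 14, 14, 4000))
    print("variation (c = m/2):", hit_rates(36, 14, 7, 4000))
```

In the naive case the secret object's counter rises every session while the other object's rises about half the time; in the variation both rise about half the time, so a per-object counter no longer separates them.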

43
A SAT-based attack
  • Write a boolean formula whose truth assignment
    corresponds to the user secret
  • Associate to each object $o_i \in O$ $m$ boolean variables
    $x_{i,1}, \ldots, x_{i,m}$
  • Let $C$ be a challenge consisting of $a = 2$ rows
  • Let $(i_1, \ldots, i_p)$ be the indices of the objects on
    the first row
  • Let $(i_{p+1}, \ldots, i_q)$ be the indices of the objects on
    the second row

44
A SAT-based attack
  • The j-th component of the secret belongs to one
    of the two rows of the challenge.

45
A SAT-based attack
  • Let
  • ?(?1,, ?m) be a single user reply
  • $A_m = \{a = (a_1, \ldots, a_m) \in \{0,1\}^m : w(a) = m/2\}$
  • $a_i = 0 \rightarrow$ the $i$-th answer is correct.
  • The following formula is satisfiable
  • There exists one $a \in A_m$ such that the $j$-th
    component of the secret is in row ?j?aj for $j = 1, \ldots, m$

46
A SAT-based attack
  • Extending the formula to k transcripts, it is
    possible to show that the following formula is
    satisfiable
  • Note ?(k) are formulae over the same literals

47
A SAT-based attack
  • Finally, since for each component, there exists
    exactly one object
  • So ???? is satisfiable and its truth assignment
    corresponds to the user secret.

48
What about devices
  • The proposed scheme is not limited to human
    authentication.
  • Simply modify the set of objects to a list of
    numbers/strings.
  • The device needs to recognize binary strings
  • If a device (smart card/RFID) is able to run a
    PRNG
  • The device can authenticate the reader
  • Need to generate the challenge
  • Instead of being authenticated by a reader.
  • It can implement the variant of our scheme
  • Or store a list of sequences

49
Usability evaluation
  • Average login time
  • Error rate

50
Conclusions
  • Presented an authentication mechanism
    implementable by humans and devices
  • Counting attacks lead to (valid) secret
    extraction in reasonable time
  • 10-12 sessions for naïve protocol
  • Up to 36 for correct-wrong
  • To be done.
  • Implement the SAT based attack
  • The size of the formula is exponential in the
    secret length