A Graphical PIN Authentication Mechanism with Applications to Smart Cards and Low-Cost devices
Clemente Galdi, Università di Napoli “Federico II”
Luigi Catuogno, Università di Salerno
Outline
• Problem overview
  – User authentication
  – Graphical passwords
  – Shoulder surfing attacks
• Our proposal
  – Deterministic and user randomized schemes
  – Security evaluation
• Application to device-device authentication
User authentication
• U.A. is a well established area in security
• Different types of services require different levels of security
  – Checking email
  – Withdrawing money at ATMs
  – On-line banking
  – …
  – Access to military bases
  – Nuke activation procedures
Human authentication
• If the required level of security is not high
  – “Text-based” authentication is still the most widely used one
    • Username-password
    • Strip/smart-card + PIN
    • One Time Password Tokens
One time password Authentication through insecure channels
• In order to be authenticated, the user has to prove that she knows the secret x
  – The system issues a challenge C
  – The user computes the proof P=F(x,C)
    • Often the user computes F() by means of a personal crypto-device
  – The user sends P to the system
  – The system verifies the proof…etc.
Graphical password
• A one-time password mechanism where:
  – The system issues a graphical challenge
    • Often called “scene”
  – The user computes the proof by means of a cognitive function of what she sees on the screen
    • without the effort of any external device
Cognitive functions
• Image recognition
• Image position recognition
• Answering simple queries about the scene
• Repeating a sequence of actions in a scene
PassFaces (www.realusers.com)
• The system chooses three passfaces for the user
PassFaces/2
• During the logon, the system shows the user three scenes, each one containing one of the user’s passfaces
• The user has to recognize her passfaces in each scene
• The user selects the passfaces by
  – Mouse clicks,
  – Tapping with the stylus
A useful application…
• Everybody uses ATM and POS terminals every day.
  – PINs and passwords are frequently subject to attacks and frauds
  – PINs are not user-friendly
• Graphical PINs could be a good improvement
The Problem
But…
• Many G.P. schemes require non-trivial visualization and pointing devices
• ATM machines, POS terminals, Cellular phones….
  – Small sized and low resolution displays
  – No pointing devices (mouse, touch screen…)
  – Poor computational resources (slow processors, small memory…)
Requirements
• The authentication scheme should be independent from the specific set of objects
  – Improves (human) usability
  – Allows adaptation to device-device authentication
• (Very) Low computational overhead
• The “user” should only “recognize” objects
  – No need of crypto-devices
• Resiliency to eavesdropping
Basic Idea
• Objects:
  – Let $k, a$ be two integers and $q = k \cdot a$
  – $O = \{o_1, o_2, \dots, o_q\}$ be a set of $q$ objects
• Secret:
  – A secret is an object in $O$
• Challenge:
  – Partition the objects in $O$ into $a$ distinct sets, each containing $k$ objects
  – “Visualize” the challenge on a matrix with $a$ rows and $k$ columns
• Response:
  – The row number containing the secret object.
Naïve Protocol
• Secret:
  – Let $m$ be an integer
  – Let $s = (s_1, s_2, \dots, s_m)$ be a sequence of $m$ objects
    • There exist $q^m$ possible secrets
• Response:
  – The sequence of $m$ indices of the rows containing the $m$ objects
http://www.dia.unisa.it/GRAPE
A prototype
GRAPE/2
• Handles authentication by means of a numerical one-time PIN
• The graphical challenge is composed of low-resolution objects
• Challenge generation and proof validation require few computational resources
GRAPE/3
• The user’s secret is a sequence of queries formed like:
  – “On which row is the object x?”
• Where the object x is a geometrical shape like:
  – Purple full rectangle
  – Red empty rectangle
  – White empty hexagon
  – …
GRAPE/4
The user types the PIN here, each digit is the row number of the corresponding object
34643
GRAPE/5
• The graphical challenge can be effectively visualized both through cheap and small-sized displays and through hi-res monitors
• The user response can be composed through a numeric keypad as well as through other sophisticated pointing devices
• Challenge generation and proof validation are affordable for small devices (e.g. smart-cards and old-fashioned cell phones)
• The user is simply required to recognize the position of some objects on the screen
GRAPE/6
• Naive protocol
  – The user correctly answers all the m queries
• Randomized protocol: Correct or random
  – The user correctly answers at least m-r queries
  – The user randomly answers r queries
• Randomized protocol: Correct or Wrong
  – The user correctly answers exactly m-w queries
  – The user wrongly answers w queries
Security Evaluation
• Basic assumption:
  – Three unsuccessful trials lead to block of the account
• Blind attacks:
  – Prob. of guessing an “authentication” secret
  – Needs to be reasonably low
• Recording attacks (eavesdropping):
  – Gaining access to a service after analyzing a number of transcripts
Naïve protocol
• Blind attack success probability
  – a = number of rows in the matrix
  – m = secret length
  – $p = 1/a^m$
    • The value of a cannot be too high!
    • If a=4 and m=7, success prob < $10^{-5}$
  – The number of rows in the matrix should be low
Naïve protocol
• Attack goal:
  – Secret extraction.
  – The user needs to answer correctly to all the queries
  – Assuming three unsuccessful trials block the system
Naïve protocol
• Attack description: The adversary
  – is provided with as many transcripts as she wants
  – associates to each object m counters
    • one for each component in the secret
  – For each transcript (challenge, response), increases the counter for all the objects in the row corresponding to the user answer
  – Stops when, for each component of the secret, there exists one object with maximum counter
• This attack always recovers the user secret!
Naïve Protocol
• Average number of transcripts m=15
Naïve Protocol
• Average number of transcripts (a=2)
Naïve Protocol
• We can derive that the average number of transcripts needed to recover the secret increases if:
  – The number of rows (a) in the challenge decreases
  – The length of the secret (m) increases
  – The number of objects (q) increases
Correct-random: blind attack
• In the following
  – c = number of correct answers
  – m = secret length
$$\sum_{h=c}^{m} \binom{m}{h} \frac{1}{a^{h}} \left(1 - \frac{1}{a}\right)^{m-h}$$
Correct-random: blind attack
• The number c of correct answers must be greater than m/a
  – Otherwise blind attack is easy!
• Example:
  – Let a=2 and c=m/3.
    • Authentication is granted if the user correctly guesses at least m/3 components of the secret
  – The adversary can randomly guess with high probability m/2 correct answers
User-randomized protocols
• In user-randomized protocols the “counting attack” does not work anymore.
  – Due to randomization, objects with high frequency might not belong to the secret
• We need to modify attack strategy
User-randomized protocols
• Attack description: The adversary
  – is provided with t transcripts
  – associates to each object m counters
    • one for each component in the secret
  – For each transcript, increases the counter for the objects in the row corresponding to the user answer
  – Outputs the objects with maximum value for the counters.
• Output classification:
  – Good: Contains all the m objects in the secret
  – Valid: Contains at least c objects from the secret
  – Wrong: Contains fewer than c objects from the secret
Correct-random
Percentage of good and valid secrets
Correct-wrong: blind attack
• In the following
  – c = number of correct answers
  – m = secret length
$$\binom{m}{c} \frac{1}{a^{c}} \left(1 - \frac{1}{a}\right)^{m-c}$$
Correct-wrong
• In the correct-wrong case, there is no “trivial” limit on the number of wrong answers
  – The user needs to
    • answer correctly to exactly c queries and
    • give wrong answers to exactly m-c queries.
• If c is too low, blind attack has still high success probability, but strictly less than 1.
  – E.g., m=15, r=8, a=2 -> p(succ)=0.19
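The blind-attack formulas for the naïve, correct-random and correct-wrong protocols, evaluated exactly. This is an added example, not code from the slides or from GRAPE; the function names are hypothetical, and `within_lockout` assumes the three trials allowed before the account is blocked are independent guesses against fresh challenges.

```python
from fractions import Fraction
from math import comb

def p_naive(a, m):
    """All m rows guessed correctly: 1/a^m."""
    return Fraction(1, a) ** m

def p_correct_random(a, m, c):
    """At least c of m uniformly guessed rows are correct (binomial tail)."""
    p = Fraction(1, a)
    return sum(comb(m, h) * p**h * (1 - p)**(m - h) for h in range(c, m + 1))

def p_correct_wrong(a, m, c):
    """Exactly c of m uniformly guessed rows are correct."""
    p = Fraction(1, a)
    return comb(m, c) * p**c * (1 - p)**(m - c)

def within_lockout(p, trials=3):
    """Assumption: success in at least one of `trials` independent attempts."""
    return 1 - (1 - p) ** trials

def min_correct(a, m, target, trials=3):
    """Smallest c keeping the correct-random blind attack below `target`."""
    for c in range(m + 1):
        if within_lockout(p_correct_random(a, m, c), trials) < target:
            return c
    return None  # even c = m is too weak for these a, m

if __name__ == "__main__":
    # The slide's correct-wrong case: m=15, r=8 wrong answers (c=7), a=2.
    print(float(p_correct_wrong(2, 15, 7)))
    # c = m/3 is below m/a for a=2, so random guessing almost always passes.
    print(float(p_correct_random(2, 15, 5)))
    # Parameter selection: how many answers must be correct for a 1% bound.
    print(min_correct(2, 15, Fraction(1, 100)))
```
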
Correct-wrong
• Percentage of good and valid secrets does not strongly depend on q
Correct-wrong
• Percentage of good and valid secrets strongly depends on a
  – If a=2 the adversary might not be able to extract a valid secret
Correct-wrong
• Percentage of good and valid secrets strongly depends on r
A variation
• Assume the user needs to answer a specific set of queries correctly
  – User and terminal share also a common sequence, e.g., generated by a PRNG.
• Let a=2
• Blind attack success probability becomes $\frac{1}{2^{c}}\left(1 - \frac{1}{2}\right)^{m-c} = \frac{1}{2^{m}}$
• In this case it is possible to use r=m/2
  – The adversary does not manage to extract even a valid sequence.
A variation
• Why?
  – Intuitively:
    • P(counter increased)=1/2 for every object, regardless of whether it belongs to the secret or not!
  – The counting attack fails.
    • It focuses on the single secret’s component
  – Does not consider that:
    • “In every transcript there exist exactly c correct answers”
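A simulation of the scheme's eavesdropping resilience, covering both the counting analysis of the naïve protocol and the intuition given for the variation. This is an added example, not code from the slides or from GRAPE; all function names are hypothetical, objects are modelled as integers, and the shared PRNG is assumed to pick a fresh set of wrong positions in every session.

```python
import random

def make_challenge(q, a, rng):
    """Randomly partition objects 0..q-1 into a rows of k=q/a; return each object's row."""
    objs = list(range(q))
    rng.shuffle(objs)
    k = q // a
    row_of = [0] * q
    for pos, obj in enumerate(objs):
        row_of[obj] = pos // k
    return row_of

def respond(secret, row_of, a, wrong, rng):
    """Row of every secret component; components listed in `wrong` get another row."""
    resp = []
    for j, s in enumerate(secret):
        row = row_of[s]
        if j in wrong:
            row = rng.choice([r for r in range(a) if r != row])
        resp.append(row)
    return resp

def counting_attack(transcripts, q, m):
    """counts[j][o] += 1 whenever object o lies in the row answered for component j."""
    counts = [[0] * q for _ in range(m)]
    for row_of, resp in transcripts:
        for j in range(m):
            for obj in range(q):
                counts[j][obj] += row_of[obj] == resp[j]
    return counts

def simulate(q, a, m, t, w, seed):
    """Return (components the top counters get right, per-component credit rate)."""
    rng = random.Random(seed)          # constructed toy data, no real users
    secret = [rng.randrange(q) for _ in range(m)]
    transcripts = []
    for _ in range(t):
        row_of = make_challenge(q, a, rng)
        # Assumption: the shared PRNG picks fresh wrong positions every session.
        wrong = set(rng.sample(range(m), w))
        transcripts.append((row_of, respond(secret, row_of, a, wrong, rng)))
    counts = counting_attack(transcripts, q, m)
    guess = [max(range(q), key=counts[j].__getitem__) for j in range(m)]
    hits = sum(g == s for g, s in zip(guess, secret))
    return hits, [counts[j][secret[j]] / t for j in range(m)]

if __name__ == "__main__":
    print("naive    :", simulate(q=36, a=2, m=8, t=40, w=0, seed=1))
    print("variation:", simulate(q=36, a=2, m=8, t=2000, w=4, seed=1))
```

With w=0 the true object is credited in every session and stands out; with a=2 and w=m/2 its credit rate sits at about 1/2, the same as every other object, so the top counters carry no information about the secret.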
A SAT-based attack
• Write a boolean formula whose truth assignment corresponds to the user secret
• Associate to each object $o_i \in O$ $m$ boolean variables $x_{i,1}, \dots, x_{i,m}$
• Let C be a challenge consisting of a=2 rows
  – Let $(i_1, \dots, i_p)$ be the indices of the objects on the first row
  – Let $(i_{p+1}, \dots, i_q)$ be the indices of the objects on the second row
A SAT-based attack
• The j-th component of the secret belongs to one of the two rows of the challenge.
$$\varphi_{0,j} = x_{i_1,j} \lor x_{i_2,j} \lor \dots \lor x_{i_p,j}$$
$$\varphi_{1,j} = x_{i_{p+1},j} \lor x_{i_{p+2},j} \lor \dots \lor x_{i_q,j}$$
A SAT-based attack
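• Let $\beta = (\beta_1, \dots, \beta_m)$ be a single user reply
  – $A_m = \{a = (a_1, \dots, a_m) \in \{0,1\}^m \mid w(a) = m/2\}$
    • $a_i = 0$ -> $i$-th answer is correct.
• The following formula is satisfiable:
$$\psi = \bigvee_{(a_1, \dots, a_m) \in A_m} \bigwedge_{j=1}^{m} \left(\varphi_{\beta_j \oplus a_j,\, j} \land \lnot \varphi_{(1-\beta_j) \oplus a_j,\, j}\right)$$
• There exists one $a \in A_m$ such that the $j$-th component of the secret is in row $\beta_j \oplus a_j$ for $j = 1, \dots, m$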
A SAT-based attack
• Extending the formula to k transcripts, it is possible to show that the following formula is satisfiable
• Note: ψ(k) are formulae over the same literals
$$\gamma = \bigwedge_{k=1}^{t} \psi^{(k)}$$
A SAT-based attack
• Finally, since for each component, there exists exactly one object
$$\varepsilon = \bigwedge_{j=1}^{m} \bigvee_{i=1}^{q} \left(\lnot x_{1,j} \land \dots \land \lnot x_{i-1,j} \land x_{i,j} \land \lnot x_{i+1,j} \land \dots \land \lnot x_{q,j}\right)$$
• So = is satisfiable and its truth assignment corresponds to the user secret.
What about “devices”
• The proposed scheme is not limited to human authentication.
  – Simply modify the set of objects to a list of numbers/strings.
  – The device needs to recognize binary strings
  – If a device (smart card/RFID) is able to run a PRNG:
    • The device can authenticate the reader
      – Need to generate the challenge
      – Instead of being authenticated by a reader.
    • It can implement the “variant” of our scheme
      – Or store a list of sequences…
Usability evaluation
• Average login time
• Error rate
Conclusions
• Presented an authentication mechanism “implementable” by humans and devices
• Counting attacks lead to (valid) secret extraction in reasonable time
  – 10-12 sessions for naïve protocol
  – Up to 36 for correct-wrong
• To be done.
  – Implement the SAT-based attack
    • The size of the formula is exponential in the secret length…