
REU Summer Research in Computer Security

Phillip G. Bradford, Computer Science Department, The University of Alabama.


Presentation Transcript


  1. REU Summer Research in Computer Security Phillip G. Bradford Computer Science Department The University of Alabama

  2. Outline • Goals • Motivation • The Challenge • Visual Authentication for Small Wireless Devices • Built in Java 2 • Target to have it ported to J2ME Computer Security: Summer 2003

  3. Objective • My Goal for your Summer • Project Consists of • Research & Design System [1-2 weeks] • Build & Perform Analysis [4-5 weeks] • Tuning and Write Up [3-4 weeks] • Potential Submission to JOSHUA or other venue • Journal of Science and Health at UA

  4. Starting at the Beginning • Computer Passwords • What makes a good password? • For whom? • Easy to recall for the human • Relationship chasing • Easy to guess for the attacker • Dictionary Attacks • Many responses • Check your own users! • Timeouts

  5. Mobile and Wireless Issues • Passwords Hard to type • PDAs are “one-hand” devices • Mobility • Physical Insecurity

  6. Graphical Passwords, Undergrad Project: Sobrado and Birget • Classical Passwords are Alpha-numeric • Often with strong relationship to the user • Easy to define search space • Enlist another human association power • Graphical & visual cognition! • Consider human face recognition • Much security is based on face recognition

  7. Graphical Passwords • Human ability to recognize faces is extraordinary! • Use human ability to recognize faces • Not the computer’s inabilities! • How can we create a password scheme • That builds on Human Face recognition? • See citations in Sobrado and Birget for history and background

  8. Start with a Famous Urn

  9. Define Sequence of Clicks In Specific Places [figure: click points numbered 4, 1, 3, 2]

  10. Pros and Cons • The bad news • “Shoulder Surfing” • Even worse than for typed passwords • The good news • Quick and Easy for humans to process • To Help correct for Shoulder Surfing • Challenge-Response Authentication

  11. Random Scatter-Grams

  12. Challenge-Response Authentication • Alice proves to Bob that she knows their common secret • Without letting an observer know the secret! • This allows us to foil shoulder surfers • It also happens to have both • Important applications, and • Deep theoretical foundations

  13. Project Structure • Read: http://www.ece.cmu.edu/~adrian/projects/validation/validation.pdf • Understand the Challenge • How Strong is a Visual Security System? • 36^10 for length 10 “random” password • From {a,b,…,z; 0,1,2,…,9} • K-common objects from N total • N Choose k; N=1000 and k=10 gives about 36^15

  14. Project Structure • Read: http://www.ece.cmu.edu/~adrian/projects/validation/validation.pdf • Define Small Variable-size Screen • Challenge-Authentication • Using “Random” Hash Function • Geometric Objects • Variable Strength • Testable & Portable

  15. Project Structure • Test-bed for human threshold limits • Can we add “Lamport’s Hash Chain” Technology? • Document Code and Write-up project
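
Slide 15 asks whether Lamport's hash chain could be added to the challenge-response idea of slide 12. The Python sketch below is an added example, not code from the presentation or the project; the class names, the use of SHA-256, and the chain length of 100 are assumptions. It shows the property the slides are after: a response captured by an observer is useless for the next login.

```python
import hashlib
import hmac
import os


def chain(seed: bytes, times: int) -> bytes:
    """Apply the hash `times` times. SHA-256 is an assumption; the slides name no hash."""
    value = seed
    for _ in range(times):
        value = hashlib.sha256(value).digest()
    return value


class Prover:
    """Alice: keeps the seed and reveals chain values in reverse order."""
    def __init__(self, seed: bytes, length: int):
        self.seed, self.remaining = seed, length

    def enrollment_value(self) -> bytes:
        return chain(self.seed, self.remaining)  # sent once, at setup

    def next_response(self) -> bytes:
        if self.remaining == 0:
            raise RuntimeError("chain exhausted; enroll a new seed")
        self.remaining -= 1
        return chain(self.seed, self.remaining)


class Verifier:
    """Bob: stores only the last accepted value, never the seed."""
    def __init__(self, enrollment_value: bytes):
        self.current = enrollment_value

    def verify(self, response: bytes) -> bool:
        # Accept only a preimage of the stored value, then step down the chain.
        if hmac.compare_digest(chain(response, 1), self.current):
            self.current = response
            return True
        return False


def demo() -> dict:
    alice = Prover(seed=os.urandom(32), length=100)  # constructed sample values
    bob = Verifier(alice.enrollment_value())
    first = alice.next_response()
    return {"first_login": bob.verify(first),
            "replayed_by_observer": bob.verify(first),
            "second_login": bob.verify(alice.next_response())}
```

The verifier's stored value can be disclosed without enabling a login, because producing the next response requires inverting the hash.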
