REU Summer Research in Computer Security Phillip G. Bradford Computer Science Department The University of Alabama
Outline • Goals • Motivation • The Challenge • Visual Authentication for Small Wireless Devices • Built in Java 2 • Target to have it ported to J2ME Computer Security: Summer 2003
Objective • My goal for your summer • The project consists of: • Research & design the system [1-2 weeks] • Build & perform analysis [4-5 weeks] • Tuning and write-up [3-4 weeks] • Potential submission to JOSHUA (the Journal of Science and Health at UA) or another venue
Starting at the Beginning • Computer passwords • What makes a good password? For whom? • Easy to recall for the human, which usually means it relates to the user • Attackers chase exactly those relationships (names, dates, hobbies) • Easy to guess for the attacker: dictionary attacks • Many responses: check your own users' passwords against the same dictionaries before the attacker does; add timeouts or lockouts after repeated failed attempts
Mobile and Wireless Issues • Passwords are hard to type: PDAs are "one-hand" devices • Mobility: the device is used in public, in front of onlookers • Physical insecurity: the device itself is easily lost or stolen
Graphical Passwords (Undergrad Project: Sobrado and Birget) • Classical passwords are alphanumeric • Often with a strong relationship to the user • Easy to define the search space • Instead, enlist another human associative power: graphical and visual cognition • Consider human face recognition: much real-world security is based on recognizing faces
Graphical Passwords • The human ability to recognize faces is extraordinary! • Use the human ability to recognize faces • Not the computer's inabilities! • How can we create a password scheme that builds on human face recognition? • See the citations in Sobrado and Birget for history and background
Start with a Famous Urn [slide shows the image of the urn]
Define a Sequence of Clicks in Specific Places [slide shows the urn with the click targets numbered 1 to 4]
Pros and Cons • The bad news: "shoulder surfing" • Even worse than for typed passwords, since an onlooker sees where on the picture you click • The good news: quick and easy for humans to process • To help correct for shoulder surfing: challenge-response authentication
Random Scatter-Grams [slide shows objects scattered at random screen positions]
Challenge-Response Authentication • Alice proves to Bob that she knows their common secret • Without letting an observer learn the secret! • This allows us to foil shoulder surfers • It also happens to have both • Important applications, and • Deep theoretical foundations
Project Structure • Read: http://www.ece.cmu.edu/~adrian/projects/validation/validation.pdf • Understand the challenge • How strong is a visual security system? • 36^10 possibilities for a length-10 "random" password over {a,b,…,z; 0,1,2,…,9} • The user's k pass-objects chosen from N objects in total: N choose k; N=1000 and k=10 gives about 36^15
Project Structure • Read: http://www.ece.cmu.edu/~adrian/projects/validation/validation.pdf • Define a small, variable-size screen • Challenge-response authentication • Using a "random" hash function • Geometric objects • Variable strength • Testable & portable
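The two slides above ask how strong a visual secret is and how a challenge-response round over randomly scattered geometric objects would work. The simulation below is an added example written for this page, not code from the project or from Sobrado and Birget; it assumes the rule used in their scheme (the user clicks anywhere inside the convex hull of their pass-objects, never on a pass-object itself), and the screen size, object count, secret and round count are constructed values. It also computes the "N choose k versus 36^10" comparison from the slide.

```python
import math
import random

# Constructed toy parameters (assumptions for this example, not values from the slides).
N_OBJECTS = 60            # icons scattered on the screen each round
SCREEN_W = SCREEN_H = 1000
ROUNDS = 5                # independent challenges per login


def search_space(n, k):
    """Number of possible k-object secrets among n objects: n choose k."""
    return math.comb(n, k)


def equivalent_length(n, k, alphabet=36):
    """Length of a uniformly random password over `alphabet` symbols whose
    search space equals n choose k (the slide's comparison with 36^10)."""
    return math.log(math.comb(n, k)) / math.log(alphabet)


def convex_hull(points):
    """Andrew's monotone chain; hull vertices in counter-clockwise order."""
    pts = sorted(set(points))
    if len(pts) <= 2:
        return pts

    def cross(o, a, b):
        return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])

    lower, upper = [], []
    for p in pts:
        while len(lower) >= 2 and cross(lower[-2], lower[-1], p) <= 0:
            lower.pop()
        lower.append(p)
    for p in reversed(pts):
        while len(upper) >= 2 and cross(upper[-2], upper[-1], p) <= 0:
            upper.pop()
        upper.append(p)
    return lower[:-1] + upper[:-1]


def inside_hull(point, hull):
    """True if `point` lies inside or on the boundary of a CCW convex polygon."""
    if len(hull) < 3:
        return False          # degenerate hull (collinear objects) has no area to click into
    for i, a in enumerate(hull):
        b = hull[(i + 1) % len(hull)]
        if (b[0] - a[0]) * (point[1] - a[1]) - (b[1] - a[1]) * (point[0] - a[0]) < 0:
            return False      # point is to the right of edge a->b, i.e. outside
    return True


def make_challenge(rng, n=N_OBJECTS):
    """Verifier side: a fresh random scatter-gram, object id -> screen position."""
    return {obj: (rng.randrange(SCREEN_W), rng.randrange(SCREEN_H)) for obj in range(n)}


def honest_prover(secret):
    """Prover side: click the centroid of the pass-objects, which is always inside
    their convex hull, so no pass-object is ever pointed at directly."""
    def respond(challenge):
        xs = [challenge[o][0] for o in secret]
        ys = [challenge[o][1] for o in secret]
        return (sum(xs) / len(xs), sum(ys) / len(ys))
    return respond


def blind_guesser(rng):
    """Shoulder surfer who learned nothing usable: clicks uniformly at random."""
    return lambda challenge: (rng.uniform(0, SCREEN_W), rng.uniform(0, SCREEN_H))


def verify(challenge, secret, click):
    """Verifier side: accept iff the click is in the hull of the pass-objects."""
    return inside_hull(click, convex_hull([challenge[o] for o in secret]))


def authenticate(secret, responder, rounds=ROUNDS, seed=0):
    """Run `rounds` challenge/response exchanges; every one must pass."""
    rng = random.Random(seed)
    for _ in range(rounds):
        challenge = make_challenge(rng)
        if not verify(challenge, secret, responder(challenge)):
            return False
    return True


def guessing_success_rate(secret, trials=300, rounds=ROUNDS):
    """Fraction of logins a random clicker passes; about (hull area / screen area)^rounds."""
    rng = random.Random(1)
    wins = sum(authenticate(secret, blind_guesser(rng), rounds, seed=t) for t in range(trials))
    return wins / trials


if __name__ == "__main__":
    secret = [3, 17, 29, 41, 58]   # constructed: the user's five pass-objects
    print(f"{N_OBJECTS} choose {len(secret)} = {search_space(N_OBJECTS, len(secret))}")
    print(f"1000 choose 10 is about 36^{equivalent_length(1000, 10):.1f}")
    print("honest login:", authenticate(secret, honest_prover(secret)))
    print("random-click login rate:", guessing_success_rate(secret))
```

Two things the slides' arithmetic does not show: the per-round guessing probability is set by the hull's share of the screen, not by N choose k, so the round count is what buys strength against a blind guesser, and a single observed click does not name the pass-objects, but an observer who records many sessions can still do statistics on where clicks cluster, which is why the responder above varies nothing and a real prover should not always click the centroid.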
Project Structure • Test-bed for human threshold limits (how many objects and rounds users can handle) • Can we add "Lamport's hash chain" technology? • Document the code and write up the project
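The slide only poses the question of adding Lamport's hash chain; the following is an added example of the chain itself (the one-time-password construction behind S/KEY), not the project's code, so it can be judged against the shoulder-surfing threat above. The hash function (SHA-256), the chain length and the seed are assumptions for this demonstration.

```python
import hashlib
import hmac


def H(data: bytes) -> bytes:
    """The one-way function of the chain (SHA-256 here; the slides name none)."""
    return hashlib.sha256(data).digest()


def make_chain(seed: bytes, n: int) -> list:
    """[h^0(seed), h^1(seed), ..., h^n(seed)]: the client keeps all of it,
    the server stores only the last element."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain


class Server:
    """Holds only the current chain head h^i(seed). Knowing the head reveals
    nothing about earlier links, so a stolen server record is not a login token."""

    def __init__(self, head: bytes, remaining: int):
        self.head = head
        self.remaining = remaining

    def check(self, otp: bytes) -> bool:
        # A valid one-time password is a preimage of the stored head.
        if self.remaining == 0 or not hmac.compare_digest(H(otp), self.head):
            return False
        self.head = otp          # move the head back one link; replaying `otp` now fails
        self.remaining -= 1
        return True


class Client:
    """Regenerates the chain from the seed and reveals links from the top down."""

    def __init__(self, seed: bytes, n: int):
        self.chain = make_chain(seed, n)
        self.index = n           # chain[index] is what the server currently stores

    def enrol_head(self) -> bytes:
        return self.chain[-1]

    def next_otp(self) -> bytes:
        if self.index == 0:
            raise RuntimeError("chain exhausted: re-enrol with a fresh seed")
        self.index -= 1
        return self.chain[self.index]


def simulate(seed: bytes, n: int) -> dict:
    """Walk through the attacks the chain is meant to stop and return the verdicts."""
    client = Client(seed, n)
    server = Server(client.enrol_head(), n)
    first = client.next_otp()
    out = {"login": server.check(first)}
    out["replay_rejected"] = not server.check(first)        # an observer re-sends what he saw
    out["forged_rejected"] = not server.check(H(first))     # hashing forward never gives a preimage
    for _ in range(n - 1):                                   # spend the rest of the chain
        out["login"] = out["login"] and server.check(client.next_otp())
    out["exhausted_rejected"] = not server.check(seed)      # even the true seed fails at remaining == 0
    return out


if __name__ == "__main__":
    # Constructed seed for the demo; real use needs a random, high-entropy seed.
    print(simulate(b"constructed-demo-seed", n=5))
```

The chain defeats a shoulder surfer who records a password, since each link is accepted once and cannot be turned into the next one. The caveat for the visual scheme is the seed: if it were derived from the k pass-objects, anyone who obtains the server's stored head could try all N choose k secrets offline, so the seed has to be independent random state kept on the device, which brings back the physical-insecurity concern from the mobile slide.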