Breaking Undercover: Exploiting Design Flaws and Nonuniform Human Behavior
Toni Perković (1), joint work with Asma Mumtaz (2), Yousra Javed (2), Shujun Li (3), Syed Ali Khayam (2) and Mario Čagalj (1)
(1) FESB, University of Split, Croatia
(2) National University of Science and Technology, Pakistan
(3) Zukunftskolleg, University of Konstanz, Germany
21/07/2011
Outline
• Introduction
• How does Undercover work?
  • Implementation 1 @ CHI'2008
  • Implementation 2 @ Pervasive'2009
• Breaking Undercover
  • Timing attack
  • Intersection attack
• Can Undercover be enhanced?
  • Attempt #1
  • Attempt #2
• Generalizing timing attacks
• Summary
Introduction
• Classical PIN-entry methods (via keyboards, keypads and the like) are all vulnerable to observation attacks:
  • Shoulder-surfing attacks
  • Phishing attacks
  • Malware-based attacks
Sources: http://www.isgafrica.org/blog; Thinkst.com, July 2011; [Kuhn2004]
Introduction
• Solution: a challenge-response protocol
  • User (P) and Verifier (V) share a secret S
  • V → P: challenges C1(S), …, Ct(S)
  • P → V: responses R1 = f1(C1, S), …, Rt = ft(Ct, S)
  • V: accept P if all responses are correct
• Goal: design a mapping f such that the attacker cannot recover S, in either of two attacker models:
  • C and R are fully observable to the attacker
  • C and R are completely or partially unobservable to the attacker
Figure: a fully observable scheme [Sobrado02] and a partially observable scheme [Sasamoto08]
Introduction
• Designing a usable cognitive PIN-entry method secure against eavesdroppers is truly challenging:
  • Matsumoto-Imai scheme (EuroCrypt'91): NOT secure (Wang et al., EuroCrypt'95)
  • Matsumoto protocols (CCS'96): NOT secure (Hopper & Blum 2001; Li & Shum 2003)
  • Hopper-Blum protocols (AsiaCrypt'2001): NOT usable (166 seconds per login)
  • Cognitive Authentication Scheme (S&P'2006): neither usable nor secure (S&P'2007)
  • Predicate-based Authentication Scheme (ACSAC'2008): neither secure nor usable (ACSAC'2009)
  • Undercover (CHI'2008): is Undercover secure?
• Challenge 1: security vs. usability
• Challenge 2: weak humans vs. powerful attackers
• It is difficult to design a secure HCI: the devil is in the details
Undercover: Implementation 1
• Hirokazu Sasamoto, Nicolas Christin and Eiji Hayashi, "Undercover: Authentication Usable in Front of Prying Eyes", CHI'2008
• One login session:
  • 28 pictures: 5 pass-pictures and 23 non-pass pictures
  • 7 public challenges (4 pictures each):
    • 5 challenges with one pass-picture
    • 2 challenges without a pass-picture
  • Each public challenge comes with one hidden challenge, delivered through a trackball covered by the user's hand
Figure: the Undercover system
Undercover: Implementation 1
• Example (figure): public challenge; hidden challenge "Left"; response: 2
• Average login time: ≈ 32 sec
Undercover: Implementation 2
• M. Hasegawa, N. Christin and E. Hayashi, "New Directions in Multisensory Authentication", Pervasive'2009
• Average login time: ≈ 10 sec vs. 32 sec with Undercover
• Other solutions:
  • VibraPass [De Luca09]
  • Secure Haptic Keypad (SHK) [Bianchi10]
  • STL, Mod10 [Perkovic10]
Figure: PIN digit is 2, hidden digit is 6
Undercover
• How safe is Undercover against timing/intersection attacks?
• How safe is Alternative Undercover against intersection attacks?
• These problems are due to:
  • Design flaws
  • Nonuniform human behavior
• They can be fixed
• The problems are general and not specific to Undercover
Figure: Undercover and Alternative Undercover
Undercover: Our Implementation
• Hidden channel
• Software-based implementation
• PassFaces
Breaking Undercover
• A cooperative usability study at two universities:
  • FESB, University of Split, Croatia
  • National University of Science and Technology (NUST), Pakistan
• 28 users (students and staff members)
• Users were asked to log in once a day
• Overall successful login rate ≈ 84%
• Median number of logins per user: 26.5
• Median login time: 30.1 sec
• 18 used the keyboard, 10 used the mouse as input device
• Compared to the original Undercover, the median login time is slightly shorter (30.1 sec vs. 32 sec)
Timing Attack on Undercover
• A design flaw + nonuniform human behavior
• The human response pattern: the difference between the user's response times to "Up" hidden challenges and to the other hidden challenges is significant at the 5% level
• Attack assumption: the fastest response in a session corresponds to an "Up" challenge
Timing Attack on Undercover
• Attack procedure:
  • Step 1: Create 28 counters, C1, …, C28, one per picture, and initialize all of them to 0.
  • Step 2: For each observed login session, take the fastest response and assume that it was given to an "Up" challenge. Decoded with the "Up" button map, the observed response then points to a position in that public challenge; if a picture i sits at that position, Ci++.
  • Step 3: Rank all the pictures by the values of the 28 counters and take the top five as the five pass-pictures forming the password.
• Some settings and enhancements: 1) negative penalty; 2) multiple fastest responses; 3) successful logins only.
Example evolution of the counters:
Counter     C1  C2  C3  ...  Ci-1  Ci  Ci+1  ...  C28
Session 0    0   0   0  ...     0   0     0  ...    0
Session 1    0   1   0  ...     0   0     0  ...    0
Session 2    1   1   0  ...     0   0     0  ...    0
Session 3    1   1   0  ...     0   1     0  ...    0
...
Session N   15  10   4  ...     2   9     6  ...   15
Timing Attack on Undercover
• Theoretical analysis:
  • p_t5: probability that the password is revealed (all five pass-pictures are ranked in the top 5)
  • p*_t5: probability that a pass-picture is ranked in the top 5
• Real performance, best results with:
  • First fastest response, no negative penalty, successful logins only
  • First fastest response, negative penalty, successful logins only
• The real performance is similar to the theoretical analysis
Intersection Attack on Undercover
• Each pass-picture and decoy picture is shown once and only once in a single authentication process, so the 7 public challenges of a session partition the 28 pictures, and a public challenge holds at most one pass-picture
• Are public challenges fixed or randomized?
• Attack (randomized public challenges):
  • Step 1: Set P to the space of all possible passwords
  • Step 2: For each observed public challenge, reduce the space of candidate passwords P by checking each password in P and removing invalid ones (a password with two of its pictures in the same public challenge is invalid)
  • Step 3: Repeat Step 2 until the size of P becomes 1
Figure: the i-th observed public challenge and the reduced set of candidate passwords
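The two attack procedures, the counter-based timing attack of the earlier slide and the intersection attack of this slide, as one added simulation. This is example code written for this page, not the authors' MATLAB code. The session structure follows the slides (28 pictures, 5 pass-pictures, 7 public challenges of 4 pictures, 5 of them holding one pass-picture, 5 hidden challenges); the five button maps, the per-challenge response-time distributions, the seed and the reading of "negative penalty" (decrement the four shown pictures when the decoded answer is "no pass-picture") are assumptions.

```python
"""Constructed simulation of the timing and intersection attacks on Undercover.
Parameters follow the slides (28 pictures, 5 pass-pictures, 7 public challenges
of 4 pictures, 5 hidden challenges); button maps and response-time model are
assumptions, not the authors' data."""
import random
from itertools import combinations

N_PICTURES, N_PASS, N_CHALLENGES, CHALLENGE_SIZE = 28, 5, 7, 4
HIDDEN = ("up", "down", "left", "right", "center")
# Assumed button maps: index = position of the pass-picture in the public
# challenge (0..3, 4 = "no pass-picture"), value = button label to press.
# "up" is modelled as the identity map, the others as fixed permutations.
BUTTON_MAPS = {
    "up": (1, 2, 3, 4, 5),
    "down": (5, 4, 3, 2, 1),
    "left": (2, 3, 4, 5, 1),
    "right": (5, 1, 2, 3, 4),
    "center": (3, 5, 1, 4, 2),
}
# Assumed response-time model (seconds): "up" answers are faster, mirroring the
# significant difference reported in the user study.
RT_MEAN = {"up": 2.0, "down": 3.5, "left": 3.5, "right": 3.5, "center": 3.5}
RT_SD = 0.5


def make_session(password, rng):
    """One randomized login: 7 disjoint public challenges covering all 28
    pictures; 5 of them hold exactly one pass-picture, 2 hold none."""
    decoys = [p for p in range(N_PICTURES) if p not in password]
    rng.shuffle(decoys)
    pass_pics = list(password)
    rng.shuffle(pass_pics)
    challenges = []
    for i in range(N_CHALLENGES):
        ch = [pass_pics.pop()] if i < N_PASS else []
        while len(ch) < CHALLENGE_SIZE:
            ch.append(decoys.pop())
        rng.shuffle(ch)
        challenges.append(tuple(ch))
    rng.shuffle(challenges)
    return challenges


def observe_session(password, rng):
    """What a shoulder-surfer records per public challenge: pictures shown,
    button pressed, seconds taken. The hidden challenge is never observed."""
    obs = []
    for ch in make_session(password, rng):
        hidden = rng.choice(HIDDEN)
        pos = next((i for i, p in enumerate(ch) if p in password), CHALLENGE_SIZE)
        button = BUTTON_MAPS[hidden][pos]
        seconds = max(0.2, rng.gauss(RT_MEAN[hidden], RT_SD))
        obs.append((ch, button, seconds))
    return obs


def timing_attack(sessions, negative_penalty=True):
    """Steps 1-3 of the slides: per session, assume the fastest response was
    given under the "up" map, decode the pressed button with that map into a
    position and credit the picture at that position. A decoded "no
    pass-picture" answer optionally penalises all four pictures shown."""
    counters = [0] * N_PICTURES
    up_inverse = {button: i for i, button in enumerate(BUTTON_MAPS["up"])}
    for obs in sessions:
        ch, button, _ = min(obs, key=lambda o: o[2])
        pos = up_inverse[button]
        if pos < CHALLENGE_SIZE:
            counters[ch[pos]] += 1
        elif negative_penalty:
            for p in ch:
                counters[p] -= 1
    ranked = sorted(range(N_PICTURES), key=lambda p: -counters[p])
    return frozenset(ranked[:N_PASS]), counters


def intersection_attack(sessions):
    """Uses only the public challenges. Start from all C(28,5) passwords and
    keep those whose 5 pictures fall into 5 distinct public challenges in every
    observed session (a public challenge never holds two pass-pictures)."""
    candidates = [frozenset(c) for c in combinations(range(N_PICTURES), N_PASS)]
    sizes = [len(candidates)]
    for obs in sessions:
        group = {p: gi for gi, (ch, _, _) in enumerate(obs) for p in ch}
        candidates = [c for c in candidates if len({group[p] for p in c}) == N_PASS]
        sizes.append(len(candidates))
        if len(candidates) <= 1:
            break
    return candidates, sizes


def run(seed=7, n_sessions=200):
    """Pick a password, record n_sessions logins, run both attacks on them."""
    rng = random.Random(seed)
    password = frozenset(rng.sample(range(N_PICTURES), N_PASS))
    sessions = [observe_session(password, rng) for _ in range(n_sessions)]
    guess, _ = timing_attack(sessions)
    candidates, sizes = intersection_attack(sessions)
    return password, guess, candidates, sizes


if __name__ == "__main__":
    password, guess, candidates, sizes = run()
    print("password:           ", sorted(password))
    print("timing attack top-5:", sorted(guess))
    print("candidates/session: ", sizes)  # sizes[0] is C(28,5) = 98280
```

Two things are worth noticing when running it. The intersection attack consumes nothing but the public challenges: no response times, no pressed buttons. After one session the 98280 candidate passwords shrink to C(7,5)·4^5 = 21504, and the set typically collapses to the real password within roughly ten sessions, which is the order of magnitude the slides report; with fixed public challenges every session yields the same partition and the set stops shrinking after the first one. The timing attack, by contrast, works even on a single session's partition, as long as the "up" responses are distinguishable by time.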
Intersection Attack on Undercover
• Results of the attack:
  • MATLAB simulations with 15 randomly generated login sessions: on average 7-10 observed login sessions reveal the password
  • Real login data collected in our user studies: on average 8-11 login sessions reveal the password
• Solution: use fixed public challenges
• Additionally, we asked the authors of Undercover: they used fixed challenges
• The devil is in the details
Intersection Attack on Alternative Undercover
• Example:
  • PIN digit is 2, hidden digit is 6
  • The user pushes Button "Left" (◄) and Button "Down" (▼)
  • The set of candidate values for the digit is reduced from 10 to 4 (1, 2, 3 and 4)
• Theoretical analysis: PIN "0459" is revealed after 9 login sessions
• MATLAB simulations: PINs "1236" and "0459" are revealed after a median number of 11 and 9 login sessions, respectively
Figure: theoretical analysis of the intersection attack
Enhancing Undercover: Attempt #1
• Change the button maps to make them equally difficult
• Results of the evaluation: it failed!
• Reason: the "Up" button map is the one closest to the public challenge
Figure: button maps before and after the enhancement
Enhancing Undercover: Attempt #2
• Equal visual distance from each button map to the public challenge
• The hidden challenges are changed to "1", …, "5"
• Procedure:
  • Step 1: Find the hidden challenge value in the button layout next to the pass-picture (or next to "no pass-picture")
  • Step 2: Press the button at the same location as that hidden challenge value
• Example: hidden challenge "2", response 3
Enhancing Undercover: Attempt #2
• Enhanced security:
  • The response times to different hidden challenges are not significantly different
  • None of the passwords was fully revealed; the maximum number of revealed pass-pictures is below 50%
• Enhanced usability:
  • Average login time ≈ 19 sec vs. 30.1 sec with Undercover
  • Error rate: 6%
  • All users preferred this method over Undercover!
Generalizing Timing Attacks
• Human behavior can be nonuniform and nonlinear in many aspects:
  • Response time
  • Response error rate
  • Mental computation
  • Temporal variation
  • Personal preference
  • Facial expression and hand/body movement
• User interfaces should be designed so that users have NO distinguishable nonuniform behavior
Figure: examples of nonuniform mental computation: Mod10 [Perkovic10], (0+7) mod 10 vs. (6+7) mod 10 and (6+9) mod 10 = 5 vs. 6-1 = 5; Undercover [Sasamoto2008]; [Hopper01]; CCS poster [Kune2010]
Summary
• We presented two attacks on Undercover
• The security weakness in Undercover is due to design flaws and nonuniform human behavior
• User behavior reveals sensitive information
• We proposed enhancements: a more secure and usable design
• In future, designers of security systems should pay attention to the human-computer interface
• Future work:
  • Generalization of timing attacks to other Undercover-like designs and other graphical passwords
  • Development of new Undercover-like designs with lower login time and error rate
• Timing attacks on cognitive authentication schemes have to be seriously considered!
Thank you for your attention! Questions?