1 / 23

Breaking Undercover: Exploiting Design Flaws and Nonuniform H uman Behavior

Explore the vulnerabilities in current PIN-entry methods and solutions for secure cognitive authentication. Learn about the implementation of Undercover and its enhancements against timing and intersection attacks.

lhumble
Download Presentation

Breaking Undercover: Exploiting Design Flaws and Nonuniform H uman Behavior

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Breaking Undercover:Exploiting Design Flaws and Nonuniform Human Behavior Toni Perković1 joint work with Asma Mumtaz2, Yousra Javed2, Shujun Li3,Syed Ali Khayam2 and Mario Čagalj1 1FESB, University of Split, Croatia 2 National University of Science and Technology, Pakistan 3 Zukunftskolleg, University of Konstanz, Germany 21/07/2011

  2. Outline • Introduction • How does Undercover work? • Implementation 1 @ CHI’2008 • Implementation 2 @ Pervasive’2009 • Breaking Undercover • Timing attack • Intersection attack • Can Undercover be enhanced? • Attempt#1 • Attempt#2 • Generalizing timing attacks • Summary

  3. Introduction • Classical PIN-entry methods (via keyboards,keypads and alike) are • all vulnerable to observation attacks • Shoulder surfing attacks • Phishing attacks • Malware based attacks http://www.isgafrica.org/blog Thinkst.com – July 2011 [Kuhn2004]

  4. Introduction • Solution: A challenge-response protocol • User (P) and Verifier (V) share secret S • V  P: challenges C1(S), …, Ct(S) • P  V: responses R1=f1(C1,S), …, Rt=ft(Ct,S) • V: Accept P if all responses are correct • Goal: design a mapping f such that the attacker cannot recover S • C and R are fully observable to the attacker • C and R are completelly or partially unobservable to the attacker Partially observable Fully observable [Sobrado02] [Sasamoto08]

  5. Introduction • Designing a usable cognitive PIN-entry method secure against eavesdroppers is truly challenging: • Matsumoto-Imai scheme (EuroCrypt’91) • NOT secure (Wang et al., EuroCrypt’95) • Matsumoto protocols (CCS’96) • NOT secure (Hopper & Blum 2001; Li & Shum 2003) • Hopper-Blum protocols (AsiaCrypt’2001) • NOT usable (166 seconds for login) • Cognitive Authentication Scheme (S&P’2006) • Neither usable nor secure (S&P’2007) • Predicate-based Authentication Scheme (ACSAC’2008) • Neither secure nor usable (ACSAC’2009) • Undercover (CHI’2008) • Is Undercover secure? • Challenge 1: Security vs. Usability • Challenge 2: Weak humans vs. Powerful attackers It is difficult to design a secure HCI - Devil is in details

  6. Undercover: Implementation 1 • Hirokazu Sasamoto, Nicolas Christin and Eiji Hayashi, “Undercover: Authentication Usable in Front of Prying Eyes”, CHI’2008 • One login session: • 28 pictures: 5 pass-pictures and 23 non-pass • 7 public challenges: • 5 challenges with one pass-picture • 2 challenges without pass-picture • Each public challenge contains: • One hidden challenge – trackball covered by hand Undercover system

  7. Undercover: Implementation 1 • Example: 4 • Public challenge • Hidden challenge: “Left” 2 • Response: 2 • Average login time: ≈ 32 sec

  8. Undercover: Implementation 2 • M. Hasegawa, N. Christin and E. Hayashi, “New Directions in Multisensory Authentication,” Pervasive’2009 • Average login time: ≈ 10 sec. vs 32 sec. with Undercover • Other solutions: • VibraPass [De Luca09] • Secure Haptic Key (SHK) [Binachi10] • STL, Mod10 [Perkovic10] PIN digit is 2, hidden digit is 6

  9. Undercover • How safe is Undercover against timing/intersection attacks? • How safe is Alternative Undercover against intersection attacks? • These problems are due to: • Design flaws • Nonuniform human behavior • They can be fixed • The problems are generaland not prone to Undercover only Undercover Alternative Undercover

  10. Undercover: Our Implementation • Hidden channel • Software-based implementation • PassFaces

  11. Breaking Undercover • A cooperative usability study at two universities: • FESB, University of Split in Croatia • National University of Science and Technology (NUST) in Pakistan • 28 users (students and staff members) • Users were asked to login once a day • Overall success login rate ≈ 84% • Median login rate: 26.5 • Median login time: 30.1 sec • 18 used the keyboard, 10 used the mouse as input device • Compared to original Undercover, the median login time is slightly shorter (32 sec. vs 30.1 sec.)

  12. Timing Attack on Undercover • A design flaw  Non-uniform human behavior • The human response pattern: • The differencebetween the user’s responses to “Up” hidden challenges and toother hidden challenges is significant at 5% level. • Assume that the fastestresponse corresponds to“Up”challenge

  13. Timing Attack on Undercover • Attack procedure: • Step 1: Create 28 counters, C1,…,C28, for the 28 pictures, and initialize all of them to be 0. • Step 2: For each observed login session, take the fastest response and assume that it corresponds to an “Up” challenge. Then, if the corresponding public challenge contains a pass-picture i, Ci++. • Step 3: Rank all the pictures according to the values of the 28 counters, and take the top five pictures as the five pass-pictures forming the password. • Some settings and enhancements: 1) negative penalty; 2) multiple fastest responses; 3) successful logins only. ... ... C1 C2 C3 Ci-1 Ci Ci+1 C28 Conuter Session0 0 0 0 0 0 0 0 Session1 0 1 0 0 0 0 0 Session2 1 1 0 0 0 0 0 Session3 1 1 0 0 1 0 0 ... ... ... SessionN 15 10 4 2 9 6 15

  14. Timing Attack on Undercover • Theoretical analysis: • pt5 – probabilty of revealed password • p*t5 - probability where the passpicture is in the top 5 ranked • Real performance – best results: • First fastest response, no negative penalty, successful logins • First fastest response,negative penalty, successful logins • The real performance is similar to the one in the theoretical analysis.

  15. Intersection Attack on Undercover • Each pass-picture and decoypicture is shown once and only once in a single authentication process. Are public challenges fixed or randomized? • Attack (randomized public challenges): • Step 1: Set P to be the space of all possible passwords • Step 2: For each observed public challenge, reduce the spaceof candidate passwords P by checking each password in P and removing invalid ones • Step 3: Repeat Step 2 until the size of P becomes 1 • Example: observed ith public challenge Reduced candidate passwords ... ... ... ... ... ...

  16. Intersection Attack on Undercover • Results of the attack • MATLAB simulations with15 randomly generated login sessions: • On average 7-10 observed login sessions reveal the password • Real login data collected in our user studies: • On average number 8-11 login sessionsreveal the password • Solution: use fixed public challenges • Additionally we asked the authors of Undercover – they used fixed challenges • The devil is in details

  17. Intersection Attackon Alternative Undercover • Example: • PIN digit is 2, hidden digit is 6 • The user pushes Button “Left” (◄) and Button“Down” (▼) • The set of passwords is reduced from 10 to 4 (1, 2, 3 and 4) • Theoretical analysis: PIN “0459” is revealed after 9 login sessions • MATLAB simulations: PINs “1236” and “0459” are revealed after median number of 11 and 9 logins sessions, respecivelly. Theoretical analisys of Intersection attack

  18. Enhancing Undercover: Attempt #1 Enhancement Before • Change the button maps to make them equally difficult • Results of the evaluation: It failed! • Reason: “Up” button map is closest to the public challenge

  19. Enhancing Undercover: Attempt #2 • Equal visual distance from each button map to the public challenge • The hidden challenges are changed to “1”, …, “5” • Procedure: • Step1: Find the hidden response in the buttonlayout near to the pass-picture or the “no pass-picture” • Step2: Press the button at the same location as the hidden response • Example: • Hidden challenge: “2” • Response: 3

  20. Enhancing Undercover: Attempt #2 • Enhanced security: • The responsetimes to different hidden challenges are not significantly different. • None of passwords was fully revealed; the maximum number of revealed pass-pictures is below 50% • Enhanced usability: • The average login time ≈ 19 secvs 30.1 sec. with Undercover • The error rate: 6% • All users prefered to use this method over Undercover!

  21. Generalizing Timing Attacks • Human behavior can be nonuniform and nonlinear in many aspects: • Response time • Response error rate • Mental computation • Temporal variation • Personal preference • Facial expression and hand/body movement • User interface should be designed in a way that users have NO distinguishable nonuniform behavior. Mod10 [Perkovic10] Undercover - [Sasamoto2008] (0+7)mod 10 vs. (6+7) mod 10 (6+9)mod 10=5 vs. 6-1=5 [Hopper01] CCS poster [Kune2010]

  22. Summary • We presented two attacks on Undercover • Security weaknes in Undercover is due to some design flaws and nonuniform human behavior • User behavior reveals sensitive information • We proposed enhancements – a more secure and usable design • In future designers of security systems should pay attention to the human-computer interfaces • Future work: • Generalization of timing attacks to other Undercover-like designs and other graphical passwords • Development of new Undercover-like designs with lower login time and error rate Timing Attacks on cognitive authentication schemes have to be seriously considered!

  23. Thank you for your attention! Questions?

More Related