Slides: Logging safely in public spaces using color PINs


Logging safely in public spaces using color PINs
from the paper:
http://arxiv.org/abs/1304.6499


Transcript of "Slides: Logging safely in public spaces using color PINs"

  1. Logging safely in public spaces using attribute PINs
     Frank Nielsen, Frank.Nielsen@acm.org
     5793b870
     Sony Computer Science Laboratories, Inc., 2013
     © 2013 Frank Nielsen, Sony Computer Science Laboratories, Inc. 1/17
  2. Logging, the need for a secure UI...
     We daily use...
     ◮ more and more cloud services...
     ◮ Internet terminals in public spaces...
     → threats of passwords being stolen (yielding identity theft!).
     Many potential threats:
     ◮ shoulder-surfing attacks
     ◮ concealed spy cameras (video surveillance)
     ◮ spyware (key and mouse loggers)
  3. Tokens, biometrics and secure UI...
     Current mainstream solution:
     ◮ One Time Passwords (OTPs), physical token (can be stolen or borrowed too!), or
     ◮ biometrics (expensive) + PINs
     Our proposal: Design a secure UI with zero-knowledge using associative PINs: a UI PIN associated to a USR PIN (both secret).
     → robust by design to mouse loggers and video captures.
  4. Associative PINs
     Concept = Two graphics keyboards:
     ◮ Fixed digit board (or letters, icons, etc.)
     ◮ Moveable cursor letter board (or digits, icons, etc.)
     Task (Human): Align the cursor to the corresponding digit.
     ◮ Origin is chosen at random (a keylogger cannot replay mouse motions).
     ◮ Torus topology for wrapping the moveable cursor board.
  5. Example (shuffling the fixed digit board after each input)
     PIN digits 3141 aligned with UI letters CAHB (figure: four frames, one per input).
  6. 2 × 5 keyboard layout
     ◮ Implemented in Processing, processing.org
     ◮ Wrapping the cursor operating system on the screen edges (for endless smooth toric motion) using the Java™ Robot class
  7. Torus topology/mouse origin (figure slide)
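The following is an added simulation of the associative-PIN entry described on slides 4 to 7; it is illustrative Python written for this page, not the Processing sketch the slides mention. The 2 × 5 board, the alphabets, the PIN pair 3141 / CAHB (from slide 5) and the seeds are constructed inputs. It models the three parties that matter for the threat model on slide 2: the user who aligns the cursor board, the server that knows each round's shuffled digit board and random cursor origin, and a mouse logger that sees only displacements.

```python
"""Associative-PIN entry on a 2 x 5 torus board (added example, not the
slides' Processing code). Board size, alphabets, PIN pair and seeds are
constructed for illustration."""
import random

ROWS, COLS = 2, 5            # 2 x 5 keyboard layout (slide 6)
DIGITS = "0123456789"        # fixed digit board, reshuffled after each input
LETTERS = "ABCDEFGHIJ"       # moveable cursor board (assumed never reshuffled)


def layout(symbols):
    """Map each symbol to its (row, col) cell, row-major."""
    return {s: divmod(i, COLS) for i, s in enumerate(symbols)}


CURSOR_BOARD = layout(LETTERS)


def add_offset(a, b):
    """Torus addition: rows wrap mod ROWS, columns wrap mod COLS."""
    return ((a[0] + b[0]) % ROWS, (a[1] + b[1]) % COLS)


def sub_offset(a, b):
    return ((a[0] - b[0]) % ROWS, (a[1] - b[1]) % COLS)


def shuffled_digit_board(rng):
    """One round's fixed digit board: a random permutation of 0-9."""
    order = list(DIGITS)
    rng.shuffle(order)
    return layout(order)


def session_rounds(n, seed):
    """Server-side state per round: (shuffled digit board, random cursor origin)."""
    rng = random.Random(seed)
    return [(shuffled_digit_board(rng), (rng.randrange(ROWS), rng.randrange(COLS)))
            for _ in range(n)]


def digit_under(letter, offset, digit_board):
    """Digit covered by `letter` when the cursor board is shifted by `offset`."""
    cell_to_digit = {cell: d for d, cell in digit_board.items()}
    return cell_to_digit[add_offset(CURSOR_BOARD[letter], offset)]


def offset_aligning(letter, digit, digit_board):
    """The human task (slide 4): the shift that puts `letter` over `digit`."""
    return sub_offset(digit_board[digit], CURSOR_BOARD[letter])


def user_enters(pin, ui_pin, rounds):
    """Final cursor-board offset the user produces in each round."""
    return [offset_aligning(letter, digit, board)
            for digit, letter, (board, _) in zip(pin, ui_pin, rounds)]


def mouse_log(rounds, finals):
    """What a mouse logger captures: displacement from the random origin only."""
    return [sub_offset(final, origin) for final, (_, origin) in zip(finals, rounds)]


def server_accepts(stored_pin, stored_ui_pin, rounds, displacements):
    """Replay each displacement from the known origin and check that the stored
    UI letter of that round sits over the stored PIN digit."""
    for digit, letter, (board, origin), move in zip(stored_pin, stored_ui_pin,
                                                   rounds, displacements):
        if digit_under(letter, add_offset(origin, move), board) != digit:
            return False
    return True


def candidates_for_alignment(offset, digit_board):
    """Digits consistent with an observed final alignment when the UI letter is
    unknown: one per letter, i.e. all ten, so a video of the screen alone
    does not narrow the PIN digit."""
    return sorted(digit_under(letter, offset, digit_board) for letter in LETTERS)


def replay_hits(board, letter, digit, move):
    """Number of cursor origins (out of ROWS*COLS) for which a replayed
    displacement still lands `letter` on `digit`: exactly one, so replaying a
    captured mouse log against a fresh random origin succeeds with
    probability 1/10 per digit."""
    return sum(digit_under(letter, add_offset((r, c), move), board) == digit
               for r in range(ROWS) for c in range(COLS))


def demo(seed=7):
    """One genuine session with the slide-5 PIN pair; returns the pieces."""
    rounds = session_rounds(4, seed)
    finals = user_enters("3141", "CAHB", rounds)
    log = mouse_log(rounds, finals)
    return {"rounds": rounds, "finals": finals, "log": log,
            "accepted": server_accepts("3141", "CAHB", rounds, log)}


if __name__ == "__main__":
    d = demo()
    print("mouse logger sees only:", d["log"])
    print("server accepts genuine entry:", d["accepted"])
    print("digits consistent with the first alignment:",
          candidates_for_alignment(d["finals"][0], d["rounds"][0][0]))
```

The two checks worth reading are `candidates_for_alignment`, which shows why the on-screen alignment leaks nothing without the secret letter, and `replay_hits`, which quantifies the slide-4 claim that a logged mouse motion cannot be replayed: the random origin turns a replay into a 1-in-10 guess per digit.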
  8. Some extensions of the basic AssociativePIN system
     ◮ Use legacy password systems (split the password in half into PASSWD and USR-PASSWD parts),
     ◮ Graphics board skins,
     ◮ Cursor control using another device,
     ◮ Free users from remembering another UI PASSWD: generate one-time UI PASSWDs from user profiles.
  9. Graphics skins: Colors/Icons on fixed Digits (figure slide)
  10. Generating UI passwords from user profiles
     To help the user memorize the UI password and to generate many UI passwords, we define a user profile by asking a set of k questions, each with n choices, such as: what is her favorite food, favorite place, favorite color, favorite celebrity, favorite movie, favorite music, etc.
     Each time the user enters a key, the moveable cursor skin changes to the next mode: food→place→color→celebrity→movie→music, ...
     Furthermore, for k-length passwords, we generate a random permutation of the question order (yielding k! UI passwords).
     However, this is less secure when observers know or guess his/her preferences.
  11. Prior work (I)
     ◮ CursorCamouflage [11]: a set of dummy cursors that makes it difficult for observers to correlate with the user's hand motion.
     ◮ Convex Hull Pass Icons [12]: enter the password with pass-icons blended with other icons on a 2D layout; the user is required to pass several challenges, each asking to click inside the convex hull of the pass icons.
     ◮ Cognitive Trapdoor Games [8]: select which set contains the current PIN code digit. After a few selections, the system knows, by "intersecting" the challenge subsets, which digit was entered, and proceeds to the next digit, etc.
     ◮ FakeCursor [9]: the FakeCursor system manages a fixed secret and a disposal secret: enter the PIN code by aligning the secret digit on the fixed disposal icons using left/right ATM-like arrow buttons. We can interpret FakeCursor as a discrete UI working on the 1D ring topology.
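As an added illustration of the "intersecting the challenge subsets" mechanism summarized for Cognitive Trapdoor Games [8] on slide 11 (example code written for this page, not from the slides or from [8]): each challenge splits the digits 0-9 into two random halves (an assumption; the slide only says "sets"), the user reports which half holds the current PIN digit, and the system intersects the reported halves until a single digit remains. The PIN and the seed are constructed.

```python
"""Challenge-subset PIN entry in the style summarized on slide 11 (added
example). Two halves of five digits per challenge is an assumption."""
import random

DIGITS = frozenset("0123456789")


def make_challenge(rng):
    """Random partition of the digits into two halves of five."""
    digits = sorted(DIGITS)
    rng.shuffle(digits)
    return frozenset(digits[:5]), frozenset(digits[5:])


def enter_digit(secret, rng, max_rounds=50):
    """Simulate entering one PIN digit.

    Returns (recovered_digit, answers): the digit the system derives and the
    halves the user chose. Note that anyone who records every challenge and
    answer can run the same intersection, which is why this resists a glance
    but not a camera; the slides' associative PINs target the latter.
    """
    candidates = set(DIGITS)
    answers = []
    for _ in range(max_rounds):
        if len(candidates) == 1:
            break
        a, b = make_challenge(rng)
        chosen = a if secret in a else b     # the only thing the user reveals
        answers.append(chosen)
        candidates &= chosen                  # the system narrows the digit down
    recovered = candidates.pop() if len(candidates) == 1 else None
    return recovered, answers


def enter_pin(pin, seed=3):
    """Enter a whole PIN; returns (recovered_pin, total_challenges_shown)."""
    rng = random.Random(seed)
    out, total = [], 0
    for d in pin:
        recovered, answers = enter_digit(d, rng)
        out.append(recovered if recovered is not None else "?")
        total += len(answers)
    return "".join(out), total


if __name__ == "__main__":
    print(enter_pin("3141"))
```

Every digit needs at least two challenges (the first one leaves five candidates), and a challenge that happens not to split the remaining candidates wastes a round; that cost in rounds is the usability price the slide-11 list implicitly compares against the single alignment per digit of the associative-PIN design.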
  12. Prior work (II)
     ◮ ColorPIN [3]: PIN entry system using color PINs relying on keyboard interactions. At the bottom of each digit, three colored letters (black, red and white) are shown. Each letter appears in all three colors for security reasons. The user enters the color PIN by pressing the corresponding keyboard keys.
     ◮ Login systems designed based on eye gaze input [6]
     ◮ PIN Tactons [7]: well suited for visually impaired people.
     ◮ etc.
  13. Potential security threats
     ◮ UI PASSWORD too simple
     ◮ gaze tracking and advanced computer vision: guess which parts were "intentionally" aligned by observing the user's eyes.
     → risk minimized by showing a small board size.
  14. Videos/Software
     http://www.sonycsl.co.jp/person/nielsen/ColorPINs/
     http://www.youtube.com/watch?v=IDgaH-ilUCw
     @article{ColorPINS,
       author  = {Frank Nielsen},
       title   = {Logging safely in public spaces using color PINs},
       journal = {CoRR},
       volume  = {abs/1304.6499},
       year    = {2013},
       ee      = {http://arxiv.org/abs/1304.6499}
     }
  15. Bibliographic references I
     [1] William Cheswick. Rethinking passwords. Commun. ACM, 56(2):40–44, February 2013.
     [2] John Chuang, Hamilton Nguyen, Charles Wang, and Benjamin Johnson. I think, therefore I am: Usability and security of authentication using brainwaves. In Proceedings of the Workshop on Usable Security, USEC '13, 2013.
     [3] Alexander De Luca, Katja Hertzschuch, and Heinrich Hussmann. ColorPIN: securing PIN entry through indirect input. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI '10, pages 1103–1106, New York, NY, USA, 2010. ACM.
     [4] Yutaka Hirakawa, Motohiro Take, and Kazuo Ohzeki. Pass-image authentication method tolerant to random and video-recording attacks. International Journal of Computer Science & Applications (IJCSA), 9(3):20–36, 2012.
     [5] B. Kaliski. PKCS #5: Password-based cryptography specification version 2.0 (RFC), 2000.
     [6] Manu Kumar, Tal Garfinkel, Dan Boneh, and Terry Winograd. Reducing shoulder-surfing by using gaze-based password entry. In Proceedings of the 3rd Symposium on Usable Privacy and Security, SOUPS '07, pages 13–19, New York, NY, USA, 2007. ACM.
  16. Bibliographic references II
     [7] Xuân-Linh Labbé. Touchscreen accessibility: accessible and secure authentication using a haptic PIN. Master's thesis, University of Glasgow, 2010.
     [8] Volker Roth, Kai Richter, and Rene Freidinger. A PIN-entry method resilient against shoulder surfing. In Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS '04, pages 236–245, New York, NY, USA, 2004. ACM.
     [9] Tetsuji Takada. FakePointer: An authentication scheme for improving security against peeping attacks using video cameras. In Proceedings of the Second International Conference on Mobile Ubiquitous Computing, Systems, Services and Technologies, UBICOMM '08, pages 395–400, Washington, DC, USA, 2008. IEEE Computer Society.
     [10] Tetsuji Takada. FakePointer: An authentication scheme for improving security against peeping attacks using video cameras. In Proceedings of the 2008 Second International Conference on Mobile Ubiquitous Computing, Systems, Services and Technologies, UBICOMM '08, pages 395–400, Washington, DC, USA, 2008. IEEE Computer Society.
     [11] Keita Watanabe, Fumito Higuchi, Masahiko Inami, and Takeo Igarashi. CursorCamouflage: Multiple dummy cursors as a defense against shoulder surfing. In SIGGRAPH Asia 2012 Emerging Technologies, SA '12, pages 6:1–6:2, New York, NY, USA, 2012. ACM.
  17. Bibliographic references III
     [12] Susan Wiedenbeck, Jim Waters, Leonardo Sobrado, and Jean-Camille Birget. Design and evaluation of a shoulder-surfing resistant graphical password scheme. In Proceedings of the Working Conference on Advanced Visual Interfaces, AVI '06, pages 177–184, New York, NY, USA, 2006. ACM.