Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Observer-Resistant Password Systems: How hard to make them both usable and secure?


Published on

This presentation is for a talk given at a half-day workshop on Human Factors in Cyber Security, organised at University of Surrey, on 16th March 2016. Below is the abstract advertised for the event.

Observer-resistant password systems (ORPSs, also known as human authentication against observers or leakage-resilient password systems) have been studied since the early 1990s in both cryptography and computer security contexts, but until today a both secure and usable ORPS remains an open question to the research community. The concept of ORPS can be used to cover a large family of attacks against password-based human authentication systems such as shoulder surfers, hidden cameras, man-in-the-middle, keyloggers and malware. A key assumption of ORPS is that human users must respond to authentication challenges without using any computational devices. In other words, the threat model behind ORPSs assumes that other than the human user's brain, nothing is trusted. The main security requirement is to avoid disclosure of the shared secret between the human user and the verifier (i.e., password) even after a practically large number of authentication sessions observed by an untrusted party.

According to Yan et al.'s NDSS 2012 paper which reviews research efforts on this topic for over two decades, it has been clear that no existing systems meet both security and usability requirements although many meet one well. In this talk, the speaker will introduce his research on ORPSs since the early 2000s, highlighting a number of key findings such as human behavioural based timing attack reported at SOUPS 2011 and some theoretical work reported at NDSS 2013 and IEEETIFS 2015. He will contextualise some part of his talk using a particular design of ORPS called Foxtail, one of those ORPSs whose implementations were shown to have a relatively better balance between security and usability. Known rules about designing ORPSs and future research directions will also be discussed.

Published in: Science
  • Be the first to comment

Observer-Resistant Password Systems: How hard to make them both usable and secure?

  1. 1. Observer-Resistant Password Systems: How hard to make them both usable and secure? Dr Shujun Li Deputy Director, Surrey Centre for Cyber Security (SCCS) Senior Lecturer, Department of Computer Science @hooklee75
  2. 2. Observer-Resistant Password Systems What is all about?
  3. 3. 3 / 41 Passwords and …
  4. 4. 4 / 41 Passwords and observers Shoulder-Surfers
  5. 5. 5 / 41 Passwords and observers Shoulder-Surfers
  6. 6. 6 / 41 Passwords and observers Hidden Cameras
  7. 7. 7 / 41 - Hidden cameras are more powerful than you thought! - Two ACM CCS 2014 papers give the evidence. Passwords and observers Not Necessarily Hidden Cameras
  8. 8. 8 / 41 - “All the attacks works[ed] with the keyboard at the 5th floor and the antenna in the basement, 20 meters away!” [Vuagnous and Pasini @ USENIX Security’09] Passwords and observers TEMPEST = Electromagnetic Emanations
  9. 9. 9 / 41 - Observers can listen as well! - Acoustic attacks on passwords [Zhu et al. @ ACM CCS 2014] Passwords and observers
  10. 10. 10 / 41 - Too sophosicated? There are simpler ones – Keyloggers and screenscrapers! Passwords and observers
  11. 11. 11 / 41 - When keyloggers and screenscrapers are running as software. -  We have more malware: computer viruses, Trojan horses, worms, rootkits, etc. -  Untrusted computers Passwords and observers
  12. 12. 12 / 41 - Not only untrusted computers, but also untrusted phones and … Passwords and observers
  13. 13. 13 / 41 - Not only untrusted computers, but also untrusted phones and untrusted terminals (e.g. card skimmers attached to POS terminals!). Passwords and observers
  14. 14. 14 / 41 - It is not necessarily malware, but just a (bad) man- in-the-middle (MitM)! - A special case of MitM: man-in-the-browser (MitB) - Could be pre-installed malware e.g. a web browser extension. - Could be dynamically loaded program e.g. JavaScript code in a malicious website you are visiting. Passwords and observers
  15. 15. 15 / 41 - Phishers can be considered (bad) men-in-the- middle! - Not just phishing emails! Passwords and observers
  16. 16. 16 / 41 Passwords and many observers! - Shoulder-surfers - Hidden cameras - Keyloggers and other password recording devices - Password stealing software tools - Attacks based on electromagnetic / optical / acoustic emanations - Phishers - Malware - Man-in-the-middle/browser/computer/phone - Public terminals (@ cafés, airports, hotels, …) - …
  17. 17. 17 / 41 Existing “solutions” against observers? - “What you know” - Static passwords: not secure at all - “What you have” - One-time passwords (OTP) generators, cards + card readers, security tokens, … - Problems: not always secure, prone to theft and loss, higher implementation costs, less usable / portable, … - “Who you are” - Problems: not always secure, you can’t change your secret (easily), privacy concerns, higher implementation costs, … - Multi-factor authentication?
  18. 18. 18 / 41 Name(s) of the game: ORPS and … - Observer-resistant/Observation-resistant password system (ORPS) (Li et al. 2015 – yes this is me and my collaborators) - Leakage-resilient password system (LRPS) (Yan et al. NDSS 2012) - Virtual passwords [Lei et al. ICC 2008 + CompComm 2008] - Cognitive authentication (Weinshall IEEE S&P 2006) - Secure Human-Computer Interface/Identification (SecHCI) (Li & Shum 2002-2005) - Human-computer cryptography (Matsumoto CCS ’96) - Human authentication/identification (protocol / system / scheme) (many researchers 1991-2015) - …
  19. 19. Observer-Resistant Password Systems Threat Model
  20. 20. 20 / 41 Two basic requirements 1. The password should remain secret after a number of (ideally infinite or practically large) authentication sessions are observed by an untrusted party (= observer). 2. Any computation in the authentication process must be conducted by the human user alone. = The process should be human-executable. = Any computing devices beyond the human user’s brain are untrusted. Here, the word “password” is a loose term referring to a secret shared between a human user (client) and a computer verifier (server).
  21. 21. 21 / 41 Manuel Blum’s words - HUMANOIDs is a protocol that allows a naked human inside a glass house to authenticate securely to a non-trusted terminal. “Naked” means that the human carries nothing: no smart cards, no laptops, no pencil or paper. “Glass house” means that anybody can see what the human is doing, including everything that the human is typing. - Special case: PhoneOIDs = HUMANOIDs over phone
  22. 22. 22 / 41 Passive observers vs. Active observers - Passive observers = Observers who only observe all authentication sessions passively (without manipulating any communications).
  23. 23. 23 / 41 Passive observers vs. Active observers - Active observers = Observers who also try to manipulate the communications (e.g. to choose part of the authentication sessions). This is harder!
  24. 24. Observer-Resistant Password Systems System and Attack Modelling (Sorry, the Math!)
  25. 25. 25 / 41 Interactive challenge-response protocol - A secret S shared between prover/human (H) and verifier/computer (C) - Authentication is a challenge-response protocol - C  H: t challenges C1(S), …, Ct(S) - H  C: t responses R1=f1(C1(S),S), …, Rt=ft(Ct(S),S) - C: Accept H if all the t responses are correct; otherwise reject H. - NB: For some designs, less than t (and/or more than t’<t) correct responses may still be acceptable.
  26. 26. 26 / 41 Modelling observers - The aim: Given n observed / chosen successful authentication sessions (= nt challenge-response pairs), try to solve the secret S with a computational complexity smaller than brute force (of S). - R1 (1)=f1(C1 (1)(S),S) … Rt (1)=ft(Ct (1)(S),S) … R1 (n)=f1(C1 (n)(S),S) … Rt (n)=ft(Ct (n)(S),S)  S=? Complexity << #(S)
  27. 27. 27 / 41 - Security requires fi(Ci(S),S) to be sufficiently complicated for observers to calculate S out of a number of (Ci(S), Ri) pairs. - Usability requires fi(Ci(S),S) to be sufficiently simple for humans to understand and execute. - Observers are computationally bounded adversaries, but they have access to computers as auxiliary computing resources. - Human users have only their brains as the computing resources. - The only advantage human users have is knowledge of S. -  We need a human-executable one-way function. An asymmetric war
  28. 28. 28 / 41 - Random guess (base line “attack”) - Statistical attacks (frequency analysis) - Algebraic attacks - Intersection attacks - Divide and conquer attacks - SAT solver based attacks - Meet-in-the-middle attacks - Side channel attacks - Human behavior related attacks - “Smarter” brute force attacks - Partially-known-password attacks - … A large number of attacking strategies!
  29. 29. 29 / 41 - 7 example ORPS schemes compared [Yan et al. NDSS 2012] (a smaller usability score is better) Bad news: Security vs. Usability ORPS Scheme Usability Score Security Level HB protocol (LPN) 33,874 No major attacks APW protocol 18,787 No major attacks CAS high 8,594 Best known attack: O(10) observed authentication sessionsCAS low 7,818 Foxtail 3,513 Best known attack: O(100) observed authentication sessions CHC 1,575 Best known attack: O(10) observed authentication sessions PAS 924 Best known attack: O(10) observed authentication sessions
  30. 30. 30 / 41 - Some general principles have been identified. - Some general design strategies have been proposed. - A number of generic attacks have been known. - Many ORPS schemes have been proposed. - Clues have been found about theoretical impossibility of sufficiently secure and usable ORPS. - Active observers are harder to handle. Not very bad news?
  31. 31. Observer-Resistant Password Systems Selected ORPS Schemes: Is this really possible?
  32. 32. 32 / 41 Hopper-Blum protocols (AsiaCrypt’2001) - A general strategy: designing ORPSs based on known NP-hard problems. - HB Protocol 1: Based on Learning Parity with Noise (LPN) problem - HB Protocol 2: Based on Sum of k Mins problem - Security vs. Usability - It stands security tests since 2001. - Not for usability: 166 seconds for login for an implementation of Protocol 1 - Find applications in light-weight cryptography (humans  RFID chips)!
  33. 33. 33 / 41 Twins and Foxtail (my work 2004-2005) Foxtail Two general architectures Twins
  34. 34. 34 / 41 A Foxtail protocol (my work 2004-2005) - The highlighted one in the table you saw before.
  35. 35. 35 / 41 Undercover (ACM CHI 2008) - A general strategy: Hiding part of challenges via a trusted channel
  36. 36. 36 / 41 - Singapore Management University researchers had a comprehensive review of ORPS at NDSS 2012. - My work (with collaborators from Australia) led to the discovery of two classes of statistical attacks, which shed light on theoretical impossibility of absolute security. - Two new human behaviour based timing attacks were reported in 2015. - My work (with collaborators from Australia) in 2015 looked at more attacks on counting-based ORPS schemes. More recent development
  37. 37. Observer-Resistant Password Systems
  38. 38. 38 / 41 - Existing systems are not far from ideal ones. - Many possible ideas have not been attempted especially graph-based schemes. - Many NP-hard problems have not been attempted. - In some scenarios (e.g. military and high-sensitive financial systems), usability requirement can be relaxed in favour of security. - Making use of untrusted computing devices (e.g. mobile phones) may relax requirements on usability. - Automated solution exploration may help! Why bother? Should we simply give up?
  39. 39. 39 / 41 - A Singapore-UK joint project COMMANDO-HUMANS will help. - Automating security and usability evaluation based on both system and human modelling. - An open event will be organised on 12th April from 12:30pm. - Introduction to COMMANDO-HUMANS. - Short talks of researchers from Singapore Management University, CSIRO (Australia), Southampton and UCL. Human computational models can help!
  40. 40. Observer-Resistant Password Systems Take Home Messages
  41. 41. 41 / 41 - ORPS is a general concept covering a large set of threats. - A real solution to ORPS problems can open up a new world of password-based user authentication. - It is hard to balance security and usability. - Nobody has managed to create one. - Will you be the one? Take home messages
  42. 42. Observer-Resistant Password Systems Thanks for your attention! Questions?