Information Security Engineering

Transcription

1 Information Security Engineering Huiping Sun( ) sunhp@ss.pku.edu.cn

2 Graphical Password Human Computation 回顾

3 Graphical Password Reading Paper 回顾

4

5 Introduction 心理学基础 Recall Recognition Cued Recall Recognition is an easier memory task than recall Dual Coding Theory With the aid of a retrieval cue, more information can be retrieved

6 Introduction Déjà Vu

7 Introduction PassFaces

8 Introduction Pass-Go

9 Introduction 代表产品 GrIDSure PatternLock GridCode

10

11 Recall-Based DAS: Draw-A-Secret

12 Recall-Based BDAS: Background DAS

13 Recall-Based YAGP: Yet Another Graphical Password

14 Recall-Based Passdoodle

15 Recall-Based PassShapes

16 Recall-Based Pass-Go

17 Recognition-Based Deja Vu

18 Recognition-Based PassFaces recognise images from decoy images face random art everyday objects icons challenge-response system side security vs 3-5 decoy

19 Recognition-Based Story

20 Recognition-Based Use your Illusion

21 Cued Recall-Based Passpoints 171 login 19 14*14

22 Introduction CCP: Cued Click Points implicit feedback 96% 25 Login 7

23 Introduction PCCP: Persuasive CCP viewport hotspots 50 Login 8

24 My App is My Password!

25 Background Graphical password more applicable on smartphone than text password vulnerable to shoulder surfing attack existing graphical password require user proactively memorise password Graphical password based existing memory Authentication based existing memory weak password security questions dynamic security questions autobiographical authentication

26 Password Alternatives 后备认证 Where did you meet your spouse Wasilla High School

27 Password Alternatives 自传体认证

28 Password Alternatives APP 图标布局认证 Using Icon Arrangement for Fallback Authentication on Smartphones CHI 2014

29 Password Alternatives 动态安全问题 I Know What You Did Last Week! Do You? Dynamic Security Questions for Fallback Authentication on CHI 2015

30 Password Alternatives 动态安全问题 -APP 安装 Locked Your Phone Buy a New One? From Tales of Fallback Authentication on Smartphones to Actual MobileHCI 2015

31 PassApp Concept PassApp Firefox Kindle Amazon Evernote is a novel recognition-based graphical password which utilises user s Google Chrome Wikipedia Twitter Google Maps installed apps Instagram YouTube Gmail Facebook on their mobile devices LinkedIn Fruit Ninja Skype Google Earth as password OK Cancle

32 PassApp Mechanism same category, similar ranks, etc Decoy App Selection Mechanism App Marcket install a new app: add this app as key app, add 3 decoy apps uninstall a app: delete this app from key app libs and move it into blacklist, remove corresponding decoy apps from decoy app libs App Update Mechanism Decoy App library Key App library Key App Selection Mechanism Challenge Panel Generation Mechanism Authentication Mechanism Authenticate rule out the apps preinstalled by device and OS manufactures Mobile Device User

33

34 User Study Day 1 User Study 1: How well can users correctly recognise the apps they have installed? 42 participants Day 2 User Study 2: Firefox Kindle Amazon Evernote unlock10 times How well can PassApp perform on usability and user experience? Google Chrome Instagram Wikipedia YouTube Twitter Gmail Google Maps Facebook 42 *10 Login Time LinkedIn Fruit Ninja Skype Google Earth Success Rate OK Cancle

35 Memory about Installed Apps Participant ID (#0 - #41) #40 #30 #20 #10 # % 50% 60% 70% 80% 90% 100% # of Apps F-measure (%) Max:79, Min: 11, SD: 16.79

36 Login Time and Success Rate #40 Orientation Time Selection Time Confirmation Time Pariticipant ID (#0 - #41) #30 #20 #10 # Average Orientation Time (2.42s) Average Login Time (7.27s) Login Time (s) Average confirmation time: 0.76s

37 Number of Key Apps & Usability Indices 100% 100% F-measure (%) 90% 80% Success Rate (%) 90% 80% # of Apps # of Apps Orientation Time (s) Login Time (s) # of Apps # of Apps

38 Frequency of Using Apps & Usability Indices Orientation Time (s) y = (-0.357)*x R 2 = % <0.2times/days 21.66% t/d 23.11% 1-2 t/d 12.36% 3-5 t/d The Frequency of Use (Times / Day) 14.49% >5 t/d In user study 1, Participant need complete a web survey to mark the frequency of using the installed apps Login Time (s) The Frequency of Use (Times / Day) y = (-0.344)*x R 2 =

39 Security Analysis Brutal-force Attacks 0.055% One-time shoulder Surfing Attacks Multi-time shoulder Surfing Attacks Round Needed to Expose All Key Apps key apps y = (-6.86) *x R 2 = Monte Carlo Method # of Key Apps

40 Session 1: Session 2-4: Guessing Attacks Acquaintance Attacks Impersonated Login Rate (%) 80% 60% 40% 20% V1 V2 V3 V4 V5 V6 V7 Session 1, R 2 = Session 2, R 2 = Session 3, R 2 = Session 4, R 2 = V8 0% # of Key Apps

41 Discussion Key app selection too short or too many, popular apps, communication apps Decoy app selection app market, device manufacture, OS, language,etc Challenge panel generation (n key * m decoy * r rounds) Login time (challenge, backup authentication) Participant (field study in the future) Daily memory about other graphical elements photography, wallpapers, screenshots, avatars, etc privacy vs security vs usability

42 Conclusion PassApp is the first graphical password that utilizes user s existing memory about installed apps as password without registration stage without memory burden PassApp perform better usability than most graphical password acceptable login time: 7.27s (6.51s) high success rate: >95% PassApp has sufficient security than most graphical password brute-force attacks (0.055%) and dictionary attacks (0.75%) shoulder surfing attacks: average 30 times acquaintance attacks: can to some extent withstand (challenge)

43

44 Usability Evaluation 用户 & 环境 PAD PC

45 Usability Evaluation 任务 vs vs vs Login

46 Security Evaluation 安全 hash salting checker face hotspot

47 Methodology of Evaluation 评估方法 vs vs lab study vs field study IRB session Web Amazon Mechanical Turk

48

49

50 Homework 课后作业 IEEE Security & Privacy Magazine

51 Huiping Sun