Human Computable Protocols: Password-based Authentication

Transcription

1 18733: Applied Cryptography Human Computable Protocols: Password-based Authentication Anupam Datta With Jeremiah Blocki and Manuel Blum Carnegie Mellon University

2 Memory Experiment 1 Person Action Bill Clinton Tickling Object Peach 2

3 Memory Experiment 2 Person Action Michelle Obama Bouncing Object Smore 3

4 Password Management Competing Goals: Security Usability 4

5 Security Problem Password breaches at major companies have affected millions of users. 5

6 Traditional Security Advice Use numbers and letters Don t Reuse Passwords Use special symbols Don t use words/names Not too short Don t Write it Down Use mix of lower/upper case letters Change your passwords every 90 days 6

7 Usability Problem 7

8 Fundamental Question How can we evaluate password management strategies? Quantify Usability Quantify Security 8

9 Outline Introduction Motivation Our Approach Related Work Usability and Security Models Shared Cues Human Computable Passwords Conclusion and Future Vision 9

10 Traditional Approach Propose New Password Management Scheme User Study: Evaluate New Password Management Scheme 10

11 Our Thesis User models and security models can guide the development of human authentication schemes with analyzable usability and security properties. Develop + Analyze User Model Security Model 11

12 Our Approach: User Models User Model Capabilities + Behavior Example Capability: Users can remember a random secret with enough rehearsal. Example Behavior: How often a user visits each website on average. 12

13 Our Approach: User Models User Model Capabilities + Behavior Develop + Analyze User Model Empirical Validation Fast: Evaluation does not require Robust: expensive Can user be used to analyze Prior studies broad Cognitive class of Science password Studies management User schemes Studies 13

14 Result Research Results Defense Adopted by User Naturally Rehearsing Passwords [BBD2013] Human Computable Passwords [BBDV---] Authentication Server Optimizing Password Composition Policies [BKPS2013] GOTCHA Password Hackers [BBD2013] Cost Asymmetric Secure Hash [BBD---] Spaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwords [BKCD2015] Develop + Analyze User Model Empirical Validation Venues: NDSS, ASIACRYPT, EC, AISEC 14

15 Preview of Results Human Computable Passwords Shared Cues Independent Strong Passwords Reuse Weak Password User Effort 15

16 Outline Introduction Motivation Our Approach Related Work Usability and Security Models Shared Cues Human Computable Passwords Conclusion and Future Vision 16

17 Related Work Challenge: Multiple Passwords Graphical Passwords Passfaces, Cued Click Points, Windows 8 17

18 Related Work Goal: Password Quantify Strength Security Metrics for Multiple Passwords Telepathwords Markov Models Password Grammar Guessing Numbers 18

19 Related Work Goal: Minimize Trust Assumptions about User s Password Management Software Computational Devices 19

20 Related Work Quest Alternatives to Replace to Passwords [BHOS2012] 20

21 Outline Introduction Usability and Security Models Example Password Management Schemes Usability Model Security Model Shared Cues Human Computable Passwords Conclusion and Future Vision 21

22 Scheme 1: Reuse Strong Password Pick four random words w 1,w 2,w 3,w 4 Account Amazon Ebay Password w 1 w 2 w 3 w 4 w 1 w 2 w 3 w 4 22

23 Scheme 2: Strong Random Independent Four Independent Random Words per Account Account Amazon Ebay Password w 1 w 2 w 3 w 4 x 1 x 2 x 3 x 4 23

24 Outline Introduction Usability and Security Models Example Password Management Schemes Usability Model Security Model Shared Cues Human Computable Passwords Conclusion and Future Vision 24

25 First Attempt: Chunking Memorize: nbccbsabc Memorize: tkqizrlwp Incomplete 3 Chunks vs. 9 Chunks! Usability Goal: Minimize Number of Chunks in Passwords Source: The magical number seven, plus or minus two [Miller, 56] 25

26 Human Memory: Vast, but Lossy Rehearse or Forget! How much work? Quantify Usability Rehearsal Assumption p amazon???? p google 26

27 Memory Capability Day: Expanding Rehearsal Assumption: user maintains cue-association pair by rehearsing during each interval [s i, s i+1 ]. Source: Optimization of Repetition Spacing in the Practice of Learning [WG, 94] 28

28 Memory Capability Day Succeeded(i)/Returned(i) Source: Spaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwords [BKCD15] 29

29 Natural Rehearsal Day: Expanding Rehearsal Assumption: user maintains cue-association pair by rehearsing during each interval [s i, s i+1 ]. Visit Amazon: Natural Rehearsal Google X t : extra rehearsals to maintain all passwords for t days. Source: Optimization of Repetition Spacing in the Practice of Learning [WG, 94] 30

30 Extra Rehearsals Day: X t : extra rehearsals to maintain all passwords for t days. Reuse Password Usability Measure: X t X Usability Goal: Minimize X t Independent Passwords 31

31 Usability Results Reuse Strong Active ,938 Typical ,974 Occasional ,135 Strong Random Independent Infrequent ,024 E[X ]: Extra Rehearsals to maintain all passwords over lifetime. m = 75 accounts, s=1.5 Usable Unusable 34