A Graphical PIN Authentication Mechanism for Smart Cards and Low-Cost Devices

Transcription

1 A Graphical PIN Authentication Mechanism for Smart Cards and Low-Cost Devices Luigi Catuogno Dipartimento di Informatica ed Applicazioni Università di Salerno - ITALY [luicat@dia.unisa.it] Clemente Galdi Dipartimento di Scienze Fisiche Università di Napoli Federico II - ITALY [galdi@na.infn.it] Abstract Passwords and PINs are still the most deployed authentication mechanisms and their protection is a classical branch of research in computer security. Several password schemes, as well as more sophisticated tokens, algorithms, and protocols, have been proposed during the last years. Some proposals require dedicated devices, such as biometric sensors, whereas, other of them have high computational requirements. Graphical passwords are a promising research branch, but implementation of many proposed schemes often requires considerable resources (e.g., data storage, high quality displays) making difficult their usage on small devices, like old fashioned ATM terminals, smart cards and many low-price cellular phones. In this paper we present an graphical mechanism that handles authentication by means of a numerical PIN, that users have to type on the basis of a secret sequence of objects and a graphical challenge. The proposed scheme can be instantiatiated in a way to require low computation capabilities, making it also suitable for small devices with limited resources. We prove that our scheme is effective against shoulder surfing attacks. Introduction Passwords and PINs are still the most deployed authentication mechanism, although they suffer of relevant and well known weakness [1]. The protection of passwords is a classical branch of research in computer security. Several important improvements to the old-fashioned alphanumeric passwords, according to the context of different applications, have been proposed in the last years. Indeed, literature on authentication and passwords is huge, here we just cite Kerberos [13] and S/Key [6]. Two important aspects in dealing with passwords are the following: 1. Passwords should be easy enough to be remembered but strong enough in order to avoid guessing attacks; 2. The authentication mechanism should be resilient against classical threats, like shoulder surfing attacks, i.e., the capability of recording the interaction of the user and the terminal; moreover, it should be light enough to be used also on small computers. This work was partially supported by the European Union under IST FET Integrated Project AEOLUS (IST ).

2 Consider for example the following scenario. For accessing an ATM services, a user needs a magnetic strip card. In order to be authenticated, the user pushes her card (that carries only her identification data) in the ATM reader and types her four digit PIN; afterwards, the ATM sends the user s credentials to the remote authentication server through a PSTN network. This approach is really weak. Magnetic strip cards can be easily cloned and, PIN numbers can be collected in many ways. For example, an adversary could have placed a hidden micro-camera pointing to the ATM panel somewhere in the neighborhood. A recent tampering technique is accomplished by means of a skimmer, i.e., a reader equipped with an EPROM memory that is glued upon the ATM reader, so that strips of passing cards can be dumped to the EPROM. A forged spotlight is also placed upon the keyboard in order to record the insertion of the PIN. The skimmer allows adversaries to collect a finite number of user sessions obtaining all information needed to clone user cards. Such information, coupled with the images taken by the camera, allow the attacker to correctly authenticate to the ATM. Such attack is known in literature as shoulder surfing attack. Graphical passwords [2, 10, 3, 7, 8, 12, 16, 9, 11, 15] are a promising authentication mechanism that faces many drawbacks of old-style password/pin based scheme. The basic idea is to ask the user to click on some predefined parts of an image displayed on the screen by the system, according to a certain sequence. Such a method has been improved during the last years, in order to obtain schemes offering enhanced security and usability. Despite its importance, few attention has been devoted to graphical password schemes resilient to shoulder surfing attacks. In particular [11] first addressed this problem under restricted conditions. Subsequently, in [15] presented a graphical password scheme that was claimed to be secure against shoulder surfing attacks. However, this scheme has been proved not to be secure in [5]. For a wider overview about research on graphical passwords, we suggest the reader to take a look at the survey by Suo et al. [14] and visit the web site of the Graphical Passwords Project [4] at Rutgers. The majority of proposed schemes require costly hardware (e.g., medium or high resolution displays and graphic adapters, touch screen, data storage, high computational resources etc.). This makes some of the proposed schemes not suitable to be implemented on low cost equipments (e.g., current ATM terminals that are still the overwhelming majority). In this paper we propose a graphical PIN scheme based on the challenge-response paradigm that can be instantiatiated in a way to require low computation capabilities, making it also suitable for small devices with limited resources. The design of the scheme follows three important guidelines: The scheme should be independent from the specific set of objects that are used for the graphical challenge. In particular, our scheme can be deployed also on terminals that are equipped with small sized or cheap displays like the ones of the cellular phones, or through the classical 10 inch CRT monitor (both color or monochrome) that still equips thousands of ATM terminals. Moreover, user responses should be composed as well by any sophisticated pointing device as by simple keypad. The generation of challenges and the verification of user s responses should be affordable also by computer with limited computational resources (e.g. as in the smart card scenario described above).

3 The user is simply required to recognize the position of some objects on the screen. She is not required to compute any function. We present a strategy that can withstand shoulder surfing attacks. This strategy is independent from the specific set of objects that are used to construct the challange. 1 Our Proposal In this paper we assume that the terminal used by the user cannot be tampered. In other words, an adversary is allowed to record the challanges displayed by the terminal and the activity of the user but she is not allowed to alter in any way thebehaviour of the parties. The protocols described in this paper belong to the family of challenge and response authentication schemes, where the system issues a random challenge to the user, who is required to compute a response, according to the challenge and to a secret shared between the user and the system. More precisely, a challenge consists of a picture depicting a random arrangement of some objects (e.g. colored geometrical shapes) into a matrix. The challenge is displayed on the screen. We denote by O the set of all distinct objects and by q its cardinality. A challenge is represented as a sequence α = (o 1,...,o α ), where o i is an object drawn from O. During her authentication session, the user is required to type as PIN the position of a sequence of secret objects in the challenge matrix. It is clear that the PIN typed by the user changes in each session as the challenge changes, since it is simply the proof that the user knows the secret sequence of objects and so, she can correctly reply to the current challenge. To be more precise the secret is a sequence of m questions, called queries. Each query is a question of the following type: On which row of the screen do you see the object o?. Since questions are chosen independently, the set of possible queries has size O m. Upon reception of a challenge, the user is required to compute a response, according to the secret queries shared with the system. A response is a vector β = (β 1,...,β m ), where each β i is a number drawn from a set A = {0,1,... a 1}, representing the answer to the i-th query, according to the challenge. A Session Transcript is a pair τ = (α,β), where α is a challenge and β is the user response to α. We stress that the set of objects used to construct the challanges has an impact on the usability of the scheme. For example, it is easier to remember a sequence of pictures like home, dog, cat than a sequence of geometrical shapes, like blue traingle, green circle, yellow square. On the other hand, complex objects cannot be displayed/managed on lowcost devices. Our scheme is independent from the specific set of objects. This makes it is suitable for deployment both on complex and simple devices. 1.1 Different authentication strategies. Give the above authentication scheme, we have analized three different authentication strategies. In the first strategy, the user is required to correctly answer all the questions in her secret. A second strategy is to allow the user to correctly answer only to a subset of her secret questions. We have considered the case in which the user correctly answers at least k out of m questions of her choice while she is allowed to give random answers to the remaining queries. the last strategy we have analyzed consists in requiring the user to correctly answering exactly k out of n queries while giving wrong answers to the remaining ones.

4 Notice that the last two strategies differ in the sense that wrong answers do give information about the user secret in contrast to random answers that do not give any information on the user secret. For the above strategies we have evaluated the probability with which an adversary can extract the user secret as a function of the number of recorded sessions. Notice that the goal of the adversary may not be the secret extraction but, more simply, a one-time authentication. We notice that, typically, in the scenario we consider the adversary cannot use a brute force attack since, for example, the strip card would be disabled after three unsuccessfull authentications. For this reason the adversary should recover either the whole secret or almost the whole secret, before trying the authentication. 2 Experimental Evaluation In this section we give an experimental evaluation of the performances of the strategies presented above. For each strategy we report the number of session trascripts that the adversary needs to intercept for extracting the user secret with probability either.95 or.99. In order to present concrete examples, we will fix the number of objects to be either 36 or 80. The value 36 has been chosen so that all the object can be displayed on a low resolution display, e.g., the ATM case. The value 80 could be used in case the device used for displaying the objects is a more advanced one. Furthermore, we fix the number m of queries the user should answer to 15. This choice is due to the fact that (a) It should not be hard for a human to remember 15 objects and (b) The probability of a blind attack is negligible. Table 1 summarizes the performance of the first strategy in which the user correctly answers to all the questions in her secret. In particular, we report the number of sessions the adversary needs in order to compute successfully the user s secret either with probability 0.95 or with probability Always Correct p = 0.95 p = 0.99 q=36, a= q=36, a=6 6 7 q=80, a= q=80, a=8 5 6 Table 1: Number of sessions needed to extract the user secret with probability at least p in case m = 15 query case. As for the second strategy, the results in reported in Table 2 are referred to the single query case. This means that the adversary needs to collect at least x correct answers from the user. If we extend to the multiple query case, we need to consider that in each session, the user answers correctly only to a fraction of the queries. The value of the fraction of correct anwers depends, for some technicalities, on the size of the answer set A. As for the multiple query case, Table 3 reports the expected number of sessions that the adversary needs to collect in order to extract the user s secret. The last column indicates the probability with which the user correctly answers a query. The multiple query case is strictly related to the Group Coupon Collector s Problem. Since we are not aware of any result on such problem,

5 we have obtained these results by simulation. Correct & Random p = 0.95 p = 0.99 q=36 a= q=36 a=6 4 5 q=80 a= q=80 a=8 4 5 Table 2: Number of correct sessions needed to extract the user secret with probability at least p in the single query case. Correct & Random p = 0.95 p = 0.99 c q=36, a= /2 q=36, a= q=80, a= /2 q=80, a= Table 3: Number of sessions needed to extract the user secret with probability at least p in case m = 15 query case. As for the last strategy, let c be the number of questions the user correctly answer in each authentication. Table 4 reports the number of sessions an adversary needs to collect in order to extract the user secret with probability at least 0.95 or Correct & Wrong p = 0.95 p = 0.99 c q=36, a= m/2 q=36, a= m/4 q=36, a= m/2 q=36, a= m/4 q=80, a= m/2 q=80, a= m/4 q=80, a= m/2 q=80, a= m/4 Table 4: Number of sessions needed to extract the user secret with probability at least p in case m = 15 query case. 3 Conclusion In this paper we have presented a simple graphical PIN authentication mechanism that is resilient against shoulder surfing. Our scheme is independent on the spcific set of objects used to construct the challanges. Depending on the specific strategy, the adversary may fail in impersonating the user even if she manages to obtain as much as 36 transcripts. The scheme may be implemented on low cost devices and does not require any special training

6 for the users. The user only needs to remember a small sequence of objects. Finally the authentication requires a single round of interaction between the user and the terminal. We have also discussed a prototype implementation. The analysis of the scheme considers the probability of extracting the user s secret instead of the one of successful one-time authentication. Since the number of attempts the adversary can try before the user is disabled is limited to three, we believe that the number of sessions needed by the adversary in the latter case does not differ significantly from the one needed for the former goal. References [1] Ross J. Anderson. Why cryptosystems fail. Commun. ACM, 37(11):32 40, [2] G. E. Blonder. Graphical passwords. Lucent Technologies Inc, Murray Hill, NJ (US), US Patent no , [3] R. Dhamija and A. Perring. dèjá vu: A user study using images for authentication. In IX USENIX UNIX Security Symposium, Denver, Colorado(USA), August, [4] J. C. Birget et al. Graphical password project. birget/grpssw, [5] Philippe Golle and David Wagner. Cryptanalysis of a cognitive authentication scheme (short paper). In 2007 IEEE Symposium on Security and Privacy, to appear. [6] Neil M. Haller. The S/KEY one-time password system. In Proceedings of the Symposium on Network and Distributed System Security, pages , [7] W. Jensen, S. Gavrila, V. Korolev, R. Ayers, and R. Swanstrom. picture password: a visual login technique for mobile devices. In National Institute of Standards and Technologies Interagency Report, volume NISTIR 7030, [8] I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter, and A. D. Rubin. the design and analysis of graphical passwords. In Proceedings of the 8th USENIX security Symposium, Washington D.C. (US), august [9] Shushuang Man, Dawei Hong, and Manton M. Matthews. A shoulder-surfing resistant graphical password scheme - wiw. In Proceedings of the International Conference on Security and Management, SAM 03, June 23-26, 2003, Las Vegas, Nevada(US), volume 1, pages , June [10] A. Perrig and D. Song. hash visualization: A new technique to improve real-world security. In Proceedings of the 1999 Internationa Workshop on Cryptographic Techniques and E-Commerce, [11] Volker Roth, Kai Richter, and Rene Freidinger. A pin-entry method resilient against shoulder surfing. In CCS 04: Proceedings of the 11th ACM conference on Computer and communications security, pages , New York, NY, USA, ACM Press. [12] L. Sobrado and J. C. Birget. graphical password. The Rutgers Scholar, an electronic Bulletin for undergraduate research, 4, 2002.

7 [13] Jennifer G. Steiner, B. Clifford Neuman, and Jeffrey I. Schiller. Kerberos: An authentication service for open network systems. In USENIX Winter, pages , [14] Xiaoyuan Suo, Ying Zhu, and G. Scott Owen. graphical passwords: a survey. In Proceedings of 21st Annual Computer Security Application Conference (ACSAC 2005) december 5-9, Tucson AZ (US), pages , december [15] Daphna Weinshall. Cognitive authentication schemes safe against spyware (short paper). In IEEE Symposium on Security and Privacy, pages IEEE Computer Society, [16] S. Wiedenbeck, J. Waters, L. Sobrado, and J. C. Birget. Design and evaluation of a shoulder-surfing resistant graphical password scheme. In Proceedings of Advanced Visual Interfaces AVI 2006, Venice ITALY, may