Security and Usability Computer Security: Lecture 9. 9 February 2009 Guest Lecture by Mike Just

Similar documents
HCI Lecture 10: Guest Lecture Usability & Security 28 October 2008

User Authentication and Passwords

T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A. Authentication EECE 412. Copyright Konstantin Beznosov

Usable Security. Computer Security Lecture 17. Mike Just. 19th March School of Engineering and Built Environment Glasgow Caledonian University

T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A. Authentication

Lecture 3 - Passwords and Authentication

What is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource.

Lecture 3 - Passwords and Authentication

Authentication SPRING 2018: GANG WANG. Slides credit: Michelle Mazurek (U-Maryland) and Blase Ur (CMU)

CS Passwords, part 2. Prof. Clarkson Spring 2016

User Authentication. E.g., How can I tell you re you?

14 - Authentication in Practice

Chapter 3: User Authentication

Password Managers: Devil s in the Details

Authentication KAMI VANIEA 1

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Security and human behavior. Some material from Lorrie Cranor, Mike Reiter, Rob Reeder, Blase Ur

CSE 565 Computer Security Fall 2018

CAN WE ESCAPE PASSWORDS?

Usable Security Introduction to User Authentication and Human Interaction Proof Research

User Authentication. Tadayoshi Kohno

2. Access Control. 1. Introduction

On Passwords (and People)

Chapter 4 Protection in General-Purpose Operating Systems

Authentication. Tadayoshi Kohno

Sumy State University Department of Computer Science

CSCI 667: Concepts of Computer Security

01- Course overview and introductions

01- Course overview and introductions

MANAGING LOCAL AUTHENTICATION IN WINDOWS

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A. Authentication

Authentication schemes for session password using color and special characters

User Authentication Best Practices for E-Signatures Wednesday February 25, 2015

Tennessee Technological University Policy No Password Management

Proceedings of the 10 th USENIX Security Symposium

Authentication Methods

SWAMID Person-Proofed Multi-Factor Profile

CS530 Authentication

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/1516/ Chapter 4: 1

5-899 / Usable Privacy and Security Text Passwords Lecture by Sasha Romanosky Scribe notes by Ponnurangam K March 30, 2006

Accounts and Passwords

User Authentication. Daniel Halperin Tadayoshi Kohno

Passwords. Secure Software Systems

A Novel Method for Graphical Password Mechanism

Information Security & Privacy

Passwords. EJ Jung. slide 1

Intruders, Human Identification and Authentication, Web Authentication

Password Managers. Victor (Vic) Daniel. Handout Page 1/38

TABLE OF CONTENTS. Lakehead University Password Maintenance Standard Operating Procedure

HumanAUT Secure Human Identification Protocols

Who are you? Enter userid and password. Means of Authentication. Authentication 2/19/2010 COMP Authentication is the process of verifying that

Mnemonic Password Algorithms

User Authentication. Modified By: Dr. Ramzi Saifan

USER AUTHENTICATION GUIDANCE FOR INFORMATION TECHNOLOGY SYSTEMS

Biometrics problem or solution?

CNT4406/5412 Network Security

Defenses against Large Scale Online Password Guessing by Using Persuasive Cued Click Points

CIS 6930/4930 Computer and Network Security. Topic 6. Authentication

In this unit we are continuing our discussion of IT security measures.

Personal Internet Security Basics. Dan Ficker Twin Cities DrupalCamp 2018

Usable Security: Phishing

User Authentication. Modified By: Dr. Ramzi Saifan

Frontline Information Protection

AUTHENTICATION IN THE AGE OF ELECTRONIC TRANSACTIONS

Computer Security: Principles and Practice

User Behaviors and Attitudes Under Password Expiration Policies

How. Biometrics. Expand the Reach of Mobile Banking ENTER

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

ECE646 Fall Lab 1: Pretty Good Privacy. Instruction

Put Identity at the Heart of Security

MODULE NO.28: Password Cracking

Integrated Access Management Solutions. Access Televentures

LOGIN SERVICE SECURITY

Authentication Objectives People Authentication I

Meeting the requirements of PCI DSS 3.2 standard to user authentication

BTEC Level 3. Unit 32 Network System Security Password Authentication and Protection. Level 3 Unit 32 Network System Security

CSC 474 Network Security. Authentication. Identification

A STUDY OF TWO-FACTOR AUTHENTICATION AGAINST ON-LINE IDENTITY THEFT

User Authentication and Human Factors

PASSWORD SECURITY GUIDELINE

Stuart Hall ICTN /10/17 Advantages and Drawbacks to Using Biometric Authentication

Online Threats. This include human using them!

Authentication CS 136 Computer Security Peter Reiher January 22, 2008

KuppingerCole Whitepaper. by Dave Kearns February 2013

5/15/2009. Introduction

Main area: Security Additional areas: Digital Access, Information Literacy, Privacy and Reputation

Intro. So, let s start your first SMS marketing legalese class!

Security and Privacy. Security or Privacy? Computer Security

Rethinking Authentication. Steven M. Bellovin

FIDO Alliance: Standards-based Solutions for Simpler, Strong Authentication

A guide to the Cyber Essentials Self-Assessment Questionnaire

Topics. Authentication System. Passwords

Evaluating Alternatives to Passwords

Password. authentication through passwords

CPSC 467b: Cryptography and Computer Security

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Authentication and passwords

===============================================================================

HY-457 Information Systems Security

Transcription:

Security and Usability Computer Security: Lecture 9 9 February 2009 Guest Lecture by Mike Just

Introduction Who am I? Mike Just Visiting Research Fellow, School of Informatics Researching security and usability of knowledgebased authentication with David Aspinall Continue to work (part time, remotely) for Canadian Government investigating innovative technology Received Ph.D. from Carleton University in 1998 Home: Ottawa, Canada 9 Feb 2009 Computer Security Lecture 9 2

'Challenge Questions Experiment' Stage 2 Before beginning today's lecture, we will perform Stage 2 of our Experiment Details are provided in the handout To participate, you must have completed Stage 1, and have your sealed envelope with you today The experiment is voluntary you can choose to not participate, or to withdraw at any point At no time will you be asked to submit any personal information 9 Feb 2009 Computer Security Lecture 9 3

Security and Usability [S]ystems security is one of the last areas in IT in which user centered design and user training are not regarded as essential. [H]ackers pay more attention to the human link in the security chain than security designers do. [Adams and Sasse, 1999] (And still true today!) 9 Feb 2009 Computer Security Lecture 9 4

Security and Usability (2) Can usability and security co exist? Does increased security reduce usability? Yes (sometimes) Does increased usability reduce security? Yes (sometimes) We do know that reduced usability can also reduce security System designers must find the balance between usability and security 9 Feb 2009 Computer Security Lecture 9 5

Security and Usability (3) And the design environment isn t easy... [These devices] are incapable of securely storing highquality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations. (They are also large, expensive to maintain, difficult to manage, and they pollute the environment. It is astonishing that these devices continue to be manufactured and deployed. But they are sufficiently pervasive that we must design our protocols around their limitations.) [C. Kaufman, R. Perlman, M. Speciner, Network Security, 2002] 9 Feb 2009 Computer Security Lecture 9 6

Authentication and Usability Authentication is the process of confirming someone as authentic Three information types for authenticating Something you have Mobiles, smartcards,... Something you are Biometrics physical characteristics, involuntary actions Fingerprints, facial recognition, voice recognition,... Something you know Password, PINs, passphrases,... 9 Feb 2009 Computer Security Lecture 9 7

Authentication and Usability (2) Authentication information has a lifecycle Security and usability should be addressed at each stage Issuance and Maintenance Use Stage at which information is created, issued, updated or retired Stage at which information is used to authenticate 9 Feb 2009 Computer Security Lecture 9 8

Some Security & Usability Principles Some Usability Principles Limit amount of physical interaction Limit human processing and learning requirements Limit memorization requirements Limit number of seemingly artificial constraints Limit excessive update requirements Limit requirements for perfect accuracy Security should not interfere with the task of the user Security often strains these usability limits Especially when using something you know 9 Feb 2009 Computer Security Lecture 9 9

Something You Know Root Causes Passwords require 100% correct, unaided recall of a nonmeaningful item [Sasse, 2003] The cause of usability issues are known Rules, rules, rules! Length of at least 8 characters... Must contain one lower and uppercase, one number,... Monthly updates Dozens of accounts with passwords And they're not even considered terribly secure today! Unfortunately, the solutions to the 'Create and Memorize' paradigm/dilemma aren't so obvious 9 Feb 2009 Computer Security Lecture 9 10

Something You Know Potential Improvements Don t rely upon the creation and memorization of new information for authentication Use information that is already known Cognitive passwords Passwords based upon information already known Best known example is use of challenge questions A.k.a. Knowledge Based Authentication 9 Feb 2009 Computer Security Lecture 9 11

Challenge Questions Some Examples Consider the following examples What is your mother s maiden name? What is your favourite colour? Who is your favourite actor? What was your high school locker combination? What was your first pet s name? Are these questions secure? Are these questions usable? 9 Feb 2009 Computer Security Lecture 9 12 Example Questions not necessarily from this class' experiment.

Challenge Questions Usability Criteria Applicability Users have sufficient information to provide a relevant answer to a question Memorability Users can consistently recall the original answer to a question over time Repeatability Users can consistently and accurately (syntactically) repeat the original answer to a question over time 9 Feb 2009 Computer Security Lecture 9 13

Challenge Questions Security Criteria Guessability Traditional measure in which the security level is directly proportional to the number of possible answers for a given question Observability The security level is inversely proportional to an attacker s ability to find the answer to a given question Attackers might be strangers, acquaintances, colleagues, friends, family members 9 Feb 2009 Computer Security Lecture 9 14

Challenge Questions Some Examples Revisited (Re )Consider the following examples What is your mother s maiden name? Security MED Usability HIGH What is your favourite colour? Security LOW Usability MED Who is your favourite actor? Security MED Usability MED What was your high school locker combination? Security HIGH Usability LOW What was your first pet s name? Security MED Usability MED 9 Feb 2009 Computer Security Lecture 9 15

Challenge Questions Some Examples Revisited (2) Did you agree with the usability and security ratings on the previous page? Security 'Observability' levels are often subjective Usability Often depend upon context and environment, e.g. user base, user experience, guidance to users Requires empirical evidence 9 Feb 2009 Computer Security Lecture 9 16

Challenge Questions Security Revisited Attacks Blind Blind Guess Information Available to Attacker Attacker knows alphabet used for answers and its frequency distribution Focused Guess Attacker also knows the questions used and can typically determine possible answers and their frequency distribution Site Specific Guess Attacker can glean some information from the site which the authentication is protecting Personalized Guess Attacker can determine personal information about the user; either the answers themselves, or information that further reduces the set of likely answers 9 Feb 2009 Computer Security Lecture 9 17

Challenge Questions Security Revisited (2) Blind Guess The entropy of X is the amount of information conveyed by X, or equivalently, uncertainty in X Let X take on values x 1,x 2,...,x n with respective probabilities p 1,p 2,...p n H(X) = [Sum(i=1,n) {p i lg(p i )}] = [Sum(i=1,n) {p i (lg(1/p i ))}] E.g. With n=8, and uniformly distributed x i (p i =1/8), H(X)=3 E.g. Password consisting of 8 8 bit ASCII characters Actual password size of (2 8 ) 8 = 2 64. Or 64 bits to encode. Effective size of (62) 8 ~ 2 48. Or 48 bits to guess. (Upper/lowercase, #'s) The 'effective size' is not a minimum! For example, the above calculation assumes a uniform distribution of passwords, which is not the case in reality. 9 Feb 2009 Computer Security Lecture 9 18

Challenge Questions Security Revisited (3) Blind Guess (cont'd) E.g. Answer consisting of 8 8 bit ASCII characters Answers usually normalized to use 26 lowercase characters only Effective size of (26) 8 ~ (2 4.7 ) 8 ~ 2 38. Or 38 bits (4.7 bits of entropy per character) But, this assumes uniformly distributed/chosen characters to form answers Answer space is the English language, reducing the uncertainty (dictionary attack) Effective size of 2.3(8) = 18.4 bits of uncertainty (according to Shannon) How many bits are needed to prevent attacks? That depends upon which attacks (risks) you're trying to mitigate Online attacks can be mitigated by limiting the number of authentication attempts. However, offline attacks allow for many, many more guesses. Random attacks (compromise any account) allow many guesses spread across multiple accounts. Targetted attacks focus on a specific user account so are limited by online/offline constraints (but introduce personalization to attack) But 20 bits is not enough... 9 Feb 2009 Computer Security Lecture 9 19

Challenge Questions Security Revisited (4) Focused Guess Knowing question gives further reduction in uncertainty (and questions are effectively public) E.g. What was my first pet's name? http://www.babynames.com/names/pets/ gives the top 200 names for dogs and cats Some questions simply suggest very low entropy answers, e.g. What religion is my father?, Favourite colour? Site Specific Guess Dependent upon the site, one can sometimes learn the likely gender, age range, interests, place of residence of users E.g. First album bought?, Who is my favourite actor? Personalized Guess Only necessary once previous attacks have been exhausted Mother's Maiden Name is often easy to determine from public records 9 Feb 2009 Computer Security Lecture 9 20 Example Questions not necessarily from this class' experiment.

Challenge Questions Usability Revisited There's been very little study of the memorability of authentication credentials, especially challenge questions We hope to learn more from our experiments Some observations Older users have difficulty remember first time events Favourites can change over long term Questions that are disguised to be more secure, can also be less memorable 9 Feb 2009 Computer Security Lecture 9 21

Other Options for Authentication Graphical text passwords No link input position to temporal order Consider familiar password process, where temporal order is tied to position password: G _ password: G o password: G o p _ password: G o p h password: G o p h e _ password: G o p h e r password: G _ password: G o password: _ p G o password: _ p G o h _ password: e p G o h _ password: e p G o h r Other memorable passwords possible E.g. reverse, rotation, even then odd, outside in Secure? Usable? 9 Feb 2009 Computer Security Lecture 9 22

Other Options for Authentication (2) Password is (2,2)(3,2)(3,3)(2,3)(2,2)(2,1)(5,5) '(5,5)' is 'pen up' 9 Feb 2009 Computer Security Lecture 9 23

Other Options for Authentication (3) 9 Feb 2009 Computer Security Lecture 9 24

Other Options for Authentication (4) 9 Feb 2009 Computer Security Lecture 9 25

Security and Usability Final Thoughts Security authentication with information (passwords, challenge questions) requires Sufficient information But this impacts memory Minimal constraints But this impacts processing Accuracy But this impacts memory & processing Seems daunting! Current solutions simply don't have a sufficient balance between security and usability 9 Feb 2009 Computer Security Lecture 9 26

References Lorrie Cranor and Simson Garfinkel, Security and Usability, O'Reilly and Associates, 2005. SOUPS, CHI and HCI conferences for peerreviewed papers Questions? mike.just@ed.ac.uk http://homepages.inf.ed.ac.uk/mjust/ 9 Feb 2009 Computer Security Lecture 9 27

Additional Slides 9 Feb 2009 Computer Security Lecture 9 28

'Something You Have' Security and Usability Considerations Issuance and Maintenance Use Often requires physical interaction (e.g. In person, mail) Security: In person registration, using 'physical' credentials for identification Usability: Physical interaction required, but little processing or memory Security: Prevent duplication or impersonation Usability: No requirements placed on human memory, but human card machine interface issues, e.g. Which way do I insert the card? 9 Feb 2009 Computer Security Lecture 9 29

'Something You Are' Security and Usability Considerations Issuance and Maintenance Use Requires physical interaction to collect biometrics Security: In person registration, using 'physical' credentials for identification Usability: Physical interaction required, but little processing or memory Limited options for renewal due to finite set of biometrics Security: Prevent duplication or impersonation Usability: No requirements placed on human memory, but humanmachine interface issues, e.g. Not all have readable fingerprints 9 Feb 2009 Computer Security Lecture 9 30

'Something You Know' Security and Usability Considerations Issuance and Maintenance Use Can (and typically do) perform online Security: Relies upon online identification information Usability: Ability to follow rules (length, capitalization,...), and create something secure and memorable Security/Usability: Typically prevent re use of previously used information Security: Very dependent upon user memory capabilities Usability: Memory recall of credentials 9 Feb 2009 Computer Security Lecture 9 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback