Breaking undercover: exploiting design flaws and nonuniform human behavior

This paper reports two attacks on Undercover, a human authentication scheme against passive observers proposed at CHI 2008. The first attack exploits nonuniform human behavior in responding to authentication challenges; the second is based on information leaked from authentication challenges or responses visible to the attacker. The second attack can be generalized to break two alternative Undercover designs presented at Pervasive 2009. All the attacks exploit design flaws of the Undercover implementations. Theoretical and experimental analyses show that both attacks can reveal the user's password with high probability from O(10) observed login sessions. Both attacks were verified using the login data collected in a user study with 28 participants. We also propose some enhancements to make Undercover secure against the attacks reported in this paper. Our research in breaking and improving Undercover leads to two broader implications. First, it reemphasizes the principle that "the devil is in the details" for the design of security-related human-computer interfaces. Second, it reveals a subtle relationship between security and usability: human users may behave in an insecure way that compromises the security of a system. To design a secure human-computer interface, designers should pay special attention to the possible negative influence of every detail of the interface, including how human users interact with the system.
