Towards identifying and preventing behavioral side channel attack on recording attack resilient unaided authentication services

Abstract

Side channel attacks based on human behavior have not received much attention in the domain of recording attack resilient unaided authentication services (RARUAS), which rely purely on human visual perception rather than on hidden auxiliary channels. In this paper, for the first time, we present an extensive analysis showing how human behavior during login can weaken the claimed security standard of RARUAS. We identify this threat as a behavioral side channel attack. Making the situation more alarming, our investigation reveals that the identified threat model is capable of reducing the claimed session resiliency of any RARUAS by a significant extent. To deal with this threat model, the latter part of our proposal introduces a novel defense strategy that reduces the attacker's efficiency and improves session resiliency. A subsequent study indicates that, by the nature of its design, the proposed defense strategy has no significant impact on the usability standard. To validate our claims, we conducted a thorough experimental study showing that the proposed defense strategy is truly deployable in practice for improving the situation against the behavioral side channel attack.
