Towards a Secure Human-and-Computer Mutual Authentication Protocol

We blend research from human-computer interface (HCI) design with computational based cryptographic provable security. We explore the notion of practice-oriented provable security (POPS), moving the focus to a higher level of abstraction (POPS+) for use in providing provable security for security ceremonies involving humans. In doing so we highlight some challenges and paradigm shifts required to achieve meaningful provable security for a protocol which includes a human. We move the focus of security ceremonies from being protocols in their context of use, to the protocols being cryptographic building blocks in a higher level protocol (the security ceremony), which POPS can be applied to. In order to illustrate the need for our approach, we analyse both a protocol proven secure in theory, and a similar protocol implemented by a financial institution, from both HCI and cryptographic perspectives.

[1]  Manuel Blum,et al.  How to generate cryptographically strong sequences of pseudo random bits , 1982, 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982).

[2]  Margot Brereton,et al.  Ceremony Analysis: Strengths and Weaknesses , 2011, SEC.

[3]  Carl M. Ellison,et al.  Public-key support for group collaboration , 2003, TSEC.

[4]  Ka-Ping Yee,et al.  Aligning Security and Usability , 2004, IEEE Secur. Priv..

[5]  G. Arumugam SECURED AUTHENTICATION PROTOCOL SYSTEM USING IMAGES , 2010 .

[6]  Andrew Chi-Chih Yao,et al.  Theory and application of trapdoor functions , 1982, 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982).

[7]  Philippe A. Palanque,et al.  Proceedings of the SIGCHI Conference on Human Factors in Computing Systems , 2014, International Conference on Human Factors in Computing Systems.

[8]  Arun Kumar,et al.  Article in Press Pervasive and Mobile Computing ( ) – Pervasive and Mobile Computing a Comparative Study of Secure Device Pairing Methods , 2022 .

[9]  Colin Potts,et al.  Design of Everyday Things , 1988 .

[10]  Ari Juels,et al.  Authenticating Pervasive Devices with Human Protocols , 2005, CRYPTO.

[11]  Andrew Chi-Chih Yao,et al.  Theory and Applications of Trapdoor Functions (Extended Abstract) , 1982, FOCS.

[12]  Marti A. Hearst,et al.  Why phishing works , 2006, CHI.

[13]  Stefan Dziembowski How to Pair with a Human , 2010, SCN.

[14]  David A. Wagner,et al.  Conditioned-safe ceremonies and a user study of an application to web authentication , 2009, NDSS.

[15]  Moti Yung,et al.  Fourth-factor authentication: somebody you know , 2006, CCS '06.

[16]  Mihir Bellare,et al.  Entity Authentication and Key Distribution , 1993, CRYPTO.

[17]  Ran Canetti,et al.  POSH: a generalized captcha with security applications , 2008, AISec '08.

[18]  Stuart E. Schechter,et al.  The Emperor's New Security Indicators , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[19]  Ersin Uzun,et al.  Usability Analysis of Secure Pairing Methods , 2007, Financial Cryptography.

[20]  Manuel Blum,et al.  Secure Human Identification Protocols , 2001, ASIACRYPT.

[21]  Matti Tedre,et al.  Science of the Artificial , 2014 .

[22]  Holger Hermanns,et al.  Logic for Programming, Artificial Intelligence, and Reasoning , 2010, Lecture Notes in Computer Science.

[23]  Phoebe Sengers,et al.  The Three Paradigms of HCI , 2007 .

[24]  Lucy Suchman,et al.  Human-Machine Reconfigurations: Plans and Situated Actions , 2006 .

[25]  Ahmad-Reza Sadeghi,et al.  Provably secure browser-based user-aware mutual authentication over TLS , 2008, ASIACCS '08.

[26]  Paul Dourish,et al.  What we talk about when we talk about context , 2004, Personal and Ubiquitous Computing.

[27]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 2018 .

[28]  Herbert A. Simon,et al.  The Sciences of the Artificial , 1970 .

[29]  Jean Everson Martina,et al.  Ceremonies Formal Analysis in PKI's Context , 2009, 2009 International Conference on Computational Science and Engineering.

[30]  Carl M. Ellison,et al.  Ceremony Design and Analysis , 2007, IACR Cryptol. ePrint Arch..

[31]  Paul C. van Oorschot,et al.  TwoStep: An Authentication Method Combining Text and Graphical Passwords , 2009, MCETECH.

[32]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[33]  Adam Shostack,et al.  The New School of Information Security , 2008 .

[34]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[35]  Stuart E. Schechter,et al.  The Emperor's New Security Indicators An evaluation of website authentication and the effect of role playing on usability studies † , 2007 .

[36]  Robert Biddle,et al.  Even Experts Deserve Usable Security: Design guidelines for security management systems , 2007 .

[37]  L. Suchman Human-Machine Reconfigurations: Plans and situated actions (2nd edition). , 2007 .

[38]  Sean W. Smith Humans in the Loop: Human-Computer Interaction and Security , 2003, IEEE Secur. Priv..

[39]  Richard Mollin Codes: The Guide to Secrecy From Ancient to Modern Times , 2005 .

[40]  Julien Bringer,et al.  HB^+^+: a Lightweight Authentication Protocol Secure against Some Attacks , 2006, Second International Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing (SecPerU'06).

[42]  Silvio Micali,et al.  Probabilistic Encryption , 1984, J. Comput. Syst. Sci..

[43]  日本規格協会 情報技術-セキュリティ技術-情報セキュリティマネジメントシステム-要求事項 : 国際規格ISO/IEC 27001 = Information technology-Security techniques-Information security management systems-Requirements : ISO/IEC 27001 , 2005 .

[44]  Margot Brereton,et al.  How HCI design influences web security decisions , 2010, OZCHI '10.

[45]  Berk Sunar,et al.  PUF-HB: A Tamper-Resilient HB Based Authentication Protocol , 2008, ACNS.