Handball:Simple Security Tools for

Handheld Devices

Niklas Frykholm, Markus Jakobsson, Ari Juels

LABORATORIES

Our aim:To rethink palm security from

scratch

Palm pros:– Cheap– Convenient– Someday

ubiquitous– Smartcard

alternative?

Palm cons:– Easily stolen– No tamper resistance– Often used for

sensitive data– New (sometimes

clumsy) style of data entry

Despite this, we want:

To prevent unauthorized access Get good security from low entropy

keys Alert/disable in case of unauthorized

access Achieve functionality like backup in

hostile environments

Attackers may

Steal devices and copy them

surreptitiously

Emulate copied devices completely

See all old transcripts

Do fairly serious computing (250 or so…)

Mount some on-line attack

Problem with passwords on palm devices

Passwords geared toward keyboards– Palm devices use other data entry

Some studies suggest superiority of visual memory (e.g., Sheperd)

The visual approach...– Jermyn et al., Xerox PARC, Blonder, Perrig,

Passfaces– Only Jermyn et al. suitable for palm

devices

Visual Passwords Your PIN consists of a point on an image (or

multiple such)

Icons help stimulate the

user’s memory

Visual Passwords

Error-tolerance techniques allow user to come only close to point, but security remains maximal

Training routine helps fix PIN in user’s memory

Prototype available

Some more problems with passwords

Users and passwords don’t mix well:– Either too long to be easily memorized (high entropy)– Or too short to be used effectively in naïve manner

For example, AES encryption of credit cards

Credit-Card Vault

•Special “non-redundant” encryption protects card and bank account numbers with just a PIN -- •Protection even against a determined hacker•Prototype available

Encryption using low-entropy keys

To encrypt a list of PINS:– Select master PIN -- call it M– E[PIN1] = PIN1 M

– E[PIN2] = PIN2 M , etc.

But a credit card is not so simple:– Has redundancy: Check digit– Unprotected parts may give clues to

attacker

Accommodate credit-card structure

Idea: Isolate essential digits– Strip away check digit– Strip away bank numbers

Encrypt remaining digits under stream cipher mod 10– RC4(key) 10 (cc digits)

Note: Decryption with any key yields a valid-looking credit card number

Credit-card vault

Can we do Social Security Numbers? Names? Addresses?

Infrared Palm Lock

•Small key locks and unlocks PalmPilot•Strong key would be inexpensive ($2) to manufacture in quantity

Current prototype is “conceptual”– Static key– 20-bit entropy

Evolution:– Static key, 80-bit entropy encryption

key– Rolling key, rolling encryption– Bluetooth -- interactive variant

Infrared Palm Lock

Digital Signing on the Palm

•Online approaches may suffer from spotty connectivity

•Palm is convenient platform for signing•An offline digital signing key protected with a PIN is vulnerable to attack if palm device is stolen

I agree to buy 1000 shares ofEnron at $100/share from Ken.

Our aim

Distinguish attacker–generated signatures from “real” signatures

Alert authorities of any attacks But make alarm “silent”

– attacker should be unable to distinguish a good signature from a bad one

All with a low-entropy PIN!

Funkspiel schematic

hs1 s2 s3 s4h h

h’ h’ h’

r1 r2 r3

•si = h(si, i)

•ri = h’(si, PIN)

•Incorporate ri into message to be signed

•Verifier can check correctness of ri

Why does this yield “silent” alarm?

hs1 s2 s3 s4h h

h’ h’ h’

r1 r2 r3r2

s2?

?

•Attacker can’t learn s2 because of one-wayness of h

•Attacker can’t learn PIN because she can’t learn s2

•Attacker can’t tell whether she’s tripping alarm if she signs using s3

Inserting ri into standard scheme

We use RSA-PSS (Bellare-Rogaway)

RSA-PSS supplies random padding of messages to be signed using RSA – to avoid existential forgery

Padding has some random component, some redundancy

We let ri be the random portion

The Big Picture

Everybody can verify signatures using standard RSA-PSS

“Alarm center” can check PIN, too, for “silent alarm”!

“Alarm center” can, e.g., inform bank if theft suspected

LABORATORIES

•Prototypes available for visual passwords, credit-card vault, and IR key•Patents pending on visual passwords