PHOTOGRAPHIC AUTHENTICATION THROUGH UNTRUSTED TERMINALS

Authors: Trevor Pering, Murali Sundar John Light, Roy Want

CS585Feb 26,2009

THE AUTHORS

OUTLINE Introduction Motivation and premise Security overview Experimental evaluation Discussion Future work

INTRODUCTION

Public internet access points provide a convenient means to access the Internet, but they pose considerable security risks.

Solving method to the risks: Photographic authentication (PA): is a technique

that relies on personal photographs for authenticating user access.

OVERVIEW (CONT.) How it works

Work in conjunction with a trusted “home server” that stores the user’s photographs and account information. The users identify themselves to the system, initiating

the authentication process with their home server The home server passes the necessary credentials to

the desired Web-service host

OVERVIEW (CONT.)—EXAMPLE

OVERVIEW (CONT.) —EXAMPLE: EXPLANATION The users selected the images that belonged

to them. The system presented photographs such as above figure. Because the home server manages the authentication process, the access terminal does not gain access to any unnecessary information, such as the user’s photographic databases. The system can not be compromised from public terminal. Thus, the attacker cannot break the authentication scheme.

MOTIVATION AND PREMISE The need for more secure login mechanisms

that grant or deny access through untrusted terminals. While login, there are additional risk with using

public infrastructure. E.g. users check the status of their bank accounts,

they are potentially compromising both their account balance and account number. However, it is generally only necessary to display the account balance, not both.

MOTIVATION AND PREMISE (CONT.) The need for alternative authentication

techniques because of the emerging mobile Internet.

A highly secure authentication technique would be overkill for a terminal which cannot guarantee the security of the data accessed. PA aims to be “secure enough” for casual data by providing the necessary level of security with compromising ease of use.

MOTIVATION AND PREMISE (CONT.) The increased prevalence of digital photos

and the ease with which people can recognize photographic images.The popularity of digital photos have

recently exploded because of the widespread availability of affordable consumer grade cameras and computers capable of manipulating photos;

More people possess large personal image collections ;

Digital storage capacities are rapidly increasing

SECURITY OVERVIEW

The PA implementation presented is about as secure as a six-digital password.

This means that there is a 1 in 106 chance that random guessing will be successful, a smaller chance than that of the personal identification numbers (PINs) which is 104;

SECURITY OVERVIEW (CONT.)

The real vulnerability of photograph-based authentication is not numeric, but cognitive.

The attacker uses knowledge about the user in a cognitive attack

SECURITY OVERVIEW (CONT.) PA is convenient, don’t carry a portable

electronic device, so there is no chance to damage the device

users simply walk up to a terminal and select from a few sequences of images presented to them on the screen;

Another technique requires users to carry a portable electronic device, such as a SecurID card, as a trusted authentication mechanism that would let them safely log in to an untrusted terminal using a one-time key generated by the device

SECURITY OVERVIEW (CONT.)

PA is suited to providing access through semi-trusted or untrusted terminals, and also suited to trusted environments.

It only provides an easier means to access information than text-based authentication.

EXPERIMENTAL EVALUATION Experiment conditions and process:

1. Two sets of experiment help to evaluate PA2. Converted all images to 400 X 300 resolution; 3. Simulated a standard login process to see

whether PA is feasible;4. Simulated an attack against the system to see if

it would hold up under a reasonable replay attack;

5. Conducted both the two experiments though a Web interface, and logged all transactions ;

EXPERIMENTAL EVALUATION (CONT.)

EXPERIMENTAL EVALUATION (CONT.) Authentication experiment

Goal: design the primary authentication test to see whether users could correctly distinguish their own images from those of others;

Result: Users can quickly and accurately identify their own

pictures Not require any learning

EXPERIMENTAL EVALUATION (CONT.) Attack experiment

Goal: designed the login attack to simulate an attack on a user account by someone who had snooped on a previous authentication session by that user;

Result: (see blow figure) Have great variability of success rate and speed Indicate that most users’ image sets are relatively

immune to attack.

EXPERIMENTAL EVALUATION (CONT.)

EXPERIMENTAL EVALUATION (CONT.)

EXPERIMENTAL EVALUATION (CONT.)

Conclusion:

Attackers fared significantly worse than the primary users at recognizing images

DISCUSSION Overview; Replay attacks; Cognitive attacks; Coincident attacks; Compromised attacks; Polling attacks.

DISCUSSION --OVERVIEW Security is the prime concern of any

authentication mechanism; PA is secure because it bases on recognition,

rather than memorization, there are no security leaks generated by people writing down password;

Exist ways such that the system can be compromised;

Exist drawback to the experiment, e.g., maybe the attackers is unskilled

DISCUSSION (CONT.) -- REPLAY ATTACKS Definition: Replay attack, also known as

observer attack, consists of capturing part of a communication between two entities and playing back that information at a later time to compromise the system;

Property: PA is well suited to resist replay attacks through

untrusted terminals by varying the challenge image set each time;

PA is not completely immune to replay attacks because the images from one attempt might provide enough information to deduce the correct images in following attempts.

DISCUSSION (CONT.) --COGNITIVE ATTACKS Including two kinds:

Similarity attack involves determining whether two images are pictures of the same thing;

Knowledge attack uses specific pieces of knowledge, such as knowing about a trip to Paris, to identify related pictures.

Property: cognitive attack is somewhat sensitive to

knowledge attacks because of the strong correlation between users’ lives and the pictures they keep;

A cognitive attack requires the perpetrators to think about the selections they are making instead of just picking images they recognize.

DISCUSSION (CONT.) --COINCIDENT ATTACKS

Definition: Coincident attack is one in which an unscrupulous agent or proxy running on the untrusted terminal has access to a user’s data in parallel to the user actively operating the system.

Property: the window for a coincident attack begins after a successful authentication and ends when the user either explicitly logs out of the system or times out.

DISCUSSION (CONT.) --COMPROMISED ATTACKS Definition: A compromised attack is one in which

the system’s integrity has already been compromised. E.g., the attacker has cracked the password or

identified the picture set; How to fix the system:

Select a new password in the case of text passwords; It is more difficult to a compromised PA system

because a user cannot forget pictures they have seen and suddenly recognize new ones; one way is to use a series of image subsets for the authentication process. When one subset becomes compromised, the user simply rotates to the next set.

DISCUSSION (CONT.) --POLLING ATTACKS Definition: A polling attack is one in which

the authentication server is repeatedly accessed to gather information about the authentication account.

Property: In the case of text password, a polling attack is

similar to random or dictionary attacks, where trial passwords are thrown at the authentication mechanism to guess the correct password;

While for PA, this kind of attack could be used to glean the entire set of images used for authentication.

FUTURE WORK PA is a novel technique for dealing with

public infrastructure, an emerging concern as mobile and fixed-infrastructure systems continue to evolve and merge:

Explore alternate image presentation and techniques for generating challenge image sets;

Improve the effectiveness of the challenge set by preprocessing images to remove obvious similarities between pictures;

Explore using trial time to filter attacks.

THANK YOU!!!