Secure Human-Computer Identification against Peeping Attacks (SecHCI): A Survey



Secure Human-Computer Identification against
Peeping Attacks (SecHCI): A Survey
  • Shujun Li, Harry Shum
  • Visual Computing Group, Microsoft Research Asia
  • Sep. 2002

  • Introduction
  • A User Study
  • SecHCI: General Model
  • SecHCI: A Comprehensive Survey
  • SecHCI: Other Related Works
  • Our Opinions

1. Introduction: Outline
  • Human-Computer Identification
  • Problems of Widely-Used Fixed Passwords
  • Yet Another Danger: Peeping Attack
      • In the real world
      • In the theoretical world
  • Known Solutions to Peeping Attack

1.1 Human-Computer Identification: Three
  • Knowledge-based: What do you know?
      • Fixed (textual/visual) password / PIN
      • Pass-phrase / Pass-algorithm / word-association
      • Challenge-response identification protocol
      • Zero-knowledge identification protocol
  • Token-based: What do you have?
      • Magnetic-striped card / Smart card
      • Hand-held one-time password generator
  • Biometrics-based: Who are you?
      • Face / Fingerprint / Iris /

1.1 Human-Computer Identification: Three Identifications Comparison
  • Knowledge-based
      • Fixed Password: Easily understood and widely
        accepted, but vulnerable to dictionary attack and
        replay attack
      • Challenge-response protocol: Relatively complex
        but secure against replay attack
  • Token-based
      • More secure than fixed password
      • You must physically have it / sensitive to loss
  • Biometrics-based
      • Always with you / minimal user efforts
      • Performance is not really satisfactory / privacy

1.2 Problems of Fixed Password
  • Dictionary attack: A troublesome paradox between
    security and usability
      • Humans always select passwords from a
        dramatically small subset of the password space
      • Too random or too long passwords are hard to
        remember for humans
      • Compulsive password rules are useful to avoid
        problems, but users always try to circumvent the
  • Partial solutions: Limitations still exist
      • Pass-phrases / Pass-algorithms / Word
        associations /
      • Visual/graphical passwords

1.3 Peeping Attack: In the Real World
  • Your friends standing behind your shoulders can
    observe your password
  • Your adversaries can install hidden cameras to
    steal your password
  • Your adversaries can deploy malicious programs in
    your computer to get your password
  • Powerful enemies can use TEMPEST (compromising
    emanations) devices to monitor your computer
  • Many real cases of peeping attacks on
    banking cards (at ATMs) were reported by R. J.
    Anderson in 1994.

1.3 Peeping Attack: In the Theoretical World
  • SecHCI means a human-computer identification
    scheme by which one can successfully prove one's
    identity without any auxiliary devices and via an
    insecure communication channel.
  • Two kinds of peeping attacks
      • Passive peeping attack and Active peeping attack
          • In passive peeping attack, adversaries can only
            passively observe the identification procedure
          • In active peeping attack, adversaries can
            impersonate the verifiers
      • Open peeping attack and Hidden peeping attack
  • One more requirement
      • Human sensitivity (consciousness) to faked

1.4 Solutions to Peeping Attack: Non-SecHCI
  • Displaying on the screen instead of
  • Shielding your input from malicious eyes.
      • Visual shielding / TEMPEST shielding
      • LVSVSS: a shielding based on visual
  • One-time passwords
  • Challenge-response protocols
  • Biometrics?

1.4 Solutions to Peeping Attack: SecHCI
  • Matsumoto-Imai protocol, proposed at EuroCrypt'91
      • Not secure enough, cryptanalyzed by C.-H. Wang et
        al. at EuroCrypt'95
  • Matsumoto protocols, proposed at HCI
    International'95 and ACM CCS'96
      • Security against peeping attack is not strong
  • Hopper-Blum protocols, proposed at AsiaCrypt 2001
      • Security against peeping attack is acceptable,
        but the usability is not good.
  • PhoneOIDs, proposed by M. Blum (2001)
      • All proposed PhoneOIDs are known to be insecure
  • HumanAut Project, supported by CMU (2002)
      • One implementation of a variant of the Hopper-Blum
        protocol in the AsiaCrypt 2001 paper.

2. A User Study: Goals and Brief Description
  • Goals
      • Investigate the users' opinions on security and
        usability of human-computer identification
        systems, especially fixed passwords and SecHCI
      • Show the significance of peeping attack and
      • Confirm some principles in the design and
        implementation of human-computer identification
  • Brief description
      • A web site was constructed
      • 18 questions were involved
      • About 100 volunteers participated

2. A User Study: 2.1 Investigation Results (1)
  • Fixed passwords I
      • Almost all users have forgotten their passwords at some point
      • Most users have told others their passwords
      • Most users think security is more important than
        convenience (usability) after careful
      • Many users have hesitated when setting
        a new password
      • Some users do not even have truly secret passwords
  • Summary: for most users, security > usability,
    but they always forget this principle in the real

2. A User Study: 2.1 Investigation Results (2)
  • Fixed passwords II
      • All users have two or more different passwords
      • Most users have
      • Most users use passwords of length 6-10
      • Most users also think 6-10 is the best password
      • Most users think 15 (about) is the upper bound of
        the password length for all security
  • Summary: for most users, passwords of length 6-10
    are good, and a length of 16 is unendurable.

2. A User Study: 2.2 Investigation Results (3)
  • Peeping attack
      • Most users think peeping attack is a real danger
        in the security world, especially when their
        money and privacy are endangered.
      • Most users will follow at least some of the warnings
        from security experts and technical news.
  • Summary: the significance of peeping attack is
    confirmed, especially for electronic financial

2. A User Study: 2.2 Investigation Results (4)
  • SecHCI
      • Most users wish the identification procedure can
        be finished within 1 minute
      • Most users think security and usability should be
        balanced in the design of secure human-computer
  • Summary: a good SecHCI must balance security and
    usability, and the time consumed by one
    identification should be

3. SecHCI General Model: 3.1 Fundamentals
  • SecHCI should be a challenge-response protocol
    with time-variant parameters like the following
  • Define SecHCI as an HCIP (human-computer
    interactive protocol) (H,C) with auxiliary input.
    The transcript between H and C is T(H(x), C(y)),
    and the output of the protocol is ,
    which is in the set {accept, reject, ?}, where ?
    means H finds that C is a fake verifier.

3. SecHCI General Model: 3.2 What is SecHCI?
  • Completeness
  • A HCIP is complete if Praccept?1-Pc.

  • Soundness
  • A HCIP is sound if Praccept?Ps.
  • (?, ?, ?)-Human-Only Executability (HOE)
  • A HCIP is (?, ?, ?)-human-only executable if any
    T(H(x),C(y)) can be carried by (1-?) population
    with the error probability ?, and can be finished
    within ? seconds.
  • A SecHCI is a HCIP satisfying completeness and
    soundness, and (?, ?, ?)-HOE with acceptable

3. SecHCI General Model: 3.3 Definitions of
  • (p, k)-security against passive peeping attack
  • Praccept?p, where A
    denotes adversaries observe k random sampled
  • (p, k)-security against active peeping attack
  • Praccept?p, where A
    denotes adversaries observe k chosen
  • (q, k)-human sensitivity (consciousness) to fake
  • Pr??1-q, where
    C(z,A(Tk(H(z),C(z)))) denotes the fake verifier
    by A.

3. SecHCI General Model: 3.4 Security in the Real
  • Basic Attacks
      • Random response attack (soundness)
      • Brute force (exhaustive) attack
      • Dictionary attack
  • Peeping Attacks
      • Store-and-replay attack
      • Intelligent off-line password attack
      • Differential attack / Deduction-based attack /
        Intersecting attack
      • Multi-onlooker peeping attack
  • Advanced Attacks
      • Partially-known password attack
      • Malicious administrator attack
      • Denial-of-Logon attack

4. A Comprehensive Survey: 4.1 Matsumoto-Imai
  • Matsumoto-Imai protocol (EuroCrypt'91)
  • A simple example to show the basic idea:
    ?1,2,,9,0, ?1,2,,8??, the password is
    ?1,2,4,6??, ?1,2,3,4??, W3124. Assume
    ?(?)8 and ?(?)4, the challenge q is a
    bijection from ? to ?, and the response is a
    ?-length word a(a1,,a?) whose characters are
    all in ?. The accepted responses should satisfy
    the following requirement extract all characters
    in q and also in ?, and record their order in q
    to compose a list f(f1,,f?), then ?i1?,

4. A Comprehensive Survey: 4.1 Matsumoto-Imai
  • Security problems
      • Only one observation is enough to know ?.
      • This protocol cannot resist replay challenge
        attack (an active peeping attack). Only several
        observations are needed to decrypt ? and then find
        W [C.-H. Wang et al., EuroCrypt'95].
      • In passive peeping attack, the number of
        observations needed is also rather small.
  • C.-H. Wang et al. proposed a modified version,
    but its usability is too poor.

4. A Comprehensive Survey: 4.2 Matsumoto Protocols
  • Matsumoto Protocol 0 (ACM CCS'96)
      • $F_s$ is a finite field of order s.
      • The password is u vectors $k_1, \dots, k_u$, where $k_i$ is a
        v-dimensional vector in $F_s^v$.
      • The challenge is a non-zero v-dimensional vector
        $q_i$ in $F_s^v - \{0\}$; the response $a_i$ is an element in
      • If $\forall i = 1, \dots, u$, $a_i = q_i \cdot k_i$, the user is accepted.
  • Matsumoto Protocols 1 and 2 (ACM CCS'96)
      • Non-essential variants of Protocol 0.

4. A Comprehensive Survey: 4.2 Matsumoto Protocols
  • Usability Issues
      • Protocol 1 can make implementations easier.
      • Protocol 2 can provide a better trade-off between
        security and usability.
      • Some graphical implementations of Protocols 1 and
        2 are given in Matsumoto's paper.
  • Security Issues
      • To break the password, only O(u) observations are
        needed for both passive and active peeping attack.

4. A Comprehensive Survey: 4.3 Hopper-Blum
  • Hopper-Blum Protocol 1 (AsiaCrypt 2001)
      • The password is a (0,1)-vector $x \in \{0,1\}^n$ whose
        weight is k.
      • The challenge is also a (0,1)-vector $c \in \{0,1\}^n$.
        The response r is 0 or 1.
      • For a total of m challenges, if $r = c \cdot x$ holds for at
        least (1-?)m challenges, the user is accepted.
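
Added example (not from the slides or from the Hopper-Blum paper): a small Python model of the Protocol 1 acceptance rule above, plus the exact acceptance probability of purely random responses, which is the soundness figure a designer checks when choosing m. The error-tolerance symbol is lost in this transcript, so the code calls it `eta`; that name, the inner product being taken mod 2, and all sample parameters are assumptions.

```python
import math
import random
from fractions import Fraction

def respond(x, c):
    """Correct response bit: inner product of challenge c and password x, mod 2."""
    return sum(ci & xi for ci, xi in zip(c, x)) % 2

def threshold(m, eta):
    """Minimum number of correct responses out of m needed for acceptance."""
    return math.ceil((1 - eta) * m)

def verify(x, challenges, responses, eta):
    """Verifier: accept if r = c.x holds for at least (1 - eta) * m challenges."""
    correct = sum(r == respond(x, c) for c, r in zip(challenges, responses))
    return correct >= threshold(len(challenges), eta)

def random_response_success(m, eta):
    """Exact probability that m uniformly random response bits are accepted."""
    need = threshold(m, eta)
    return sum(math.comb(m, j) for j in range(need, m + 1)) / 2 ** m

def make_password(n, k, rng):
    """Random (0,1)-vector of length n and weight k."""
    ones = set(rng.sample(range(n), k))
    return [1 if i in ones else 0 for i in range(n)]

def run_session(x, m, eta, rng, wrong=0):
    """One identification: m random challenges, `wrong` responses flipped by mistake."""
    challenges = [[rng.randrange(2) for _ in x] for _ in range(m)]
    responses = [respond(x, c) for c in challenges]
    for i in rng.sample(range(m), wrong):
        responses[i] ^= 1
    return verify(x, challenges, responses, eta)

if __name__ == "__main__":
    rng = random.Random(2002)              # constructed seed, for repeatability
    eta = Fraction(1, 4)                   # assumed tolerance, exact arithmetic
    x = make_password(n=40, k=8, rng=rng)  # constructed sample parameters
    for m in (10, 20, 40):
        print(m, run_session(x, m, eta, rng), random_response_success(m, eta))
```

The tolerance is passed as a `Fraction` so that the threshold (1 - eta) * m is computed without floating-point rounding.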

4. A Comprehensive Survey: 4.3 Hopper-Blum
  • Security Issues
  • Hopper-Blum Protocol 1 cannot resist replay
    challenge attack (active peeping attack).
  • Some Errors and More Problems
  • The result of Theorem 1 is wrong.
  • The masquerading probability of random response
    attack is slightly overestimated.
  • Paradox exists between security and usability,
    especially on the value of k.

4. A Comprehensive Survey: 4.3 Hopper-Blum
  • Hopper-Blum Protocol 2 (AsiaCrypt 2001)
      • Basically, Protocol 2 is similar to Protocol 1
        with two chief modifications.
      • Modification 1: the response is calculated with
        sum of k mins.
      • Modification 2: the linear error-correcting
        mechanism is introduced to avoid malicious change
        of legal challenges.

4. A Comprehensive Survey: 4.3 Hopper-Blum
  • Merits
      • Protocol 2 can resist active peeping attack.
      • Protocol 2 has 0.1-human sensitive to fake
  • Problems
      • Usability of Protocol 2 is even poorer than
        that of Protocol 1.
      • Some problems in Protocol 1 still exist in
        Protocol 2.

4. A Comprehensive Survey: 4.4 HumanOIDs@CMU
  • HumanAut@CMU
      • An image-based SecHCI: n images are involved and
        n/2 images compose the password.
      • A non-essential variant of Hopper-Blum Protocol
        1. The challenge is always a vector with fixed
      • Usability is poor when n is too large.
  • Pass-Rules
      • You can freely change all n images.
      • Then you can use some meaningful features of the
        n/2 pass-images to remember so many pictures.

4. A Comprehensive Survey: 4.4 HumanOIDs@CMU
  • PhoneOIDs@CMU
      • PhoneOIDs are challenge-response protocols for
        use over the phone, which means SecHCI protocols
        of two parties with limited computation
      • Many PhoneOIDs have been proposed, but all are

5. Other Related Works: 5.1 Visual/Graphical
  • Selective pictures based passwords
      • Passface™: In each round, select your pass-face
        from 9 candidate faces.
      • Déjà Vu: Select m portfolio images from n
        candidate images.
  • Point-and-click passwords
      • PassPic: Click your pass-positions with your
      • Graphical Password Windows in Passlogix v-GO™
        SSO: Click several things to construct your
  • Drawing-based passwords
      • Draw-a-Secret (DAS): Draw your pass-strokes on an
        m×n grid.

5. Other Related Works: 5.2 CAPTCHAs
  • CAPTCHA stands for Completely Automated Public
    Turing Test to Tell Computers and Humans Apart,
    also called Reverse Turing Test by some
  • The chief application of CAPTCHA is to foil
    malicious online robots; it can also be used to
    relax the security against random response attack
    in SecHCI protocols.
  • The first paper on CAPTCHA appeared in 1996 (by
    M. Naor). The first implementation of CAPTCHA was
    designed in 1997. The initial boom of
    interest in CAPTCHAs was prompted by the
    appearance of Gimpy, a CAPTCHA designed by M.
    Blum et al. at CMU in 2000. Now a CAPTCHA project
    is supported by the Aladdin Center of CMU.

5. Other Related Works: 5.2 CAPTCHAs
  • Distorted texts based CAPTCHAs
      • Gimpy@CMU
      • Another Gimpy-like CAPTCHA@AltaVista
      • Pessimal print
  • Visual pattern based CAPTCHAs
      • Bongo@CMU
  • Image based CAPTCHAs
      • PIX@CMU
      • CAPTCHAs based on image search problem
      • More image processing techniques can be used to
        distort involved images

5. Other Related Works: 5.2 CAPTCHAs
  • Sound/Speech based CAPTCHAs
      • Sounds@CMU
      • Byan@CityUHK
  • Text-only CAPTCHAs
      • Impossibility of text-only CAPTCHAs under six
      • Find the Bogus Word
  • Chinese CAPTCHAs?

5. Other Related Works: 5.3 More Topics on HIPs
  • HIP means Human Interactive Proof, which covers
    many topics, such as SecHCI protocol, CAPTCHA,
    and visual/graphical password.
  • There is a HIP project at Aladdin Center of CMU
    to support research and product transfer of
    theoretical results.

5. Other Related Works: 5.3 More Topics on HIPs
  • Formal Studies on Security and Complexity of
  • Computer Vision and HIPs
  • Biometrics
  • Visual Cryptography
  • Human-Error-Tolerant Passwords (or Fuzzy
  • Other Sides?

5. Other Related Works: 5.4 ZK Identification
  • Many Zero-Knowledge based identification
    protocols have been proposed. The basic idea used
    in ZK protocols may be useful for the design of
    SecHCI protocols.
  • The general model of ZK identification protocols:
      1) P→V: a public (random) witness
      2) V→P: a (random) challenge
      3) P→V: a response (dependent on the witness and the challenge).

6. Our Opinion on SecHCI: 6.1 A Comparison
  • By security against passive peeping attack
  • Matsumoto-Imai Protocol Hopper-Blum Protocol 2
  • By security against active peeping attack
  • Matsumoto-Imai Protocol Hopper-Blum Protocol 1
  • By usability
  • Hopper-Blum Protocol 2
    decimal version of Hopper-Blum Protocol 1 ?
    Matsumoto Protocols.

6. Our Opinion on SecHCI: 6.2 Our Opinion
  • Three principles
      • Intentional errors
      • Redundancies
      • Balance
  • Two desired requirements
      • The password length
      • The identification time

6. Our Opinion on SecHCI: 6.3 A Prototype Protocol
  • Following our opinions on SecHCI, we can give a
    prototype protocol as follows
  • The password is a (0,1)-vector $x \in \{0,1\}^n$ whose
    weight is k.
  • The challenge is 2m (0,1)-vectors $c_1, \dots, c_{2m} \in \{0,1\}^n$.
    The response is 2m bits $r_1, \dots, r_{2m}$.
  • If ?i1m, (r2i-1-c2i-1?x)(r2i-c2i?x)1 (mod 2),
    then the user is accepted.
  • Such a protocol may be OK as a new solution of

Thanks for watching!