Breaking Undercover: Exploiting Design Flaws and Nonuniform Human Behavior

Toni Perković (1), joint work with Asma Mumtaz (2), Yousra Javed (2), Shujun Li (3), Syed Ali Khayam (2) and Mario Čagalj (1)
(1) FESB, University of Split, Croatia
(2) National University of Science and Technology, Pakistan
(3) Zukunftskolleg, University of Konstanz, Germany
21/07/2011

Outline
- Introduction
- How does Undercover work?
  - Implementation 1 @ CHI'2008
  - Implementation 2 @ Pervasive'2009
- Breaking Undercover
  - Timing attack
  - Intersection attack
- Can Undercover be enhanced?
  - Attempt #1
  - Attempt #2
- Generalizing timing attacks
- Summary

Introduction
Classical PIN-entry methods (via keyboards, keypads and the like) are all vulnerable to observation attacks (Thinkst.com, July 2011; [Kuhn2004]):
- Shoulder surfing attacks
- Phishing attacks
- Malware-based attacks

Solution: A challenge-response protocol
- User (P) and Verifier (V) share secret S
- V → P: challenges $C_1(S), \ldots, C_t(S)$
- P → V: responses $R_1 = f_1(C_1, S), \ldots, R_t = f_t(C_t, S)$
- V: Accept P if all responses are correct
Goal: design a mapping f such that the attacker cannot recover S
- Fully observable: C and R are fully observable to the attacker [Sobrado02]
- Partially observable: C and R are completely or partially unobservable to the attacker [Sasamoto08]
It is difficult to design a secure HCI - Devil is in details
Designing a usable cognitive PIN-entry method secure against eavesdroppers is truly challenging:
- Matsumoto-Imai scheme (EuroCrypt'91): NOT secure (Wang et al., EuroCrypt'95)
- Matsumoto protocols (CCS'96): NOT secure (Hopper & Blum 2001; Li & Shum 2003)
- Hopper-Blum protocols (AsiaCrypt'2001): NOT usable (166 seconds for login)
- Cognitive Authentication Scheme (S&P'2006): Neither usable nor secure (S&P'2007)
- Predicate-based Authentication Scheme (ACSAC'2008): Neither secure nor usable (ACSAC'2009)
- Undercover (CHI'2008): Is Undercover secure?
Challenge 1: Security vs. Usability
Challenge 2: Weak humans vs. Powerful attackers

Undercover: Implementation 1
Hirokazu Sasamoto, Nicolas Christin and Eiji Hayashi, Undercover: Authentication Usable in Front of Prying Eyes, CHI'2008
One login session:
- 28 pictures: 5 pass-pictures and 23 non-pass
- 7 public challenges:
  - 5 challenges with one pass-picture
  - 2 challenges without pass-picture
- Each public challenge contains: one hidden challenge (trackball covered by hand)
[Figure: Undercover system]
Example: 4 Public challenge Hidden challenge: Left 2 Response: 2
Average login time: 32 sec

Undercover: Implementation 2
M. Hasegawa, N. Christin and E. Hayashi, New Directions in Multisensory Authentication, Pervasive'2009
Average login time: 10 sec. vs 32 sec. with Undercover
Other solutions:
- VibraPass [De Luca09]
- Secure Haptic Key (SHK) [Bianchi10]
- STL, Mod10 [Perkovic10]
[Figure: PIN digit is 2, hidden digit is 6]

Undercover
- How safe is Undercover against timing/intersection attacks?
- How safe is Alternative Undercover against intersection attacks?
These problems are due to:
- Design flaws
- Nonuniform human behavior
They can be fixed.
The problems are general and not limited to Undercover.
[Figures: Undercover; Alternative Undercover]

Undercover: Our Implementation
- Software-based implementation
- PassFaces
- Hidden channel

Breaking Undercover
A cooperative usability study at two universities:
- FESB, University of Split in Croatia
- National University of Science and Technology (NUST) in Pakistan
28 users (students and staff members)
Users were asked to login once a day
- Overall success login rate: 84%
- Median login rate: 26.5
- Median login time: 30.1 sec
- 18 used the keyboard, 10 used the mouse as input device
Compared to original Undercover, the median login time is slightly shorter (32 sec. vs 30.1 sec.)

Timing Attack on Undercover
- A design flaw
- Non-uniform human behavior
The human response pattern: the difference between the users' responses to Up hidden challenges and to other hidden challenges is significant at the 5% level.
Assume that the fastest response corresponds to an Up challenge.
Attack procedure:
Step 1: Create 28 counters, $C_1, \ldots, C_{28}$, for the 28 pictures, and initialize all of them to 0.
Step 2: For each observed login session, take the fastest response and assume that it corresponds to an Up challenge. Then, if the corresponding public challenge contains a pass-picture i, increment $C_i$.
Step 3: Rank all the pictures according to the values of the 28 counters, and take the top five pictures as the five pass-pictures forming the password.
Some settings and enhancements: 1) negative penalty; 2) multiple fastest responses; 3) successful logins only.
[Table: counters C1, C2, C3, ..., Ci-1, Ci, Ci+1, ..., C28 updated session by session, from Session 0 to Session N; final row (Session N): 15, 4, 10, 2, 6, 9, 15]
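The three steps above, run against synthetic sessions as an added example (not code from the slides or the authors), so a designer can see how much the counters leak when Up is answered faster and how little when every hidden challenge takes equally long. The cyclic-shift button maps, the Gaussian response times and the pass-picture set are constructed assumptions.

```python
import random

HIDDEN = ["Up", "Down", "Left", "Right", "Center"]
# Constructed button maps: cyclic shifts of the five answers, Up = identity.
SHIFT = {h: i for i, h in enumerate(HIDDEN)}

def simulate_session(password, rng, up_mean, other_mean):
    """One observed login: 7 tuples (pictures shown, button pressed, seconds)."""
    decoys = [p for p in range(28) if p not in password]
    rng.shuffle(decoys)
    passes = sorted(password)
    observed = []
    for k in range(7):                     # 5 challenges hold a pass-picture, 2 do not
        pics = [decoys.pop() for _ in range(3 if k < 5 else 4)]
        answer = 4                         # index 4 = "no pass-picture here"
        if k < 5:
            answer = rng.randrange(4)
            pics.insert(answer, passes[k])
        hidden = rng.choice(HIDDEN)
        button = (answer + SHIFT[hidden]) % 5
        seconds = rng.gauss(up_mean if hidden == "Up" else other_mean, 0.5)
        observed.append((pics, button, seconds))
    return observed

def recovered_pass_pictures(password, n_sessions, up_mean, other_mean, seed=7):
    """Run steps 1-3 and return how many of the top five are real pass-pictures."""
    rng = random.Random(seed)
    counters = [0] * 28                                         # step 1
    for _ in range(n_sessions):
        session = simulate_session(password, rng, up_mean, other_mean)
        pics, button, _ = min(session, key=lambda obs: obs[2])  # step 2: fastest
        if button < 4:                     # read the button as if the map were Up
            counters[pics[button]] += 1
    top5 = sorted(range(28), key=lambda p: -counters[p])[:5]    # step 3
    return len(set(top5) & set(password))

PASSWORD = {2, 9, 13, 20, 27}              # constructed secret
if __name__ == "__main__":
    print("Up answered faster :", recovered_pass_pictures(PASSWORD, 300, 2.0, 3.0))
    print("equal response time:", recovered_pass_pictures(PASSWORD, 300, 3.0, 3.0))
```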
Theoretical analysis:
- pt5: probability of revealed password
- p*t5: probability where the pass-picture is in the top 5 ranked
Real performance, best results:
- First fastest response, no negative penalty, successful logins
- First fastest response, negative penalty, successful logins
The real performance is similar to the one in the theoretical analysis.

Are public challenges fixed or randomized?
Intersection Attack on Undercover
Each pass-picture and decoy picture is shown once and only once in a single authentication process.
Attack (randomized public challenges):
Step 1: Set P to be the space of all possible passwords.
Step 2: For each observed public challenge, reduce the space of candidate passwords P by checking each password in P and removing invalid ones.
Step 3: Repeat Step 2 until the size of P becomes 1.
[Figure: example showing the observed i-th public challenge and the reduced candidate passwords]
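An added simulation (not the authors' MATLAB code) that tracks the size of the candidate space P session by session, once with randomized public challenges and once with a fixed set, so the effect of that single design choice is visible. The validity rule used here, at most one pass-picture per public challenge, follows from the session layout described in the slides; the pass-picture set and the seed are constructed.

```python
import itertools
import random

N_PICTURES, N_PASS, PER_CHALLENGE = 28, 5, 4

def draw_challenges(password, rng):
    """Split all 28 pictures into 7 public challenges of 4, each shown once,
    with at most one pass-picture per challenge (rejection sampling)."""
    pictures = list(range(N_PICTURES))
    while True:
        rng.shuffle(pictures)
        groups = [frozenset(pictures[i:i + PER_CHALLENGE])
                  for i in range(0, N_PICTURES, PER_CHALLENGE)]
        if all(len(g & password) <= 1 for g in groups):
            return groups

def candidate_counts(password, n_sessions, randomized, seed=1):
    """Size of the candidate space P after each observed session, plus P itself."""
    rng = random.Random(seed)
    candidates = [frozenset(c) for c in
                  itertools.combinations(range(N_PICTURES), N_PASS)]   # step 1
    fixed = draw_challenges(password, rng)
    counts = [len(candidates)]
    for _ in range(n_sessions):
        groups = draw_challenges(password, rng) if randomized else fixed
        candidates = [c for c in candidates                             # step 2
                      if all(len(g & c) <= 1 for g in groups)]
        counts.append(len(candidates))
    return counts, candidates

PASSWORD = frozenset({2, 9, 13, 20, 27})   # constructed secret
if __name__ == "__main__":
    for randomized in (True, False):
        counts, _ = candidate_counts(PASSWORD, 15, randomized)
        print("randomized" if randomized else "fixed     ", counts)
```

With a fixed set of public challenges the count stops at 21504 (C(7,5) x 4^5) after the first session, because later sessions repeat the same constraint.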
Results of the attack
- MATLAB simulations with 15 randomly generated login sessions: on average, 7-10 observed login sessions reveal the password
- Real login data collected in our user studies: on average, 8-11 login sessions reveal the password
Solution: use fixed public challenges
Additionally, we asked the authors of Undercover: they used fixed challenges
The devil is in details

Intersection Attack on Alternative Undercover
Example: PIN digit is 2, hidden digit is 6
- The user pushes Button Left and Button Down
- The set of passwords is reduced from 10 to 4 (1, 2, 3 and 4)
Theoretical analysis: PIN 0459 is revealed after 9 login sessions
MATLAB simulations: PINs 1236 and 0459 are revealed after a median number of 11 and 9 login sessions, respectively.
[Table: Theoretical analysis of Intersection attack. Columns: PIN digit; Combinations of button press patterns; Occurrence probability in n responses]

Enhancing Undercover: Attempt #1
Change the button maps to make them equally difficult
Results of the evaluation: It failed!
Reason: Up button map is closest to the public challenge
[Figure: Before Enhancement]

Enhancing Undercover: Attempt #2
- Equal visual distance from each button map to the public challenge
- The hidden challenges are changed to 1, ..., 5
Procedure:
Step 1: Find the hidden response in the button layout near to the pass-picture or the no pass-picture
Step 2: Press the button at the same location as the hidden response
Example: Hidden challenge: 2, Response: 3
Enhanced security:
- The response times to different hidden challenges are not significantly different.
- None of the passwords was fully revealed; the maximum number of revealed pass-pictures is below 50%
Enhanced usability:
- The average login time: 19 sec vs 30.1 sec. with Undercover
- The error rate: 6%
- All users preferred to use this method over Undercover!

Generalizing Timing Attacks
Human behavior can be nonuniform and nonlinear in many aspects:
- Response time
- Response error rate
- Mental computation
- Temporal variation
- Personal preference
- Facial expression and hand/body movement
User interface should be designed in a way that users have NO distinguishable nonuniform behavior.
Undercover - [Sasamoto2008]; [Hopper01]; Mod10 [Perkovic10]; CCS poster [Kune2010]
(0+7) mod 10 vs. (6+7) mod 10
(6+9) mod 10 = 5 vs. 6-1 = 5

Summary
We presented two attacks on Undercover
- Security weakness in Undercover is due to some design flaws and nonuniform human behavior
- User behavior reveals sensitive information
We proposed enhancements: a more secure and usable design
In future, designers of security systems should pay attention to the human-computer interfaces
Future work:
- Generalization of timing attacks to other Undercover-like designs and other graphical passwords
- Development of new Undercover-like designs with lower login time and error rate
Timing attacks on cognitive authentication schemes have to be seriously considered!

Thank you for your attention! Questions?