Photographic Authentication through Untrusted Terminals Authors: Trevor Pering, Murali Sundar, John Light, Roy Want CS585 Feb 26, 2009
Outline • Introduction • Motivation and premise • Security overview • Experimental evaluation • Discussion • Future work
Introduction • Public Internet access points provide a convenient means to access the Internet, but they pose considerable security risks. • Proposed solution to these risks: • Photographic authentication (PA) is a technique that relies on personal photographs to authenticate user access.
Overview (cont.) • How it works • PA works in conjunction with a trusted “home server” that stores the user’s photographs and account information. • Users identify themselves to the system, initiating the authentication process with their home server. • The home server passes the necessary credentials to the desired Web-service host.
Overview (cont.)—Example: explanation • Users select the images that belong to them from the photographs the system presents, such as those in the figure above. Because the home server manages the authentication process, the access terminal does not gain access to any unnecessary information, such as the user’s photographic database. The system cannot be compromised from the public terminal, so the attacker cannot break the authentication scheme.
Motivation and premise • The need for more secure login mechanisms that grant or deny access through untrusted terminals. • During login there are additional risks in using public infrastructure. • E.g., when users check the status of their bank accounts, they potentially expose both their account balance and their account number. However, it is generally only necessary to display the account balance, not both.
Motivation and premise (cont.) • The need for alternative authentication techniques because of the emerging mobile Internet. • A highly secure authentication technique would be overkill for a terminal that cannot guarantee the security of the data accessed. PA aims to be “secure enough” for casual data by providing the necessary level of security without compromising ease of use.
Motivation and premise (cont.) • The increased prevalence of digital photos and the ease with which people recognize photographic images. • The popularity of digital photos has recently exploded because of the widespread availability of affordable consumer-grade cameras and computers capable of manipulating photos; • More people possess large personal image collections; • Digital storage capacities are rapidly increasing.
Security overview • The PA implementation presented is about as secure as a six-digit password. • This means there is a 1 in 10^6 chance that random guessing will succeed, a smaller chance than for personal identification numbers (PINs), which is 1 in 10^4.
Security overview (cont.) • The real vulnerability of photograph-based authentication is not numeric, but cognitive. • In a cognitive attack, the attacker uses knowledge about the user.
Security overview (cont.) • PA is convenient: users do not carry a portable electronic device, so there is no device to damage. • Users simply walk up to a terminal and select from a few sequences of images presented to them on the screen; • An alternative technique requires users to carry a portable electronic device, such as a SecurID card, as a trusted authentication mechanism that lets them safely log in to an untrusted terminal using a one-time key generated by the device.
Security overview (cont.) • PA is suited to providing access through semi-trusted or untrusted terminals, and is also suited to trusted environments. • In trusted environments it only provides an easier means of accessing information than text-based authentication.
Experimental evaluation • Experiment conditions and process: 1. Two sets of experiments were used to evaluate PA; 2. All images were converted to 400 × 300 resolution; 3. A standard login process was simulated to see whether PA is feasible; 4. An attack against the system was simulated to see if it would hold up under a reasonable replay attack; 5. Both experiments were conducted through a Web interface, and all transactions were logged.
Experimental evaluation (cont.) • Authentication experiment • Goal: the primary authentication test was designed to see whether users could correctly distinguish their own images from those of others; • Result: • Users can quickly and accurately identify their own pictures; • No learning is required.
Experimental evaluation (cont.) • Attack experiment • Goal: the login attack was designed to simulate an attack on a user account by someone who had snooped on a previous authentication session by that user; • Result (see the figure below): • Success rate and speed varied greatly; • This indicates that most users’ image sets are relatively immune to attack.
Experimental evaluation (cont.) • Conclusion: • Attackers fared significantly worse than the primary users at recognizing images.
Discussion • Overview; • Replay attacks; • Cognitive attacks; • Coincident attacks; • Compromised attacks; • Polling attacks.
Discussion--overview • Security is the prime concern of any authentication mechanism; • PA is secure because it is based on recognition rather than memorization, so there are no security leaks from people writing down passwords; • There are ways in which the system can be compromised; • The experiment has drawbacks, e.g., the attackers may have been unskilled.
Discussion (cont.)--Replay attacks • Definition: A replay attack, also known as an observer attack, consists of capturing part of a communication between two entities and playing that information back at a later time to compromise the system; • Property: • PA is well suited to resisting replay attacks through untrusted terminals by varying the challenge image set each time; • PA is not completely immune to replay attacks, because the images from one attempt might provide enough information to deduce the correct images in subsequent attempts.
Discussion (cont.)--Cognitive attacks • Two kinds: • A similarity attack involves determining whether two images are pictures of the same thing; • A knowledge attack uses specific pieces of knowledge, such as knowing about a trip to Paris, to identify related pictures. • Property: • PA is somewhat sensitive to knowledge attacks because of the strong correlation between users’ lives and the pictures they keep; • A cognitive attack requires the perpetrators to think about the selections they are making instead of just picking images they recognize.
Discussion (cont.)--Coincident attacks • Definition: Coincident attack is one in which an unscrupulous agent or proxy running on the untrusted terminal has access to a user’s data in parallel to the user actively operating the system. • Property: the window for a coincident attack begins after a successful authentication and ends when the user either explicitly logs out of the system or times out.
Discussion (cont.)--Compromised attacks • Definition: A compromised attack is one in which the system’s integrity has already been compromised. • E.g., the attacker has cracked the password or identified the picture set; • How to fix the system: • Select a new password in the case of text passwords; • Recovering a compromised PA system is more difficult, because a user cannot forget pictures they have seen and suddenly recognize new ones; one way is to use a series of image subsets for the authentication process. When one subset becomes compromised, the user simply rotates to the next set.
Discussion (cont.)--Polling attacks • Definition: A polling attack is one in which the authentication server is repeatedly accessed to gather information about the authentication account. • Property: • In the case of text passwords, a polling attack is similar to random or dictionary attacks, where trial passwords are thrown at the authentication mechanism to guess the correct password; • For PA, this kind of attack could be used to glean the entire set of images used for authentication.
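A toy model of the home-server side of PA as described in the security overview and in the compromised-attack slide, added here as an illustration (not the authors' code): it builds a fresh challenge per login so a snooped session is not a reusable answer sheet, verifies the selections, reports the random-guess probability behind the "six-digit password" comparison, and retires an image subset after a compromise. Panel counts, panel sizes, image identifiers and the rotation policy are all assumptions for the example.

```python
"""Toy model of photographic authentication (PA) challenge generation.

Added example, not code from Pering et al.; panel sizes, the sample
image identifiers and the subset-rotation policy are assumptions.
"""
import secrets
from dataclasses import dataclass


@dataclass
class PAUser:
    # Disjoint subsets of the user's photo IDs (constructed sample data):
    # only the active subset is ever shown, the rest are held in reserve.
    subsets: list
    active: int = 0

    def active_images(self):
        return self.subsets[self.active]

    def rotate(self):
        """Retire the active subset once it is considered compromised."""
        if self.active + 1 >= len(self.subsets):
            raise RuntimeError("no uncompromised image subsets remain")
        self.active += 1


def guess_probability(panels, per_panel):
    """Chance that uniformly random clicks pass every panel: (1/k)^n."""
    return 1.0 / (per_panel ** panels)


def make_challenge(user, decoys, panels, per_panel):
    """Return (challenge, answers): `panels` panels of `per_panel` images,
    exactly one of the user's own per panel. Own images and decoys are
    drawn afresh each call, so the challenge varies between logins."""
    rng = secrets.SystemRandom()
    own = rng.sample(user.active_images(), panels)
    rest = list(decoys)
    challenge, answers = [], []
    for img in own:
        others = rng.sample(rest, per_panel - 1)
        for o in others:
            rest.remove(o)  # each decoy appears at most once per challenge
        panel = others + [img]
        rng.shuffle(panel)
        challenge.append(panel)
        answers.append(panel.index(img))
    return challenge, answers


def verify(user, challenge, selections):
    """True only if every selected image is in the user's active subset."""
    own = set(user.active_images())
    return len(selections) == len(challenge) and all(
        challenge[i][s] in own for i, s in enumerate(selections))
```

After `rotate()`, answers captured from a challenge built on the old subset no longer verify, which is the recovery path the slide describes.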
Future work PA is a novel technique for dealing with public infrastructure, an emerging concern as mobile and fixed-infrastructure systems continue to evolve and merge: • Explore alternate image presentation and techniques for generating challenge image sets; • Improve the effectiveness of the challenge set by preprocessing images to remove obvious similarities between pictures; • Explore using trial time to filter attacks.