Breaking Undercover: Exploiting Design Flaws and Nonuniform Human Behavior


Toni Perković* (FESB, University of Split, Croatia), Shujun Li* (University of Konstanz, Germany), Asma Mumtaz (National University of Science and Technology (NUST), Pakistan), Syed Ali Khayam (National University of Science and Technology (NUST), Pakistan), Yousra Javed (National University of Science and Technology (NUST), Pakistan), Mario Čagalj (FESB, University of Split, Croatia)

* Corresponding authors

ABSTRACT

This paper reports two attacks on Undercover, a human authentication scheme against passive observers proposed at CHI 2008. The first attack exploits nonuniform human behavior in responding to authentication challenges and the second one is based on information leaked from authentication challenges or responses visible to the attacker. The second attack can be generalized to break two alternative Undercover designs presented at Pervasive 2009. All the attacks exploit design flaws of the Undercover implementations. Theoretical and experimental analyses show that both attacks can reveal the user's password with high probability with O(10) observed login sessions. Both attacks were verified by using the login data collected in a user study with 28 participants. We also propose some enhancements to make Undercover secure against the attacks reported in this paper. Our research in breaking and improving Undercover leads to two broader implications. First, it re-emphasizes the principle "the devil is in the details" for the design of security-related human-computer interfaces. Secondly, it reveals a subtle relationship between security and usability: human users may behave in an insecure way that compromises the security of a system. To design a secure human-computer interface, designers should pay special attention to the possible negative influence of any detail of the interface, including how human users interact with the system.

Categories and Subject Descriptors: D.4.6 [Security and Protection]: Access controls, Authentication; H.1.2 [User/Machine Systems]: Human factors

General Terms: Security, Human Factors

Keywords: Passwords, Observation Attack, Undercover, Tactile Device, Audio Channel, Timing Attack, Intersection Attack

Copyright is held by the author/owner. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee. Symposium On Usable Privacy and Security (SOUPS) 2011, July 20-22, 2011, Pittsburgh, PA, USA.

1 INTRODUCTION

Any reasonably sensitive computer system starts from a user authentication process in which a human user has to prove her identity. Contemporary systems use one or a combination of the following authentication methods: what you know (e.g., passwords), what you have (e.g., hardware tokens) or who you are (e.g., biometrics like our fingerprints) [39]. The user authentication process plays a key role in the security of the whole system since it is the first (and often the only) means to prevent unauthorized access by illegitimate users. Despite the existence of more advanced user authentication methods, the simplest one, based on static passwords/PINs, has been the most widely adopted method since its birth in the 1960s. This is because other more advanced methods either require additional costs or decrease usability.

A salient drawback of static passwords/PINs is that they are extremely sensitive to replay attacks: they can be stolen and then simply replayed by attackers to impersonate legitimate users. In other words, when a user's identity is protected by a static password/PIN, stealing this password/PIN means stealing the user's identity. There are many different ways to steal a user's static password/PIN. One of the simplest is shoulder surfing [45], which can be automated by installing hidden cameras, fake keypads or even fake terminals (like fake ATMs) [3]. Other ways of identity theft include social engineering attacks like phishing [4] and malware-based attacks like keylogging and Trojan horses [6,7]. These attacks are often described as observation attacks in the literature, to highlight the fact that the attacker can observe the communication between the user and the verifier computer. Since the early 1990s many solutions have been proposed to fight observation attacks. With the exception of a few specialized hardware-based solutions, most solutions are challenge-response user authentication protocols based on shared secrets. In each authentication session, the user is asked to give responses to a number of random challenges based on her knowledge of the shared secret. Let the shared secret, the challenges, and the responses be denoted by S, C and R, respectively. The user will be accepted only when R = f(C, S). In an observation attack, we assume that the attacker can observe both C and R but does not have access to S. The main task of the attacker is to solve for S from C and R. Accordingly, the task of the user authentication system is to design a mapping f such that the attacker cannot (partially or

completely) recover S from C and R. Different solutions use different mappings and generate random challenges in different manners. Unfortunately, some solutions have been found insecure against multiple observations and others are not usable in terms of the average login time. A solution that is both secure and usable remains an open problem.

While most previous efforts were based on the assumption that random challenges C and responses R are fully observable to the attacker, some researchers proposed to make C and R completely or partially unobservable to increase the complexity of solving for S. The idea of unobservable challenges was proposed by several different groups of researchers independently in 2006 [,7,36]. The unobservable challenge is transmitted via a tactile device that can be sensed by the user but is not visible to an observer. Later, at CHI 2008, Sasamoto et al. proposed another design called Undercover [43], in which part of the challenge is sent to the user via a moving trackball covered by the user's hand. Hayashi et al. claimed that Undercover is secure against multiple observations as long as the hidden challenges are truly unobservable to attackers. Hasegawa et al. from the same research group proposed two alternative designs in [], one of which uses an audio channel as the carrier of the hidden challenges. Some other researchers have also been inspired to propose similar solutions [8,9,4,4].

In this paper, we report two attacks on the original design of Undercover in [43]. One attack can also be generalized to the alternative designs in []. Our attacks are based on flaws in the Undercover design, and one attack exploits human users' nonuniform behavior in how they respond to different hidden challenges. To be more precise, an average user tends to respond faster to one specific hidden challenge, so the fastest response exposes this hidden challenge with a considerably high probability. Both theoretical and experimental analyses show that the two attacks can recover the password or part of it with considerably high probability with O(10) observed login sessions. When fewer than ten login sessions are observed, the attacker is still able to obtain a reduced password space for launching a random guess attack with a better chance of success or a brute force attack with less complexity. The human-behavior-based attack was validated by a user study with a total of 28 users performed at two distinct geographical locations. We also propose some effective enhancements to make Undercover secure against the proposed attacks. Our investigation of the enhancements revealed more nonuniformities of human behavior in interacting with the user interface, which further highlight some unique principles we need to follow for the design of secure human-computer interfaces.

The rest of the paper is organized as follows. First we give a brief survey of related work, and then detail the different designs of Undercover. Afterwards we describe our attacks and demonstrate their real performance with experimental results. Then, we propose some enhancements and show how the Undercover system can be made secure against our attacks. Finally, we discuss how the timing attack may be generalized to other human authentication systems. Theoretical analyses of the two attacks are covered in the Appendix.

2 RELATED WORK

In the challenge-response protocol we described above, the key is to find a good mapping f so that the computation R = f(C, S) can be easily handled by an average human user while at the same time maintaining the expected security level. If a hardware device is available to assist the human user, it is not difficult to choose a strong trapdoor one-way function as f, thus leading to a cryptographically strong system. Unfortunately, to protect the device from unauthorized access, a password/PIN is still needed, which is again vulnerable to observation attacks. If the hardware device is a general-purpose one like a mobile phone, then mobile malware can be another potential threat [7]. If auxiliary hardware devices cannot be used, the mapping f has to be sufficiently simple for human users to mentally calculate the correct responses. While the user has his/her own brain as the only computational resource, the attacker can access a supercomputer or even a large number of distributed computing resources (e.g., a botnet). Furthermore, to make a human authentication system usable in reality, the average login time and the error rate should be small. In contrast, the attacker can wait for a long time to break a victim's secret. Intuitively argued, it is non-trivial to find a mapping f that makes the constructed human authentication system both sufficiently secure and highly usable. Since the 1990s, there have been a number of attempts in this field, but they are either insecure or not usable in terms of average login time.

To the best of our knowledge, the first solution against observation attacks was proposed by Matsumoto and Imai in 1991 [38]. The solution tries to hide the user's secret in the response by using a question alphabet and a randomized answer alphabet. Unfortunately, a few years later Wang et al. pointed out [46] that the Matsumoto-Imai scheme is not sufficiently secure if the same challenge can be replayed several times by an active adversary. In addition, to achieve a high level of security, the Matsumoto-Imai scheme has to use large question and answer alphabets, thus compromising usability [33]. Wang et al. also proposed an improved scheme to enhance the security, but its usability is much worse. Matsumoto later proposed several other solutions based on inner products of secret and public vectors [37]. As pointed out in [3,33], these solutions cannot resist multiple observations because the secret vector can be solved from O(N) observations, where N is the size of the secret vector. Li and Teng proposed a new solution based on lexical shifting and matching in [35]. Although no cryptanalysis has been reported so far, its usability is not good enough since the user needs to remember a long 3-tuple secret. Hopper and Blum proposed two solutions based on hard mathematical problems in [3]. The main problem with these solutions is again usability: the password has to be long enough to ensure security, which makes usability relatively low. According to the user study reported in [3], the average login time of one solution (the less complicated one) is around 160 seconds, which is too long for a practical system. One solution also requires the users to make intentional errors with probability h, which may not be an easy task for them. Sobrado and Birget proposed several novel graphical password schemes against observation attacks in [44]. One typical scheme called CHC (convex hull click) asks the user to click a random point inside a convex hull formed by three or more secret icons in the password. This scheme was later tested in a user study reported by Wiedenbeck et al. in [48]. A similar scheme called S3PAS was proposed in [49]. Two attacks on CHC were recently reported in [4]. In addition, the usability shown in [48] is not encouraging: the average login time is longer than 72 seconds. The user study was performed on a small password space of size

C(,5) 7, so the usability will be much worse if the password space has to be enlarged significantly. In [34], Li and Shum suggested some basic principles for designing challenge-response protocols against observation attacks. They also proposed two general protocols called Twins and Foxtail, which are based on making balanced errors and on hiding direct responses from attackers, respectively. A Foxtail protocol and a graphical implementation were also reported. No cryptanalysis has been reported, but the usability of the graphical implementation is questionable, since the average login time is considerably long. Jameel et al. proposed a new image-based solution in [5] and shortly after extended it for devices with limited displays [6]. This solution is based on a hidden rule classifying an image pool into two different sets. One major problem with this design is the conflict between the automation of the classification process and security against automated attacks. However, if the classification process has to be done manually by the user, the usability will be low since the image pool needs to be large. In [47], Weinshall proposed two new solutions based on the image recognition capabilities of humans. Golle and Wagner showed that both solutions are insecure against a SAT (satisfiability solver) attack []. This attack requires only a small number of observations. In addition to the security problem, the usability of Weinshall's solutions is also questionable: the user has to remember more than 30 pictures as the password. Bai et al. proposed a new observation-resistant human authentication scheme called PAS in [7]. PAS uses different parts of the password for different login sessions and the user's responses are obfuscated by randomized challenge and response tables. In [3], Li et al. show that part of the password can be revealed with a number of observations, thus degrading the PAS scheme to a common OTP (one-time password) system but with worse usability. In [3] Lei et al. proposed a virtual password system against observation attacks. They base the system on a randomized linear function. However, in [3] Li et al. pointed out that this virtual password system is not secure because an equivalent password can always be derived with only two or a few more observations. Very recently Asghar et al. proposed a scheme in [5], which is based on a many-to-one nonlinear mapping to hide the direct response. While it is still too early to say if this solution is indeed secure, its usability does not seem to be very encouraging: the average login time was estimated to be 3 seconds, even slower than the Hopper-Blum protocol proposed in [3].

Instead of trying to design a solution secure against general observation attacks, some solutions relax the security requirements to target only the weakest observation attack: shoulder surfing with a very limited number (say, three) of passive observations. Examples of these solutions include some graphical passwords [,6,4], which offer limited security against observation attacks by exposing only partial information of the password in each login session. An interesting comparative study on simple shoulder surfing performed by human observers on Passfaces (a commercial graphical password scheme [4]) and textual passwords was reported in [45], which reveals that Passfaces with keyboard input is the strongest setting and a strong textual password is the weakest one.

While most previous work does not require any hardware device, some other solutions employ special devices so that the challenges and/or the responses are completely or partially unobservable. Devices of this kind include eye-gazing devices [9], haptic/tactile input devices [8-,5,,7,8,36,43], headphones/earphones [9,,4], mobile phones [9,4], and so on. The use of eye-gazing devices can obviously make the responses R invisible to human observers, but it is still possible to install hidden eye-tracking devices to read the user's eye movements. Solutions based on other partly/completely unobservable devices have close links to Undercover [43,], the observation-resistant solution studied in this paper, and are described in the next section.

Human users are known for being unreliable in behaving properly to protect their passwords []. Previous research has also shown that different kinds of insecure human behavior can compromise the security of some password systems [3,4,9]. However, how human behavior influences the security of the many ad hoc designs of human authentication systems remains largely unexplored.

3 UNDERCOVER AND SIMILAR SOLUTIONS

Since observation attacks are mainly performed in visual form, most solutions based on unobservable challenges and/or responses aim at preventing the attacker's visual access to challenges and/or responses. Mainly two kinds of devices are employed to achieve this goal: haptic/tactile devices, and audio devices. In the following, we first introduce Undercover [43,] in detail and then briefly overview some similar solutions [,8-,4,5,7,8,36,4].

3.1 Undercover: Original Design

Undercover is based on the idea of "partially observable challenges": the challenges C are split into public challenges C_p and hidden challenges C_h. For Undercover, the relationship between the challenge, the response and the shared secret becomes R = f(C_p, C_h, S), where only C_p and R are observable to the attacker. Clearly, if C_h and S have the same number of possible values and the same entropy, it is possible to conceal S perfectly with C_h.

The device used in Undercover is a haptic device covered by the user's palm, which is supposed to be unobservable to passive attackers. In the prototype system reported in [43], a trackball driven by two servo motors is used as the haptic device. The trackball has five different vibration modes (i.e., hidden challenges): upward rotation, downward rotation, leftward rotation, rightward rotation, and vibration. The five hidden challenges are referred to as Left, Right, Up, Down and Center in this paper, respectively. Each hidden challenge corresponds to a different layout of five buttons as shown in Figure 1, which is used to input the response by pressing one of the five buttons 1, 2, 3, 4 and 5 located near the trackball. The input device of the Undercover prototype is a box as shown in Figure 2.

Figure 1: Five button layouts of the Undercover prototype, corresponding to the five hidden challenges (Fig. 7 in [43]).

The Undercover prototype is built on top of a graphical password scheme. The user selects five pass-pictures from an image pool to form his/her password. The system selects 23 more distractor

pictures to create the user's portfolio. Each login session is composed of seven challenges, and each challenge contains: 1) a hidden challenge transmitted via the trackball, and 2) a public challenge: four pictures and a "no pass-picture" icon shown on the monitor of the terminal computer (see Figure 3).

Figure 2: The input device box of the Undercover prototype (Fig. 5a in [43]).

Figure 3: A public challenge composed of four pictures and a "no pass-picture" icon (Fig. 9b in [43]).

To avoid potential security problems, the Undercover prototype system is designed so that five public challenges contain one pass-picture each and the other two contain no pass-picture. Each pass-picture and distractor picture in a user's portfolio is shown once and only once in a login session. However, [43] does not make it clear how the seven public challenges should be generated in each login session. One may understand that the public challenges are either fixed over all login sessions or randomized from session to session. In Sec. 4.3 we will show insecurity against an intersection attack when randomized public challenges are used.

To make a correct response to a challenge, the user needs to derive a hidden response first: 1) if there is a pass-picture in the public challenge, derive the hidden response (1, 2, 3 or 4) according to the position of the pass-picture among the four pictures; 2) if there is no pass-picture, the hidden response is 5 (i.e., the position of the "no pass-picture" icon). Then, the user looks for the hidden response in the button layout corresponding to the hidden challenge and presses the button matching the location of the hidden response in that button layout. For instance, if the hidden response is 3 (i.e., the third picture in the public challenge is a pass-picture) and the hidden challenge is Right, the user needs to press button 2 because the hidden response appears on the 2nd button of the Right button layout.

Given one observed login session, the password space of the Undercover prototype is C(28, 5) = 98280, which is larger than that of a 4-digit PIN. Under the assumption that the hidden challenges are unobservable, the Undercover system is believed secure even if an infinite number of login sessions are observed. From an information-theoretic point of view, this is equivalent to the claim that the password-related information leaked in each login session is 0. The median login time of the Undercover prototype system is 3 seconds, which is much better than previous solutions. The overall failure rate is 6%, which is rather high but could be significantly reduced after the user becomes more familiar with the system. Hayashi et al. also proposed to show distorted pictures in the public challenge to increase the security of the system against human observers (as proposed in []). However, this method is not very useful against attacks performed with hidden cameras, so it will not be considered in this paper.

3.2 Undercover: Alternative Designs

In addition to the original Undercover design, in [] Hasegawa et al. from the same research group proposed two alternative designs. The main goal is to reduce the size of the system. To further simplify the design, a 4-digit PIN is used as the underlying password and the public challenge C_p is removed. One design is based on six vibrating tactile devices covered by the user's five fingers and his/her palm. To generate a hidden challenge, one of the tactile devices covered by the user's five fingers vibrates to select a column of the 2 × 5 matrix shown in Figure 4. The tactile device covered by the user's palm vibrates to determine the row of the 2 × 5 matrix. The vibrating statuses of all six tactile devices then determine a hidden challenge: a specific element of the 2 × 5 matrix. Note that the ten elements of the 2 × 5 matrix are labeled with the numbers 0 to 9. So the hidden challenge is actually a number between 0 and 9, which will henceforth be referred to as the hidden digit in this paper.

Figure 4: An alternative Undercover design (Fig. b in []).

To make a correct response, the user needs to find his/her current PIN digit in the 2 × 5 matrix and then presses the four arrow buttons in Figure 4 to show a route from the PIN digit to the hidden digit. This process repeats four times so that the user can input all four PIN digits. The other design proposed in [] is similar to the tactile one, but the hidden challenges are sent to the user via an audio channel, i.e., via a headphone set.

3.3 Similar Solutions

There are some other early designs for human authentication based on haptic/tactile devices with or without using the concept of hidden challenges. The main goal of these systems is to resist shoulder surfers, the simplest form of observation attack. The solution in [36] involves the pressure of a haptic pen as part of the password, thus making the password input partly unobservable to shoulder surfers. The solution called TAS (Tactile Authentication System) in [7,8] uses the VT Player tactile mouse to transmit hidden challenges to the user for entering the password without the worry of being observed. The design reported in [5] is very similar to TAS but the VT Player tactile mouse is replaced by solenoid pins that can raise and lower their

positions. The solution in [] analyzes haptic information in handwritten signatures to achieve the goal of user identification.

Some more solutions were inspired by Undercover. At CHI 2009, De Luca et al. proposed a scheme called VibraPass, which uses the user's mobile phone as the receiver of hidden challenges (a signal telling the user to make a true or a false response) to avoid possible manipulation of the haptic devices by attackers [4]. De Luca et al. noticed a possible timing attack related to "confused waiting" (the user responds slower to false hidden challenges due to confusion) that can lead to password disclosure. At CHI 2010, Bianchi et al. proposed a solution called Secure Haptic Keypad (SHK), which combines the tactile device and the input buttons to make a uni-modal haptic password []. SHK achieves usability similar to the original Undercover design in terms of average login time. In [8,9], Bianchi et al. proposed a number of other uni-modal designs based on haptic and audio hidden cues (i.e., hidden challenges) to achieve user identification. Their user studies showed that a shorter average login time and a lower login error rate can be achieved with the uni-modal designs. At FC 2010, Perković et al. proposed three alternative designs based on audio channels, which have a much shorter average login time (less than 3 seconds) [4]. Perković et al. also pointed out that a side-channel timing attack can reduce the PIN digit entropy, due to the user's nonuniform response time to challenges.

4 PROPOSED ATTACKS

In theory, Undercover-like solutions can achieve perfect secrecy since the shared secret S can be perfectly encrypted by the hidden challenge C_h. Unfortunately, this is not always true in practice, because careless designs can leak information about S and/or C_h. Our studies of the original Undercover design in [43] and the two alternative designs in [] led to the discovery of such design flaws, which allow an attacker to completely break the password with considerably high probability with only O(10) observed login sessions, or to reduce the password space if an insufficient number of login sessions are collected. We have developed two attacks: a timing attack on the original Undercover design and an intersection attack on all Undercover designs. The timing attack is based on a careless design flaw in the button layouts, which leads to nonuniform behavior in the user's responses to hidden challenges. In the following, we separately describe the two attacks and their real performance verified via user studies on our own implementation of Undercover.

4.1 Our implementation of Undercover

Before introducing the two attacks, we first briefly describe how we implemented Undercover and how we collected the data used to analyze the performance of the attacks. To ease our study, we avoided using any special hardware and implemented the whole system in software. We use the audio channel to transmit the hidden challenges and Passfaces [4] as the underlying graphical scheme. The same button layouts as in the original Undercover design are used. The five buttons are shown as push buttons on our software GUI. Users are allowed to make responses via the mouse (by pressing one of the push buttons) or the keyboard (by pressing <1>, <2>, <3>, <4> or <5>). These changes have no influence on the security of Undercover against the proposed attacks. Figure 5 shows what a public challenge looks like in our implementation. We mask the faces in Figure 5 to avoid violating the affected people's privacy.

We performed user studies on our implementation at two universities located in two countries: the University of Split in Croatia and the National University of Science and Technology (NUST) in Pakistan. Neither university requires IRB reviews of research work involving human subjects, so the user studies were carried out without such a review. The University of Konstanz has no established policy on usable security research, but an approval from the Chair of the Ethics Committee was secured. Although a formal IRB review was not required, we took all possible measures to make sure that all legal and ethical issues we could think of were properly handled. For instance, all users were well informed in advance (before the user studies) about the purpose of the study and how the data would be processed and used in our paper. All the data collected from users was shared only among the coauthors of the paper.

Figure 5: Our Undercover implementation.

Part of the reason why we ran the user studies in two different countries is to see whether users with different cultural backgrounds and of different races share similar nonuniform human behavior, which would make the timing attack a universal attack. In total, 28 users participated. All users are university students and staff members in departments of electronic engineering and computer science. Among the 28 users, 19 performed the study at the University of Split in Croatia and 9 at the National University of Science and Technology (NUST) in Pakistan. The gender ratio is 22:6 (22 males and 6 females). The ages of the 28 users range from to 4 years old. All the participants were volunteers who were asked to help our research, and none of them was economically compensated/motivated, so we believe that our data is not biased towards positive results for our proposed attacks.

At the beginning of the user studies, the users were given a short tutorial on the system. A questionnaire was issued to each user to collect personal information and knowledge of computer/web technology and password security. Then, they were asked to log in at least once a day during a one-month period. To have better control over the environment of the user studies, we set up a computer running the Undercover system in our labs and users needed to come to our labs physically to perform the logins. Users who forgot to come within 24 hours were automatically reminded via e-mails. Despite the reminding mechanism, not all users followed our request strictly, so at the end of our user studies different users have different numbers of recorded login sessions, but no user dropped out during the course of the user studies. The minimum number of login attempts made by a user is , the maximum number is 166, and the median is 65. In total we collected 2098 login attempts, among which 1771 are successful ones, leading to an overall login success rate of around 84%. The

login success rates of individual users range from 66.67% to 100% and the median rate is 84.8%. Among the 28 users, 18 used the keyboard as the input device while the others used the mouse. The login data of the 28 users were stored in an XML database for further processing. The login data provide information including public/hidden challenges and responses, the response time of each challenge, the overall login time, the input device used to make each response, whether a login attempt was successful, at which location the login attempt was made, and which user made each login attempt.

Compared with the original Undercover implementation in [43], our implementation has comparable usability in terms of average login time. The median login time is 3 seconds, slightly shorter than that of the original Undercover implementation (3 seconds). Note that the average login time steadily decreased as the users became more familiar with the system. After logins, the median login time decreased to 8 seconds. The data collected from the Croatian and Pakistani participants show some statistical differences, e.g., most Pakistani participants used the mouse while most Croatian participants used the keyboard as the input device, but our analysis showed that such differences do not have a major impact on the effectiveness of the proposed attacks. The different choices of input device may be partly explained by the personal choices of our coordinators when demonstrating the system during the introduction stage: the Pakistani and Croatian coordinators used the mouse and the keyboard, respectively.

4.2 Timing Attack

4.2.1 Nonuniform human behavior in responding to different hidden challenges

Observing the five button layouts in Figure 1, we can see that the button layout corresponding to the Up hidden challenge is 12345, exactly the original layout of the five buttons that the user needs to press. In comparison, the other four button layouts are all circularly rotated versions of the original button layout. Since users do not need to do any button rotation for the original button layout, we hypothesized that they may respond to Up hidden challenges faster and with a lower error rate, compared to the other four hidden challenges. Our user study confirmed this hypothesis. Figure 6 and Figure 7 show the average response times and error response rates of all users to the five hidden challenges, respectively. Paired t-tests revealed that the difference between the users' responses to Up hidden challenges and to the other hidden challenges is significant at the 5% level.

Figure 6: The nonuniform human behavior in the average response time to different hidden challenges (average response time in seconds for Up, Down, Left, Right and Center).

Figure 7: The nonuniform human behavior in the average error response rate to different hidden challenges (error response rate for Up, Down, Left, Right and Center).

Figure 8: Probability that the fastest response in a login session corresponds to an Up hidden challenge.

This nonuniform human behavior in responding to different hidden challenges inspired us to propose a timing attack. Denoting the 28 pictures by 28 integers (from 1 to 28), the attack works as follows.

Step 1: Create 28 counters, C_1, ..., C_28, one for each of the 28 pictures, and initialize all of them to 0.

Step 2: For each observed login session, take the fastest response and assume that it corresponds to an Up challenge. Since the Up layout is the identity layout 12345, the observed response is then the hidden response itself, i.e., the position of the pass-picture in the corresponding public challenge. So, if the observed response R is in {1, 2, 3, 4} and picture i is at position R of that public challenge, increase C_i by one.

Step 3: Rank all the pictures according to the values of the 28 counters, and take the top five pictures as the five pass-pictures forming the password. If there is more than one way to select the top five pictures (which can happen when some pictures have the same counter value), randomly shuffle all pictures with the same counter value as the fifth one, re-rank all 28 pictures, and then take the new top five as the pass-pictures. The random shuffling is there to avoid a bias towards pictures with smaller indices.

Note that the random shuffling in Step 3 means the timing attack may produce different results in different runs. In the Appendix, we theoretically explain why the above timing attack works and then estimate its performance. To further improve the performance of the above timing attack, two additional measures can be adopted: 1) a negative penalty mechanism: for each picture identified as a decoy picture i in Step 2 (the pictures of the public challenge other than the one at position R, or all four pictures when R = 5), decrease C_i by one; 2) multiple fastest responses: use the fastest m = 2 or 3 responses in Step 2. Both measures can potentially increase the difference between the counter values of pass-pictures and decoy pictures. The theoretical analysis of the generalized timing attack is very complex, so we only show experimental results in the next sub-section. In the following, we describe the performance of the timing attack by applying it to the real login data collected in our user studies.

4.2.2 Real performance of the timing attack

We applied the timing attack to the login data collected in our user study, in order to verify its real performance under the following 3 × 2 × 2 = 12 different settings: number of fastest response(s): m = 1, 2, 3; negative penalty mechanism: on, off; login sessions used: all, or successful ones only.

Figure 9: Success rates of breaking passwords (left) and pass-pictures (right) when applying the timing attack to real login data, against the number of observed login sessions.

The performance of the above 12 settings of the timing attack on real login data is shown in Figure 9. The two sub-figures correspond to $p_{t5}$ and $p^*_{t5}$, respectively. It is interesting that the real performance is similar to the one estimated in the theoretical analysis. Among all the settings, Settings 3 (solid line), 4 (solid line) and 8 (dashed line) have better performance; they correspond to m = 1 without negative penalty using successful logins only, m = 1 with negative penalty using successful logins only, and m = 2 with negative penalty using successful logins only, respectively.

4.2.3 Yet another potential timing attack

Human behavior has many different kinds of nonuniformities we may exploit. Yet another nonuniformity we noticed is that most users tend to respond more slowly to public challenges with no pass-picture. Figure 10 shows the average response times of all users with respect to the five different hidden responses. One can see that the average response time is longer when the hidden response is 5, i.e., when the public challenge
does ot cotai a pass-picture This pheomeo ca be explaied by the fact that the user has to look at all the four pictures (potetially twice) to make sure there is ideed o ay pass-picture We tested this ew timig attack usig the same strategy: ) pick the m slowest resposes i each logi sessio; ) assumig this respose correspod to a public challege with o pass-picture, decrease the couters of the four distiguished decoy pictures by oe; 3) rak the couters of all pictures ad pick the top five raked pictures to form the password Simulated attacks o the real logi data did ot produce good results Noe of the users passwords was completely broke, ad the success rate of breakig passpictures rages from to 4 We attribute the failure of the attack to the larger variace of the respose time to the public challege with o pass-picture (which ca be see i Figure ) Although this timig attack was usuccessful o our dataset, it remais a potetial threat sice some pass-pictures may still be broke Average respose time (secods) hidde respose Figure : Average respose times with respect to differet hidde resposes 43 Itersectio Attack Itersectio attack is ot ew ad has bee reported i previous research o other huma autheticatio systems especially graphical passwords [6] The basic idea behid itersectio attack is to fuse the iformatio obtaied i multiple observed logi sessios to reduce the space of password space (ie, the password etropy) This subsectio presets itersectio attacks o the origial ad alterative desigs of Udercover i [43,] 43 Breakig the origial Udercover desig with radomized public challeges I [43], the system is desiged so that each pass-picture ad decoy picture is show oce ad oly oce i a sigle autheticatio process Ufortuately, showig each picture oly oce is ot a sufficiet coditio to maitai the security I fact, how the public challeges are geerated also matters I this subsubsectio, we show that the password ca be exposed with O() observed logi sessios if radomized public challeges are used 
In [43] it was not made clear how public challenges should be generated. Our communications with the authors of [43] revealed that they implemented their prototype system with fixed public challenges, so their prototype does not suffer from the security problem discussed in this sub-subsection. However, since this issue was not discussed in [43], a reader might assume that randomizing public challenges is still fine or even beneficial, because randomness often helps enhance the security of a system. Therefore, the intersection attack in this sub-subsection shows how important such small design details are for a secure system.

Each public challenge exposes a significant amount of information about the password due to the following fact: each public challenge (i.e., a set of four pictures) contains at most one (i.e., either one or none) pass-picture. This means that a candidate password can be excluded if two or more pass-pictures in this candidate password appear in a public challenge. In other words, observation of one public challenge can lead to a reduction of the password space. Therefore, as the number of observed public challenges increases, the password space will become smaller and smaller, and finally the real password will be revealed after a number of login sessions are observed. For given observed public challenges, the reduced password space can be mathematically calculated as the intersection of the reduced password spaces corresponding to the public challenges; hence we call this attack an intersection attack. The real attack is performed in a simpler way:

Step 1: Set P to be the space of all possible passwords.

Step 2: For each observed public challenge, reduce the space of candidate passwords P by checking each password in P and removing invalid ones.

Step 3: Repeat Step 2 until all observed challenges are processed or the size of P becomes 1.

The above attack can be theoretically analyzed to get how quickly the password space is reduced and how many observed login sessions may be needed to get the password with high probability. See Section 2 of the Appendix for such a theoretical analysis.

Figure 11: The size of the reduced password space in an intersection attack on the original Undercover design.

To verify the real performance of the above intersection attack, we did MATLAB simulations on the original Undercover system with 5 randomly generated login sessions (i.e., 5 public challenges). The experimental results showed that the actual number of observed login sessions for uniquely revealing the password is seven to ten in most cases. A typical simulation result is shown in Figure 11. We also performed the intersection attack on the real login data collected in our user studies, and the passwords of all 8 users were successfully broken. The number of required login sessions ranges from eight to eleven, and the median number is nine.

4.3.2 Breaking alternative Undercover designs

For the two alternative designs proposed in [21], the same intersection attack still works, but in a slightly different way. Now no public challenge is available, but the user's response becomes the source of information leakage. This is due to a flaw in the alternative designs: for different PIN digits and hidden digits, the user needs to press different sequences of arrow buttons to make a correct response. As a result, the button presses and their order can leak information about the PIN and hidden digits. This problem can be best explained by an example. Assume the PIN digit is and the hidden digit is 6. To make a correct response, the user needs to press Button Left and Button Down (the order does not matter). Obviously, pressing Button Down leaks the information that the PIN digit is in the first row. Similarly, pressing Button Left reveals that the PIN digit must not be 0. As a whole, the number of possible PIN digits is reduced from ten to only four (1, 2, 3 or 4).

Table 1: Information leaked from different button presses (button press pattern, possible PIN digits, possible hidden digits).
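The timing attack (Steps 1 to 3 of Section 4.2, with the negative penalty and multiple fastest responses refinements) and the intersection attack of Section 4.3.1, as one added Python simulation that is not the authors' MATLAB code. It assumes a constructed model of the original interface: 28 pictures, 5 pass-pictures, 7 randomized public challenges of 4 pictures, five on-screen button layouts (one per hidden challenge) that map a picture position or the no pass-picture icon to a button, an observer who sees the pictures, the layouts, the pressed button and the response time, and Gaussian response times in which Up is answered fastest, as Figure 6 reports.

```python
"""Constructed simulation of both attacks on a model of the original Undercover
design with randomized public challenges. Not the authors' code; the interface
model (five public button layouts, response-time distributions) is an assumption."""
import random
from itertools import combinations

N_PICTURES, N_PASS, N_CHALLENGES, PER_CHALLENGE = 28, 5, 7, 4
HIDDEN = ["Up", "Down", "Left", "Right", "Center"]
NONE_POS = PER_CHALLENGE  # position index of the "no pass-picture" icon


def make_layouts(rng):
    """Five distinct button layouts (assumption: permutations of the five
    positions). They are displayed on screen, so the observer knows them."""
    layouts = {}
    while len(layouts) < len(HIDDEN):
        perm = tuple(rng.sample(range(PER_CHALLENGE + 1), PER_CHALLENGE + 1))
        if perm not in layouts.values():
            layouts[HIDDEN[len(layouts)]] = perm
    return layouts


def make_session(password, layouts, rng):
    """One login session: the 28 pictures are partitioned into 7 public challenges
    of 4, each pass-picture in its own challenge, so every challenge holds at most
    one pass-picture. The user presses the button that the layout of the hidden
    challenge assigns to the pass-picture position (or to the no pass-picture
    icon). Response times are constructed: Up is answered fastest.
    Returns a list of (pictures, button, seconds) in the order shown."""
    decoys = [p for p in range(1, N_PICTURES + 1) if p not in password]
    rng.shuffle(decoys)
    passes = list(password)
    rng.shuffle(passes)
    session = []
    for k in range(N_CHALLENGES):
        pics = [decoys.pop() for _ in range(PER_CHALLENGE - 1)]
        pics.append(passes[k] if k < N_PASS else decoys.pop())
        rng.shuffle(pics)
        hidden = rng.choice(HIDDEN)
        pos = next((i for i, p in enumerate(pics) if p in password), NONE_POS)
        seconds = rng.gauss(1.2 if hidden == "Up" else 3.0, 0.4)
        session.append((pics, layouts[hidden][pos], seconds))
    rng.shuffle(session)
    return session


def timing_attack(sessions, layouts, m=1, penalty=False, rng=None):
    """Steps 1-3 of the timing attack plus the two refinements: use the m fastest
    responses per session, and penalize the other pictures of the challenge."""
    rng = rng if rng is not None else random.Random(0)
    counters = {p: 0 for p in range(1, N_PICTURES + 1)}            # Step 1
    up_inverse = {button: pos for pos, button in enumerate(layouts["Up"])}
    for session in sessions:                                        # Step 2
        for pics, button, _ in sorted(session, key=lambda r: r[2])[:m]:
            pos = up_inverse[button]     # assume the hidden challenge was Up
            if pos == NONE_POS:
                continue                 # response says "no pass-picture here"
            counters[pics[pos]] += 1
            if penalty:
                for i, p in enumerate(pics):
                    if i != pos:
                        counters[p] -= 1  # distinguished decoy pictures
    ranked = sorted(counters, key=lambda p: counters[p], reverse=True)  # Step 3
    fifth = counters[ranked[N_PASS - 1]]
    above = [p for p in ranked if counters[p] > fifth]
    tied = [p for p in ranked if counters[p] == fifth]
    rng.shuffle(tied)                    # avoid bias towards smaller indices
    return set((above + tied)[:N_PASS])


def intersection_attack(sessions):
    """Steps 1-3 of the intersection attack: a candidate password is invalid as
    soon as two of its pictures appear in one public challenge.
    Returns the candidates left and the number of sessions consumed."""
    candidates = [frozenset(c) for c in combinations(range(1, N_PICTURES + 1), N_PASS)]
    used = 0
    for session in sessions:
        used += 1
        for pics, _, _ in session:
            shown = set(pics)
            candidates = [c for c in candidates if len(c & shown) <= 1]
        if len(candidates) <= 1:
            break
    return candidates, used


def simulate(seed=2024, n_sessions=200):
    """Run both attacks on the same constructed login data."""
    rng = random.Random(seed)
    password = set(rng.sample(range(1, N_PICTURES + 1), N_PASS))
    layouts = make_layouts(rng)
    sessions = [make_session(password, layouts, rng) for _ in range(n_sessions)]
    guess = timing_attack(sessions, layouts, m=1, penalty=True, rng=random.Random(seed))
    left, used = intersection_attack(sessions)
    return password, guess, left, used


if __name__ == "__main__":
    password, guess, left, used = simulate()
    print("password           :", sorted(password))
    print("timing attack      :", sorted(guess))
    print("intersection attack:", [sorted(c) for c in left], "after", used, "sessions")
```

The intersection attack converges in roughly the seven to ten sessions the paper reports, while the timing attack needs many more sessions because only the fastest response of each session is used.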
Table 2: Combinations of button presses that are sufficient to uniquely reveal the ten PIN digits, with their occurrence probability in responses. * For the combinations revealing PIN digits 1, 2, 3, 6, 7 and 8, the second and the third button press patterns should appear in two different responses to a challenge at the same position of two different login sessions; otherwise they will completely or partly cancel each other. The first button press pattern can appear in the same response as the other two.

Table 1 shows a list of different button press patterns that can leak information about PIN digits, where the occurrence probability of each case assumes that each PIN digit and each hidden digit distribute uniformly in {0, 1, ..., 9}. Here, we ignore button presses that cancel each other, e.g. one Left followed by one Right or one Up followed by one Down. From Table 1, we can see that a combination of some button press patterns can lead to a unique determination of the PIN digit. Such combinations of button press patterns are enumerated in Table 2, with their occurrence probability in responses to random challenges (see Section 3 of the Appendix for the calculation of the occurrence probabilities). For instance, we may have two responses to the second challenge of two different login sessions: and, which reveal that the second PIN digit is. Note that there is only one response corresponding to each PIN digit in a single login session. Based on the occurrence probabilities in Table 2, we can estimate how many login sessions n are needed to uniquely recover a PIN digit with probability q:

When the PIN digit is 0, 4, 5, or 9: ( 5 )( 8 ) q. This inequality can be solved numerically to get n_1(q).

When the PIN digit is 1, 2, 3, 6, 7, or 8: ( 5 )( 6 8 ) q. This inequality can be solved numerically to get n_2(q).

When each PIN digit is uniquely determined with probability q, the whole 4-digit PIN is uniquely determined with probability q^4. To make q^4 ≥ 0.5, we need to have q ≥ 0.8409. When q = 0.8409, we can calculate n_1(q) = 9 and n_2(q) = 12. This means that, given twelve login sessions, the 4-digit PIN can always be uniquely determined with probability no less than 0.5. If the PIN is composed of 0, 4, 5 and 9 only, nine observed login sessions will be enough.

We did a large number of MATLAB simulations to test the real performance of the intersection attack. For a PIN 36, random attacks showed that the median number of login sessions needed to uniquely reveal the whole PIN is eleven. For a PIN 0459, the median number is nine. One can see that the attack works very well and our theoretical analysis is very accurate. Since we did not implement this alternative design of Undercover, the attack was not validated by real login data from a user study. But the attack does not depend on human behavior at all, so a revalidation via a user study is not really necessary.

5 ENHANCING UNDERCOVER

As we described above, the two proposed attacks are based on some flaws in the original and alternative designs of Undercover. By removing these design flaws, we can enhance the security of Undercover. To simplify our discussion, here we only focus on how to enhance the original Undercover design.

To resist the intersection attack, we should avoid information leaked from public challenges. This means that we need to use a fixed set of seven public challenges in all login sessions (as the authors of [43] implemented their Undercover prototype). Whether the order of the seven public challenges in each login session and the order of the four pictures in each public challenge should also be fixed is an issue for future study. It remains a question whether fixing either order or both can lead to other new attacks.

To resist the timing attack, we need to make the five button layouts equally difficult for human users to handle. Randomly shuffling them is a simple way to achieve this goal. The shuffling can be done dynamically for each challenge to minimize any potential nonuniformity of human users' response time to different hidden challenges.

We developed an enhanced edition of our Undercover implementation by adopting the above two measures. A two-week user study with a group of participants was performed to verify its performance against the timing attack, i.e., whether human users can now respond to hidden challenges more uniformly. The same protocol as the user studies on the original Undercover scheme was followed for this new user study. All participants also attended the previous user study, except one new user who was recruited for testing this new enhanced design. The average response times become flatter, as shown in Figure 12. However, paired t-tests showed that the average response time to Up hidden challenges is still significantly shorter than the average response time to hidden challenges Left, Right and Center (although with much smaller p-values).

Figure 12: Average response times and error response rates to different hidden challenges of the
Undercover implementation enhanced by shuffling button layouts.

After discussing with some participants, we noticed a possible explanation for the still shorter response time to Up hidden challenges. Observing the figure of the original interface, we can see that the button layout corresponding to Up hidden challenges is the closest to the public challenge. Some participants recalled that they had spent more time in locating other button layouts and verifying them. To further remove this new kind of nonuniformity in human behavior, we realized that it is important to re-arrange the user interface so that the distance between each button layout and the public challenge is equal. Further analysis showed that we should also equalize the distance between the pass-picture and the button layout used by the user to make the public response. This led to a new design of the interface of Undercover, as shown in Figure 13. Now we distribute the four pictures in each public challenge uniformly on a circle, and put the no pass-picture icon at the center of the circle. The five button layouts are located in the same way as the five pictures. To further simplify the user interface, we also changed the hidden responses to 1, 2, 3, 4 and 5, and the user is asked to: 1) find the hidden response in the button layout near to the pass-picture or the no pass-picture icon; 2) press the button at the same location as the hidden response to make the public response. The above changes make the interface tighter and the user's task simpler, so we expect the usability of the system can also be improved against passive observers. It remains a question whether an even better design can be made to further reduce the average login time.

Figure 13: The new layout of our enhanced Undercover implementation.

In the design process of the new enhanced Undercover implementation, we noticed a new kind of nonuniformity that may lead to a new timing attack: if all the 5 pass-pictures have appeared in the first five or six public challenges, the user knows that all the remaining (one or two) public challenge(s) will contain no pass-picture, so that he/she may be able to respond faster than in the usual case. To avoid this problem, we changed the design so that the last public challenge always contains one pass-picture. This measure has a side effect on the success rate of random guess, which is increased from 5 C 4 / 54 to 7 5 C 6 4 / 536, around 4 times larger. Since /536 is still smaller than 4, the side effect is acceptable.

A one-week user study with 9 users was then performed to check whether this new enhancement works. All 9 users are old users who had participated in previous user studies. Unlike our previous user studies, each user was asked to log in five to ten times per day so that we can collect enough data for analysis. Figure 14 shows the results obtained from real login data. Now the paired t-test fails to reject the null hypothesis that the response time to Hidden Challenge has the same mean as the response time to other hidden challenges, thus leading us to believe that the response times to different hidden challenges are not significantly different. Simulated attacks on the enhanced Undercover implementation showed that none of the user passwords was broken. The success rate of breaking pass-pictures is always below 5%. In addition, as we expected, the average login times and the login error rates are both improved compared to the original Undercover design: the average login time is reduced to less than 9 seconds after repeated logins, and the error rate over all 9 users is just around 6%. We believe that the average login time can be reduced further after the user becomes more familiar with the system and her password. While this is still significantly longer than the average time of entering a 4-digit PIN, it is likely that we have to pay some additional costs for getting the additional security.

Figure 14: Average response times and error response rates to different hidden challenges of the Undercover implementation enhanced with the new interface in Figure 13.

6 Generalizing Timing Attack

The idea of timing attack may also be generalized to break other human authentication systems based on hidden challenges. For instance, the uni-modal designs proposed in [8,9] ask the user to rotate an input device to match a target (which is a secret password item) cued via a tactile or audio channel. It is obvious that the response time depends on how far the current cue is from the target. In addition, for different targets, the average response time should be different, because the average distance from a random cue to the target is different. For instance, assuming that the list of possible cues/targets are 0, 1, ..., 9 and they follow a predetermined fixed order, then the targets 4 and 5 have the minimum average response time. By further considering the direction of the overall rotation, one can further distinguish 4 and 5. In the same manner one can distinguish all targets. Whether such a timing attack works in practice will be part of our future research.

Although the timing attack is proposed to break Undercover-like human authentication schemes as ad hoc designs, the reason why it works for Undercover has its root in the way a normal human user responds to visual challenges that require mental effort: she needs to first look for visual patterns of her interest, interpret them properly, then compute the correct response and finally make the response by moving her body and/or finger(s). If any of the four steps has a dependency on the contents of the challenge, the user may respond differently to different challenges. Such a behavioral difference may lead to an effective timing attack. If

there is more than one kind of such human behavior, different combinations of them may lead to different timing attacks. In case the password cannot be completely broken, the information leaked may be useful to reduce the password space, thus making a brute force attack feasible. Considering the fact that human behavior can be nonuniform and highly nonlinear in many aspects, the exploitation space of attacks based on human behavior may be much larger than what we think of. Note that timing attack may not be the only form of human behavior based attacks. In the following, we briefly discuss different aspects that may lead to human behavior attacks on human authentication systems.

Response time. This has been shown clearly by the timing attack on Undercover designs proposed in this paper and by previous research on some other systems like PIN input devices and VibraPass [13,14,29]. There are different sources of nonuniformity that may be exploited by an attacker to launch a successful timing attack. For instance, for graphical password systems based on an image pool [6,,3,5,6,34,4,44,47], the user's response to a challenge may be faster if the (average) distance of the pass-picture(s) to the left upper corner of the displayed challenge is shorter and/or the pass-picture(s) are more visually attractive or eye-catching (due to their colors, patterns or semantics). In addition, depending on the personal nature of a given user, she may be more sensitive to specific challenges and respond slower or faster than average. As a typical example, color blind users will respond slower to color patterns that fall into their color vision deficiency, so a careless design of the challenges may lead to an additional risk that does not exist for users with normal color vision. Considering the fact that a considerable percentage of the whole population is suffering from color blindness (e.g., 8% of Caucasian males and 0.5% of Caucasian females [18]), this effect may not be negligible for graphical password systems. Recall that Undercover was also designed to work with distorted images, which will likely make the distinguishability of pass-pictures from decoy pictures more dependent on color differences and thus may lead to a higher risk of a timing attack on color blind users.

Response error rate. Similar to nonuniform response time, the nonuniformity of response errors may also be used to develop a similar human behavior based attack. For instance, some graphical password systems (e.g., those reported in [3,34]) require the user to count the number of pass-pictures in each challenge, which implies that for some (if not all) users the response error rate may increase with the number of pass-pictures. By observing whether a user failed a login session and how many times she re-tried, an attacker may get some useful information to reduce the password space. Note that once having made a mistake, the user may be more careful and slower in the second login attempt and spend more time on confusing challenges; therefore, an attacker may further get more useful information about the challenge(s) for which the user made wrong responses. In case the attacker is allowed to impersonate the server, he can present carefully constructed challenges to induce login failures.

Mental computation. One of the reasons why our proposed timing attack works for Undercover is that human users need different amounts of mental effort to handle different hidden challenges. Since all human authentication systems require the user to do some mental computation (recalling, counting, recognizing, comparing, calculating, etc.), there is always a potential risk that some kind of nonuniformity exists so that an effective timing attack can be developed based on it.

Temporal variation. The response time and the response error rate of a human user may vary and evolve during the course of using the system. It is also possible that a user becomes smarter after using a password system for a long time, so that she creates some shortcuts to make faster responses to some challenges with a higher probability. This may create new attacks or improve the performance of existing attacks. For instance, the unsuccessful timing attack described in Section 4.2.3 may start working after the user becomes very familiar with the system, her pass-pictures and the seven fixed public challenges, if she can locate pass-pictures faster and make quicker responses than before.

Personal preference. Previous research [11] has shown the important role of personal preference in the security of graphical password systems. It is likely that some users may suffer from a higher risk of timing attack if they select weak passwords linked to their personal preference. One consequence is a possible change of the response pattern. For the original Undercover design, the time gap between the response times to public challenges with and without pass-pictures may become larger, or some new time gaps may appear. Note that it may not be easy (if not impossible) to completely avoid personal preference for graphical passwords, since the users do need some semantic clues to help them remember their passwords. As a consequence, in principle there is always an exploitable personal preference that can potentially be used by an attacker. In addition, it deserves noting that cultural and religious backgrounds normally play an important role in a user's preference. In our user studies, although no exploitable difference was observed between the Croatian and Pakistani groups for the proposed timing attack, it remains a question whether a different attack can be developed by exploiting some statistical differences we missed during the user study, or whether such an attack exists for other human authentication systems.

Facial expression and hand/body movement. For human authentication systems against passive observers, the attacker can install a hidden video camera to record the login sessions. He may also install a secondary hidden camera to record the facial expression and hand/body movement of the user during the login sessions. This point is also discussed in [43], where Sasamoto et al. observed that some users moved their hands improperly and leaked information about the hidden challenge or the pass-picture. In addition to hand movement, the user's facial expression may also leak information about the hidden challenge or the pass-picture. For instance, when a public challenge without any pass-picture is shown, the user may look less relaxed than when a public challenge with a pass-picture is presented. Similarly, when all five pass-pictures have been shown, so that the user knows the last public challenge will not contain any pass-picture, she may appear very relaxed and move her eyes towards the button layout without looking at the computer screen before making the last response.

The above discussion is very general and can in principle apply to all human authentication systems. In our opinion, every human authentication system must be carefully evaluated against human behavior attacks by considering all the above points. As a general rule, the user interface should be designed in such a way that most human users will not have distinguishable nonuniform behavior. In some cases, educating users may also help mitigate the risk, but it is desirable to avoid user education, since users are well known for not behaving very well even after being educated. In our future work, we will investigate whether similar human behavior based attacks exist in other human authentication systems, especially other recognition and recall based graphical password systems.

7 CONCLUSION

This paper reports two practical attacks on Undercover, a human authentication system proposed at CHI 2008 which was believed to be secure against observation attacks. We reveal security weaknesses in Undercover due to some design flaws and insecure human behaviors. We also proposed some enhancements to make Undercover more secure against the proposed attacks. User studies were carried out to verify both our proposed attacks and the performance of the suggested enhancements. Our work has implications beyond gauging the security of Undercover as an ad hoc design. Our results reemphasize that designers of security systems should pay special attention to the human-computer interfaces of their systems. More specifically, the attacks proposed in this paper demonstrate that, if meticulous care is not exercised in measuring how human users will perceive and operate a security system, user behavior can reveal sensitive information that can be used to break the system. Our work on enhancing Undercover also showed that usable solutions to insecure human behaviors are not always intuitively obvious. In our future work, we plan to generalize the timing attack to other Undercover-like designs and other human authentication systems. We will also look for new Undercover designs that can lead to a shorter login time and a lower login error rate. One possible direction is to explore uni-modal designs that remove the public challenges, since some previous work suggests that they unnecessarily increase the mental work load of users.

8 ACKNOWLEDGMENTS

The authors would like to thank the anonymous reviewers and the shepherd of the paper, Alexander De Luca, for their comments on further enhancement of the paper. The authors also thank the participants of our user studies who made this research possible. Shujun Li was supported by a fellowship from the Zukunftskolleg, University of Konstanz, Germany, as part of the Excellence Initiative Program of the DFG (German Research Foundation).

9 REFERENCES

1. A. Adams and M. A. Sasse. Users are not the enemy. Communications of the ACM, 42(12):40-46, 1999.
2. F. A. Alsulaiman, J. Cha and A. El Saddik. User identification based on handwritten signatures with haptic information. In Haptics: Perception, Devices and Scenarios, 6th International Conference, EuroHaptics 2008, Proceedings, Volume 5024 of Lecture Notes in Computer Science, 4-, Springer, 2008.
3. R. J. Anderson. Why cryptosystems fail. Communications of the ACM, 37(11):32-40, 1994.
4. H. J. Asghar, S. Li, J. Pieprzyk and H. Wang. Cryptanalysis of the Convex Hull Click human identification protocol. In Information Security, 13th International Conference, ISC 2010, Revised Selected Papers, Volume 6531 of Lecture Notes in Computer Science, 4-3, Springer, 2011.
5. H. J. Asghar, J. Pieprzyk and H. Wang. A new human identification protocol and Coppersmith's baby-step giant-step algorithm. In Applied Cryptography and Network Security, 8th International Conference, ACNS 2010, Proceedings, Volume 6123 of Lecture Notes in Computer Science, Springer, 2010.
6. J. Aycock. Computer Viruses and Malware. Springer, 2006.
7. X. Bai, W. Gu, S. Chellappan, X. Wang, D. Xuan and B. Ma. PAS: Predicate-based Authentication Services against powerful passive adversaries. In Proceedings of the 24th Annual Computer Security Applications Conference (ACSAC 2008), IEEE Computer Society, 2008.
8. A. Bianchi, J. K. Lee, I. Oakley and D. S. Kwon. The Haptic Wheel: design & evaluation of a tactile password system. In Proceedings of the 28th International Conference on Human Factors in Computing Systems: Extended Abstracts (CHI EA 2010), ACM, 2010.
9. A. Bianchi, I. Oakley, V. Kostakos and D. S. Kwon. The Phone Lock: audio and haptic shoulder-surfing resistant PIN entry methods for mobile devices. In Proceedings of the 5th International Conference on Tangible, Embedded, and Embodied Interaction (TEI 2011), 97-, ACM, 2011.
10. A. Bianchi, I. Oakley and D. S. Kwon. The Secure Haptic Keypad: a tactile password system. In Proceedings of the 28th ACM International Conference on Human Factors in Computing Systems (CHI 2010), 1089-1092, ACM, 2010.
11. D. Davis, F. Monrose and M. K. Reiter. On user choice in graphical password schemes. In Proceedings of the 13th USENIX Security Symposium, 151-164, USENIX, 2004.
12. A. De Luca and B. Frauendienst. A privacy-respectful input method for public terminals. In Proceedings of the 5th Nordic Conference on Human-computer Interaction: Building Bridges (NordiCHI 2008), ACM, 2008.
13. A. De Luca, M. Langheinrich and H. Hußmann. Towards understanding ATM security: a field study of real world ATM use. In Proceedings of the 6th Symposium on Usable Privacy and Security (SOUPS 2010), Article 6, ACM, 2010.
14. A. De Luca, E. von Zezschwitz and H. Hußmann. VibraPass: secure authentication based on shared lies. In Proceedings of the 27th ACM International Conference on Human Factors in Computing Systems (CHI 2009), 913-916, ACM, 2009.
15. T. Deyle and V. Roth. Accessible authentication via tactile PIN entry. Computer Graphics Topics, Issue 3.
16. R. Dhamija and A. Perrig. Déjà Vu: a user study using images for authentication. In Proceedings of the 9th USENIX Security Symposium, 45-58, USENIX, 2000.
17. K. Dunham (Technical Editor). Mobile Malware Attacks and Defense. Syngress Publishing, 2008.
18. L. Fleming Fallon. Color blindness. In Gale Encyclopedia of Children's Health: Infancy through Adolescence, Gale, 2005.
19. A. Forget, S. Chiasson and R. Biddle. Shoulder-surfing resistance with eye-gaze entry in cued-recall graphical passwords. In Proceedings of the 28th ACM International Conference on Human Factors in Computing Systems (CHI 2010), 7-, ACM, 2010.
20. P. Golle and D. Wagner. Cryptanalysis of a cognitive authentication scheme. In Proceedings of the 2007 IEEE Symposium on Security and Privacy (S&P 2007), 66-70, IEEE Computer Society, 2007.
21. M. Hasegawa, N. Christin and E. Hayashi. New directions in multisensory authentication. In Adjunct Proceedings of the Seventh International Conference on Pervasive Computing (Pervasive 2009), Late Breaking Results, 2009.
22. E. Hayashi, N. Christin, R. Dhamija and A. Perrig. Use Your Illusion: secure authentication usable anywhere. In Proceedings of the 4th Symposium on Usable Privacy and Security (SOUPS 2008), 35-45, ACM, 2008.
23. N. J. Hopper and M. Blum. Secure human identification protocols. In Advances in Cryptology, ASIACRYPT 2001, Volume 2248 of Lecture Notes in Computer Science, 52-66, Springer, 2001.
24. M. Jakobsson and S. Myers (Editors). Phishing and Countermeasures. John Wiley & Sons, 2007.
25. H. Jameel, R. Shaikh, H. Lee and S. Lee. Human identification through image evaluation using secret predicates. In Topics in Cryptology, CT-RSA 2007, Volume 4377 of Lecture Notes in Computer Science, 67-84, Springer, 2007.
26. H. Jameel, R. Shaikh, L. Hung, Y. Wei, S. Raazi, N. Canh, S. Lee, H. Lee, Y. Son and M. Fernandes. Image-feature based human identification protocols on limited display devices. In Information Security Applications, 9th International Workshop, WISA 2008, Revised Selected Papers, Volume 5379 of Lecture Notes in Computer Science, -4, Springer, 2009.
27. R. Kuber and W. Yu. Authentication using tactile feedback. In Proceedings of the 20th British HCI Group Annual Conference on People and Computers (HCI 2006), 4-45, British Computer Society, 2006.
28. R. Kuber and W. Yu. Feasibility study of tactile-based authentication. International Journal of Human Computer Studies, 68(3):158-181, 2010.
29. D. F. Kune and Y. Kim. Timing attacks on PIN input devices. In Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS 2010), ACM, 2010.
30. M. Lei, Y. Xiao, S. V. Vrbsky, C.-C. Li and L. Liu. A virtual password scheme to protect passwords. In Proceedings of the 2008 IEEE International Conference on Communications (ICC 2008), IEEE, 2008.
31. S. Li, H. J. Asghar, J. Pieprzyk, A.-R. Sadeghi, R. Schmitz and H. Wang. On the security of PAS (Predicate-based Authentication Service). In Proceedings of the 25th Annual Computer Security Applications Conference (ACSAC 2009), 209-218, IEEE Computer Society, 2009.
32. S. Li, S. A. Khayam, A.-R. Sadeghi and R. Schmitz. Breaking randomized linear generation functions based virtual password system. In Proceedings of the IEEE International Conference on Communications (ICC 2010), IEEE, 2010.
33. S. Li and H.-Y. Shum. Secure Human-Computer Identification against peeping attacks (SecHCI): A survey. Technical report.
34. S. Li and H.-Y. Shum. Secure Human-Computer Identification (Interface) systems against peeping attacks: SecHCI. IACR Cryptology ePrint Archive, Report 2005/268, 2005.
35. X.-Y. Li and S.-H. Teng. Practical human-machine identification over insecure channels. Journal of Combinatorial Optimization, 3(4):347-361, 1999.
36. B. Malek, M. Orozco and A. El Saddik. Novel shoulder-surfing resistant haptic-based graphical password. In Proceedings of EuroHaptics 2006, 79-84, EuroHaptics Society, 2006.
37. T. Matsumoto. Human-computer cryptography: an attempt. In Proceedings of the 3rd ACM Conference on Computer and Communications Security (CCS 96), 68-75, ACM, 1996.
38. T. Matsumoto and H. Imai. Human identification through insecure channel. In Advances in Cryptology, EUROCRYPT 91, Volume 547 of Lecture Notes in Computer Science, 409-421, Springer, 1991.
39. A. J. Menezes, P. C. van Oorschot and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996.
40. Passfaces Corporation. Passfaces: Two Factor Authentication for the Enterprise. Last visited on 6th June.
41. T. Perković, M. Čagalj and N. Saxena. Shoulder-surfing safe login in a partially observable attacker model. In Financial Cryptography and Data Security: 14th International Conference, FC 2010, Revised Selected Papers, Volume 6052 of Lecture Notes in Computer Science, Springer, 2010.
42. V. Roth, K. Richter and R. Freidinger. A PIN-entry method resilient against shoulder surfing. In Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS 2004), 236-245, ACM, 2004.
43. H. Sasamoto, N. Christin and E. Hayashi. Undercover: authentication usable in front of prying eyes. In Proceedings of the 26th ACM International Conference on Human Factors in Computing Systems (CHI 2008), 183-192, ACM, 2008.
44. L. Sobrado and J. C. Birget. Graphical passwords. The Rutgers Scholar, vol. 4.
45. F. Tari, A. A. Ozok and S. H. Holden. A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords. In Proceedings of the 2nd Symposium on Usable Privacy and Security (SOUPS 2006), 56-66, ACM, 2006.
46. C.-H. Wang, T.
Hwag ad J-J Tsai O the Matsumoto ad Imai s huma idetificatio scheme I Advaces i Cryptology EUROCRYPT 95, Volume 9 of Lecture Notes i Computer Sciece, 38-39, Spriger, D Weishall Cogitive autheticatio schemes safe agaist spyware I Proceedigs of 6 IEEE Symposium o Security ad Privacy (S&P 6), 95-3, IEEE Computer Society, 6 48 S Wiedebeck, J Waters, L Sobrado ad J-C Birget Desig ad evaluatio of a shoulder-surfig resistat graphical password scheme I Proceedigs of Iteratioal Workig Coferece o Advaced Visual Iterfaces (AVI 6), 77-84, ACM, 6 49 H Zhao ad X Li S3PAS: a scalable shoulder-surfig resistat textual-graphical password autheticatio scheme I Proceedigs of the st Iteratioal Coferece o Advaced Iformatio Networkig ad Applicatios Workshops (AINAW 7), , IEEE Computer Society, 7 3

APPENDIX

Theoretical analysis of the timing attack

In this subsection of the appendix, we give a theoretical analysis of the performance of the timing attack. The success of the timing attack depends on whether a pass-picture has a higher probability of being distinguished as a pass-picture in Step 2 than a decoy picture. If so, a pass-picture will have a larger counter value than a decoy picture, so pass-pictures will likely be ranked higher than decoy pictures in Step 3. Intuitively, increasing the number of login sessions will increase the probability that all pass-pictures are ranked as the top five pictures in Step 3, and thus increase the success rate of the timing attack.

In each login session, denote the probability that a pass-picture's counter is increased by $p_1$, the probability that a decoy picture's counter is increased by $p_2$, and the probability that no counter is increased by $p_3$. Based on the original Undercover design, $5p_1 + 23p_2 + p_3 = 1$ should hold. There are eight events we need to consider for calculating the three probabilities:

Event 1: The login session includes at least one Up hidden challenge, which happens with probability $p_{E1} = 1 - (1 - 1/5)^7 \approx 0.7903$.

Event 2: The fastest response corresponds to an Up hidden challenge, which happens with a user-dependent probability $p_{E2}$.

Event 3: The public challenge corresponding to the fastest response includes a pass-picture, which happens with probability $p_{E3} = 5/7$.

Event 4: Given that we are observing a public challenge with a pass-picture, the probability that a specific pass-picture appears in the challenge is $p_{E4} = 1/5$.

Event 5a: The user makes a correct response to an Up hidden challenge, which happens with a user-dependent probability $p_{E5a}$.

Event 5b: The user makes a correct response to a non-Up hidden challenge, which happens with a user-dependent probability $p_{E5b}$.

Event 6: An incorrect response made by the user to a non-Up hidden challenge matches the pass-picture if we consider the hidden challenge as Up, which happens with a user-dependent probability $p_{E6}$.

Event 7: An incorrect response made by the user to an Up hidden challenge matches a public challenge without a pass-picture, which happens with a user-dependent probability $p_{E7}$.

The pass-picture under consideration will be distinguished as a pass-picture in the following two situations: 1) Events 1, 2, 3, 4 and 5a happen; 2) Event 2 does not happen, and Events 3, 4 and 6 happen. Assuming that the events are independent of each other, we have

$$p_1 = p_{E1}\, p_{E2}\, p_{E3}\, p_{E4}\, p_{E5a} + (1 - p_{E2})\, p_{E3}\, p_{E4}\, p_{E6}.$$

This probability is user dependent because $p_{E2}$ and $p_{E5}$ are both user dependent. To ease our discussion, we use the median probabilities of Events 2 and 5 obtained in our user studies: $p_{E2} \approx 0.6583$, $p_{E5a} \approx 0.987$, $p_{E5b} \approx 0.965$. For Events 6 and 7, we assume that the user makes incorrect responses randomly, so $p_{E6} = p_{E7} = 1/4 = 0.25$. With all the above values of the user-dependent probabilities, $p_1 \approx 0.0865$. The probability $p_3$ is equal to

$$p_3 = (1 - p_{E3}) + p_{E3}\left(p_{E2}(1 - p_{E5a}) + (1 - p_{E2})(1 - p_{E5b})\right) p_{E7} \approx 0.2894.$$

From $p_1$ and $p_3$, we can derive $p_2 = (1 - 5p_1 - p_3)/23 \approx 0.0123$. Since $p_1$ is $p_1/p_2 \approx 6.96$ times larger than $p_2$, we expect that the timing attack should work well in practice.

We estimated the values of $p_1$ and $p_2$ of each user from our real login data. The results are shown in Figure 5, from which we can see that the values of $p_1$, $p_2$ and $p_3$ are indeed user dependent and also time varying. The actual value of $p_1/p_2$ is less than the above theoretical estimate, but still significantly larger than 1 for all users and over the whole course of logins. The inaccuracy of the estimate might be attributed to the inaccuracy of the theoretical model itself and/or of some probabilities involved in the model.

Figure 5: Values of $p_1$ and $p_2$ of the median user, estimated from real login data (two panels, $p_1$ and $p_2$, and $p_1/p_2$, each plotted against the number of observed login sessions).

Although $p_1$ is much larger than $p_2$, the probability that all the five pass-pictures are ranked as the top five pictures may not be high when the number of observed login sessions (denoted henceforth as $n$) is small. In fact, when $n < 5$, this probability is 0 because not all pass-pictures can appear. In general, this probability can be reformulated as follows. Randomly make $n$ attempts at picking a ball from a box with an infinite number of balls labeled with the numbers $1, \dots, 28$. With probability $p_1$, we take a ball with a label between 1 and 5, and with probability $p_2$, we take a ball with a label between 6 and 28. With probability $p_3 = 1 - 5p_1 - 23p_2$, we fail to get a ball. At the end, what is the probability that the number of balls with label $i$ is larger than the number of balls with label $j$ for any $i \in \{1, \dots, 5\}$ and $j \in \{6, \dots, 28\}$? Denote the above probability by $p_{t5}$ and the number of balls labeled $i$ by $C_i$; it can be written as a sum as follows:

$$p_{t5} = \sum_{\substack{\min_{1 \le i \le 5} C_i > \max_{6 \le i \le 28} C_i \\ D = n - \sum_i C_i}} \frac{n!}{C_1! \cdots C_{28}!\, D!}\; p_1^{\,C_1 + \cdots + C_5}\; p_2^{\,C_6 + \cdots + C_{28}}\; p_3^{\,D}.$$

It is not trivial to get an explicit form of $p_{t5}$, so we used the Monte Carlo method to estimate $p_{t5}$ for a set of values of $n$, which are shown in Figure 6 (the line marked with "x"). We can see that $p_{t5}$ keeps increasing as $n$ increases. Although it is not very high when $n$ is small, the value is not negligible either. For instance, when $n = 30$, $p_{t5} \approx 0.084$, which means that 8.4% of passwords can be recovered.

Figure 6: Values of $p_{t5}$ and $p^*_{t5}$ for $n = 1, 2, \dots$ (horizontal axis: number of login sessions).

While the success rate of breaking the whole password (i.e., all the five pass-pictures) is not high when $n$ is small, our simulations showed that the probability that a picture among the top five ones is a pass-picture (denoted by $p^*_{t5}$) is significantly high. The line marked with "+" in Figure 6 shows the results. When $n = 30$, although $p_{t5}$ is only 0.084, $p^*_{t5}$ is much larger: $0.658 > 0.5$.

Theoretical analysis of the intersection attack on the original Undercover design

We can estimate how quickly the size of $P$ reduces as $n$ increases. Assume that the reduction rate of the password space, $\#P_{i+1}/\#P_i$, remains stable for all $i$, where $P_i$ denotes the reduced password space after $i$ public challenges are checked. To avoid unnecessarily complicating our theoretical analysis, we ignore the fact that there are exactly five public challenges with one pass-picture. This will lead to a slightly larger key space (since less information leakage is counted), but the final result remains fairly accurate as shown in our experiments (see Sec. 4.3). Based on the above assumptions, the reduction rate is the following:

$$r = \#P_{i+1}/\#P_i = \frac{C_{24}^{5} + C_{4}^{1}\, C_{24}^{4}}{C_{28}^{5}}.$$

The size of $P_n$ will be $\#P_n \approx C_{28}^{5}\, r^n$. To uniquely reveal the password, the size of the reduced password space needs to be small enough. Since there has to be at least one element (the true password) in the reduced password space, when $C_{28}^{5}\, r^n < 1.5$ (meaning that the number of wrong passwords in the reduced password space is smaller than 0.5) the probability that the final reduced password space has only one element will become high, which leads to

$$n > \ln\!\left(1.5 / C_{28}^{5}\right) / \ln r \approx 77.$$

Note that one login session includes seven public challenges, so $77/7 = 11$ observed login sessions will be enough for an attacker to uniquely reveal the password with a considerably high probability. The computational complexity of the intersection attack is determined by the sum of the sizes of all reduced password spaces:

$$O\!\left(\sum_{i=1}^{n} \#P_i\right) = O\!\left(\sum_{i=1}^{n} C_{28}^{5}\, r^i\right) = O\!\left(C_{28}^{5}\, r/(1-r)\right).$$

Since this geometric sum is bounded for any $n$, the complexity is upper bounded by $O\!\left(C_{28}^{5}\, r/(1-r)\right)$.

Occurrence probabilities of combinations of button press patterns in alternative Undercover designs

The occurrence probability of a specific combination of button press patterns in $n$ responses can be calculated based on the probability of each button press pattern in the combination. In the following, we show how the two values in the last column of the table are derived.

Consider first a PIN digit for which the combination includes two button press patterns. To calculate the occurrence probability of the pattern combination, we need to know the occurrence probabilities of the two patterns. They can be derived from the ten possible pattern combinations corresponding to the ten hidden digits, the first of which is "none" (no pattern at all). Assuming the hidden digit distributes uniformly over $\{0, \dots, 9\}$, each of the above ten pattern combinations appears in one response with probability 0.1. This means that the occurrence probabilities of the first and the second pattern will be 0.5 and 0.2, respectively. Given $n$ responses, the probabilities that the first and the second pattern appear at least once are $1 - (1 - 0.5)^n = 1 - 0.5^n$ and $1 - (1 - 0.2)^n = 1 - 0.8^n$, respectively. Further assuming that the two patterns appear independently in the responses, the occurrence probability of the pattern combination becomes $(1 - 0.5^n)(1 - 0.8^n)$. When the PIN digit is 4, 5 or 9, following a similar process to the above one, we can derive that the occurrence probability of the pattern combination of interest is also $(1 - 0.5^n)(1 - 0.8^n)$.

Consider next a PIN digit for which the combination includes three button press patterns. The ten pattern combinations corresponding to the ten hidden digits again start with "none", and the occurrence probabilities of the three patterns are 0.5, 0.2 and 0.2, respectively. Given $n$ responses, the first pattern appears at least once with probability $1 - (1 - 0.5)^n = 1 - 0.5^n$. The probability that both the second and the third pattern appear at least once is a bit more complicated. Let us consider its complement event: at least one of the two patterns does not appear. The probability of this complement event can be calculated as $(1 - 0.2)^n + (1 - 0.2)^n - (1 - 0.2 - 0.2)^n = 2 \cdot 0.8^n - 0.6^n$, where $(1 - 0.2 - 0.2)^n = 0.6^n$ is the probability that neither pattern appears (which has to be subtracted because it is counted twice in the other two terms of the probability). Now we can immediately derive the probability that both patterns appear at least once: $1 - 2 \cdot 0.8^n + 0.6^n$. Then, combining the probabilities of the three patterns, the final occurrence probability of the pattern combination is $(1 - 0.5^n)(1 - 2 \cdot 0.8^n + 0.6^n)$. When the PIN digit is 3, 6, 7 or 8, following a similar process to the above one, we can derive that the probability of the pattern combination of interest is also $(1 - 0.5^n)(1 - 2 \cdot 0.8^n + 0.6^n)$.
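As an added worked example (not code from the paper or its authors), the Python below carries the two analyses above through numerically: the event-probability model that yields $p_1$, $p_2$, $p_3$ for the timing attack, a Monte Carlo estimate of $p_{t5}$ and $p^*_{t5}$ in the ball-and-box model, and the password-space reduction estimate of the intersection attack on the original design. The constants (28 pictures, 5 pass-pictures, 7 public challenges per session, 5 hidden-challenge states) and the median event probabilities are taken from the appendix; the random tie-breaking in the top-five ranking and the number of Monte Carlo trials are assumptions of this example.

```python
"""Added worked example: numerical companion to the appendix analyses.
Model constants and event probabilities follow the appendix text; the code
is not the paper's, and the Monte Carlo tie-breaking is an assumption here."""
import random
from math import ceil, comb, log

NUM_PICTURES = 28           # pictures in the portfolio of the original Undercover
NUM_PASS = 5                # pass-pictures per user
NUM_DECOYS = NUM_PICTURES - NUM_PASS
CHALLENGES_PER_SESSION = 7  # public challenges in one login session
PASS_CHALLENGES = 5         # public challenges that contain exactly one pass-picture
HIDDEN_STATES = 5           # trackball states; "Up" is the identity mapping


def counter_probabilities(p_e2, p_e5a, p_e5b, p_e6=0.25, p_e7=0.25):
    """Return (p1, p2, p3) of the appendix from the user-dependent event
    probabilities: p1 = a given pass-picture's counter is incremented in a
    session, p2 = a given decoy's counter is incremented, p3 = no counter
    is incremented.  Events 6 and 7 default to random wrong answers (1/4)."""
    p_e1 = 1 - (1 - 1 / HIDDEN_STATES) ** CHALLENGES_PER_SESSION  # >= one Up challenge
    p_e3 = PASS_CHALLENGES / CHALLENGES_PER_SESSION  # fastest response on a pass challenge
    p_e4 = 1 / NUM_PASS                              # which pass-picture that challenge shows
    p1 = p_e1 * p_e2 * p_e3 * p_e4 * p_e5a + (1 - p_e2) * p_e3 * p_e4 * p_e6
    p3 = (1 - p_e3) + p_e3 * (p_e2 * (1 - p_e5a) + (1 - p_e2) * (1 - p_e5b)) * p_e7
    p2 = (1 - NUM_PASS * p1 - p3) / NUM_DECOYS       # from 5*p1 + 23*p2 + p3 = 1
    return p1, p2, p3


def draw_counters(n, p1, p2, rng):
    """One run of the ball-and-box model: n draws, each incrementing one
    pass-picture counter (probability p1 per pass-picture), one decoy counter
    (p2 per decoy) or nothing (p3).  Returns the 28 counter values."""
    counters = [0] * NUM_PICTURES
    pass_mass = NUM_PASS * p1
    decoy_mass = NUM_DECOYS * p2
    for _ in range(n):
        u = rng.random()
        if u < pass_mass:
            counters[min(int(u / p1), NUM_PASS - 1)] += 1
        elif u < pass_mass + decoy_mass:
            idx = NUM_PASS + min(int((u - pass_mass) / p2), NUM_DECOYS - 1)
            counters[idx] += 1
        # otherwise no ball is drawn (probability p3)
    return counters


def estimate_timing_attack(n, p1, p2, trials=2000, seed=1):
    """Monte Carlo estimate of (p_t5, p_t5*) after n observed login sessions.
    p_t5  = P(every pass-picture counter exceeds every decoy counter);
    p_t5* = expected fraction of the attacker's top five that are pass-pictures.
    Ties in the top-five ranking are broken at random (assumption of this example)."""
    rng = random.Random(seed)
    full_recoveries = 0
    pass_in_top5 = 0
    for _ in range(trials):
        c = draw_counters(n, p1, p2, rng)
        if min(c[:NUM_PASS]) > max(c[NUM_PASS:]):
            full_recoveries += 1
        order = list(range(NUM_PICTURES))
        rng.shuffle(order)                             # random tie-break ...
        order.sort(key=lambda i: c[i], reverse=True)   # ... kept by the stable sort
        pass_in_top5 += sum(1 for i in order[:NUM_PASS] if i < NUM_PASS)
    return full_recoveries / trials, pass_in_top5 / (trials * NUM_PASS)


def intersection_attack_estimate(slack=1.5):
    """Password-space reduction of the intersection attack on the original
    design: every 4-picture public challenge holds at most one pass-picture,
    so candidates with two or more pictures from one challenge are discarded.
    Returns (r, public challenges, login sessions) needed until
    C(28,5) * r**n drops below `slack` (1.5 in the appendix)."""
    total = comb(NUM_PICTURES, NUM_PASS)             # 98280 candidate passwords
    compatible = comb(NUM_PICTURES - 4, NUM_PASS) + 4 * comb(NUM_PICTURES - 4, NUM_PASS - 1)
    r = compatible / total
    challenges = ceil(log(slack / total) / log(r))
    sessions = ceil(challenges / CHALLENGES_PER_SESSION)
    return r, challenges, sessions


if __name__ == "__main__":
    # median user of the appendix: p_E2 = 0.6583, p_E5a = 0.987, p_E5b = 0.965
    p1, p2, p3 = counter_probabilities(0.6583, 0.987, 0.965)
    print(f"p1={p1:.4f} p2={p2:.4f} p3={p3:.4f} p1/p2={p1 / p2:.2f}")
    for n in (5, 30, 100):
        pt5, pt5_star = estimate_timing_attack(n, p1, p2)
        print(f"n={n:3d}  p_t5={pt5:.3f}  p_t5*={pt5_star:.3f}")
    r, challenges, sessions = intersection_attack_estimate()
    print(f"r={r:.4f}  challenges={challenges}  sessions={sessions}")
```

Running it reproduces the appendix's 77 public challenges (11 sessions) for the intersection attack and shows $p_{t5}$ rising with $n$ while $p^*_{t5}$ is already well above 0.5 at $n = 30$.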


More information

Mathematical goals. Starting points. Materials required. Time needed

Mathematical goals. Starting points. Materials required. Time needed Level A1 of challege: C A1 Mathematical goals Startig poits Materials required Time eeded Iterpretig algebraic expressios To help learers to: traslate betwee words, symbols, tables, ad area represetatios

More information

Optimize your Network. In the Courier, Express and Parcel market ADDING CREDIBILITY

Optimize your Network. In the Courier, Express and Parcel market ADDING CREDIBILITY Optimize your Network I the Courier, Express ad Parcel market ADDING CREDIBILITY Meetig today s challeges ad tomorrow s demads Aswers to your key etwork challeges ORTEC kows the highly competitive Courier,

More information

Maximum Likelihood Estimators.

Maximum Likelihood Estimators. Lecture 2 Maximum Likelihood Estimators. Matlab example. As a motivatio, let us look at oe Matlab example. Let us geerate a radom sample of size 00 from beta distributio Beta(5, 2). We will lear the defiitio

More information

Domain 1: Identifying Cause of and Resolving Desktop Application Issues Identifying and Resolving New Software Installation Issues

Domain 1: Identifying Cause of and Resolving Desktop Application Issues Identifying and Resolving New Software Installation Issues Maual Widows 7 Eterprise Desktop Support Techicia (70-685) 1-800-418-6789 Domai 1: Idetifyig Cause of ad Resolvig Desktop Applicatio Issues Idetifyig ad Resolvig New Software Istallatio Issues This sectio

More information

MARTINGALES AND A BASIC APPLICATION

MARTINGALES AND A BASIC APPLICATION MARTINGALES AND A BASIC APPLICATION TURNER SMITH Abstract. This paper will develop the measure-theoretic approach to probability i order to preset the defiitio of martigales. From there we will apply this

More information

Flood Emergency Response Plan

Flood Emergency Response Plan Flood Emergecy Respose Pla This reprit is made available for iformatioal purposes oly i support of the isurace relatioship betwee FM Global ad its cliets. This iformatio does ot chage or supplemet policy

More information

France caters to innovative companies and offers the best research tax credit in Europe

France caters to innovative companies and offers the best research tax credit in Europe 1/5 The Frech Govermet has three objectives : > improve Frace s fiscal competitiveess > cosolidate R&D activities > make Frace a attractive coutry for iovatio Tax icetives have become a key elemet of public

More information

Measures of Spread and Boxplots Discrete Math, Section 9.4

Measures of Spread and Boxplots Discrete Math, Section 9.4 Measures of Spread ad Boxplots Discrete Math, Sectio 9.4 We start with a example: Example 1: Comparig Mea ad Media Compute the mea ad media of each data set: S 1 = {4, 6, 8, 10, 1, 14, 16} S = {4, 7, 9,

More information

A Balanced Scorecard

A Balanced Scorecard A Balaced Scorecard with VISION A Visio Iteratioal White Paper Visio Iteratioal A/S Aarhusgade 88, DK-2100 Copehage, Demark Phoe +45 35430086 Fax +45 35434646 www.balaced-scorecard.com 1 1. Itroductio

More information

, a Wishart distribution with n -1 degrees of freedom and scale matrix.

, a Wishart distribution with n -1 degrees of freedom and scale matrix. UMEÅ UNIVERSITET Matematisk-statistiska istitutioe Multivariat dataaalys D MSTD79 PA TENTAMEN 004-0-9 LÖSNINGSFÖRSLAG TILL TENTAMEN I MATEMATISK STATISTIK Multivariat dataaalys D, 5 poäg.. Assume that

More information

NATIONAL SENIOR CERTIFICATE GRADE 12

NATIONAL SENIOR CERTIFICATE GRADE 12 NATIONAL SENIOR CERTIFICATE GRADE MATHEMATICS P EXEMPLAR 04 MARKS: 50 TIME: 3 hours This questio paper cosists of 8 pages ad iformatio sheet. Please tur over Mathematics/P DBE/04 NSC Grade Eemplar INSTRUCTIONS

More information

PROCEEDINGS OF THE YEREVAN STATE UNIVERSITY AN ALTERNATIVE MODEL FOR BONUS-MALUS SYSTEM

PROCEEDINGS OF THE YEREVAN STATE UNIVERSITY AN ALTERNATIVE MODEL FOR BONUS-MALUS SYSTEM PROCEEDINGS OF THE YEREVAN STATE UNIVERSITY Physical ad Mathematical Scieces 2015, 1, p. 15 19 M a t h e m a t i c s AN ALTERNATIVE MODEL FOR BONUS-MALUS SYSTEM A. G. GULYAN Chair of Actuarial Mathematics

More information

Lesson 15 ANOVA (analysis of variance)

Lesson 15 ANOVA (analysis of variance) Outlie Variability -betwee group variability -withi group variability -total variability -F-ratio Computatio -sums of squares (betwee/withi/total -degrees of freedom (betwee/withi/total -mea square (betwee/withi

More information

The Stable Marriage Problem

The Stable Marriage Problem The Stable Marriage Problem William Hut Lae Departmet of Computer Sciece ad Electrical Egieerig, West Virgiia Uiversity, Morgatow, WV William.Hut@mail.wvu.edu 1 Itroductio Imagie you are a matchmaker,

More information

CS103A Handout 23 Winter 2002 February 22, 2002 Solving Recurrence Relations

CS103A Handout 23 Winter 2002 February 22, 2002 Solving Recurrence Relations CS3A Hadout 3 Witer 00 February, 00 Solvig Recurrece Relatios Itroductio A wide variety of recurrece problems occur i models. Some of these recurrece relatios ca be solved usig iteratio or some other ad

More information

Non-life insurance mathematics. Nils F. Haavardsson, University of Oslo and DNB Skadeforsikring

Non-life insurance mathematics. Nils F. Haavardsson, University of Oslo and DNB Skadeforsikring No-life isurace mathematics Nils F. Haavardsso, Uiversity of Oslo ad DNB Skadeforsikrig Mai issues so far Why does isurace work? How is risk premium defied ad why is it importat? How ca claim frequecy

More information

Approximating Area under a curve with rectangles. To find the area under a curve we approximate the area using rectangles and then use limits to find

Approximating Area under a curve with rectangles. To find the area under a curve we approximate the area using rectangles and then use limits to find 1.8 Approximatig Area uder a curve with rectagles 1.6 To fid the area uder a curve we approximate the area usig rectagles ad the use limits to fid 1.4 the area. Example 1 Suppose we wat to estimate 1.

More information

Quadrat Sampling in Population Ecology

Quadrat Sampling in Population Ecology Quadrat Samplig i Populatio Ecology Backgroud Estimatig the abudace of orgaisms. Ecology is ofte referred to as the "study of distributio ad abudace". This beig true, we would ofte like to kow how may

More information

Automatic Tuning for FOREX Trading System Using Fuzzy Time Series

Automatic Tuning for FOREX Trading System Using Fuzzy Time Series utomatic Tuig for FOREX Tradig System Usig Fuzzy Time Series Kraimo Maeesilp ad Pitihate Soorasa bstract Efficiecy of the automatic currecy tradig system is time depedet due to usig fixed parameters which

More information

GOOD PRACTICE CHECKLIST FOR INTERPRETERS WORKING WITH DOMESTIC VIOLENCE SITUATIONS

GOOD PRACTICE CHECKLIST FOR INTERPRETERS WORKING WITH DOMESTIC VIOLENCE SITUATIONS GOOD PRACTICE CHECKLIST FOR INTERPRETERS WORKING WITH DOMESTIC VIOLENCE SITUATIONS I the sprig of 2008, Stadig Together agaist Domestic Violece carried out a piece of collaborative work o domestic violece

More information

TruStore: The storage. system that grows with you. Machine Tools / Power Tools Laser Technology / Electronics Medical Technology

TruStore: The storage. system that grows with you. Machine Tools / Power Tools Laser Technology / Electronics Medical Technology TruStore: The storage system that grows with you Machie Tools / Power Tools Laser Techology / Electroics Medical Techology Everythig from a sigle source. Cotets Everythig from a sigle source. 2 TruStore

More information

1. C. The formula for the confidence interval for a population mean is: x t, which was

1. C. The formula for the confidence interval for a population mean is: x t, which was s 1. C. The formula for the cofidece iterval for a populatio mea is: x t, which was based o the sample Mea. So, x is guarateed to be i the iterval you form.. D. Use the rule : p-value

More information

Elementary Theory of Russian Roulette

Elementary Theory of Russian Roulette Elemetary Theory of Russia Roulette -iterestig patters of fractios- Satoshi Hashiba Daisuke Miematsu Ryohei Miyadera Itroductio. Today we are goig to study mathematical theory of Russia roulette. If some

More information

Asymptotic Growth of Functions

Asymptotic Growth of Functions CMPS Itroductio to Aalysis of Algorithms Fall 3 Asymptotic Growth of Fuctios We itroduce several types of asymptotic otatio which are used to compare the performace ad efficiecy of algorithms As we ll

More information

Professional Networking

Professional Networking Professioal Networkig 1. Lear from people who ve bee where you are. Oe of your best resources for etworkig is alumi from your school. They ve take the classes you have take, they have bee o the job market

More information

COMPARISON OF THE EFFICIENCY OF S-CONTROL CHART AND EWMA-S 2 CONTROL CHART FOR THE CHANGES IN A PROCESS

COMPARISON OF THE EFFICIENCY OF S-CONTROL CHART AND EWMA-S 2 CONTROL CHART FOR THE CHANGES IN A PROCESS COMPARISON OF THE EFFICIENCY OF S-CONTROL CHART AND EWMA-S CONTROL CHART FOR THE CHANGES IN A PROCESS Supraee Lisawadi Departmet of Mathematics ad Statistics, Faculty of Sciece ad Techoology, Thammasat

More information

Clustering Algorithm Analysis of Web Users with Dissimilarity and SOM Neural Networks

Clustering Algorithm Analysis of Web Users with Dissimilarity and SOM Neural Networks JONAL OF SOFTWARE, VOL. 7, NO., NOVEMBER 533 Clusterig Algorithm Aalysis of Web Users with Dissimilarity ad SOM Neal Networks Xiao Qiag School of Ecoomics ad maagemet, Lazhou Jiaotog Uiversity, Lazhou;

More information

Lecture 13. Lecturer: Jonathan Kelner Scribe: Jonathan Pines (2009)

Lecture 13. Lecturer: Jonathan Kelner Scribe: Jonathan Pines (2009) 18.409 A Algorithmist s Toolkit October 27, 2009 Lecture 13 Lecturer: Joatha Keler Scribe: Joatha Pies (2009) 1 Outlie Last time, we proved the Bru-Mikowski iequality for boxes. Today we ll go over the

More information

LECTURE 13: Cross-validation

LECTURE 13: Cross-validation LECTURE 3: Cross-validatio Resampli methods Cross Validatio Bootstrap Bias ad variace estimatio with the Bootstrap Three-way data partitioi Itroductio to Patter Aalysis Ricardo Gutierrez-Osua Texas A&M

More information

Convention Paper 6764

Convention Paper 6764 Audio Egieerig Society Covetio Paper 6764 Preseted at the 10th Covetio 006 May 0 3 Paris, Frace This covetio paper has bee reproduced from the author's advace mauscript, without editig, correctios, or

More information

The Power of Free Branching in a General Model of Backtracking and Dynamic Programming Algorithms

The Power of Free Branching in a General Model of Backtracking and Dynamic Programming Algorithms The Power of Free Brachig i a Geeral Model of Backtrackig ad Dyamic Programmig Algorithms SASHKA DAVIS IDA/Ceter for Computig Scieces Bowie, MD sashka.davis@gmail.com RUSSELL IMPAGLIAZZO Dept. of Computer

More information

Repeating Decimals are decimal numbers that have number(s) after the decimal point that repeat in a pattern.

Repeating Decimals are decimal numbers that have number(s) after the decimal point that repeat in a pattern. 5.5 Fractios ad Decimals Steps for Chagig a Fractio to a Decimal. Simplify the fractio, if possible. 2. Divide the umerator by the deomiator. d d Repeatig Decimals Repeatig Decimals are decimal umbers

More information

Chapter 5 O A Cojecture Of Erdíos Proceedigs NCUR VIII è1994è, Vol II, pp 794í798 Jeærey F Gold Departmet of Mathematics, Departmet of Physics Uiversity of Utah Do H Tucker Departmet of Mathematics Uiversity

More information

Recovery time guaranteed heuristic routing for improving computation complexity in survivable WDM networks

Recovery time guaranteed heuristic routing for improving computation complexity in survivable WDM networks Computer Commuicatios 30 (2007) 1331 1336 wwwelseviercom/locate/comcom Recovery time guarateed heuristic routig for improvig computatio complexity i survivable WDM etworks Lei Guo * College of Iformatio

More information

WHEN IS THE (CO)SINE OF A RATIONAL ANGLE EQUAL TO A RATIONAL NUMBER?

WHEN IS THE (CO)SINE OF A RATIONAL ANGLE EQUAL TO A RATIONAL NUMBER? WHEN IS THE (CO)SINE OF A RATIONAL ANGLE EQUAL TO A RATIONAL NUMBER? JÖRG JAHNEL 1. My Motivatio Some Sort of a Itroductio Last term I tought Topological Groups at the Göttige Georg August Uiversity. This

More information

Trackless online algorithms for the server problem

Trackless online algorithms for the server problem Iformatio Processig Letters 74 (2000) 73 79 Trackless olie algorithms for the server problem Wolfgag W. Bei,LawreceL.Larmore 1 Departmet of Computer Sciece, Uiversity of Nevada, Las Vegas, NV 89154, USA

More information

CS103X: Discrete Structures Homework 4 Solutions

CS103X: Discrete Structures Homework 4 Solutions CS103X: Discrete Structures Homewor 4 Solutios Due February 22, 2008 Exercise 1 10 poits. Silico Valley questios: a How may possible six-figure salaries i whole dollar amouts are there that cotai at least

More information

A Combined Continuous/Binary Genetic Algorithm for Microstrip Antenna Design

A Combined Continuous/Binary Genetic Algorithm for Microstrip Antenna Design A Combied Cotiuous/Biary Geetic Algorithm for Microstrip Atea Desig Rady L. Haupt The Pesylvaia State Uiversity Applied Research Laboratory P. O. Box 30 State College, PA 16804-0030 haupt@ieee.org Abstract:

More information