A Graphical PIN Authentication
Mechanism with Applications to Smart
Cards and Low-Cost devices
Luigi Catuogno
Università di Salerno
Clemente Galdi
Università di Napoli “Federico II”
Outline
• Problem overview
– User authentication
– Graphical passwords
– Shoulder surfing attacks
• Our proposal
– Deterministic and user randomized schemes
– Security evaluation
• Application to device-device authentication
User authentication
• U.A. is a well established area in security
• Different types of services require
different levels of security
–
–
–
–
–
–
Checking email
Withdrawing money at ATMs
On-line banking
…
Access to military bases
Nuke activation procedures
Human authentication
• If the required level of security is
not high
– “Text-based” authentication is still the
mostly used one
• Username-password
• Strip/smart-card + PIN
• One Time Password Tokens
One time password
Authentication through insecure channels
• In order to be authenticated, the
user has to prove that she knows the
secret x
– The system issues a challenge C
– The user compute the proof P=F(x,C)
• Often the user compute F() by means a
personal crypto-device
– The user sends P to the system
– The system verifies the proof…etc.
Graphical password
• A one-time password mechanism
where:
– The system issues a graphical challenge
• Often called “scene”
– The user computes the proof by means a
cognitive function of what she sees on
the screen
• whithout the effort of any external device
Cognitive functions
• Image recognition
• Image position recognition
• Answering simple queries about the
scene
• Repeating a sequence of actions in a
scene
PassFaces
(www.realusers.com)
• The system choses
three passfaces
for the user
PassFaces/2
• During the logon, the
system shows to the
user three scenes
each one containig one
of user’s passfaces
• The user has to
recognize her
passfaces in each
scene
• The user select the
passfaces by
– Mouse clicks,
– Tapping by the stylus
A useful application…
• Everybody uses ATM and POS
terminals everyday.
– PINs and passwords are frequently
subject to attacks and frauds
– PINs are not user-friendly
• Graphical PINs could be a good
improvement
The Problem
The Problem
But…
But..
• Many G.P. schemes requires non trivial
visualization and pointing devices
• ATM machines, POS terminals, Cellular
phones….
– Small sized and low resolution displays
– No pointing devices (mouse, touch screen…)
– Poor computational resources (slow processors,
small memory…)
Requirements
• The authentication scheme should be
independent from the specific set of
objects
– Improves (human) usability
– Allow the adaptation to device-device
authentication
• (Very) Low computational overhead
• The “user” should only “recognize” objects
– No need of crypto-devices
• Resiliency to eavesdropping
Basic Idea
• Objects:
– Let k,a be two integers and q=ka
– O={o1,o2,…,oq} be a set of q objects
• Secret:
– A secret is an object in O
• Challenge:
– Partition the objects in O into a distinct sets, each
containing k objects
– “Visualize” the challenge on a matrix with a rows and k
columns
• Response:
– The row number containing the secret object.
Naïve Protocol
• Secret:
– Let m be an integer
– Let s=(s1,s2,…,sm) be a sequence of m objects
• There exist qm possible secrets
• Response:
– The sequence of m indices of the rows containing the m
objects
A prototype
http://www.dia.unisa.it/GRAPE
GRAPE/2
• Handles authentication
by means of a
numerical one-time
PIN
• The graphical challange
is composed of lowresolution objects
• Challange generation
and proof validation
require poor
computational
resources
GRAPE/3
• The user’s secret is a
sequence of queries formed
like:
– “On which row is the object
x?”
• Where the object x is a
geometrical shape like:
–
–
–
–
Purple full rectangle
Red empty rectangle
White empty exagon
…
GRAPE/4
The user types the PIN here,
each digit is the row number of the
corresponding object
34643
GRAPE/5
• The graphical challenge can be effectively
visualized both through cheap and small-sized
displays and through hi-res monitors
• The user response can be composed through a
numeric keypad as well as through other
sophisticated pointing devices
• Challenge generation and proof validation are
affordable for small devices (e.g. smart-cards
and old-fashioned cell phones)
• The user is simply required to recognize the
position of some objects on the screen
GRAPE/6
• Naive protocol
– The user correctly answers to all the m queries
• Randomized protocol: Correct or random
– The user correctly answers to at least m-r
queries
– The user randomly answers to r queries
• Randomized protocol: Correct or Wrong
– The user correctly answers to exactly m-w
queries
– The user wrongly aswers to w queries
Security Evaluation
• Basic assumption:
– Three unsuccessful trials lead to block of the
account
• Blind attacks:
– Prob. of guessing an “authentication” secret
– Needs to be reasonably low
• Recording attacks (eavesdropping):
– Gaining access to a service after analyzing a
number of transcripts
Naïve protocol
• Blind attack success probability
– a=number of rows in the matrix
– m=secret lenght
– p=1/am
• The value of a cannot be to high!
• If a=4 and m=7, success prob < 10-5
– The number of rows in the matrix should be low
Naïve protocol
• Attack goal:
– Secret extraction.
– The user needs to answer correctly to
all the queries
– Assuming three unsuccessful trials block
the system
Naïve protocol
• Attack description: The adversary
– is provided with as many transcripts she wants
– associates to each object m counters
• one for each component in the secret
– For each transcript (challenge, response),
increases the counter for all the objects in the
row corresponding to the user answer
– Stops when, for each component of the secret,
there exist one object with maximum counter
• This attack always recover the user secret!
Naïve Protocol
• Average number of transcripts m=15
Naïve Protocol
• Average number of transcripts (a=2)
Naïve Protocol
• We can derive that the average
number of transcripts needed to
recover the secret increases if:
– The number of rows (a) in the challenge
decreases
– The length of the secret (m) increases
– The number of objects (q) increases
Correct-randon: blind attack
• In the following
– c=number of correct answers
– m=secret length
m 1  1 
h ah 1 a 
h c
m
mh
Correct-randon: blind attack
• The number c of correct answers must be
greater than m/a
– Otherwise blind attack is easy!
• Example:
– Let a=2 and c=m/3.
• Authentication is granted if the users correcty
guesses at least m/3 components of the secret
– The adversary can randomly guess with high
probability m/2 correct answers
User-randomized protocols
• In user-randomized protocols the
“counting attack” does not work
anymore.
– Due to randomization, objects with
high frequency might not belong to
the secret
• We need to modify attack strategy
User-randomized protocols
• Attack description: The adversary
– is provided with t transcripts
– associates to each object m counters
• one for each component in the secret
– For each transcript, increases the counter for the
objects in the row corresponding to the user answer
– Outputs the objects with maximum value for the
counters.
• Output classification:
– Good: Contains all the m objects in the secret
– Valid: Contains at least c objects from the secret
– Wrong: Contains less than c objects from the secret
Correct-random
Percentage of good and valid secrets
Correct-wrong: blind attack
• In the following
– c=number of correct answers
– m=secret length
m 1  1 
  c 1 
c a  a 
mc
Correct-wrong
• In the correct-wrong case, there is no
“trivial” limit on the number of wrong
answers
– The users needs to
• answer correctly to exactly c queries and
• give wrong answers to exactly m-c queries.
• If c is too low, blind attack has still high
success probability, but strictly less than 1.
– E.g., m=15, r=8, a=2 -> p(succ)=0.19
Correct-wrong
Percentage of good and valid secrets
does not strongly depend on q
QuickTime™ and a
decompressor
are needed to see this picture.
Correct-wrong
Percentage of good and valid secrets strongly
depends on a
– If a=2 the adversary might not be able to extract a valid
secret
QuickTime™ and a
decompressor
are needed to see this picture.
Correct-wrong
Percentage of good and valid secrets
strongly depends on r
QuickTime™ and a
decompressor
are needed to see this picture.
A variation
• Assume the user needs to answer a
specific set of queries correctly
– User and terminal share also a common
sequence, e.g., generated by a PRNG.
• Let a=2
• Blind attack success probability becomes
1/2c(1-1/2)(m-c)=1/2m
• In this case it is possible to use r=m/2
– The adversary does not manage to extract even
a valid sequence.
A variation
• Why?
– Intuitively:
• P(counter increased)=1/2 for every object
independently from the fact that it belongs to the
secret or not!
– The counting attack fails.
• It focuses on the single secret’s component
– Does not consider that:
• “In every transcript there exist exactly c correct
answers”
A SAT-based attack
• Write a boolean formula whose truth
assignment corresponds to the user secret
• Associate to each object oiO m boolean
variables xi,1,…, xi,m
• Let C be a challenge consisting of a=2 rows
– Let (i1,…,ip) be the indices of the objects on the
first row
– Let (ip+1,…,iq) be the indices of the objects on
the second row
A SAT-based attack
• The j-th component of the secret belongs
to one of the two rows of the challenge.
0, j  xi , j  xi , j ... xi
1
1, j  xi


p1 ,
2
j
p,
j
 xip2 , j ... xiq , j

A SAT-based attack
• Let:
– =(1,…, m) be a single user reply
– Am={a=(a1,…,am){0,1}m| w(a)=m/2}
• ai=0 -> I-th answer is correct.
• The following formula is satisfiable:


m
 ( j a j (1  j )a j )
(a1 ,..., a m )A m j1
• There exists one aAm such that the j-th
component of the secret is in row jaj for j=1,…m
A SAT-based attack
• Extending the formula to k
transcripts, it is possible to show
that the following formula is
satisfiable
t
  
(k )
k1
• Note: (k) are formulae over the same
literals

A SAT-based attack
• Finally, since for each component, there
exists exactly one object
m q
    (x1, j ...x i1, j  x i, j x i1, j ...x q, j )
j1 i1
• So = is satisfiable and its truth
assignment corresponds to the user secret.
What about “devices”
• The proposed scheme is not limited to
human authentication.
– Simply modify the set of objects to a list of
numbers/strings.
– The device needs to recognize binary strings
– If a device (smart card/RFID) is able to run a
PRNG:
• The device can authenticate the reader
– Need to generate the challenge
– Instead of being authenticated by a reader.
• It can implement the “variant” of our scheme
– Or store a list of sequences…
Usability evaluation
• Average login time
• Error rate
Conclusions
• Presented an authentication mechanism
“implementable” by humans and devices
• Counting attacks lead to (valid) secret
extraction in reasonable time
– 10-12 sessions for naïve protocol
– Up to 36 for correct wrong
• To be done.
– Implement the SAT based attack
• The size of the formula is exponential in the secret
length…