
Breaking Undercover: Exploiting Design Flaws and Nonuniform Human Behavior

Toni Perković¹

joint work with

Asma Mumtaz², Yousra Javed², Shujun Li³, Syed Ali Khayam² and Mario Čagalj¹

¹ FESB, University of Split, Croatia
² National University of Science and Technology, Pakistan
³ Zukunftskolleg, University of Konstanz, Germany

21/07/2011

Outline

• Introduction

• How does Undercover work?
– Implementation 1 @ CHI’2008
– Implementation 2 @ Pervasive’2009

• Breaking Undercover
– Timing attack
– Intersection attack

• Can Undercover be enhanced?
– Attempt #1
– Attempt #2

• Generalizing timing attacks

• Summary

Introduction

• Classical PIN-entry methods (via keyboards, keypads and the like) are all vulnerable to observation attacks

• Shoulder surfing attacks

• Phishing attacks

• Malware based attacks

Thinkst.com – July 2011

[Kuhn2004]

http://www.isgafrica.org/blog

Introduction

• Solution: A challenge-response protocol

• User (P) and Verifier (V) share secret S

– V → P: challenges C1(S), …, Ct(S)

– P → V: responses R1=f1(C1,S), …, Rt=ft(Ct,S)

– V: Accept P if all responses are correct

• Goal: design a mapping f such that the attacker cannot recover S
– C and R are fully observable to the attacker
– C and R are completely or partially unobservable to the attacker

[Figures: fully observable: [Sobrado02]; partially observable: [Sasamoto08]]

Introduction

• Designing a usable cognitive PIN-entry method secure against eavesdroppers is truly challenging:

• Matsumoto-Imai scheme (EuroCrypt’91)
– NOT secure (Wang et al., EuroCrypt’95)

• Matsumoto protocols (CCS’96)
– NOT secure (Hopper & Blum 2001; Li & Shum 2003)

• Hopper-Blum protocols (AsiaCrypt’2001)
– NOT usable (166 seconds for login)

• Cognitive Authentication Scheme (S&P’2006)
– Neither usable nor secure (S&P’2007)

• Predicate-based Authentication Scheme (ACSAC’2008)
– Neither secure nor usable (ACSAC’2009)

• Undercover (CHI’2008)
– Is Undercover secure?

• Challenge 1: Security vs. Usability
• Challenge 2: Weak humans vs. Powerful attackers

It is difficult to design a secure HCI: the devil is in the details

Undercover: Implementation 1

• Hirokazu Sasamoto, Nicolas Christin and Eiji Hayashi, “Undercover: Authentication Usable in Front of Prying Eyes”, CHI’2008

• One login session:
– 28 pictures: 5 pass-pictures and 23 non-pass
– 7 public challenges:
  • 5 challenges with one pass-picture
  • 2 challenges without pass-picture
– Each public challenge contains:
  • One hidden challenge – trackball covered by hand

[Figure: Undercover system]

Undercover: Implementation 1

• Example:
– Public challenge
– Hidden challenge: “Left”
– Response: 2

• Average login time: ≈ 32 sec

Undercover: Implementation 2

• M. Hasegawa, N. Christin and E. Hayashi, “New Directions in Multisensory Authentication,” Pervasive’2009

• Average login time: ≈ 10 sec. vs 32 sec. with Undercover

• Other solutions:
– VibraPass [De Luca09]
– Secure Haptic Key (SHK) [Bianchi10]
– STL, Mod10 [Perkovic10]

[Figure: PIN digit is 2, hidden digit is 6]

Undercover

• How safe is Undercover against timing/intersection attacks?
• How safe is Alternative Undercover against intersection attacks?

• These problems are due to:
– Design flaws
– Nonuniform human behavior

• They can be fixed

• The problems are general and not specific to Undercover

[Figures: Undercover; Alternative Undercover]

Undercover: Our Implementation

• Software-based implementation

• PassFaces

• Hidden channel

Breaking Undercover

• A cooperative usability study at two universities:
– FESB, University of Split in Croatia
– National University of Science and Technology (NUST) in Pakistan

– 28 users (students and staff members)
– Users were asked to log in once a day

– Overall success login rate ≈ 84%
– Median login rate: 26.5
– Median login time: 30.1 sec
– 18 used the keyboard, 10 used the mouse as input device

– Compared to original Undercover, the median login time is slightly shorter (32 sec. vs 30.1 sec.)

Timing Attack on Undercover

• A design flaw → Non-uniform human behavior
• The human response pattern:

• The difference between the user’s responses to “Up” hidden challenges and to other hidden challenges is significant at the 5% level.

• Assume that the fastest response corresponds to “Up” challenge

Timing Attack on Undercover

• Attack procedure:
– Step 1: Create 28 counters, C1,…,C28, for the 28 pictures, and initialize all of them to be 0.
– Step 2: For each observed login session, take the fastest response and assume that it corresponds to an “Up” challenge. Then, if the corresponding public challenge contains a pass-picture i, Ci++.
– Step 3: Rank all the pictures according to the values of the 28 counters, and take the top five pictures as the five pass-pictures forming the password.

• Some settings and enhancements: 1) negative penalty; 2) multiple fastest responses; 3) successful logins only.

Counter     C1   C2   C3   ...   Ci-1   Ci   Ci+1   ...   C28
Session 0    0    0    0   ...     0     0     0    ...     0
Session 1    0    0    1   ...     0     0     0    ...     0
Session 2    1    0    1   ...     0     0     0    ...     0
Session 3    1    0    1   ...     0     0     1    ...     0
...
Session N   15    4   10   ...     2     6     9    ...    15

Timing Attack on Undercover

• Theoretical analysis:
– pt5 – probability of revealed password
– p*t5 – probability where the pass-picture is in the top 5 ranked

• Real performance – best results:
– First fastest response, no negative penalty, successful logins
– First fastest response, negative penalty, successful logins

• The real performance is similar to the one in the theoretical analysis.

Intersection Attack on Undercover

• Each pass-picture and decoy picture is shown once and only once in a single authentication process.

Are public challenges fixed or randomized?

• Attack (randomized public challenges):
– Step 1: Set P to be the space of all possible passwords
– Step 2: For each observed public challenge, reduce the space of candidate passwords P by checking each password in P and removing invalid ones
– Step 3: Repeat Step 2 until the size of P becomes 1

• Example: observed i-th public challenge

[Figure: Reduced candidate passwords]

Intersection Attack on Undercover

• Results of the attack

• MATLAB simulations with 15 randomly generated login sessions:
– On average 7-10 observed login sessions reveal the password

• Real login data collected in our user studies:
– On average 8-11 login sessions reveal the password

• Solution: use fixed public challenges

• Additionally we asked the authors of Undercover – they used fixed challenges

• The devil is in the details
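A design check for the choice between randomized and fixed public challenges, as an added example (not code from the talk or from the Undercover authors). It simulates the candidate-set reduction from the previous slide; the 4-pictures-per-challenge grouping and the validity rule (a candidate is removed when one challenge shows two of its pictures) are assumptions derived from the slide's counts, and all names are hypothetical.

```python
import random
from itertools import combinations

# From the slides: 28 pictures, 5 pass-pictures, 7 public challenges.
# Assumption: 28 / 7 = 4 pictures per public challenge.
N_PICTURES, N_PASS, GROUP_SIZE = 28, 5, 4
N_GROUPS = N_PICTURES // GROUP_SIZE

def mask(pictures):
    """Encode a set of picture indices as a bitmask."""
    m = 0
    for p in pictures:
        m |= 1 << p
    return m

def fixed_layout():
    """The same partition into 7 public challenges in every session."""
    return [mask(range(i, i + GROUP_SIZE)) for i in range(0, N_PICTURES, GROUP_SIZE)]

def random_layouts(password, rng):
    """Yield a fresh random partition per session, at most one pass-picture per challenge."""
    while True:
        decoys = [p for p in range(N_PICTURES) if p not in password]
        rng.shuffle(decoys)
        groups = [[] for _ in range(N_GROUPS)]
        for slot, pic in zip(rng.sample(range(N_GROUPS), N_PASS), password):
            groups[slot].append(pic)
        for g in groups:
            while len(g) < GROUP_SIZE:
                g.append(decoys.pop())
        yield [mask(g) for g in groups]

def consistent(candidate, layout):
    """Assumed validity rule: no challenge may show two pictures of the candidate."""
    return all((candidate & g) & ((candidate & g) - 1) == 0 for g in layout)

def sessions_until_unique(layouts, max_sessions=60):
    """Filter all C(28,5) candidates session by session; return (sessions, survivors)."""
    survivors = [mask(c) for c in combinations(range(N_PICTURES), N_PASS)]
    for n in range(1, max_sessions + 1):
        layout = next(layouts)
        survivors = [c for c in survivors if consistent(c, layout)]
        if len(survivors) == 1:
            break
    return n, survivors
```

With a fixed layout the candidate set stops shrinking after the first session (21,504 of the 98,280 candidates remain under these assumptions), whereas randomized layouts keep removing candidates until only the real password is left.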

Intersection Attack on Alternative Undercover

• Example:
– PIN digit is 2, hidden digit is 6
– The user pushes Button “Left” (◄) and Button “Down” (▼)

• The set of passwords is reduced from 10 to 4 (1, 2, 3 and 4)

• Theoretical analysis: PIN “0459” is revealed after 9 login sessions
• MATLAB simulations: PINs “1236” and “0459” are revealed after a median number of 11 and 9 login sessions, respectively.

Theoretical analysis of Intersection attack

PIN digit   Combinations of button press patterns   Occurrence probability in n responses
0           ▼ + ►►►►
4           ▼ + ◄◄◄◄
5           ▲ + ►►►►
9           ▲ + ◄◄◄◄
1           ▼ + ►►► + ◄
3           ▼ + ► + ◄◄◄
6           ▲ + ►►► + ◄
8           ▲ + ► + ◄◄◄
2           ▼ + ►► + ◄◄
7           ▲ + ►► + ◄◄

Enhancing Undercover: Attempt #1

• Change the button maps to make them equally difficult

• Results of the evaluation: It failed!
– Reason: “Up” button map is closest to the public challenge

[Figure: Before Enhancement]

Enhancing Undercover: Attempt #2

• Equal visual distance from each button map to the public challenge
• The hidden challenges are changed to “1”, …, “5”

• Procedure:
– Step 1: Find the hidden response in the button layout near to the pass-picture or the “no pass-picture”
– Step 2: Press the button at the same location as the hidden response

• Example:
– Hidden challenge: “2”
– Response: 3

Enhancing Undercover: Attempt #2

• Enhanced security:
– The response times to different hidden challenges are not significantly different.
– None of the passwords was fully revealed; the maximum number of revealed pass-pictures is below 50%

• Enhanced usability:
– The average login time ≈ 19 sec vs 30.1 sec. with Undercover
– The error rate: 6%

• All users preferred to use this method over Undercover!

Generalizing Timing Attacks

CCS poster [Kune2010]

• Human behavior can be nonuniform and nonlinear in many aspects:

– Response time

– Response error rate

– Mental computation

– Temporal variation

– Personal preference

– Facial expression and hand/body movement

• User interface should be designed in a way that users have NO distinguishable nonuniform behavior.

Mod10 [Perkovic10]

(0+7)mod 10 vs. (6+7) mod 10

Undercover - [Sasamoto2008]

(6+9)mod 10=5 vs. 6-1=5

[Hopper01]
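One way a designer could check a layout for the response-time leak described in this talk, as an added example (not code from the talk): a permutation test at the 5% level on whether any hidden challenge is answered at a different speed from the rest. The timings are constructed sample data, and the five challenge names and all function names are assumptions.

```python
import random

CHALLENGES = ["Up", "Down", "Left", "Right", "Center"]   # assumed hidden-challenge names
JITTER = [-0.3, -0.2, -0.1, 0.0, 0.0, 0.1, 0.2, 0.3]     # constructed spread, seconds

def constructed_log(up_offset):
    """Constructed sample: 8 timings per challenge around 3.0 s, "Up" shifted by up_offset."""
    return [(c, 3.0 + (up_offset if c == "Up" else 0.0) + j)
            for c in CHALLENGES for j in JITTER]

def mean(xs):
    return sum(xs) / len(xs)

def leakage_p_value(own, rest, rounds=2000, seed=0):
    """Two-sided permutation test on the difference of mean response times."""
    rng = random.Random(seed)
    observed = abs(mean(own) - mean(rest))
    pooled = list(own) + list(rest)
    hits = 0
    for _ in range(rounds):
        rng.shuffle(pooled)
        # Relabel at random: how often is a gap at least this large seen by chance?
        if abs(mean(pooled[:len(own)]) - mean(pooled[len(own):])) >= observed:
            hits += 1
    return (hits + 1) / (rounds + 1)

def audit_layout(log, alpha=0.05):
    """log: list of (hidden_challenge, response_time_sec).
    Returns {challenge: p} for every challenge whose timings differ from the others."""
    flagged = {}
    for ch in sorted({c for c, _ in log}):
        own = [t for c, t in log if c == ch]
        rest = [t for c, t in log if c != ch]
        p = leakage_p_value(own, rest)
        if p < alpha:
            flagged[ch] = p
    return flagged
```

A layout in which "Up" is answered one second faster is flagged, while one with identical timing distributions for every challenge is not; real study data would also need a correction for testing several challenges at once.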

Summary

• We presented two attacks on Undercover

• Security weakness in Undercover is due to some design flaws and nonuniform human behavior

• User behavior reveals sensitive information

• We proposed enhancements – a more secure and usable design

• In future, designers of security systems should pay attention to human-computer interfaces

• Future work:

– Generalization of timing attacks to other Undercover-like designs and other graphical passwords

– Development of new Undercover-like designs with lower login time and error rate

Timing attacks on cognitive authentication schemes have to be seriously considered!


Thank you for your attention!

Questions?
