Research article

Exploiting Behavioral Side Channels in Observation Resilient Cognitive Authentication Schemes

Published: 28 September 2020

Abstract

Observation Resilient Authentication Schemes (ORAS) are a class of shared-secret challenge–response identification schemes in which the user mentally computes the response to each challenge via a cognitive function, so that an eavesdropper who observes the exchange cannot readily extract the secret. Security evaluation of ORAS generally involves quantifying the information leaked through observed challenge–response pairs; little work has evaluated the information leaked through the user's behavior while interacting with such a scheme. A common way to achieve observation resilience is to include a modulus operation in the cognitive function: the map from the set of possible secrets to a given response becomes many-to-one, which minimizes the information each response leaks about the secret. In this work, we show that user behavior can be used as a side channel to recover the secret in such ORAS. Specifically, the user's eye-movement patterns and the associated timing information reveal whether a modulus operation (a fundamental design element) was performed, and that fact leaks information about the secret. We further show that the secret can still be retrieved when this deduction is erroneous, the more likely case in practice. We treat the vulnerability analytically and propose a generic attack algorithm that iteratively recovers the secret despite "faulty" modulus information. We demonstrate the attack on five ORAS and show that the secret can be retrieved with considerably fewer challenge–response pairs than non-side-channel attacks (e.g., algebraic or statistical attacks) require. In particular, our attack applies to Mod10, a one-time-pad-based scheme, for which no non-side-channel attack exists. We field-test our attack with a small-scale eye-tracking user study.
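The following is an added illustration of the mechanism the abstract describes; it is not code from the paper and does not implement any of the five ORAS the paper evaluates. The toy scheme (two secret digits added mod 10 per challenge), the demo secret, and the error model (each side-channel wrap bit is wrong independently with probability err) are assumptions made for the demonstration. It shows why the modulus is many-to-one for a responses-only attacker, how an exact "did the addition wrap" bit resolves that ambiguity, and how a weighted candidate search still converges on the secret when one wrap bit is read wrongly.

```python
"""Constructed illustration of a modulus side channel against a cognitive
authentication scheme.  Added example code, not code from the paper and not
any of the five ORAS it evaluates; the toy scheme, the secret, and the error
model below are assumptions made for the demonstration.

Toy scheme (hypothetical): the secret is N digits in 0..9.  A challenge
names two positions (i, j); the user mentally computes
    r = (s[i] + s[j]) mod 10
and enters r.  The modulus makes the map from (s[i], s[j]) to r many-to-one.

Side channel: the attacker also obtains a bit w saying whether the addition
wrapped (s[i] + s[j] >= 10).  Each reading is assumed to be wrong
independently with probability err.
"""
import itertools

N = 4      # secret length in digits
MOD = 10   # modulus in the cognitive function


def respond(secret, i, j):
    """User's mental computation for challenge (i, j): (response, wrap bit)."""
    total = secret[i] + secret[j]
    return total % MOD, total >= MOD


def make_transcript(secret, pairs, flip_at=()):
    """Observed (i, j, r, w_obs) per challenge.  Wrap bits whose index is in
    flip_at are inverted to model a faulty side-channel deduction."""
    out = []
    for k, (i, j) in enumerate(pairs):
        r, w = respond(secret, i, j)
        if k in flip_at:
            w = not w
        out.append((i, j, r, w))
    return out


def strip_side_channel(transcript):
    """The same transcript as a non-side-channel attacker sees it."""
    return [(i, j, r, None) for (i, j, r, _) in transcript]


def attack(transcript, err):
    """Generic iterative attack over all MOD**N secrets.

    Hard filter: a candidate must reproduce every observed response r.
    Soft weight: a surviving candidate is multiplied by (1 - err) for each
    wrap bit it predicts correctly and by err for each it gets wrong, so a
    faulty reading lowers the true secret's score without eliminating it.
    Returns {candidate: posterior} normalised over the survivors.
    """
    weights = {}
    for s in itertools.product(range(MOD), repeat=N):
        w = 1.0
        for (i, j, r, w_obs) in transcript:
            r_s, wrap_s = respond(s, i, j)
            if r_s != r:
                w = 0.0
                break
            if w_obs is not None:
                w *= (1.0 - err) if wrap_s == w_obs else err
        if w > 0.0:
            weights[s] = w
    total = sum(weights.values())
    return {s: w / total for s, w in weights.items()}


def best_guess(posterior):
    return max(posterior, key=posterior.get)


# Constructed demo secret; every position pair is challenged once per pass.
SECRET = (3, 7, 1, 9)
PAIRS = list(itertools.combinations(range(N), 2))

if __name__ == "__main__":
    t = make_transcript(SECRET, PAIRS)
    # Responses alone cannot separate SECRET from the secret with 5 added to
    # every digit: (a+5)+(b+5) = a+b+10, identical mod 10 on every pair.
    print("responses only:", sorted(attack(strip_side_channel(t), err=0.0)))
    # The wrap bit differs between those two on pairs where one wraps and the
    # other does not, so the side channel resolves the ambiguity.
    post = attack(t, err=0.2)
    print("with wrap bits:", best_guess(post), round(post[SECRET], 3))
    # One faulty bit on a discriminating pair leaves a tie after one pass ...
    post = attack(make_transcript(SECRET, PAIRS, flip_at={1}), err=0.2)
    print("one faulty bit, one pass:", round(post[SECRET], 3))
    # ... but repeating the challenges with fresh readings outvotes it.
    post = attack(make_transcript(SECRET, PAIRS * 3, flip_at={1}), err=0.2)
    print("one faulty bit, three passes:", best_guess(post), round(post[SECRET], 3))
```

In this toy, adding 5 to every secret digit leaves every response unchanged, which is the many-to-one map a responses-only attacker is stuck with; the wrap bit is exactly what separates the two survivors. "Iteratively" here means keep collecting challenge–response pairs and side-channel readings until the posterior concentrates on one candidate: a single wrong reading on a discriminating challenge produces a tie, and further passes break it. The independent-error assumption is a simplification; deductions from real eye-movement and timing data need not be independent across challenges, and an attacker should estimate err from the user study rather than guess it.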

References

  1. Hassan Jameel Asghar, Shujun Li, Ron Steinfeld, and Josef Pieprzyk. 2013. Does counting still count? Revisiting the security of counting based user authentication protocols against statistical attacks. In Proceedings of the 20th Annual Network and Distributed System Security Symposium. 1--18.Google ScholarGoogle Scholar
  2. Hassan Jameel Asghar, Josef Pieprzyk, and Huaxiong Wang. 2010. A new human identification protocol and Coppersmith’s baby-step giant-step algorithm. In Proceedings of the International Conference on Applied Cryptography and Network Security. Springer, 349--366.Google ScholarGoogle ScholarCross RefCross Ref
  3. Hassan Jameel Asghar, Ron Steinfeld, Shujun Li, Mohamed Ali Kaafar, and Josef Pieprzyk. 2015. On the linearization of human identification protocols: Attacks based on linear algebra, coding theory, and lattices. IEEE Trans. Inf. Forens. Secur. 10, 8 (2015), 1643--1655.Google ScholarGoogle ScholarDigital LibraryDigital Library
  4. Adam J. Aviv, Katherine Gibson, Evan Mossop, Matt Blaze, and Jonathan M. Smith. 2010. Smudge attacks on smartphone touch screens. In Proceedings of the 4th USENIX Conference on Offensive Technologies. USENIX, 1--7.Google ScholarGoogle Scholar
  5. Tadas Baltrušaitis, Peter Robinson, and Louis-Philippe Morency. 2016. Openface: An open source facial behavior analysis toolkit. In Proceedings of the Applications of Computer Vision (WACV’16). IEEE, 1--10.Google ScholarGoogle ScholarCross RefCross Ref
  6. Sacha Brostoff and M. Angela Sasse. 2000. Are passfaces more usable than passwords? A field trial investigation. In People and Computers XIV—Usability or Else! Springer, 405--424.Google ScholarGoogle ScholarCross RefCross Ref
  7. Mario Čagalj, Toni Perković, and Marin Bugarić. 2015. Timing attacks on cognitive authentication schemes. IEEE Trans. Inf. Forens. Secur. 10, 3 (2015), 584--596.Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. Liang Cai and Hao Chen. 2011. TouchLogger: Inferring keystrokes on touch screen from smartphone motion. In Proceedings of the 6th USENIX Conference on Hot Topics in Security. USENIX.Google ScholarGoogle Scholar
  9. Jagmohan Chauhan, Benjamin Zi Hao Zhao, Hassan Jameel Asghar, Jonathan Chan, and Mohamed Ali Kaafar. 2017. BehavioCog: An observation resistant authentication scheme. In Proceedings of the International Conference on Financial Cryptography and Data Security. Springer, 39--58.Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. Edwin S. Dalmaijer, Sebastiaan Mathôt, and Stefan Van der Stigchel. 2014. PyGaze: An open-source, cross-platform toolbox for minimal-effort programming of eyetracking experiments. Behavior Research Methods 46, 4 (2014), 913–921.Google ScholarGoogle ScholarCross RefCross Ref
  11. Rachna Dhamija, Adrian Perrig, et al. 2000. Deja vu-a user study: Using images for authentication. In Proceedings of the USENIX Security Symposium, Vol. 9.Google ScholarGoogle Scholar
  12. Lior Elazary and Laurent Itti. 2010. A bayesian model for efficient visual search and recognition. Vis. Res. 50, 14 (2010), 1338--1352.Google ScholarGoogle ScholarCross RefCross Ref
  13. Fabian Pedregosa, Gaël Varoquaux, Alexandre Gramfort, Vincent Michel, Bertrand Thirion, Olivier Grisel, Mathieu Blondel, Peter Prettenhofer, Ron Weiss, Vincent Dubourg, Jake Vanderplas, Alexandre Passos, David Cournapeau, Matthieu Brucher, Matthieu Perrot, and Édouard Duchesnay. 2011. Scikit-learn: Machine learning in Python. J. Mach. Learn. Res. 12 (2011), 2825--2830.Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. Denis Foo Kune and Yongdae Kim. 2010. Timing attacks on PIN input devices. In Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS’10). ACM, New York, NY, 678--680. DOI:https://doi.org/10.1145/1866307.1866395Google ScholarGoogle Scholar
  15. Ian Goodfellow, Yoshua Bengio, Aaron Courville, and Yoshua Bengio. 2016. Deep Learning. Vol. 1. MIT Press, Cambridge, MA.Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. Dan Witzner Hansen and Qiang Ji. 2010. In the eye of the beholder: A survey of models for eyes and gaze. IEEE Trans. Pattern Anal. Mach. Intell. 32, 3 (2010), 478--500.Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. Nicholas J. Hopper and Manuel Blum. 2001. Secure human identification protocols. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security. Springer, 52--66.Google ScholarGoogle Scholar
  18. Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Richard Shay, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor. 2013. The impact of pattern length, pattern compactness, and mathematical operators on the usability and security of system-assigned graphical one-time PINs. In Proceedings of the International Conference on Financial Cryptography and Data Security. 34--51.Google ScholarGoogle ScholarCross RefCross Ref
  19. Kyle Krafka, Aditya Khosla, Petr Kellnhofer, Harini Kannan, Suchendra Bhandarkar, Wojciech Matusik, and Antonio Torralba. 2016. Eye tracking for everyone. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. 2176--2184.Google ScholarGoogle ScholarCross RefCross Ref
  20. Daniel LeBlanc, Alain Forget, and Robert Biddle. 2010. Guessing click-based graphical passwords by eye tracking. In Proceedings of the 2010 8th Annual International Conference on Privacy Security and Trust (PST’10). IEEE, 197--204.Google ScholarGoogle ScholarCross RefCross Ref
  21. Jo-Anne LeFevre, Gregory S. Sadesky, and Jeffrey Bisanz. 1996. Selection of procedures in mental addition: Reassessing the problem size effect in adults. J. Exp. Psychol. Learn. Mem. Cogn. 22, 1 (1996), 216.Google ScholarGoogle ScholarCross RefCross Ref
  22. Shujun Li and Heung Yeung Shum. 2005. Secure human-computer identification (interface) systems against peeping attacks: SecHCI. Cryptology ePrint Archive, Report 2005/268, 2005. https://eprint.iacr.org/2005/268.Google ScholarGoogle Scholar
  23. Tsutomu Matsumoto. 1998. Human–computer cryptography: An attempt. J. Comput. Secur. 6, 3 (1998), 129--149.Google ScholarGoogle ScholarDigital LibraryDigital Library
  24. Hanchuan Peng, Fuhui Long, and Chris Ding. 2005. Feature selection based on mutual information criteria of max-dependency, max-relevance, and min-redundancy. IEEE Trans. Pattern Anal. Mach. Intell. 27, 8 (2005), 1226--1238.Google ScholarGoogle ScholarDigital LibraryDigital Library
  25. Hirokazu Sasamoto, Nicolas Christin, and Eiji Hayashi. 2008. Undercover: Authentication usable in front of prying eyes. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 183--192.Google ScholarGoogle ScholarDigital LibraryDigital Library
  26. Krebson Security. [n.d.]. Hidden Cameras on Automated Teller Machines (ATMs). Retrieved Novemenber 30, 2018 from https://krebsonsecurity.com/tag/atm-skimmer/.Google ScholarGoogle Scholar
  27. Laurent Simon and Ross Anderson. 2013. Pin skimmer: Inferring pins through the camera and microphone. In Proceedings of the 3rd ACM workshop on Security and Privacy in Smartphones 8 Mobile Devices. ACM, 67--78.Google ScholarGoogle ScholarDigital LibraryDigital Library
  28. James Victor Uspensky. 1937. Introduction to Mathematical Probability. McGraw-Hill, New York, NY, 23--24.Google ScholarGoogle Scholar
  29. Susan Wiedenbeck, Jim Waters, Leonardo Sobrado, and Jean-Camille Birget. 2006. Design and evaluation of a shoulder-surfing resistant graphical password scheme. In Proceedings of the Working Conference on Advanced Visual Interfaces. ACM, 177--184.Google ScholarGoogle ScholarDigital LibraryDigital Library
  30. Gordon Thomas Wilfong. 1999. Method and apparatus for secure PIN entry. Patent number: 5940511, August 1999.Google ScholarGoogle Scholar
  31. Qiang Yan, Jin Han, Yingjiu Li, and Robert H. Deng. 2012. On limitations of designing leakage-resilient password systems: Attacks, principles and usability. In Proceedings of the 19th Annual Network and Distributed System Security Symposium. Citeseer.Google ScholarGoogle Scholar
  32. Qinggang Yue, Zhen Ling, Xinwen Fu, Benyuan Liu, Kui Ren, and Wei Zhao. 2014. Blind recognition of touched keys on mobile devices. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. ACM, 1403--1414.Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. Exploiting Behavioral Side Channels in Observation Resilient Cognitive Authentication Schemes

        Recommendations

        Comments

        Login options

        Check if you have access through your login credentials or your institution to get full access on this article.

        Sign in

        Full Access

        • Article Metrics

          • Downloads (Last 12 months)20
          • Downloads (Last 6 weeks)0

          Other Metrics

        PDF Format

        View or Download as a PDF file.

        PDF

        eReader

        View online with eReader.

        eReader

        HTML Format

        View this article in HTML Format .

        View HTML Format
        About Cookies On This Site

        We use cookies to ensure that we give you the best experience on our website.

        Learn more

        Got it!