Thread: Defeating Shoulder Surfing (Tutorial)

  1. #1
    Banned
    Join Date
    May 2003
    Posts
    1,004

    Defeating Shoulder Surfing (Tutorial)

    Although multi-factor authentication is becoming more and more common, password security is still a critical element of an overall security policy. Password security faces the following threats:
    • Storage compromise
    • Transmission compromise
    • Artificial agent
    • Psychological evaluation
    • Brute force
    • User dissemination
    • Attacker observation

    If security theory teaches us anything, it is that a single high assurance point of control offers the greatest security. The problem with password security is that the controls used to protect passwords against transmission compromise, artificial agent, psychological evaluation, user dissemination, and attacker observation fall directly on the shoulders of each and every user.
    In the case of transmission compromise it is critical for the user to ensure they are not using a compromised/monitored host or network, a plain text protocol, or a flawed protocol. It is critical that the user ensure they are providing the password to the proper agent. How difficult is it to create a fake login screen?
    In the case of psychological evaluation attacks, users are given the burden of selecting passwords unrelated to personal information (spouse’s name, pet’s name, birthdays, etc.).
    User dissemination via post-it notes or whatever is directly related to the user’s ability to remember their passwords, which in turn is related to both the complexity and quantity of passwords they are required to remember.
    Lastly we have attacker observation, which historically has been limited to a person watching and remembering the password inputs. Technological advancements have made various keystroke recorders as well as easily concealed video recording devices more available to the general public (including, of course, any potential attackers). It is exceptionally difficult for a user to ensure that no such recording devices are present.

    Unfortunately, at this time no single technique (although multi-factor authentication helps) defeats all of these vulnerabilities. Traditional means such as strong hashes, strong passwords, secure channels, frequently changed passwords, etc. fail to address all of these issues; in particular they fail to address input monitoring. Fortunately, last October Roth, Richter, and Freidinger published "A PIN-entry method resilient against shoulder surfing" (http://portal.acm.org/citation.cfm?id=1030116), which introduces the idea of Cognitive and Probabilistic Cognitive Trapdoor Games. Although this paper specifically addresses PIN entry, it translates to passwords very easily, though perhaps not ideally... I will modify and expand on it for my purposes.

    The idea is to discontinue the use of passwords and switch users to smart cards/trusted systems and simple 4-6 digit PINs.

    Storage compromise: shows an increased likelihood of hash compromise
    Transmission compromise: shows no change
    Artificial agent: shows no change
    Psychological evaluation: shows an increased likelihood of correct guessing
    Brute force: shows an increased likelihood of correct guessing, but see below
    User dissemination: shows a clear decrease in likelihood
    Attacker observation: is dramatically reduced

    To elaborate: this will increase the likelihood of hash cracking in the event of a system compromise and may exacerbate the issue of psychological attacks, as users are likely to pick simple dates (birthday, anniversary, last four digits of their phone number, etc.), and lastly brute forcing is easier as there is a shorter key length and a simpler data set. With all of these negatives, why in god's name would I think of this as a good idea?

    Well, first and foremost, brute forcing will in fact decrease when this PIN is coupled with an account lockout policy and the requirement of the second factor of authentication. Additionally, the account lockout policy can require the smart card to be re-keyed, preventing a second attempt by the attacker. The account lockout policy may be unusually strict as well due to the limited complexity of the PIN: the user is unlikely to typo repeatedly, and it is impossible to mis-shift.

    User dissemination is far less likely due to the aforementioned reduction in complexity as well, though this issue will never be completely removed so long as users need to remember anything.

    The meat of all of this is the game! The idea is to create a game so simple that any user can win if they know the key, but sufficiently difficult to win for an attacker that doesn’t know the key. Additionally the attacker should not be able to learn the key, even after observing the entire input and output of the authentication transaction.

    The user will be presented with a 10-key display: either a touch screen, an actual keypad (for more secure environments), or most likely a display with binary keys defined on the keyboard (left and right arrow, for example). Half of the digits are white text on black keys and the other half are black text on white keys. The touch screen, keypad, or binary keyboard keys will represent both the white and black keys. In order to select a given number, select its key color; the result is a high degree of ambiguity for an observer.

    Example (The PIN is 2005):
    Code:
    Round 1:
    Black (1,3,4,7,0) - White (2,5,6,8,9)
    Select - White
    
    Round 2:
    Black (2,3,5,7,0) - White (1,4,6,8,9)
    Select - Black
    
    Round 3:
    Black (1,2,5,8,9) - White (3,4,6,7,0)
    Select - White
    
    Round 4:
    Black (1,4,5,7,0) - White (2,3,6,8,9)
    Select - Black
    In this simple example an observer is left with the following potential PINs:

    2231, 2234, 2235, etc., etc. (625 possible for a four-digit PIN). However, since the entry method is binary, the attacker doesn't need to know the exact password, since each selection has a 50/50 chance of being correct. The odds of a correct guess are now not one in 625 after a single, complete observation (which is much better than one in one after a complete observation) but one in 16 after no observations (which is much, much worse) and unchanged after a single observation.

    Clearly this implementation isn't that great, but perhaps you see where we're going with it. In the aforementioned article they use two methods. The first is directed at deterring simple human observation (Cognitive Trapdoor Game), which requires four inputs like the one above for each digit in the PIN, resulting in 16 entries overall. Each entry is presented in real time. The second approach (Probabilistic Cognitive Trapdoor Game) is intended to even defeat observation attacks where the observer acquires all of the input, such as with a recording device. This method presents a sequence of four screens and then prompts the user for blacks and whites after the sequence; this process is repeated for each digit. The key in the Probabilistic Cognitive Trapdoor Game is that each entry defines two digits instead of one to ensure a level of ambiguity; otherwise, after 2-3 selections it is usually possible to isolate which digit is correct... for example:

    First PIN digit
    Code:
    Round 1:
    Black (1,3,4,7,0) - White (2,5,6,8,9)
    Select - Black
    
    Round 2:
    Black (2,3,5,7,0) - White (1,4,6,8,9)
    Select - Black
    
    Round 3:
    Black (1,2,5,8,9) - White (3,4,6,7,0)
    Select - White
    
    Round 4:
    Black (1,4,5,7,0) - White (2,3,6,8,9)
    Select - White
    Using this data we can determine the first digit:

    Round 1: 1,3,4,7,0
    Round 2: 2,3,5,7,0
    Round 3: 3,4,6,7,0
    Round 4: 2,3,6,8,9

    First Elimination: 1,2,4,5
    Second Elimination: 6
    Third Elimination: 7,8,9,0

    Leaving only 3.

    I wish to take a slightly different path, although many are available depending on your given needs. In the system I will present here, the objectives were simplicity and the ability to optionally and seamlessly integrate a duress alarm for critical accounts.

    The user requires:
    1. Their smart card
    2. Their numerical password
    3. Their color

    To authenticate themselves to the system, the user must present their smart card (in this case a USB keychain). Next the user is presented with the numerical display; the left arrow key is used to indicate black, the right arrow key white. The user must enter each digit of their PIN that is presented in their color once, while each digit of their password not first presented in their color must be entered twice. For example:

    Now let us assume the user password is 1234 and their color is black.

    Code:
    Round 1:
    Black (1,3,4,7,0) - White (2,5,6,8,9)
    Select - Black
    
    Round 2:
    Black (2,3,5,7,0) - White (1,4,6,8,9)
    Select - Black
    Since the user's color is black, these digits are entered correctly.
    Code:
    Round 3:
    Black (1,2,5,8,9) - White (3,4,6,7,0)
    Select - White
    Now in this case the digit (0) was a white key, so the user must enter the third digit again.
    Code:
    Round 4:
    Black (1,4,5,7,0) - White (2,3,6,8,9)
    Select - Black
    This completes the third digit, even if the digit showed as white again.
    Code:
    Round 5:
    Black (1,2,5,6,9) - White (3,4,7,8,0)
    Select - Black
    This concludes the actual data entry portion (in this case five rounds). To further complicate the issue, since the entry may take up to 12 rounds (a six-digit password, each digit shown in the non-chosen color), it is best to have all password entry sequences of a fixed length; otherwise the observer may verify the password length. In the given example, the user only entered five rounds, leaving seven rounds open.

    In this system we have three types of accounts, and each account makes different use of these empty rounds.

    Type 1: Standard User
    These rounds are blank and the user can enter anything they see fit. These passwords must be at least five digits.

    Type 2: Medium Security User
    These rounds are filled in by running through the password repeatedly (as much as will fit in the 12 rounds).

    Type 3: High Security User
    Same as type two, except this account is fitted with a duress alarm. After the initial password, the user can err in a predefined manner in the repetition phase. Passwords for this user type can be no longer than five digits.

    My experience is that implementing this type of access control system for remote ERP access (sales reps and such) required 30 minutes of training, resulting in initial error rates comparable to standard passwords and, after three months, error rates roughly 20% lower than standard. Added benefits include, of course, increased immunity to keystroke recorders and shoulder surfing.

    Cheers,

    catch
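
The following is an added worked model of the black/white game from the post above; it is not code from the original post or from the Roth et al. paper. It reproduces the two hand-worked cases (the "2005" entry that leaves an observer 625 candidate PINs, and the four-round elimination on a single digit that leaves only 3) and, going beyond the post, estimates how much the observed candidate sets help an attacker who replays against a fresh layout. The four layouts are the ones in the post; the assumption that a terminal draws new layouts uniformly at random is mine, as the post gives no generator.

```python
"""Model of the black/white PIN-entry game ("cognitive trapdoor game").

Added example; not code from the original post or from the Roth et al. paper.
Layouts are the four from the post. New layouts are ASSUMED to be drawn
uniformly at random by the terminal (the post gives no generator).
"""
import secrets
from fractions import Fraction
from itertools import product

DIGITS = "1234567890"

# The four layouts used in the post, as (black keys, white keys).
POST_LAYOUTS = [
    (frozenset("13470"), frozenset("25689")),  # Round 1
    (frozenset("23570"), frozenset("14689")),  # Round 2
    (frozenset("12589"), frozenset("34670")),  # Round 3
    (frozenset("14570"), frozenset("23689")),  # Round 4
]


def random_layout():
    """Assumed terminal behaviour: a uniformly random 5/5 split of the digits."""
    pool = list(DIGITS)
    black = set()
    for _ in range(5):
        black.add(pool.pop(secrets.randbelow(len(pool))))
    return frozenset(black), frozenset(DIGITS) - black


def honest_answer(digit, layout):
    """The key an honest user presses: the colour of the key showing `digit`."""
    black, _white = layout
    return "Black" if digit in black else "White"


def observed_set(layout, pressed):
    """Everything a shoulder-surfer learns from one answer: five digits."""
    black, white = layout
    return black if pressed == "Black" else white


def candidate_sets(rounds):
    """rounds: [(layout, pressed)], one round per PIN digit (the post's first
    scheme). Returns the per-position sets of digits consistent with the
    observation."""
    return [observed_set(layout, pressed) for layout, pressed in rounds]


def candidate_pins(rounds):
    """All PINs consistent with a single, complete observation (5**n of them)."""
    sets = [sorted(s) for s in candidate_sets(rounds)]
    return {"".join(t) for t in product(*sets)}


def isolate_digit(rounds):
    """Probabilistic game, four rounds on the SAME digit: intersecting the
    observed sets is exactly the post's elimination, which leaves only 3."""
    remaining = set(DIGITS)
    for layout, pressed in rounds:
        remaining &= observed_set(layout, pressed)
    return remaining


def replay_success(sets, fresh_layout):
    """Beyond the post: an attacker holding the per-position candidate sets
    replays against a fresh layout by pressing, per position, the colour that
    holds the majority of the set. If the true digit is uniform within the
    set, that is right with probability max(k, 5-k)/5 where k = |set & black|.
    A blind attacker is right with probability 1/2 per position (1/16 total)."""
    black, _white = fresh_layout
    p = Fraction(1)
    for s in sets:
        k = len(s & black)
        p *= Fraction(max(k, len(s) - k), len(s))
    return p


def play(pin, layouts=None):
    """Simulate an honest entry of `pin`, one round per digit, and return the
    (layout, pressed) transcript that an observer or recorder captures."""
    layouts = layouts or [random_layout() for _ in pin]
    return [(layout, honest_answer(d, layout)) for d, layout in zip(pin, layouts)]


if __name__ == "__main__":
    # Post's first example: PIN 2005, one answer per digit.
    transcript = play("2005", POST_LAYOUTS)
    print([pressed for _, pressed in transcript])       # White, Black, White, Black
    pins = candidate_pins(transcript)
    print(len(pins), "2005" in pins, "2231" in pins)     # 625 True True
    # Post's second example: four rounds on the single digit 3.
    print(isolate_digit(play("3333", POST_LAYOUTS)))     # {'3'}
    # Replay against an assumed fresh layout with black = 1..5.
    fresh = (frozenset("12345"), frozenset("67890"))
    print(replay_success(candidate_sets(transcript), fresh), Fraction(1, 16))
```

Run it as a script to see both hand-worked cases reproduced. Note what replay_success shows: with the constructed fresh layout the observer's 625-candidate set lifts a replay from 1/16 to 81/625, which is why the paper's probabilistic variant keeps two digits per answer and why a strict lockout on a short PIN matters so much.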

  2. #2
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    Catch,

    I agree this will indeed reduce losses due to shoulder surfing, keyboard logging, and transmission capturing. And assuming that the only way to enter the password is through the interface you have provided, it should provide resistance to brute force attacks as well. However, would a 4-digit PIN system not significantly increase the chances of other brute force methods succeeding?

    I would think that the losses incurred due to the breach of a password file full of 4-digit PIN codes would be significantly higher than that of a more classical system. A database of thousands could be cracked in mere minutes.

    So this leaves me with the understanding that you are making two assumptions. 1) The likelihood of a password (or PIN) file compromise is sufficiently low that the risk of it is offset by the increased security provided by this system, and 2) you are relying on multi factor authentication.

    I can see where a password file compromise would be sufficiently unlikely that this increased risk would be justified. It is also possible that the information gained from such a compromise would be of little use to an attacker, as would be the case if he were required to make use of it only from authorized point of sale locations.

    But as for point number 2, if you are indeed relying on a secondary form of authentication, would this method not be rendered ineffective? That is to say, is this a proposal where the primary authentication mechanisms provide insufficient security measures without the use of secondary systems? It is my experience that both primary and secondary authentication systems should in and of themselves provide sufficient security measures, in the case that one or the other fails or is compromised.

    So, how can one defend the use of this system when questioned about the costs involved with a password file compromise?
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  3. #3
    Banned
    Join Date
    May 2003
    Posts
    1,004
    However, would a 4-digit PIN system not significantly increase the chances of other brute force methods succeeding?
    Issues of brute forcing would be restricted by limiting the number of attempts to two or so. Also, even though the password is only four digits for the type two/three account (and five for type one), the actual password is much longer. The use of color selection means that a given type one password may be as long as 10 digits, and most likely six. Type two passwords are always 12 digits long, and type three has a much narrower margin of error thanks to the integration of the duress alarm.
    This is all merely as far as the user is concerned.

    I would think that the losses incurred due to the breach of a password file full of 4-digit PIN codes would be significantly higher than that of a more classical system. A database of thousands could be cracked in mere minutes.
    So, how can one defend the use of this system when questioned about the costs involved with a password file compromise?
    In a properly designed system, no users... including ISSO accounts, should have access to raw user password hashes. That aside, having the PIN alone does not crack the account; you need the smart card, account type, and selected color.
    This aside, the chance of password file compromise is so minimal as to not be a consideration.

    cheers,

    catch

  4. #4
    Junior Member
    Join Date
    Aug 2005
    Posts
    2

    yo

    I believe that the colors should not only be black and white, but also, say, red and green. Also to make it even more secure, the colors should be assigned to Triangle, Square, Circle, and Star on the GUI instead of the actual colors, I believe this would make the auth. process just a slight bit more secure.

  5. #5
    Banned
    Join Date
    May 2003
    Posts
    1,004
    More secure, yes... less usable, also yes.

    It is all a matter of finding the crossover point.

    cheers,

    catch
