50371067 graphical password
TRANSCRIPT
1
The Design and Analysis of Graphical Passwords
Presenter : Ta Duy Vuong
Ian JermynNew York University
Alain Mayer, Fabian Monrose, Michael
K.ReiterBell Labs, Lucent
Technologies
Aviel D.RubinAT&T Labs-Research
2
OUTLINE
1. Introduction2. Textual Passwords with Graphical
Assistance3. Purely Graphical Passwords4. Other graphical password scheme5. Summary6. References
3
1.INTRODUCTION
• Passwords: method of choice for user authentication.
• In practice, passwords are susceptible to attacks.
• Exploit features of graphical input displays to achieve better security.
4
1.INTRODUCTION
•Used for any devices with graphical input display •Primarily for PDAs: Palm Pilot, HP iPAQ,…
5
1.INTRODUCTION• Observation: temporal order &
position• Textual password input via keyboard:
• Graphical password
simplepass123456789
6
2.TEXT WITH GRAPHICAL ASSISTANCE
GRAPHICAL PASSWORD
TEXTUAL PASSWORD WITH GRAPHICAL ASSISTANCE
DRAW-A-SECRET SCHEME
7
2.TEXT WITH GRAPHICAL ASSISTANCE
• Use textual passwords augmented by some graphical capabilities.
• Aim: to decouple temporal order & position of input.
8
2.TEXT WITH GRAPHICAL ASSISTANCE
• Example: password is “tomato”.• Usual way of input:
Conventional
9
2.TEXT WITH GRAPHICAL ASSISTANCE
With graphical assistance
10
2.TEXT WITH GRAPHICAL ASSISTANCE
• Formally:
•k : number of characters in password •A : set of allowed characters•m : number of positions (m>=k)
• Textual : f = {1,…,k} A• Graphical : f’ = {1,…,k} A x
{1,…,m}
11
2.TEXT WITH GRAPHICAL ASSISTANCE
• One k-character conventional password yields:
m!/(m-k)! graphical passwords
Ex: Password is “ILoveNus”• k=8 (characters)• Choose m=10 (positions) approximately 1.8 x 106 graphical
passwords
12
3.DRAW-A-SECRET (DAS) SCHEME
GRAPHICAL PASSWORD
TEXTUAL PASSWORD WITH GRAPHICAL ASSISTANCE
DRAW-A-SECRET SCHEME
13
3.DRAW-A-SECRET (DAS) SCHEME
3.1 Introduction• Password is picture drawn on a grid.
• Users freed from having to remember alphanumeric string.
• What is good about picture-based password?
14
3.DRAW-A-SECRET (DAS) SCHEME
3.2 Password input
(5,5) is pen-up indicator(2,2) (3,2) (3,3) (2,3) (2,2)
(2,1) (5,5)
15
3.DRAW-A-SECRET (DAS) SCHEME
3.3 Encryption Tool for PDA
Process of making keys for Triple-DES
Key k
Triple-DES
Sequence of coordinates of password P
Hashed using SHA-1
Derived to make keys
•Use Triple-DES to encrypt/decrypt data stored on PDA
16
3.DRAW-A-SECRET (DAS) SCHEME
3.3 Encryption Tool for PDA
ressult = P ??
Key k’
restult=Dk’(Ek(P))
Sequence of coordinates P’
Hashed using SHA-1
Process of verifying password
Store Ek(P)
Key k
Ek(P)
Sequence of coordinates P
Hashed using SHA-1
Process of setting password
17
3.DRAW-A-SECRET (DAS) SCHEME
3.4 Security of the DAS Scheme
• Textual passwords are susceptible to attacks because:– Users do not choose passwords uniformly.– Attackers have significant knowledge about
the• distribution of user passwords (users often
choose passwords based their own name…)• information about gross properties (words in
English dictionary are likely to be chosen)
18
3.DRAW-A-SECRET (DAS) SCHEME
3.4 Security of the DAS Scheme
• Knowledge about the distribution of user password is essential to adversary.
• DAS scheme gives no clues about user choice of passwords.
• Harder to collect data on PDAs than networked computers.
19
3.DRAW-A-SECRET (DAS) SCHEME
3.4 Security of the DAS Scheme• Size of Password space:
Lmax P : password∏(Lmax,G) = ∑ P(L,G) Grid size GxG
L=1 L : length of passwordLmax : maximum length of
password l=L N: number of strokes
P(L,G) = ∑ P(L-l,G)N(lG) l : length of stoke l=1
N(l,G) = ∑ n(x,y,l,G) n : number of strokes of length l (x,y)∈[1..G]x[1..G] (x,y) : ending cell
20
3.DRAW-A-SECRET (DAS) SCHEME
3.4 Security of the DAS Scheme
• New password scheme cannot be proven better than old scheme because of human factor !
• However, above table shows raw size of graphical password space surpasses that of textual passwords.
21
4. Another graphical password scheme
•To login, user is required to click within the circled red regions (chosen when created the password) in this picture. The choice for the four regions is arbitrary •Known since the mid 1990s, starting with G.Blonder in his paper “Graphical Passwords”
22
5. SUMMARY
• Textual passwords with graphical assistance: conventional passwords equipped with graphical capabilities.
• Improvements over textual passwords:– Decouple positions of input from temporal
order– Larger password space
23
5. SUMMARY
• Draw-A-Secret (DAS) Scheme:– Pictures are easier to remember– Attackers have no knowledge of the
distribution of passwords– Larger password space– Decouple position of inputs from
temporal order
24
6. REFERENCES• “The Design and Analysis of Graphical Passwords
” by Ian Jermyn, Alain Mayer, Fabian Monrose, Michael K.Reiter, Aviel D.Rubin
• “Graphical passwords” by Leonardo Sobrado, Jean-Camille Birget, Department of Computer Science, Rutgers University
• “Graphical Dictionaries and the Memorable Space of Graphical Passwords” by Julie Thorpe, P.C. van Oorschot
• “Human Memory and the Graphical Password” by David Bensinger, Ph.D.
• “Passwords: the weakest link?” CNET News.com
25
THANK YOU .