3,658 research outputs found
Naturally Rehearsing Passwords
We introduce quantitative usability and security models to guide the design
of password management schemes --- systematic strategies to help users create
and remember multiple passwords. In the same way that security proofs in
cryptography are based on complexity-theoretic assumptions (e.g., hardness of
factoring and discrete logarithm), we quantify usability by introducing
usability assumptions. In particular, password management relies on assumptions
about human memory, e.g., that a user who follows a particular rehearsal
schedule will successfully maintain the corresponding memory. These assumptions
are informed by research in cognitive science and validated through empirical
studies. Given rehearsal requirements and a user's visitation schedule for each
account, we use the total number of extra rehearsals that the user would have
to do to remember all of his passwords as a measure of the usability of the
password scheme. Our usability model leads us to a key observation: password
reuse benefits users not only by reducing the number of passwords that the user
has to memorize, but more importantly by increasing the natural rehearsal rate
for each password. We also present a security model which accounts for the
complexity of password management with multiple accounts and associated
threats, including online, offline, and plaintext password leak attacks.
Observing that current password management schemes are either insecure or
unusable, we present Shared Cues--- a new scheme in which the underlying secret
is strategically shared across accounts to ensure that most rehearsal
requirements are satisfied naturally while simultaneously providing strong
security. The construction uses the Chinese Remainder Theorem to achieve these
competing goals
An algorithm for automatically choosing distractors for recognition based authentication using minimal image types
<p>When a user logs on to a recognition based authentication system, he or she is presented with a number of images, one of which is their pass image and the others are distractors. The user must recognise and select their own image to enter the system. If any of the distractors is too similar to the target, the user is likely to become confused and may well choose a distractor by mistake.</p>
<p>It is simple for humans to rule on image similarity but such a labour intensive approach hinders the wider uptake of these mechanisms. Automating image similarity detection is a challenging problem but somewhat easier when the images being used are minimal image types such as hand drawn doodles and Mikons constructed using a computer tool.</p>
<p>We have developed an algorithm, which has been reported earlier, to automatically detect if two doodle images are similar. This paper reports a new experiment to discover the amount of similarity in collections of doodles and Mikons, from a human perspective. This information is used to improve the algorithm and confirm that it also works well with Mikons.</p>
Remote booting in a hostile world: to whom am I speaking? [Computer security]
“This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder." “Copyright IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.”Today's networked computer systems are very vulnerable to attack: terminal software, like that used by the X Window System, is frequently passed across a network, and a trojan horse can easily be inserted while it is in transit. Many other software products, including operating systems, load parts of themselves from a server across a network. Although users may be confident that their workstation is physically secure, some part of the network to which they are attached almost certainly is not secure. Most proposals that recommend cryptographic means to protect remotely loaded software also eliminate the advantages of remote loading-for example, ease of reconfiguration, upgrade distribution, and maintenance. For this reason, they have largely been abandoned before finding their way into commercial products. The article shows that, contrary to intuition, it is no more difficult to protect a workstation that loads its software across an insecure network than to protect a stand-alone workstation. In contrast to prevailing practice, the authors make essential use of a collision-rich hash function to ensure that an exhaustive off-line search by the opponent will produce not one, but many candidate pass words. This strategy forces the opponent into an open, on-line guessing attack and offers the user a defensive strategy unavailable in the case of an off-line attack.Peer reviewe
Secure Authentication Using Click Draw Based Graphical Password Scheme
Graphical passwords are an alternative to alphanumeric passwords in which users click on images to authenticate themselves rather than type alphanumeric strings. We have developed one such system, called Secure Authentication using Click Draw Based graphical password scheme, and evaluated it with human users. Secure Authentication using Click Draw Based graphical password scheme, including USAbility and security evaluations, and implementation considerations. An important USAbility goal for knowledge-based authentication systems is to support users in selecting passwords of higher security, in the sense of being from an expanded effective security pace. We use the sequence of multiple images along with a dummy image and alsoa pattern on any single image to influence user choice in click draw based graphical passwords, encouraging users to select more random, and hence more difficult to guess patterns
Towards Human Computable Passwords
An interesting challenge for the cryptography community is to design
authentication protocols that are so simple that a human can execute them
without relying on a fully trusted computer. We propose several candidate
authentication protocols for a setting in which the human user can only receive
assistance from a semi-trusted computer --- a computer that stores information
and performs computations correctly but does not provide confidentiality. Our
schemes use a semi-trusted computer to store and display public challenges
. The human user memorizes a random secret mapping
and authenticates by computing responses
to a sequence of public challenges where
is a function that is easy for the
human to evaluate. We prove that any statistical adversary needs to sample
challenge-response pairs to recover , for
a security parameter that depends on two key properties of . To
obtain our results, we apply the general hypercontractivity theorem to lower
bound the statistical dimension of the distribution over challenge-response
pairs induced by and . Our lower bounds apply to arbitrary
functions (not just to functions that are easy for a human to evaluate),
and generalize recent results of Feldman et al. As an application, we propose a
family of human computable password functions in which the user
needs to perform primitive operations (e.g., adding two digits or
remembering ), and we show that .
For these schemes, we prove that forging passwords is equivalent to recovering
the secret mapping. Thus, our human computable password schemes can maintain
strong security guarantees even after an adversary has observed the user login
to many different accounts.Comment: Fixed bug in definition of Q^{f,j} and modified proofs accordingl
- …