IEEE SMC Society Summer School on Human
Factors in Systems Safety and Security 2017
Human Factors in Cyber Security:
User Authentication as a Use Case
Dr Shujun LI (李树钧)
Deputy Director, Surrey Centre for Cyber Security (SCCS)
Reader, Department of Computer Science
University of Surrey
http://www.hooklee.com/
@hooklee75
Humans = The Weakest Link?
Security is a process, NOT a product.
- Wrong: "A product is secure."  Right: "A process is secure."
- Bruce Schneier, Secrets and Lies: Digital Security in a Networked World, John Wiley & Sons, Inc., 2004
Social engineering does work well!
- Hackers only need to break the weakest link in a
process – humans!
- Weak human users vs. Strong hackers
A real hacker’s testimony
Testifying before Congress not long ago, I explained
that I could often get passwords and other pieces of
sensitive information from companies by pretending
to be someone else and just asking for it.
Kevin D. Mitnick and William L. Simon
The Art of Deception: Controlling the Human Element of
Security, John Wiley & Sons Inc., 2003
Social engineering everywhere:
Phishing, SMiShing, vishing, …
- Getting your password from you.
A recent book on social engineering
- Christopher Hadnagy, Social Engineering: The Art
of Human Hacking, John Wiley & Sons, Inc., 2010
Different kinds of weak humans
- Weak designers
- Weak programmers
- Weak assemblers
- Weak distributors
- Weak deployers
- Weak maintainers
- Weak users
- Weak …
- (Diagram: these weaknesses become security holes in the delivered products and security holes in the deployed system, which strong hackers then exploit.)
Are you a weak link of your system?
1. Have you installed any encryption software (such as GPG) for your email client or your web browser (for web mail)?
2. If YES to the previous question: how often do you use that encryption software to protect your personal emails?
3. Do you know how digital certificates are used with secure web sites such as online banking sites?
4. If YES to the previous question: how often do you check a digital certificate's contents against the claimed owner?
5. Have you seen a web browser warning about a digital certificate used by a website (untrusted issuer, expired or self-signed certificate, etc.)?
6. If YES to the previous question: did you choose to ignore the browser warning(s) because you felt you could trust the website(s) you were visiting?
7. Have you written one or more of your passwords down (on paper, on a mobile phone, …) at least once to avoid forgetting them?
8. Are you reusing passwords over multiple web sites? (A Single Sign-On password is not counted.)
Security vs. Usability Dilemma
What does security mean?
- The classic CIA/AIC triad: Confidentiality, Integrity, Availability
- Many extensions
- PAIN: Privacy, Availability/Authentication, Integrity, Non-Repudiation
- 4A model: Authentication, Authorization, Availability, Authenticity
- 5A model: Admissibility, Authentication, Authorization, Availability, Authenticity
- Parkerian Hexad: Confidentiality, Possession or Control, Integrity, Authenticity, Availability, Utility (Usefulness)
- Information Assurance & Security (IAS) Octave (2013): confidentiality, integrity, availability, privacy, authenticity & trustworthiness, non-repudiation, accountability and auditability
- Different attacks and threats are behind those terms.
More security principles
- OECD Guidelines for the Security of Information Systems
and Networks (2002): 9 principles
- Awareness, Responsibility, Response, Ethics, Democracy, Risk
Assessment, Security Design and Implementation, Security
Management, and Reassessment
- NIST Special Publication 800-27 Engineering Principles for
Information Technology Security (A Baseline for Achieving
Security), Revision A (2004): 33 principles
- 4 in security foundations
- 7 risk based
- 4 about ease of use (usability)
- 8 about resilience
- 6 about reducing vulnerability
- 4 about network
What does usability mean?
- ISO standards (ISO/TC 159/SC 4)
- ISO 9241 Ergonomics of human-system interaction (a series)
- ISO 9241-11 Guidance on Usability: “The extent to which a product can
be used by specified users to achieve specified goals with
effectiveness, efficiency and satisfaction in a specified context of
use.”
- Effectiveness: "accuracy and completeness with which users achieve specified goals" (normally measured by "success rate")
- Efficiency: “resources expended in relation to the accuracy and
completeness with which users achieve goals”
- Satisfaction: “freedom from discomfort, and positive attitudes towards
the use of the product” (good user experience as a whole)
- ISO 11064 Ergonomic design of control centres (multi-part)
- ISO 14915 Software ergonomics for multimedia user interfaces
- A 2006 (good even though a bit outdated) overview of such
standards can be found at Usability Net.
What does usability mean?
My personal views on usability in the context of cyber
security:
- Psychological Acceptability
- A computer system should be designed for easy and correct use
with reasonably low error rate by all legitimate users of the system.
- Economic Acceptability
- A computer system should be acceptable to target organisations
and end users with reasonable (application-dependent!) costs.
- Reconfigurability / Scalability / Sustainability / Manageability / Deployability / Portability / …
- Accessibility = usability for the disabled
- …
Security-usability dilemma
- Security is often NOT what users want – users want their work done and they don't know what security really means!
- Security often requires users to make HARD decisions, but they do NOT have enough time or experience!
- Higher security often requires more computation → higher costs, slower processes, harder to understand and use, a tendency of users to misuse it (intentionally or unintentionally), …
- Large systems involve many components and different groups of users → the requirements of different components and users may conflict.
- Different aspects (C, I, A) of security may conflict with each other as well, which further complicates the problem.
- …
User Authentication:
(Textual) Passwords (inc. PINs)
Textual passwords everywhere
How many passwords are there?
- 4 digits (PINs): 10^4 = 10 thousand ≈ 2^13.3
- 6 digits (PINs): 10^6 = 1 million ≈ 2^20
- Lowercase letters only, 7 characters: 26^7 ≈ 8 billion ≈ 2^33
- Lowercase letters + digits, 7 characters: 36^7 ≈ 78.4 billion ≈ 2^36.2
- Lowercase & uppercase letters + digits, 7 characters: 62^7 ≈ 3.5 trillion ≈ 2^41.7
- Lowercase & uppercase letters + digits, 11 characters: 62^11 ≈ 52 quintillion ≈ 2^65.5
How fast are today's supercomputers?
- 10 EFlops = 10^19 floating-point operations per second ≈ 2^63 per second (a generous upper bound: the fastest machine on the 2017 TOP500 list ran at about 0.1 EFlops)
What passwords are being used?
- Dinei Florêncio and Cormac Herley, “A Large-
Scale Study of Web Password Habits,” in Proc.
WWW 2007, W3C/ACM
- Real passwords collected from 544,960 web users in
three months in 2006.
What (4-digit) PINs are being used?
- DataGenetics, PIN analysis, 3rd September 2012
- 3.4 million leaked passwords composed of 4 digits.
- (Heat map of PIN frequencies; annotated hot spots: xy00, 9999, 00xy, 19xy (birth years), mmdd (dates), xyxy (repeated pairs).)
Password cracking: 1979
- R. Morris and K. Thompson, "Password security: A case history," Communications of the ACM, vol. 22, no. 11, 1979
- In a collection of 3,289 passwords…
- 15 were a single ASCII character
- 72 were strings of two ASCII characters
- 464 were strings of three ASCII characters
- 477 were strings of four alphamerics
- 706 were five letters, all upper-case or all lower-case
- 605 were six letters, all lower-case
- 492 appeared in dictionaries, name lists, and the like
- In total 2,831 of the 3,289 passwords (86%) fell into one of these easily guessed categories.
Password cracking: 1990
- Daniel V. Klein, “Foiling the Cracker: A Survey
of, and Improvements to, Password Security,” in
Proc. USENIX Workshop on Security, 1990
- In a set of 15,000 passwords
- 25% were cracked within 12 CPU months
- 21% were cracked in the first week
- 2.7% were cracked within the first 15 minutes
Password cracking: 2005
- Arvind Narayanan and Vitaly Shmatikov, “Fast
dictionary attacks on passwords using time-
space tradeoff,” in Proc. CCS’2005, ACM
- In a collection of 142 real user passwords
- 67.6% (96) were cracked with a search complexity of 2.17×10^9 ≈ 2^31
Password cracking: 2013
- Dan Goodin, "Anatomy of a hack: How crackers ransack passwords like 'qeadzcwrsfxv1331'," Ars Technica, 28 May 2013
- Three professional crackers were given 16,449 hashed
passwords and the best of them was able to crack 90%
of the passwords.
- Remark 1: All the passwords are considered harder
ones because they are what remained uncracked in a
much larger database of leaked passwords.
- Remark 2: Nate Anderson, Ars deputy editor and a self-
admitted newbie to password cracking, was able to
crack around 50% of the passwords within a few hours.
How modern password crackers work
- hashcat as an example
- Dictionary attack: trying all words in a list;
also called “straight” mode
- Combinator attack: concatenating words from multiple
wordlists (mode 1)
- Brute-force attack (a.k.a. Mask attack): trying all
characters from given charsets, per position (mode 3)
- Hybrid attack: combining wordlists+masks (mode 6) and
masks+wordlists (mode 7); can also be done with rules
- Rule-based attack: applying rules to words from
wordlists; combines with wordlist-based attacks (attack
modes 0, 6, and 7)
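The attack modes above, re-implemented in Python as an added example (this is not hashcat's code; the mask syntax and the rule functions follow hashcat's notation for a small subset only). The target hashes are unsalted SHA-256 digests of constructed sample passwords, and the wordlist and the rule file are constructed as well; real hashcat runs the same generators on a GPU against whatever hash type the leak used.

```python
"""Toy re-implementation of hashcat's attack modes (added example, not hashcat code)."""
import hashlib
import itertools
import string
from typing import Dict, Iterable, Iterator, List

# Mask charsets in hashcat's notation (subset: hashcat also has ?a ?b ?h ?H and custom -1..-4).
CHARSETS = {"l": string.ascii_lowercase, "u": string.ascii_uppercase,
            "d": string.digits, "s": "!@#$%^&*"}


def straight(words: Iterable[str]) -> Iterator[str]:
    """Mode 0 (dictionary / straight): every word of the list, as-is."""
    yield from words


def combinator(left: Iterable[str], right: Iterable[str]) -> Iterator[str]:
    """Mode 1: every word of the left list concatenated with every word of the right list."""
    right = list(right)
    for a in left:
        for b in right:
            yield a + b


def mask(pattern: str) -> Iterator[str]:
    """Mode 3 (brute force / mask): '?u?l?l?d' = one upper, two lower, one digit, per position."""
    slots: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern[i] == "?" and i + 1 < len(pattern):
            slots.append(CHARSETS[pattern[i + 1]])
            i += 2
        else:                       # a literal character in the mask
            slots.append(pattern[i])
            i += 1
    for combo in itertools.product(*slots):
        yield "".join(combo)


def hybrid(words: Iterable[str], pattern: str, mode: int = 6) -> Iterator[str]:
    """Mode 6: word + mask (e.g. surrey + ?d?d); mode 7: mask + word."""
    for w in words:
        for m in mask(pattern):
            yield w + m if mode == 6 else m + w


def apply_rule(word: str, rule: str) -> str:
    """Apply one hashcat-style rule line.  Supported subset: ':' nothing, 'l' lower,
    'u' upper, 'c' capitalise, 'r' reverse, 'd' duplicate, '$X' append X, '^X' prepend X.
    Functions may be separated by spaces, as in hashcat rule files."""
    i = 0
    while i < len(rule):
        op = rule[i]
        if op in ": ":
            pass
        elif op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":
            word = word[:1].upper() + word[1:].lower()
        elif op == "r":
            word = word[::-1]
        elif op == "d":
            word = word + word
        elif op in "$^":
            i += 1
            word = word + rule[i] if op == "$" else rule[i] + word
        else:
            raise ValueError(f"unsupported rule function {op!r}")
        i += 1
    return word


def rule_based(words: Iterable[str], rules: Iterable[str]) -> Iterator[str]:
    """Rule-based attack: every rule applied to every word (hashcat -a 0 -r rules.txt)."""
    rules = list(rules)
    for w in words:
        for r in rules:
            yield apply_rule(w, r)


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def crack(candidates: Iterable[str], targets: Dict[str, str]) -> Dict[str, str]:
    """Hash each candidate and look it up in the target set; return {hash: plaintext}."""
    found: Dict[str, str] = {}
    for cand in candidates:
        h = sha256_hex(cand)
        if h in targets and h not in found:
            found[h] = cand
            if len(found) == len(targets):
                break
    return found


def demo() -> Dict[str, List[str]]:
    """Run each attack mode against the same constructed hash list; report what each cracked."""
    # Constructed sample passwords (not from any real leak).
    plaintexts = ["password", "Summer2017", "monkey!", "letmeinletmein", "Qwe1",
                  "surrey99", "42password", "monkeysurrey", "correcthorsebatterystaple"]
    targets = {sha256_hex(p): p for p in plaintexts}
    words = ["password", "summer", "monkey", "letmein", "surrey"]   # constructed wordlist
    rules = [":", "c", "c $2 $0 $1 $7", "$!", "d", "r"]             # constructed rule file
    runs = {
        "straight":   crack(straight(words), targets),
        "combinator": crack(combinator(words, words), targets),
        "mask":       crack(mask("?u?l?l?d"), targets),
        "hybrid6":    crack(hybrid(words, "?d?d", 6), targets),
        "hybrid7":    crack(hybrid(words, "?d?d", 7), targets),
        "rules":      crack(rule_based(words, rules), targets),
    }
    return {mode: sorted(found.values()) for mode, found in runs.items()}


if __name__ == "__main__":
    for mode, cracked in demo().items():
        print(f"{mode:<10} {cracked}")
```

Note that the long random-looking "correcthorsebatterystaple" survives every mode here because no wordlist, rule or mask in the run generates it; the rule "d" and the combinator both produce "letmeinletmein", which is why crackers chain modes rather than pick one.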
What can we learn from reality?
- The security-usability dilemma
- Stronger passwords are more secure but harder for humans to remember.
- Weaker passwords are easier for humans to remember but also easier to crack.
- Passwords that look strong to humans ≠ passwords that are strong against automated password crackers
- End users have a tendency to choose usability over security: using easy-to-remember passwords.
- End users have not changed their ways of using (weak) passwords very much since the 1970s!
User Authentication:
Solutions to Textual Passwords?
Password checkers
- A password checker checks the strength of a given
password and warns the user about its weakness.
- Proactive password checkers work at the client side when the
user is entering his/her password.
- Reactive password checkers work at the server side after the
user set his/her passwords (by scanning all passwords of all users).
- All password checkers are based on one or more password
meters which estimate the strength of any passwords given, but
there are also standalone password meters.
Password managers
- A password manager is a software/hardware tool
managing credentials of multiple accounts of the user.
- A master password is normally required to manage all passwords.
- Local password managers run from a local computer (could be a
smart phone) and store the data locally.
- Web-based password managers run from the Web or the cloud
and store the data remotely in a remote web site.
- Cloud-based password managers run from local computer or the
Web and store the data remotely in a cloud.
- Data across devices could be synchronized.
Strong password policies
- Minimum length
- Minimum password strength estimated by a
password meter
- Blacklist of forbidden passwords
- Dictionary words, old passwords, personal information,
…
- Mixed cases
- Alphanumeric
- Special characters
- Regular password expiration
- …
Passphrases: xkcd (image)
Passphrases: Cyber Aware (image)
Passphrases+: Get Safe Online (image)
GCHQ/NCSC password guidance (image)
Password expiry policy (image)
Password expiry policy @ Surrey (image)
User Authentication:
Graphical Passwords
Why may graphical passwords help?
- An old saying: "A picture is worth a thousand words." (一图胜千言。)
Why may graphical passwords help?
- Graphics and images contain richer information than text, and are harder to describe exactly, for both humans and computers:
- Larger password space
- Fewer weak passwords
- More difficult to construct a dictionary
- Easier to remember and harder to forget
- Harder to tell to others (at least over the phone)
- A better balance between usability and security?
Yet another advantage
- Graphical passwords are more resistant to keystroke-based side channel attacks, because nothing is typed (pointer input and screen content have their own leakage, though):
- Martin Vuagnoux and Sylvain Pasini, "Compromising Electromagnetic Emanations of Wired and Wireless Keyboards," in Proc. USENIX Security Symposium 2009
- Kehuan Zhang and XiaoFeng Wang, "Peeping Tom in the Neighborhood: Keystroke Eavesdropping on Multi-User Systems," in Proc. USENIX Security Symposium 2009
A classification of graphical passwords
- Class 1: Drawing-based passwords
- Class 2: Location-based graphical passwords
- Class 3: Recognition-based graphical passwords
- Class X: Hybrid graphical passwords?
Class 1: DAS (Draw-A-Secret)
- I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter and A. D.
Rubin, “The Design and Analysis of Graphical Passwords,”
in Proc. USENIX Security Symposium 1999 (Best paper
and best student paper awards!)
Class 1: Android unlocking patterns
- A variant of DAS has been adopted by Google for
its Android OS as an unlocking scheme and widely
used by Android users.
Class 2: PassPoints
- S. Wiedenbeck, J. Waters, J.-C. Birget, A. Brodskiy and N.
Memon, “PassPoints: Design and longitudinal evaluation of
a graphical password system,” Int. J. Human-Computer
Studies, Vol. 63, pp. 102-127, 2005, Elsevier
Class 3: Passfaces and DéjàVu
- Passfaces™
- DéjàVu (Dhamija & Perrig, USENIX Security 2000), built on Random Art images (http://www.random-art.org)
Users' choices are not random!
- Darren Davis, Fabian Monrose and Michael K. Reiter, "On User Choice in Graphical Password Schemes," in Proc. USENIX Security Symposium 2004
- Users tend to choose faces of beautiful women and/or of people of their own race.
Dictionary attacks come back!
- Julie Thorpe and P.C. van Oorschot, “Human-Seeded Attacks and
Exploiting Hot-Spots in Graphical Passwords,” in Proc. USENIX
Security Symposium 2007
A dictionary of click points (hotspots) can be harvested from a set of human users (at the attacker's disposal), or determined automatically by image processing algorithms. For the automated attack, 8% of passwords were cracked within 2^32 guesses.
Dictionary attacks come back!
- Amirali Salehi-Abari, Julie Thorpe, and P.C. van Oorschot, “On Purely
Automated Attacks and Click-Based Graphical Passwords,” in Proc.
ACSAC’2008, IEEE Computer Society
An improved dictionary attack: 16% of passwords cracked using a dictionary of fewer than 2^31.4 entries.
Dictionary attacks come back!
- P.C. van Oorschot, Amirali Salehi-Abari and Julie Thorpe, “Purely
Automated Attacks on PassPoints-Style Graphical Passwords,” IEEE
Trans. Information Forensics and Security, 5(3), 2010
Improved dictionary attacks: 7 to 16% of passwords cracked using a dictionary of 2^26 entries, 48 to 54% using a dictionary of 2^35 entries.
Dictionary attacks come back!
- Julie Thorpe, P.C. van Oorschot, “Graphical Dictionaries
and the Memorable Space of Graphical Passwords,” in
Proc. USENIX Security Symposium 2004
- Mirror-symmetric DAS passwords are used to construct a dictionary: this sub-space is exponentially smaller than the full password space.
Dictionary attacks come back!
- Ziming Zhao, Gail-Joon Ahn, Jeong-Jin Seo, Hongxin Hu,
“On the Security of Picture Gesture Authentication,” in
Proc. USENIX Security Symposium 2013
- 10K Windows 8 picture passwords were collected from 800 users.
- A training-based approach: 24% of the passwords in one database were cracked with a dictionary of size 2^19 (total password space 2^31).
Dictionary attacks come back!
- Sebastian Uellenbeck, Markus Dürmuth, Christopher Wolf,
and Thorsten Holz, “Quantifying the Security of Graphical
Passwords: The Case of Android Unlock Patterns,” in Proc.
ACM CCS 2013
- High bias in the pattern selection process
- Security equivalent to three-digit PINs for guessing 20% of all pass-
patterns
Usability problems!
- Karen Renaud and Antonella De Angeli, “My password is
here! An investigation into visuo-spatial authentication
mechanisms,” Interacting with Computers, vol. 16, pp.
1017-1041, Elsevier, 2004
- Problem 1: the incredible difficulty related to choosing the
background image.
- Problem 2: the user’s difficulty in pin-pointing a good pass-
point.
- ⇒ "The cognitive aspects of visual information processing would appear to make the use of spatial position untenable for authentication systems."
User Authentication:
Biometrics
Three main classes of biometrics
- Physical biometrics
- Fingerprint, palm, hand geometry, iris, retina, …
- Behavioural biometrics
- Handwriting, signature, speech, gait, mouse/keystroke dynamics, …
- Chemical/biological biometrics
- Perspiration, skin luminescence, DNA, body odour, …
- (The third class is often forgotten or ignored in common definitions of biometrics because it is less used in computers.)
Biometrics for user authentication
- Input: live biometric data plus a claimed ID
- Pipeline: data acquisition → feature extraction (live template) → comparison against the enrolled template retrieved from the database by ID → measure of similarity → decision (same / different)
Performance evaluation:
Security vs. Usability
- False match rate (FMR) = false accept rate (FAR) = false positive rate: an impostor is accepted, i.e. User 1 is verified/identified as User 2.
- False non-match rate (FNMR) = false reject rate (FRR) = false negative rate: a genuine user is rejected, i.e. User 1 is not verified/identified as User 1.
- Failure to enrol (FTE) rate: users for whom no usable template can be created.
- (Figure: score distributions of real matches and real non-matches, with a decision threshold between them. The tail of the non-match distribution above the threshold is the false match rate; the tail of the match distribution below it is the false non-match rate. Moving the threshold trades one against the other: security vs. usability.)
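An added example (not from the slides) that makes the threshold trade-off concrete: it sweeps the decision threshold over constructed genuine and impostor similarity scores, reports FMR and FNMR at each point, finds the equal error rate, and shows what FNMR a fixed FMR target costs. The score lists are constructed for the example; a real evaluation would use thousands of comparisons per class.

```python
"""False match / false non-match trade-off of a biometric verifier (added example).

Scores are constructed similarity values: higher means 'more alike'.  A comparison
is accepted when score >= threshold, so raising the threshold lowers the false match
rate (security) and raises the false non-match rate (usability).
"""
from typing import List, Tuple

# Constructed sample: scores from comparing a live template against the enrolled
# template of the same person (genuine) and of a different person (impostor).
GENUINE: List[float] = [8.2, 9.1, 7.4, 10.3, 6.9, 9.8, 8.7, 7.9, 11.0, 5.8]
IMPOSTOR: List[float] = [3.1, 4.5, 2.8, 6.2, 5.0, 3.9, 7.1, 4.4, 2.2, 5.5, 6.8, 3.3]


def rates(threshold: float, genuine=GENUINE, impostor=IMPOSTOR) -> Tuple[float, float]:
    """Return (FMR, FNMR) at a threshold: impostors accepted, genuine users rejected."""
    fmr = sum(s >= threshold for s in impostor) / len(impostor)
    fnmr = sum(s < threshold for s in genuine) / len(genuine)
    return fmr, fnmr


def roc(genuine=GENUINE, impostor=IMPOSTOR) -> List[Tuple[float, float, float]]:
    """(threshold, FMR, FNMR) at every distinct score: the points a DET/ROC plot draws."""
    return [(t, *rates(t, genuine, impostor)) for t in sorted(set(genuine) | set(impostor))]


def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR) -> Tuple[float, float]:
    """Threshold where FMR and FNMR are closest, and the EER there (their mean)."""
    best = min(roc(genuine, impostor), key=lambda p: abs(p[1] - p[2]))
    return best[0], (best[1] + best[2]) / 2


def operating_point(max_fmr: float, genuine=GENUINE, impostor=IMPOSTOR) -> Tuple[float, float, float]:
    """Lowest threshold whose FMR does not exceed the security target; reports the FNMR cost."""
    for t, fmr, fnmr in roc(genuine, impostor):
        if fmr <= max_fmr:
            return t, fmr, fnmr
    raise ValueError("no threshold meets the FMR target on these scores")


if __name__ == "__main__":
    for t, fmr, fnmr in roc():
        print(f"threshold {t:5.1f}  FMR {fmr:.3f}  FNMR {fnmr:.3f}")
    print("EER:", equal_error_rate())
    print("FMR <= 1%:", operating_point(0.01))
```

On these scores the EER sits near threshold 6.9 at about 9%; demanding an FMR at or below 1% pushes the threshold to 7.4 and rejects 20% of genuine attempts, which is the usability price of the stricter security setting.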
67
A major challenge: Spoofing
- Many biometric modalities can be easily spoofed.
- Fingerprint, face, speech, …
- Liveness detection aims to detect spoofing, but …
Multimodal biometrics
- Use more than one biometric technology.
- Can be more accurate than a single biometric technology.
- Can lower failure to enroll and failure to acquire.
- If one biometric template cannot be measured, switch to the other.
- Increase the population coverage.
- More difficult to spoof the system.
- Interface is more complicated.
- More difficult to manage.
- Cost will be higher.
- Why more if less is sufficient or nothing is sufficient?
Why biometrics?
- Intrinsic features of human users so no need to create one.
- Intrinsic features of human users so cannot be forgotten or
lost.
- Can be more difficult (may still be possible) to steal.
- Can be more difficult to forge than non-biometric ones.
- Can be more secure than non-biometric systems.
- Accuracy high enough for some biometric systems (iris,
fingerprint, face)
- Human user identification is possible without a given ID.
- …
Why not biometrics?
- Many biometrics systems are NOT secure!
- May cause privacy issues: biometric features can be
misused.
- Private/Anonymous biometrics can mitigate this problem.
- Can cause danger to owners of biometric features.
- Example: in 2005, Malaysian car thieves cut off the finger of a
Mercedes-Benz S-Class owner when attempting to steal the car.
- Cannot be easily changed or replaced.
- Cancellable biometric can solve this problem by using a
reconfigurable distortion on biometric features.
- Device dependent: a biometric device is always required to
capture biometric features.
- …
User Authentication:
Even More Solutions
One-time passwords (OTPs)
- Paper-based OTPs (e.g. iTANs used by German banks)
- SMS-based OTPs
- Now discouraged due to their insecurity (e.g. SIM swapping and SS7 interception; NIST SP 800-63B restricts OTPs delivered over the public telephone network)
- OTPs generated by mobile apps
- OTPs generated by special hardware devices (OTP generators like RSA® SecurID hardware tokens)
- OTPs generated from a static password and a random challenge (e.g. GrIDsure)
- Not true OTPs!
Challenge-response protocols
- A secret S (password) shared between prover/human (H) and verifier/computer (C)
- Authentication is a challenge-response protocol:
- C → H: t challenges C_1(S), …, C_t(S)
- H → C: t responses R_1 = f_1(C_1(S), S), …, R_t = f_t(C_t(S), S)
- C: accept H only if all t responses are correct.
- Responses are normally computed by a hardware token or a bespoke software tool (e.g. a mobile app).
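An added example (not the slides' code nor any vendor's token firmware) of the two mechanisms just listed: a counter-based OTP as specified in RFC 4226 (HOTP), which is what most "OTPs generated by mobile apps" and hardware OTP generators compute, and the t-challenge protocol above with f_i = HMAC-SHA256 keyed with S, i.e. a token/app instance of the protocol rather than a human-executable one. The shared secrets and the replay scenario are constructed; the HOTP secret is the RFC 4226 test-vector key so the codes can be checked against Appendix D of that RFC.

```python
"""HOTP (RFC 4226) and an HMAC challenge-response exchange (added example)."""
import hashlib
import hmac
import os
import struct
from typing import Dict, List


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated (RFC 4226 5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server side: accepts the next unused code within a small look-ahead window."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret, self.counter, self.window = secret, 0, window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1        # burn this and all earlier codes: no replay
                return True
        return False


class Prover:
    """H: holds S and answers challenges (in practice a hardware token or an app)."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()


class Verifier:
    """C: issues t fresh random challenges and accepts only if all t responses are correct."""

    def __init__(self, secret: bytes, t: int = 2):
        self.secret, self.t = secret, t

    def session(self, respond) -> bool:
        challenges: List[bytes] = [os.urandom(16) for _ in range(self.t)]   # C -> H
        responses = [respond(c) for c in challenges]                         # H -> C
        expected = [hmac.new(self.secret, c, hashlib.sha256).digest() for c in challenges]
        return all(hmac.compare_digest(e, r) for e, r in zip(expected, responses))


def demo() -> Dict[str, bool]:
    secret = b"12345678901234567890"            # RFC 4226 test-vector secret (constructed use)
    server = OtpVerifier(secret)
    code = hotp(secret, 0)                      # the app/token shows "755224"
    otp_accepted = server.verify(code)
    otp_replayed = server.verify(code)          # a recorded code is worthless once consumed
    shared = os.urandom(32)                     # S, provisioned to both sides out of band
    prover, verifier = Prover(shared), Verifier(shared, t=2)
    cr_honest = verifier.session(prover.respond)
    captured = prover.respond(os.urandom(16))   # observer recorded one response earlier ...
    cr_replay = verifier.session(lambda _c: captured)   # ... and replays it to fresh challenges
    return {"otp_accepted": otp_accepted, "otp_replayed": otp_replayed,
            "cr_honest": cr_honest, "cr_replay": cr_replay}


if __name__ == "__main__":
    print(demo())
```

Both halves defeat a passive observer of a single session by construction: the HOTP counter never repeats, and a challenge-response transcript is only valid for the challenge it answered. Neither helps against a real-time phisher who relays the code or the challenge to the genuine user, which is why the slides treat phishing-resistant factors separately.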
Hardware tokens: problems?
- Higher costs
- Tokens, infrastructure, training, …
- Always need to bring them
- Need theft / lost protection
(passwords/PINs!)
- Nightmare of many hardware tokens
- Is it worse than many passwords?
- When a mobile device is used as the
hardware token, it becomes a
software based solution!
- …
Mobile devices: problems?
- They are not really secure!
- You still need a passcode, a PIN, an unlock pattern or a biometric-based user authentication scheme to protect it!
Context-based authentication
- Location → Environment / Context → Behaviour
- Problem: they (even Google's) are FAR from intelligent enough.
Multi-factor authentication (MFA)
- Four factors
1. What you know (knowledge-based)
2. What you have / possess (hardware token based)
3. Who you are (biometrics)
4. Where you are (context)
- Using at least two factors for important accounts has been required or recommended.
- The Payment Card Industry Data Security Standard (PCI DSS) now requires two of the first three factors.
- Surrey's new remote access service now requires two factors (password + phone-based OTP) after being heavily attacked by phishers.
Single Sign-On (SSO)
- Using one authentication service to handle sign-on to many services (based on ticketing protocols).
- Reduces the number of credentials one must have.
- Reduces the time to re-authenticate to multiple services.
- No SSO can handle all services, so one still has to use multiple SSO services. Some people call it Reduced Sign-On (RSO).
- May be based on a single or multiple factors.
- Examples
- Social login (social sign-in): Facebook Connect, Google Account,
LinkedIn SSO, Sina MicroBloging (新浪微博) SSO, …
- Microsoft Azure Active Directory SSO support (e.g. Office 365)
- University libraries:
- …
My personal recommendations
- Use password managers as much as you can.
- Use random passwords generated by password
managers as much as you can.
- Choose a VERY VERY VERY strong master
password for your password manager!
- Be aware biometrics can be broken!
- Use MFA (especially hardware tokens) for
important accounts (e.g. banking).
A Brand New Solution?
Pass∞ (PassInfinity)
Pass∞ (PassInfinity)?
- A new technology being developed at Surrey
- A UK patent application has been filed.
- A market research project was funded by DCMS and Innovate UK.
- It allows user-centric combinations of diverse authentication actions (across different factors), while keeping backward compatibility with textual passwords.
- It can be seen as a password generator based on a multi-factor user authentication framework.
- It empowers the user to remember a simple sequence of authentication actions (good usability) which leads to a strong password that is very difficult to crack (high security).
A web-based prototype
Client-server architecture
Pass∞ can also be implemented purely at the client side, e.g. in a mobile app working as an advanced password generator/manager. The password policy control can still work if external servers follow a standard to expose their policies.
Observer-Resistant Password
Systems (ORPSs)
Passwords and many observers!
- Shoulder-surfers
- Hidden cameras
- Keyloggers and other password recording
devices
- Password stealing software tools
- Attacks based on electromagnetic / optical /
acoustic emanations
- Phishers
- Malware
- Man-in-the-middle/browser/computer/phone
- Public terminals (@ cafés, airports, hotels, …)
- …
Passive vs. Active observers
- Passive observers = observers who only observe all authentication sessions passively (without manipulating any communications).
- Active observers = observers who also try to manipulate the communications (e.g. to choose part of the authentication sessions). This is harder to defend against!
Manuel Blum’s words
- HUMANOIDs is a protocol that allows a naked
human inside a glass house to authenticate
securely to a non-trusted terminal. “Naked” means
that the human carries nothing: no smart cards, no
laptops, no pencil or paper. “Glass house” means
that anybody can see what the human is doing,
including everything that the human is typing.
- Special case: PhoneOIDs = HUMANOIDs over
phone
Two basic requirements
1. The password should remain secret after a
number of (ideally infinite or practically large)
authentication sessions are observed by an
untrusted party (= observer).
2. Any computation in the authentication process
must be conducted by the human user alone. =
The process should be human-executable. =
Any computing devices beyond the human
user’s brain are untrusted.
Here, the word “password” is a loose term
referring to a secret shared between a human
user (client) and a computer verifier (server).
Modelling observers (main attacks)
- The aim: given n observed / chosen successful authentication sessions (= n·t challenge-response pairs), solve for the secret S with a computational complexity smaller than brute force over S.
- Session 1: R_1^{(1)} = f_1(C_1^{(1)}(S), S), …, R_t^{(1)} = f_t(C_t^{(1)}(S), S)
- …
- Session n: R_1^{(n)} = f_1(C_1^{(n)}(S), S), …, R_t^{(n)} = f_t(C_t^{(n)}(S), S)
- ⇒ S = ?  with complexity << #(S)
- (An equivalent of S is sufficient: any S* ≡ S that produces the same responses.)
An asymmetric war
- Security requires f_i(C_i(S), S) to be sufficiently complicated for observers to calculate S out of a number of (C_i(S), R_i) pairs.
- Usability requires f_i(C_i(S), S) to be sufficiently simple for humans to understand and execute.
- Observers are computationally bounded adversaries, but they have access to computers as auxiliary computing resources.
- Human users have only their brains as computing resources.
- The only advantage human users have is knowledge of S.
- ⇒ We need a human-executable one-way function.
A large number of attacking strategies!
- Random guess (baseline "attack")
- Statistical attacks (frequency analysis)
- Algebraic attacks
- Intersection attacks
- Divide and conquer attacks
- SAT solver based attacks
- Meet-in-the-middle attacks
- Side channel attacks
- Human behaviour related attacks
- "Smarter" brute force attacks
- Partially-known-password attacks
- …
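A toy ORPS and the observer's attack on it, as an added example (it is none of the published schemes compared below, and the scheme, the parameters N = 20, k = 3 and the user's secret are constructed). Human side: the secret S is k of N objects; each session the verifier labels every object with a random digit (the challenge C(S)), and the human answers with the sum of the digits on its k secret objects mod 10 (the response f(C(S), S)): a few additions, no device. Observer side: record the (challenge, response) pairs and keep only the candidate secrets consistent with all of them, a brute force over #(S) that reuses every observed session. It shows why a human-executable f that is a short sum is not one-way enough.

```python
"""Toy observer-resistant password system and the observer's candidate-elimination attack
(added example, not one of the schemes in the literature)."""
import itertools
import random
from math import comb
from typing import Dict, List, Sequence, Set, Tuple

N_OBJECTS, K_SECRET, MODULUS = 20, 3, 10        # constructed parameters
Secret = Tuple[int, ...]


def make_challenge(rng: random.Random) -> List[int]:
    """Verifier: a fresh random digit on each of the N objects."""
    return [rng.randrange(MODULUS) for _ in range(N_OBJECTS)]


def human_response(secret: Secret, challenge: Sequence[int]) -> int:
    """f(C(S), S): sum of the digits shown on the secret objects, mod 10."""
    return sum(challenge[i] for i in secret) % MODULUS


def run_session(secret: Secret, rng: random.Random, t: int = 3) -> List[Tuple[List[int], int]]:
    """One authentication session = t challenge-response pairs, all visible to the observer."""
    pairs = []
    for _ in range(t):
        challenge = make_challenge(rng)
        pairs.append((challenge, human_response(secret, challenge)))
    return pairs


def observer_attack(pairs: Sequence[Tuple[List[int], int]]) -> Set[Secret]:
    """Keep every k-subset of objects that would have produced all observed responses.
    f is public (Kerckhoffs); only S is secret, so the observer can evaluate f itself."""
    candidates = set(itertools.combinations(range(N_OBJECTS), K_SECRET))
    for challenge, response in pairs:
        candidates = {c for c in candidates if human_response(c, challenge) == response}
    return candidates


def demo(seed: int = 2017) -> Dict[str, object]:
    """Observe sessions until a single candidate survives; report the cost on both sides."""
    rng = random.Random(seed)
    secret: Secret = (2, 7, 13)                  # constructed user secret
    observed: List[Tuple[List[int], int]] = []
    sessions = 0
    while True:
        observed += run_session(secret, rng)
        sessions += 1
        survivors = observer_attack(observed)
        if len(survivors) == 1:
            break
    return {
        "password_space": comb(N_OBJECTS, K_SECRET),   # brute-force cost with no observation
        "guess_success_per_session": MODULUS ** -3,     # random-guess baseline for t = 3
        "sessions_observed": sessions,
        "recovered": survivors.pop(),
        "secret": secret,
    }


if __name__ == "__main__":
    print(demo())
```

Each observed pair eliminates about nine tenths of the remaining 1,140 candidates, so one or two sessions (three to six pairs) are enough to pin S down, while the legitimate user does three additions per response; this is the asymmetry the previous slide describes, and the published schemes in the table that follow only push the number of sessions into the tens or hundreds.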
Bad news: An unsolved open problem!
- 7 example ORPS schemes compared [Yan et al., NDSS 2012] (a smaller usability score is better)

ORPS scheme         Usability score   Security level
HB protocol (LPN)   33,874            No major attacks
APW protocol        18,787            No major attacks
CAS high             8,594            Best known attack: O(10) observed authentication sessions
CAS low              7,818            Best known attack: O(10) observed authentication sessions
Foxtail              3,513            Best known attack: O(100) observed authentication sessions
CHC                  1,575            Best known attack: O(10) observed authentication sessions
PAS                    924            Best known attack: O(10) observed authentication sessions

No ORPS proposed so far has a truly acceptable balance between security and usability yet!
Take-Home Message:
Human/User-Centric Security
Help users, not blame them!
How to help users?
- Better tools for all humans involved
- Better user interfaces
- More useful data
- More user control
- Visualisation & gamification
- Personalisation & contextualisation
- Human-in-the-loop
- …
- Better guidance for all humans involved
- Awareness campaigns, education, training, serious games, more user-friendly and consistent guidelines and policies, …
GCHQ/NCSC password guidance
We need more such GOOD
guidance.
Thanks for Your Attention!
ECG_Course_Presentation د.محمد صقران ppt
Cell Membrane: Structure, Composition & Functions
Introduction to Fisheries Biotechnology_Lesson 1.pptx

Human Factors in Cyber Security: User authentication as a use case

  • 1. IEEE SMC Society Summer School on Human Factors in Systems Safety and Security 2017 Human Factors in Cyber Security: User Authentication as a Use Case Dr Shujun LI (李树钧) Deputy Director, Surrey Centre for Cyber Security (SCCS) Reader, Department of Computer Science University of Surrey http://www.hooklee.com/ @hooklee75
  • 2. Humans = The Weakest Link?
  • 3. 3 Security is a process, NOT a product. - A product is secure. → A process is secure. - Bruce Schneier, Secrets and Lies: Digital Security in a Networked World, John Wiley & Sons, Inc., 2004
  • 4. 4 Social engineering does work well! - Hackers only need to break the weakest link in a process – humans! - Weak human users vs. Strong hackers
  • 5. 5 A real hacker’s testimony Testifying before Congress not long ago, I explained that I could often get passwords and other pieces of sensitive information from companies by pretending to be someone else and just asking for it. Kevin D. Mitnick and William L. Simon The Art of Deception: Controlling the Human Element of Security, John Wiley & Sons Inc., 2003
  • 6. 6 Social engineering everywhere: Phishing, SMiShing, vishing, … - Getting your password from you.
  • 7. 7 A recent book on social engineering - Christopher Hadnagy, Social Engineering: The Art of Human Hacking, John Wiley & Sons, Inc., 2010
  • 8. 8 Different kinds of weak humans - Weak designers - Weak programmers - Weak assemblers - Weak distributors - Weak deployers - Weak maintainers - Weak users - Weak … → Security holes in the delivered products → Security holes in the deployed system (exploited by strong hackers)
  • 9. 9 Are you a weak link of your system? - Have you installed any encryption software (such as GPG) for your email client or your web browser (for web mail)?
  • 10. 10 Are you a weak link of your system? - For those who said YES for the previous question: How often do you use the above encryption software to protect your personal emails?
  • 11. 11 Are you a weak link of your system? - Do you know how digital certificates are used with secure web sites such as online banking sites?
  • 12. 12 Are you a weak link of your system? - If YES to the previous question: How often do you check digital certificate’s contents against the claimed owner?
  • 13. 13 Are you a weak link of your system? - Have you seen a web browser warning about a digital certificate used by a website (untrusted issuer, expired or self-signed certificate, etc.)?
  • 14. 14 Are you a weak link of your system? - If YES to the previous question: Did you choose to ignore the web browser warning(s) because you felt you could trust the website(s) you were visiting?
  • 15. 15 Are you a weak link of your system? - Have you written one or more of your passwords down (on paper, on mobile phone, …) at least once to avoid forgetting them?
  • 16. 16 Are you a weak link of your system? - Are you reusing passwords over multiple web sites? - SSO (Single-Sign-On) passwords are not counted.
  • 17. Security vs. Usability Dilemma
  • 18. 18 What does security mean? - The classic CIA/AIC triad: Confidentiality, Integrity, Availability - Many extensions - PAIN: Privacy, Availability/Authentication, Integrity, Non-Repudiation - 4A model: Authentication, Authorization, Availability, Authenticity - 5A model: Admissibility, Authentication, Authorization, Availability, Authenticity - Parkerian Hexad: Confidentiality, Possession or Control, Integrity, Authenticity, Availability, Utility (Usefulness) - Information Assurance & Security (IAS) Octave (2013): confidentiality, integrity, availability, privacy, authenticity & trustworthiness, non-repudiation, accountability and auditability - Different attacks and threats are behind those terms.
  • 19. 19 More security principles - OECD Guidelines for the Security of Information Systems and Networks (2002): 9 principles - Awareness, Responsibility, Response, Ethics, Democracy, Risk Assessment, Security Design and Implementation, Security Management, and Reassessment - NIST Special Publication 800-27 Engineering Principles for Information Technology Security (A Baseline for Achieving Security), Revision A (2004): 33 principles - 4 in security foundations - 7 risk based - 4 about ease of use (usability) - 8 about resilience - 6 about reducing vulnerability - 4 about network
  • 20. 20 What does usability mean? - ISO standards (ISO/TC 159/SC 4) - ISO 9241 Ergonomics of human-system interaction (a series) - ISO 9241-11 Guidance on Usability: “The extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction in a specified context of use.” - Effectiveness: “accuracy and completeness with which users achieve specified goals” (normally measured by “success rate”) - Efficiency: “resources expended in relation to the accuracy and completeness with which users achieve goals” - Satisfaction: “freedom from discomfort, and positive attitudes towards the use of the product” (good user experience as a whole) - ISO 11064 Ergonomic design of control centres (multi-part) - ISO 14915 Software ergonomics for multimedia user interfaces - A 2006 (good even though a bit outdated) overview of such standards can be found at Usability Net.
  • 21. 21 What does usability mean? My personal views on usability in the context of cyber security: - Psychological Acceptability - A computer system should be designed for easy and correct use with a reasonably low error rate by all legitimate users of the system. - Economic Acceptability - A computer system should be acceptable to target organisations and end users with reasonable (application-dependent!) costs. - Reconfigurability/Scalability/Sustainability/Manageability/Deployability/Portability/… - Accessibility = Usability for the Disabled - …
  • 22. 22 Security-usability dilemma - Security is often NOT what users want – users want their work done and they don’t know what security really means! - Security often requires users to make HARD decisions, but they do NOT have enough time or experience! - Higher security often requires more computation. → Higher costs, slower process, more difficult to understand and use, user’s tendency to misuse (intentional or unintentional), … - Large systems involve many components and different groups of users. → Requirements of different components and users may conflict. - Different aspects (C, I, A) of security may conflict with each other as well, which further complicates the problem. - …
  • 23. User Authentication: (Textual) Passwords (inc. PINs)
  • 25. 25 How many passwords are there? - 4 digits (PINs): 10^4 = 10 thousand ≈ 2^13.3 - 6 digits (PINs): 10^6 = 1 million ≈ 2^20 - Lowercase letters only, 7 characters: 26^7 ≈ 8 billion ≈ 2^33 - Lowercase letters + digits, 7 characters: 36^7 ≈ 78.4 billion ≈ 2^36 - Lowercase & uppercase letters + digits, 7 characters: 62^7 ≈ 3.5 trillion ≈ 2^41.7 - Lowercase & uppercase letters + digits, 11 characters: 62^11 ≈ 52 quintillion ≈ 2^65.5
  • 26. 26 How fast are today’s supercomputers? 10 EFlops = 10^19 ≈ 2^63
  • 27. 27 What passwords are being used? - Dinei Florêncio and Cormac Herley, “A Large- Scale Study of Web Password Habits,” in Proc. WWW 2007, W3C/ACM - Real passwords collected from 544,960 web users in three months in 2006.
  • 28. 28 What (4-digit) PINs are being used? - DataGenetics, PIN analysis, 3rd September 2012 - 3.4 million leaked passwords composed of 4 digits. - Frequent patterns: xy00, 9999, 00xy, 19xy, mmdd, xyxy
  • 29. 29 Password cracking: 1979 - R. Morris and K. Thompson, “Password security: A case history,” Communications of the ACM, vol. 22, no. 11, 1979 - In a collection of 3,289 passwords… - 15 were a single ASCII character - 72 were strings of two ASCII characters - 464 were strings of three ASCII characters - 477 were strings of four alphamerics - 706 were five letters, all upper-case or all lower-case - 605 were six letters, all lower-case - 492 appeared in dictionaries, name lists, and the like - In total 2,831 of the 3,289 passwords (86%)
  • 30. 30 Password cracking: 1990 - Daniel V. Klein, “Foiling the Cracker: A Survey of, and Improvements to, Password Security,” in Proc. USENIX Workshop on Security, 1990 - In a set of 15,000 passwords - 25% were cracked within 12 CPU months - 21% were cracked in the first week - 2.7% were cracked within the first 15 minutes
  • 31. 31 Password cracking: 2005 - Arvind Narayanan and Vitaly Shmatikov, “Fast dictionary attacks on passwords using time-space tradeoff,” in Proc. CCS’2005, ACM - In a collection of 142 real user passwords - 67.6% (96) were cracked with a searching complexity of 2.17×10^9 ≈ 2^31
  • 32. 32 Password cracking: 2013 - Dan Goodin, “Anatomy of a hack: How crackers ransack passwords like ‘qeadzcwrsfxv1331’,” Ars Technica, 28 May 2013 - Three professional crackers were given 16,449 hashed passwords and the best of them was able to crack 90% of the passwords. - Remark 1: All the passwords are considered harder ones because they are what remained uncracked in a much larger database of leaked passwords. - Remark 2: Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, was able to crack around 50% of the passwords within a few hours.
  • 33. 33 How modern password cracks work - hashcat as an example - Dictionary attack: trying all words in a list; also called “straight” mode - Combinator attack: concatenating words from multiple wordlists (mode 1) - Brute-force attack (a.k.a. Mask attack): trying all characters from given charsets, per position (mode 3) - Hybrid attack: combining wordlists+masks (mode 6) and masks+wordlists (mode 7); can also be done with rules - Rule-based attack: applying rules to words from wordlists; combines with wordlist-based attacks (attack modes 0, 6, and 7)
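To make the attack modes on this slide concrete, here is a toy cracker written for this page (it is not hashcat and not part of the original slides) that implements the same five modes against a constructed set of unsalted SHA-256 digests. The wordlists, rules, mask charsets and target passwords are all made up for the example; the rule syntax is a small subset of hashcat's.

```python
import hashlib
import itertools

# Constructed sample: unsalted SHA-256 digests of five weak passwords
# (chosen for this example, not taken from any real leak).
TARGET_PLAINTEXTS = ["password", "Password1", "letmein!", "1234", "summer2017"]
TARGETS = {hashlib.sha256(p.encode()).hexdigest() for p in TARGET_PLAINTEXTS}

WORDLIST = ["password", "letmein", "summer", "winter", "dragon"]  # "straight" wordlist
SUFFIX_WORDS = ["2017", "123"]                                     # second list for mode 1
# Per-position charsets, named like hashcat's built-in ones (?l ?d ?s).
CHARSETS = {"?l": "abcdefghijklmnopqrstuvwxyz", "?d": "0123456789", "?s": "!@#$%"}


def apply_rule(word, rule):
    """Apply a subset of hashcat's rule language: ':' no-op, 'l' lower, 'u' upper,
    'c' capitalise, 'r' reverse, '$X' append X, '^X' prepend X."""
    i = 0
    while i < len(rule):
        op = rule[i]
        if op == ":":
            pass
        elif op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":
            word = word[:1].upper() + word[1:].lower()
        elif op == "r":
            word = word[::-1]
        elif op in "$^":
            i += 1
            word = word + rule[i] if op == "$" else rule[i] + word
        else:
            raise ValueError(f"unsupported rule op {op!r}")
        i += 1
    return word


def mask_candidates(mask):
    """Mode 3: expand a mask such as '?d?d?d?d' into every string it matches."""
    tokens = [mask[i:i + 2] for i in range(0, len(mask), 2)]
    return ("".join(t) for t in itertools.product(*(CHARSETS[t] for t in tokens)))


def combinator(left, right):          # mode 1: every left word + every right word
    return (a + b for a in left for b in right)


def with_rules(words, rule_list):     # mode 0 with -r: every word through every rule
    return (apply_rule(w, r) for w in words for r in rule_list)


def hybrid_word_mask(words, mask):    # mode 6 (mode 7 would be mask + word)
    return (w + m for w in words for m in mask_candidates(mask))


def crack(candidates, targets):
    """Hash every candidate (fast, unsalted hash) and return {digest: plaintext} hits."""
    found = {}
    for cand in candidates:
        digest = hashlib.sha256(cand.encode()).hexdigest()
        if digest in targets:
            found[digest] = cand
    return found


def run_all():
    """Run the attack modes in the usual cheap-to-expensive order; return recovered plaintexts."""
    found = {}
    found.update(crack(WORDLIST, TARGETS))                                  # straight
    found.update(crack(with_rules(WORDLIST, [":", "c$1", "$!", "u"]), TARGETS))
    found.update(crack(combinator(WORDLIST, SUFFIX_WORDS), TARGETS))
    found.update(crack(mask_candidates("?d?d?d?d"), TARGETS))              # all 10^4 PINs
    found.update(crack(hybrid_word_mask(WORDLIST, "?d?d?d?d"), TARGETS))   # word + 4 digits
    return set(found.values())


if __name__ == "__main__":
    print(sorted(run_all()))
```

The whole run is a few hundred thousand SHA-256 calls, which is why "Password1" and "summer2017" fall in well under a second: the rule and hybrid modes encode exactly the habits the 1979-2013 studies above describe. A salted, deliberately slow hash (bcrypt, scrypt, Argon2) does not change which passwords are guessable, only the cost per guess.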
  • 34. 34 What can we learn from reality? - The security-usability dilemma - Stronger passwords are more secure but harder for humans to remember. - Weaker passwords are easier for humans to remember but also easier to crack. - Strong passwords for humans ≠ Strong passwords for automated password crackers - End users have a tendency to choose usability over security: using easy-to-remember passwords. - End users have not changed their ways of using (weak) passwords very much since the 1970s!
  • 35. User Authentication: Solutions to Textual Passwords?
  • 36. 36 Password checkers - A password checker checks the strength of a given password and warns the user about its weakness. - Proactive password checkers work at the client side when the user is entering his/her password. - Reactive password checkers work at the server side after the user set his/her passwords (by scanning all passwords of all users). - All password checkers are based on one or more password meters which estimate the strength of any passwords given, but there are also standalone password meters.
  • 37. 37 Password managers - A password manager is a software/hardware tool managing credentials of multiple accounts of the user. - A master password is normally required to manage all passwords. - Local password managers run from a local computer (could be a smart phone) and store the data locally. - Web-based password managers run from the Web or the cloud and store the data remotely in a remote web site. - Cloud-based password managers run from local computer or the Web and store the data remotely in a cloud. - Data across devices could be synchronized.
  • 38. 38 Strong password policies - Minimum length - Minimum password strength estimated by a password meter - Blacklist of forbidden passwords - Dictionary words, old passwords, personal information, … - Mixed cases - Alphanumeric - Special characters - Regular password expiration - …
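A proactive checker (slide 36) is where a policy like the one on slide 38 actually gets enforced. The following is an added illustration, not code from the slides or from any product: a small checker that applies a length floor, a blacklist (with trailing-digit stripping and crude leet-speak normalisation), a personal-information check, an old-password check, and a naive character-class strength estimate. The blacklist and the test passwords are constructed for the example.

```python
import math
import re

# Constructed stand-in for a leaked-password list / dictionary.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "summer2017"}
# Undo the usual substitutions so "P@ssw0rd" is recognised as "password".
LEET = str.maketrans("0134578@$!", "oleastbasi")


def charset_size(pw):
    """Size of the smallest standard charset that contains every character of pw."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33
    return size


def naive_bits(pw):
    """What most meters report: log2 of the brute-force space for this length/charset.
    It is an upper bound only; it ignores that humans choose structured strings."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def check_password(pw, personal_info=(), old_passwords=(), min_length=12, min_bits=50):
    """Proactive checker: return the list of policy violations (empty list = accepted)."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    norm = pw.lower()
    if norm.translate(LEET) in COMMON_PASSWORDS:
        problems.append("in blacklist of common passwords")
    stripped = re.sub(r"\d+$", "", norm).translate(LEET)   # 'p@ssw0rd2017' -> 'password'
    if stripped in COMMON_PASSWORDS:
        problems.append("common password with digits appended")
    for item in personal_info:
        if len(item) >= 3 and item.lower() in norm:
            problems.append(f"contains personal information {item!r}")
    if pw in old_passwords:
        problems.append("reuses an old password")
    if naive_bits(pw) < min_bits:
        problems.append(f"estimated strength below {min_bits} bits")
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd2017", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(candidate, naive_bits(candidate), check_password(candidate))
```

The instructive case is "P@ssw0rd2017": the character-class meter credits it with about 79 bits, yet it is a blacklisted word with a year appended, which the rule "c$1"-style cracking above finds in a handful of guesses. Strength is a property of the attacker's guess order, not of the character classes, so a checker should always run the blacklist before it trusts a meter.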
  • 45. User Authentication: Graphical Passwords
  • 46. 46 Why may graphical passwords help? - An old saying: “A picture is worth a thousand words.”
  • 47. 47 Why may graphical passwords help? - 一图胜千言。
  • 48. 48 Why may graphical passwords help? - Graphics and images contain richer information than text, and are harder to describe exactly for both humans and computers. - ✓ Larger password space - ✓ Fewer weak passwords - ✓ More difficult to construct a dictionary - ✓ Easier to remember and harder to forget - ✓ Harder to tell to others (at least via phone ☺) - ✓ A better balance between usability and security?
  • 49. 49 Yet another advantage - Graphical passwords are more secure against side channel attacks: - Martin Vuagnoux and Sylvain Pasini, “Compromising Electromagnetic Emanations of Wired and Wireless Keyboards,” in Proc. USENIX Security Symposium 2009 - Kehuan Zhang and XiaoFeng Wang, “Peeping Tom in the Neighborhood: Keystroke Eavesdropping on Multi- User Systems,” Proc. USENIX Security Symposium 2009
  • 50. 50 A classification of graphical passwords - Class 1: Drawing-based passwords - Class 2: Location-based graphical passwords - Class 3: Recognition-based graphical passwords - Class X: Hybrid graphical passwords?
  • 51. 51 Class 1: DAS (Draw-A-Secret) - I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter and A. D. Rubin, “The Design and Analysis of Graphical Passwords,” in Proc. USENIX Security Symposium 1999 (Best paper and best student paper awards!)
  • 52. 52 Class 1: Android unlocking patterns - A variant of DAS has been adopted by Google for its Android OS as an unlocking scheme and widely used by Android users.
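How large is the password space of this DAS variant? The enumeration below is an added example (not from the slides) that encodes the Android rules as commonly documented: a pattern visits 4 to 9 distinct dots of the 3×3 grid, and a stroke may only pass over an unvisited dot if that dot has already been used (otherwise the UI snaps to it). It counts every valid pattern and also validates a single pattern.

```python
import math

GRID = 3
N = GRID * GRID  # dots numbered 0..8, row-major


def _midpoint(a, b):
    """The dot lying exactly halfway between dots a and b, or None if there is none."""
    ra, ca = divmod(a, GRID)
    rb, cb = divmod(b, GRID)
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None
    return ((ra + rb) // 2) * GRID + (ca + cb) // 2


def is_valid(pattern):
    """True if the dot sequence is a legal unlock pattern under the rules above."""
    if not 4 <= len(pattern) <= N or len(set(pattern)) != len(pattern):
        return False
    visited = set()
    for prev, nxt in zip(pattern, pattern[1:]):
        visited.add(prev)
        mid = _midpoint(prev, nxt)
        if mid is not None and mid not in visited:
            return False  # would jump over an unvisited dot
    return True


def _extend(path, visited, counts):
    """Depth-first enumeration of every legal continuation of `path`."""
    if len(path) >= 4:
        counts[len(path)] += 1
    if len(path) == N:
        return
    last = path[-1]
    for nxt in range(N):
        if nxt in visited:
            continue
        mid = _midpoint(last, nxt)
        if mid is not None and mid not in visited:
            continue
        visited.add(nxt)
        path.append(nxt)
        _extend(path, visited, counts)
        path.pop()
        visited.remove(nxt)


def count_patterns():
    """Number of legal patterns, keyed by length (4..9)."""
    counts = {k: 0 for k in range(4, N + 1)}
    for start in range(N):
        _extend([start], {start}, counts)
    return counts


def pattern_space_bits():
    return math.log2(sum(count_patterns().values()))


if __name__ == "__main__":
    print(count_patterns(), round(pattern_space_bits(), 2))
```

The full space is 389,112 patterns, about 2^18.6, i.e. already smaller than a 6-digit PIN; the Uellenbeck et al. result on slide 61 shows that the patterns users actually choose cover a far smaller fraction of even that.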
  • 53. 53 Class 2: PassPoints - S. Wiedenbeck, J. Waters, J.-C. Birget, A. Brodskiy and N. Memon, “PassPoints: Design and longitudinal evaluation of a graphical password system,” Int. J. Human-Computer Studies, Vol. 63, pp. 102-127, 2005, Elsevier
  • 54. 54 Class 3: Passfaces and DéjàVu - Passfaces™ - DéjàVu (Dhamija & Perrig, USENIX Security 2000), using random art (http://www.random-art.org)
  • 55. 55 Users’ choices are not random! - Darren Davis, Fabian Monrose and Michael K. Reiter, “On User Choice in Graphical Password Schemes,” in Proc. USENIX Security Symposium 2004 Users tend to choose faces of beautiful women and/or of people in their own race.
  • 56. 56 Dictionary attacks come back! - Julie Thorpe and P.C. van Oorschot, “Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords,” in Proc. USENIX Security Symposium 2007 - A dictionary of click points (hotspots) can be harvested from a set of human users (at the attacker’s disposal), or automatically determined by some image processing algorithms. - For the automated attack, 8% of passwords were cracked within 2^32 guesses.
  • 57. 57 Dictionary attacks come back! - Amirali Salehi-Abari, Julie Thorpe, and P.C. van Oorschot, “On Purely Automated Attacks and Click-Based Graphical Passwords,” in Proc. ACSAC’2008, IEEE Computer Society - An improved dictionary attack: 16% of passwords cracked using a dictionary of fewer than 2^31.4 entries.
  • 58. 58 Dictionary attacks come back! - P.C. van Oorschot, Amirali Salehi-Abari and Julie Thorpe, “Purely Automated Attacks on PassPoints-Style Graphical Passwords,” IEEE Trans. Information Forensics and Security, 5(3), 2010 - Improved dictionary attacks: 7-16% of passwords cracked using a dictionary of 2^26 entries, 48-54% using a dictionary of 2^35 entries.
  • 59. 59 Dictionary attacks come back! - Julie Thorpe, P.C. van Oorschot, “Graphical Dictionaries and the Memorable Space of Graphical Passwords,” in Proc. USENIX Security Symposium 2004 - Mirror symmetric DAS passwords are used to construct a dictionary The sub-password-space is exponentially smaller than the full space.
  • 60. 60 Dictionary attacks come back! - Ziming Zhao, Gail-Joon Ahn, Jeong-Jin Seo, Hongxin Hu, “On the Security of Picture Gesture Authentication,” in Proc. USENIX Security Symposium 2013 - 10K Windows 8 picture passwords were collected from 800 users. - A training-based approach: 24% of passwords cracked in one database with a dictionary of size 2^19 (total password space 2^31).
  • 61. 61 Dictionary attacks come back! - Sebastian Uellenbeck, Markus Dürmuth, Christopher Wolf, and Thorsten Holz, “Quantifying the Security of Graphical Passwords: The Case of Android Unlock Patterns,” in Proc. ACM CCS 2013 - High bias in the pattern selection process - Security equivalent to three-digit PINs for guessing 20% of all pass- patterns
  • 62. 62 Usability problems! - Karen Renaud and Antonella De Angeli, “My password is here! An investigation into visuo-spatial authentication mechanisms,” Interacting with Computers, vol. 16, pp. 1017-1041, Elsevier, 2004 - Problem 1: the incredible difficulty related to choosing the background image. - Problem 2: the user’s difficulty in pin-pointing a good pass-point. - → “The cognitive aspects of visual information processing would appear to make the use of spatial position untenable for authentication systems.”
  • 63. User Authentication: Biometrics
  • 64. 64 Three main classes of biometrics - Physical Biometrics - Fingerprint, palm, hand geometry, iris, retina, … - Behavioural Biometrics - Handwriting, signature, speech, gait, mouse/keystroke dynamics, … - Chemical/Biological Biometrics - Perspiration, skin luminescence, DNA, body odour, … This one is often forgotten (or ignored) in common definitions of biometrics because it is less used in computers.
  • 65. 65 Biometrics for user authentication - Input: live template, ID Data Acquisition Database Feature Extraction Comparison Decision ID Biometric Data Template Enrolled Template Measure of Similarity Same / Different
  • 66. 66 Performance evaluation: Security vs. Usability - False match rate = False accept rate (FAR = False positive rate): User 1 is verified/identified as User 2. - False non-match rate = False reject rate (FRR = False negative rate): User 1 is not verified/identified as User 1. - Failure to enroll (FTE) rate - [Figure: two overlapping score distributions, “real non-match” and “real match”, with a decision threshold; the part of the non-match distribution above the threshold is the false-match region, the part of the match distribution below it the false-non-match region.]
  • 67. 67 A major challenge: Spoofing - Many biometric modalities can be easily spoofed. - Fingerprint, face, speech, … - Liveness detection is being used to detect spoofing, but …
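The threshold figure on slide 66 is easier to reason about with numbers. This added example (not from the slides; the ten genuine and ten impostor similarity scores are constructed) computes FAR and FRR as functions of the decision threshold, finds the equal error rate, and shows what a zero-FAR operating point costs in rejected genuine users.

```python
# Constructed matcher output on a 0..1 similarity scale: ten attempts by the enrolled
# user ("real match") and ten by other people ("real non-match").
GENUINE = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.74, 0.70, 0.66, 0.58]
IMPOSTOR = [0.12, 0.18, 0.25, 0.31, 0.38, 0.44, 0.51, 0.60, 0.63, 0.72]


def far(threshold, impostor=IMPOSTOR):
    """False accept rate: fraction of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False reject rate: fraction of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def candidate_thresholds(genuine=GENUINE, impostor=IMPOSTOR):
    """FAR/FRR only change at observed scores, so these are the thresholds worth trying."""
    return sorted(set(genuine) | set(impostor))


def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold where FAR and FRR are closest, with the two rates at that point."""
    best = min(candidate_thresholds(genuine, impostor),
               key=lambda t: abs(far(t, impostor) - frr(t, genuine)))
    return best, far(best, impostor), frr(best, genuine)


def operating_point(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold that meets a FAR budget (security) and the FRR it costs (usability)."""
    for t in candidate_thresholds(genuine, impostor):
        if far(t, impostor) <= max_far:
            return t, far(t, impostor), frr(t, genuine)
    return None


if __name__ == "__main__":
    for t in (0.5, 0.66, 0.74):
        print(f"threshold {t:.2f}: FAR {far(t):.2f}  FRR {frr(t):.2f}")
    print("EER:", equal_error_rate())
    print("zero-FAR operating point:", operating_point(0.0))
```

With these scores the EER sits at threshold 0.66 (10% each way); demanding FAR = 0 pushes the threshold to 0.74 and rejects 30% of genuine attempts. That is the security-usability dilemma in one table, and it is the reason vendors quote FAR and FRR at a stated threshold rather than a single "accuracy".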
  • 68. 68 Multimodal biometrics - Use more than one biometric technology. - Can be more accurate than a single biometric technology. - Can lower failure to enroll and failure to acquire. - If one biometric template cannot be measured, switch to the other. - Increase the population coverage. - More difficult to spoof the system. - Interface is more complicated. - More difficult to manage. - Cost will be higher. - Why more if less is sufficient or nothing is sufficient?
  • 69. 69 Why biometrics? - Intrinsic features of human users so no need to create one. - Intrinsic features of human users so cannot be forgotten or lost. - Can be more difficult (may still be possible) to steal. - Can be more difficult to forge than non-biometric ones. - Can be more secure than non-biometric systems. - Accuracy high enough for some biometric systems (iris, fingerprint, face) - Human user identification is possible without a given ID. - …
  • 70. 70 Why not biometrics? - Many biometric systems are NOT secure! - May cause privacy issues: biometric features can be misused. - Private/Anonymous biometrics can mitigate this problem. - Can cause danger to owners of biometric features. - Example: in 2005, Malaysian car thieves cut off the finger of a Mercedes-Benz S-Class owner when attempting to steal the car. - Cannot be easily changed or replaced. - Cancellable biometrics can solve this problem by applying a reconfigurable distortion to biometric features. - Device dependent: a biometric device is always required to capture biometric features. - …
  • 71. User Authentication: Even More Solutions
  • 72. 72 One-time passwords (OTPs) - Paper-based OTPs (e.g. iTANs used by German banks) - SMS-based OTPs - Now discouraged due to its insecurity - OTPs generated by mobile apps - OTPs generated by special hardware devices (OTP generators like RSA® SecurID hardware tokens) - OTPs generated from a static password and a random challenge (e.g. GrIDsure) - Not true OTPs!
  • 73. 73 Challenge-response protocols - A secret S (password) shared between prover/human (H) and verifier/computer (C) - Authentication is a challenge-response protocol - C → H: t challenges C1(S), …, Ct(S) - H → C: t responses R1 = f1(C1(S), S), …, Rt = ft(Ct(S), S) - C: Accept H only if all the t responses are correct. - Responses are normally computed by a hardware token or a bespoke software tool (e.g. a mobile app).
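The app- and token-generated OTPs of slide 72 are an instance of the protocol on slide 73 with t = 1, where the "challenge" is a counter (HOTP, RFC 4226) or the current 30-second time step (TOTP, RFC 6238) that both sides can derive without the server sending anything. The implementation below is added here to show the mechanism (it is not code from the slides), built only from the Python standard library; the verification window and constant-time compare are the two details a server-side check must not skip.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226 HOTP: dynamic truncation of HMAC(secret, counter) to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)                        # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algorithm).digest()
    offset = mac[-1] & 0x0F                                 # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6, algorithm="sha1", t0=0):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    if for_time is None:
        for_time = time.time()
    counter = int((for_time - t0) // step)
    return hotp(secret, counter, digits, algorithm)


def verify_totp(secret, candidate, for_time=None, window=1, **kw):
    """Server-side check: accept the code for the current step or `window` steps either
    side (clock skew), comparing in constant time. A real server must additionally
    remember the last accepted step so the same code cannot be replayed."""
    if for_time is None:
        for_time = time.time()
    step = kw.get("step", 30)
    for skew in range(-window, window + 1):
        expected = totp(secret, for_time + skew * step, **kw)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test-vector key (ASCII "12345678901234567890").
    demo_secret = b"12345678901234567890"
    print(hotp(demo_secret, 0), totp(demo_secret, for_time=59, digits=8))
```

The shared secret is the whole security of the scheme: whoever extracts it (from a weakly protected phone backup, or from the server's database) can generate every future code, which is why a mobile-app OTP is only as strong as the device protection discussed on slide 75.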
  • 74. 74 Hardware tokens: problems? - Higher costs - Tokens, infrastructure, training, … - Always need to bring them - Need theft / lost protection (passwords/PINs!) - Nightmare of many hardware tokens - Is it worse than many passwords? - When a mobile device is used as the hardware token, it becomes a software based solution! - …
  • 75. 75 Mobile devices: problems? - They are not really secure! - You still need a passcode, a PIN, an unlock pattern or a biometric-based user authentication scheme to protect it!
  • 76. 76 Context-based authentication - Location → Environment / Context → Behaviour - Problem: They (even Google’s) are FAR from intelligent enough.
  • 77. 77 Multi-factor authentication (MFA) - Four factors 1. What you know (knowledge-based) 2. What you have / possess (hardware token based) 3. Who you are (biometrics) 4. Where you are (context) - It has been required or recommended that at least two factors be used for important accounts. - The Payment Card Industry Data Security Standard (PCI DSS) now requires two of the first three factors. - Surrey’s new remote access service now requires two factors (password + phone-based OTP) after being heavily attacked by phishers.
  • 78. 78 Single Sign-On (SSO) - Using one authentication service to handle sign-on to many services (based on ticketing protocols). - Reduces the number of credentials one must have. - Reduces the time to re-authenticate to multiple services. - No SSO can handle all services. → One still has to use multiple SSO services. → Some people call it Reduced Sign-On (RSO). - May be based on a single factor or multiple factors. - Examples - Social login (social sign-in): Facebook Connect, Google Account, LinkedIn SSO, Sina Weibo (新浪微博) SSO, … - Microsoft Azure Active Directory SSO support (e.g. Office 365) - University libraries - …
  • 79. 79 My personal recommendations - Use password managers as much as you can. - Use random passwords generated by password managers as much as you can. - Choose a VERY VERY VERY strong master password for your password manager! - Be aware biometrics can be broken! - Use MFA (especially hardware tokens) for important accounts (e.g. banking).
  • 80. A Brand New Solution? Pass∞ (PassInfinity)
  • 81. 81 Pass∞ (PassInfinity)? - A new technology being developed at Surrey - A UK patent application has been filed. - A market research project was funded by DCMS and Innovate UK. - It allows user-centric combinations of diverse authentication actions (across different factors), while keeping backward compatibility with textual passwords. - It can be seen as a password generator based on a multi-factor user authentication framework. - It empowers the user to remember a simple sequence of authentication actions (good usability) which lead to a strong password that is very difficult to crack (high security).
  • 83. 83 Client-server architecture Pass∞ can also be implemented purely at the client side e.g. on a mobile app working as an advanced password generator/manager. The password policy control can still work if external servers follow a standard to expose the policies.
  • 84. Observer-Resistant Password Systems (ORPSs)
  • 85. 85 Passwords and many observers! - Shoulder-surfers - Hidden cameras - Keyloggers and other password recording devices - Password stealing software tools - Attacks based on electromagnetic / optical / acoustic emanations - Phishers - Malware - Man-in-the-middle/browser/computer/phone - Public terminals (@ cafés, airports, hotels, …) - …
  • 86. 86 Passive vs. Active observers - Passive observers = Observers who only observe all authentication sessions passively (without manipulating any communications).
  • 87. 87 Passive vs. Active observers - Active observers = Observers who also try to manipulate the communications (e.g. to choose part of the authentication sessions). This is harder!
  • 88. 88 Manuel Blum’s words - HUMANOIDs is a protocol that allows a naked human inside a glass house to authenticate securely to a non-trusted terminal. “Naked” means that the human carries nothing: no smart cards, no laptops, no pencil or paper. “Glass house” means that anybody can see what the human is doing, including everything that the human is typing. - Special case: PhoneOIDs = HUMANOIDs over phone
  • 89. 89 Two basic requirements 1. The password should remain secret after a number of (ideally infinite or practically large) authentication sessions are observed by an untrusted party (= observer). 2. Any computation in the authentication process must be conducted by the human user alone. = The process should be human-executable. = Any computing devices beyond the human user’s brain are untrusted. Here, the word “password” is a loose term referring to a secret shared between a human user (client) and a computer verifier (server).
  • 90. 90 Modelling observers (main attacks) - The aim: Given n observed / chosen successful authentication sessions (= n·t challenge-response pairs), try to solve the secret S with a computational complexity smaller than brute force (of S). - Session 1: R1^(1) = f1(C1^(1)(S), S), …, Rt^(1) = ft(Ct^(1)(S), S) - … - Session n: R1^(n) = f1(C1^(n)(S), S), …, Rt^(n) = ft(Ct^(n)(S), S) - → S = ? with complexity << #(S) (An equivalent of S is sufficient: S* ≡ S.)
  • 91. 91 An asymmetric war - Security requires fi(Ci(S), S) to be sufficiently complicated for observers to calculate S from a number of (Ci(S), Ri) pairs. - Usability requires fi(Ci(S), S) to be sufficiently simple for humans to understand and execute. - Observers are computationally bounded adversaries, but they have access to computers as auxiliary computing resources. - Human users have only their brains as computing resources. - The only advantage human users have is knowledge of S. - → We need a human-executable one-way function.
  • 92. 92 A large number of attacking strategies! - Random guess (baseline “attack”) - Statistical attacks (frequency analysis) - Algebraic attacks - Intersection attacks - Divide and conquer attacks - SAT solver based attacks - Meet-in-the-middle attacks - Side channel attacks - Human behavior related attacks - “Smarter” brute force attacks - Partially-known-password attacks - …
  • 93. 93 Bad news: An unsolved open problem! - 7 example ORPS schemes compared [Yan et al. NDSS 2012] (a smaller usability score is better)

    ORPS scheme         Usability score   Security level
    HB protocol (LPN)   33,874            No major attacks
    APW protocol        18,787            No major attacks
    CAS high             8,594            Best known attack: O(10) observed authentication sessions
    CAS low              7,818            Best known attack: O(10) observed authentication sessions
    Foxtail              3,513            Best known attack: O(100) observed authentication sessions
    CHC                  1,575            Best known attack: O(10) observed authentication sessions
    PAS                    924            Best known attack: O(10) observed authentication sessions

    No ORPS proposed so far has a truly acceptable balance between security and usability!
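Slides 90 to 92 are abstract; the simulation below (added for this page, not from the slides) makes the observer model concrete on a constructed toy ORPS that resembles the "sum the digits on your pass-objects" family of cognitive schemes without being any specific published one. The user's secret is 4 of 16 objects; each challenge labels every object with a random digit; the human-executable response is the sum of the digits on the 4 secret objects mod 10. A passive observer who records (challenge, response) pairs runs a brute-force "algebraic" attack over all C(16,4) = 1820 candidate secrets, keeping only those consistent with every session seen.

```python
import itertools
import random

N_OBJECTS = 16   # objects on screen, numbered 0..15
K_SECRET = 4     # the user's secret: which 4 objects are "pass-objects"


def enrol(rng):
    """Pick the secret: a random K_SECRET-subset of the objects."""
    return frozenset(rng.sample(range(N_OBJECTS), K_SECRET))


def make_challenge(rng):
    """Challenge: every object is shown with a fresh random digit 0-9."""
    return [rng.randrange(10) for _ in range(N_OBJECTS)]


def human_response(secret, challenge):
    """What the user computes in their head: sum of the digits on the pass-objects, mod 10."""
    return sum(challenge[i] for i in secret) % 10


def verifier_accepts(secret, challenge, response):
    return human_response(secret, challenge) == response


def observer_attack(transcript):
    """Passive observer: keep every K-subset consistent with all observed
    (challenge, response) pairs. A wrong candidate agrees with a uniformly random
    challenge with probability 1/10, so each session cuts the survivors by ~10x."""
    candidates = [frozenset(c) for c in itertools.combinations(range(N_OBJECTS), K_SECRET)]
    for challenge, response in transcript:
        candidates = [c for c in candidates if human_response(c, challenge) == response]
    return candidates


def simulate(seed, max_sessions=12):
    """Run sessions until the observer is left with one candidate.
    Returns (recovered_secret_or_None, true_secret, sessions_observed)."""
    rng = random.Random(seed)
    secret = enrol(rng)
    transcript = []
    for n in range(1, max_sessions + 1):
        challenge = make_challenge(rng)
        response = human_response(secret, challenge)
        assert verifier_accepts(secret, challenge, response)   # the user logs in fine
        transcript.append((challenge, response))
        survivors = observer_attack(transcript)
        if len(survivors) == 1:
            return survivors[0], secret, n
    return None, secret, max_sessions


if __name__ == "__main__":
    recovered, secret, sessions = simulate(seed=7)
    print(sorted(secret), sorted(recovered), "sessions:", sessions)
```

Three or four observed logins are enough to pin the secret down, which is the "O(10) observed sessions" row of the comparison on slide 93. Enlarging the grid or the secret raises the observer's brute-force cost, but it raises the user's mental arithmetic at the same rate: exactly the asymmetry slide 91 describes.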
  • 94. Take-Home Message: Human/User-Centric Security
  • 95. 95 Help users, not blame them!
  • 96. 96 - Better tools for all humans involved - Better user interfaces - More useful data - More user control - Visualisation & gamification - Personalisation & contextualisation - Human-in-the-loop - … - Better guidance for all humans involved - Awareness campaigns, education, training, serious games, more user-friendly and consistent guidelines and policies, … How to help users?
  • 97. 97 GCHQ/NCSC password guidance We need more such GOOD guidance.
  • 98. Thanks for Your Attention!