Lecture slides

brasscoffeeAI and Robotics

Nov 17, 2013 (3 years and 1 month ago)

71 views

Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

1

Local
Authentication for
mobile devices

Andreas Heiner

Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

2

Authentication




Feeling secure





Being secure

Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

3

Overview


Cognition and Social dimension



Authentication


Alphanumeric


Graphical (recall)


Graphical (rule)


Graphical (secret)



Stepping back



Biometrics


CAPTCHAs

Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

4


Cognition and Social Dimension

Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

5

Human centric


Cognitive dimension


Attention to one task


Preventing psychological pitfalls


Information filtering


Observing, processing, attention span


Emotions: Feeling of security



Social dimension


Social embedding


Privacy


Economy


Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

6

Cognition / Vision


Salience


What pops out



Search


Analyze image



Notification


Focus v. Peripheral view


Colors and motions


Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

7


Cognition / Vision

Find the painting and the mug

Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

8

Cognition / Memory


Memory


Sensory


Short
-
term


Permanent


Flash memory



Memory different for different senses


Short
-
term: vocal content > images


Long
-
term: images >> vocal content



Forgetting


Mnemonic training


Spaced repetition


Is it interesting


interference

Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

9

Cognition / Psychology



Positive outcome bias (wishful thinking)



Illusory superiority



Feel secure


Lock front door, not backdoor


Visible


invisible


Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

10

Social dimension



Impersonation



Social pressure


“Not done”


“Not invited for a birthday”




Who’s the real one?

Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

11


Authentication

Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

12

Authentication


Typical (future) use


Photos, Facebook


PIM ((alendar, addresses)


Company data


E
-
banking, E
-
payment, E
-
government


E
-
health (insurance companies)





Design criteria


What do we use it for?


What is “acceptable loss”


Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

13

Authentication


Attack models


Stealing / Physical force


Lunchtime attack


intersection attack


shoulder surfing


SAT attack


Brute force




Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

14

Authentication


Level 1


Minimal Assurance


Little or no assurance on the asserted identity


Authentication Error might at worst result in minimal inconvenience, financial loss,
distress, damage to reputation


no risk of harm to agency programs or public interests, release of sensitive
information, civil or criminal violations or to personal safety



Typical PIN
-
security

Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

15

Authentication



Level 2


Low Assurance


“On the balance of probabilities” there is confidence in the asserted identity


Authentication Error might at worst result in minor inconvenience, financial loss,
distress, damage to reputation


no risk of harm to agency programs, public interests, release of sensitive information
or personal safety


civil or criminal violations not normally subject to agency enforcement efforts



“Strong” passwords done tolerably well


What is “strong”?

Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

16

Authentication


Level 3


Substantial Assurance


Transactions that are “official in nature”


High confidence in the asserted identity


Authentication error might at worst result in


significant inconvenience, financial loss, distress,


damage to reputation, harm to agency programs & public interests


a significant release of sensitive information civil or criminal violations normally subject to
agency enforcement efforts


no risk to personal safety



very strong passwords done really well


What’s very strong and done really well?

Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

17

Authentication


Level 4


High Assurance


Very high confidence in the asserted identity


Authentication error might result in


considerable inconvenience, financial loss, distress, damage to reputation, harm to agency
programs & public interests


extensive release of sensitive information


considerable risk of an egregious criminal act


civil or criminal violations of special importance to agency enforcement efforts


risk to personal safety



Is that possible?

Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

18

Authentication


Text



Images



Draw
-
a
-
Secret



Biometrics

Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

19


Alphanumerical Passwords

Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

20

Passwords / alphanumeric

Password database

Password “recovery” tool ($1399)

Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

21

Passwords / Alpha
-
numeric


Social engineering


FCBarcelona, Liverpool



Recycle and renumber


?FCBarcelona1, ?FCBarcelona2 (64%)


Password checkers

unpredictable




Unknown


words in dictionary


Dutch
-
> Dutch dictionary


Mnemonics




!FCBarcelona

strong

4

1

1

2

6

3

5

Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

22

PIN code


Social attack


Birthdate of …



Wear and tear



Skimmers


How
-
to 1



Brute force

Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

23


Graphical Passwords

Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

24

Graphical passwords


Advantage


Excellent image recall (1 day training, up to 2500)



Recognition / Recall



Cognitive (secret images + rules)



Image as a secret


Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

25

Pass faces (recall)


Pass faces


Locate the assigned images


Brute force 1
-
9^(# sreens)



Advantage


People have good face recognition



Disadvantage


Machines have good face recognition


Gender / race bias


Relatively weak


SAT


Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

26

déjà vu (recall)


Deja Vu


Locate the chosen images


Subset is shown



Advantage


Strong visual recall


Good differentiator



Disadvantage


Always one / screen


Color bias (like blue)


SAT

Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

27

Cued Click Points (recall)


User selects features that


lead to next image



Advantage


straightforward


Disadvantage


Salience attack


3
-
5^(tree depth)


Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

28

PicturePin (recall)


Key
-
decoy


Subset


System
-
assigned images



Advantage


Shoulder surfing


Brute force


Intersection


No user bias



Disadvantage


# images needed?


Long search time


SAT


Show your friends the nice photos


Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

29

Rule
-
based (cognitive)


Select enclosed secret images



Advantage


Hard for an attacker


Shoulder surfing


Brute force resilience



Disadvantage


Too many images


Complexity (search)


Intersection?


SAT

Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

30

Rule
-
based (cognitive)


Find the right path



Advantage


Hard for an attacker


Shoulder surfing


Brute force resilience



Disadvantage


Too many images


Complexity (search)


Intersection?


SAT

Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

31

Draw
-
a
-
secret


Brute force:


30^(occupied cells)



Open issues


Connected cells ?


Cell ambiguities?


Variable shape?



Background
-
DAS


Image suggests drawing


2

3

5

4

1

6

2

3

5

4

1

Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

32

Draw a secret



Scribble
-
a
-
Secret


Qualitative
-
DAS



Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

33

Human side of security




Feeling secure





Being secure

Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

34

Stepping back


Authentication schemes


Alpha
-
numeric


Pass faces, Déjà vu, click points, PicturePIN


Rule
-
based



Where did it go wrong?


Not interesting


To complex


Training phase


Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

35

Stepping back


Human
-
centric design


Memory


“fun” and entertaining


Usable


Task flow!



Peer pressure


Shoulder surfing



Device characteristics

Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

36


CAPTCHA

Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

37

CAPTCHA


Text



Image based


Different animals (Asirra)


Rotate objects


Identify objects


ESP
-
PIX
,
SQUIGL
-
PIX
.



Cognition


Logical sequence


Stories



Attacks


Image recognition


Artificial Intelligence

Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

38


Biometrics

Company Confidential

© 2008 Nokia


V1
-
Filename.ppt / YYYY
-
MM
-
DD / Initials

39



Methods


Fingerprint


Speaker recognition


Face


Speaking (Face dynamics + Voice)


Iris / retina, DNA



Fakes and revocation


BiometricEvaluation
-
v1.0.ppt

Biometrics