Usable and Secure Human Authentication - PowerPoint Presentation

Uploaded by luanne-stotts on 2018-03-19
Presentation Transcript

Slide1

Usable and Secure Human Authentication

Jeremiah Blocki

Intel Tech Talk

9/27/2016

Slide2

Memory Experiment 1

Person: Bill Clinton
Action: Tickling
Object: Peach

Slide3

Memory Experiment 3

Person: Albert Einstein
Action: Kissing
Object: Piranha

Slide4

Password Management

Competing Goals: …

Slide5

Security (what could go wrong?)

Danger

Three Types of Attacks

Slide6

Online Attack

The attacker submits guesses (password, 123456, …) directly to the login server.

Guess Limit: k-strikes policy

Slide7

Offline Dictionary Attack

Username: jblocki
Password: Unbr3akabl3
Salt: 89d978034a3f6
Hash: SHA1(Unbr3akabl3 || 89d978034a3f6) = 75fe9ccf4a568f31e66b8597b8eb97c2e915e6b1

An attacker holding the stolen (username, salt, hash) record hashes dictionary guesses on his own hardware, where no guess limit applies.

Slide8

A Common Problem

Security Problem

Password breaches at major companies have affected millions of users.

Slide11

Why Should Intel Care?

Source: CERT Incident Note IN-98.03: Password Cracking Activity

Once SHA1("UnBr3akabl3") is cracked, the recovered plaintext "UnBr3akabl3" can be tried at every other site where the same password was reused.

Slide12
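The offline dictionary attack of slide 7 and the reuse problem of slide 11, as an added Python example (not code from the original slides): it stores SHA1(password || salt) exactly as the slide does, runs a small constructed wordlist through a toy rule set (case variants plus leet substitutions; the rule set and the second site's salt are my assumptions), recovers the slide's password, and then shows the recovered plaintext verifying at a second site where the password was reused. The hash values are computed by the code, not copied from the slide.

```python
import hashlib
import itertools

# Leet substitutions the toy rule set applies (assumed; real crackers ship far larger rule sets).
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}


def salted_sha1(password: str, salt: str) -> str:
    """Hash exactly as the slide does: SHA1(password || salt), plain concatenation."""
    return hashlib.sha1((password + salt).encode("utf-8")).hexdigest()


def mangle(word: str):
    """Yield the lower/Capitalized/UPPER variants of a word, each with every subset of leet substitutions."""
    for base in dict.fromkeys([word.lower(), word.capitalize(), word.upper()]):
        positions = [i for i, c in enumerate(base) if c.lower() in LEET]
        for r in range(len(positions) + 1):
            for chosen in itertools.combinations(positions, r):
                chars = list(base)
                for i in chosen:
                    chars[i] = LEET[chars[i].lower()]
                yield "".join(chars)


def crack(record: dict, wordlist) -> tuple:
    """Offline dictionary attack against one leaked (salt, hash) record.

    No k-strikes policy applies here: each candidate costs one SHA-1 on the
    attacker's hardware, so wordlist size times rule count is the only budget.
    Returns (recovered_password or None, candidates_tried).
    """
    tried = 0
    for word in wordlist:
        for candidate in mangle(word):
            tried += 1
            if salted_sha1(candidate, record["salt"]) == record["hash"]:
                return candidate, tried
    return None, tried


def verify(record: dict, attempt: str) -> bool:
    """What a site does at login: re-hash the attempt with its own salt and compare."""
    return salted_sha1(attempt, record["salt"]) == record["hash"]


# Constructed sample data. Site A's salt is the one printed on slide 7; site B's
# salt is invented. Both sites store the same reused password.
PASSWORD = "Unbr3akabl3"
SITE_A = {"user": "jblocki", "salt": "89d978034a3f6"}
SITE_B = {"user": "jblocki", "salt": "0f3a9c21"}
SITE_A["hash"] = salted_sha1(PASSWORD, SITE_A["salt"])
SITE_B["hash"] = salted_sha1(PASSWORD, SITE_B["salt"])

# Constructed wordlist: a few common passwords plus the base word of the slide's password.
WORDLIST = ["password", "123456", "letmein", "qwerty", "unbreakable", "intel"]


def demo() -> dict:
    """Crack site A's leaked record, then reuse the plaintext against site B."""
    recovered, tried = crack(SITE_A, WORDLIST)
    return {
        "recovered": recovered,
        "tried": tried,
        "reused_at_site_b": recovered is not None and verify(SITE_B, recovered),
    }


if __name__ == "__main__":
    print(demo())
```

The salt defeats a precomputed table, but not this attack: the attacker simply appends the leaked salt to each guess, and a fast hash such as SHA-1 makes a few hundred candidates per record essentially free. The same word list then opens every other account that shares the password, which is the point of slide 11.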

Plaintext Recovery Attack

The user types the plaintext password (pwd) into PayPaul.com, a look-alike site, which now holds pwd with no cracking needed.

Slide13

A Challenging Problem

Traditional Security Advice

Not too short
Use mix of lower/upper case letters
Change your passwords every 90 days
Use numbers and letters
Don't use words/names
Use special symbols
Don't Write it Down
Don't Reuse Passwords

Slide14

User Frustration

Slide15

Can We Do Better?

My Answer: Yes, we can.

Slide16

Human memory is not a hard disk

(Hard-disk diagram: platters, read/write head. Slide credit [BS14].)

Slide17

Human Memory is Vast but Lossy

Rehearse or Forget!

Does a typical user get sufficient natural rehearsal to remember all of his passwords?

p_amazon  p_google  ????

Slide18

Memory Capability

Source: Spaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwords [BKCD15]

(Plot: Succeeded(i)/Returned(i) versus Day, 0 to 150.)

Slide19

Rehearsal Requirement

Expanding Rehearsal Assumption: the user maintains a cue-association pair by rehearsing it during each interval [s_i, s_{i+1}].

(Timeline, Day: 1 2 4 5 8. Visit Amazon: Natural Rehearsal. Google.)

Source: Optimization of Repetition Spacing in the Practice of Learning [WG, 94]

Slide20

Rehearsal Requirement

(Timeline, Day: 1 2 4 5 8.)

Sufficient Rehearsal?
Reuse Password: Yes
Independent Passwords: No

Slide21

Usability Results

E[X]: Extra Rehearsals to maintain all passwords over lifetime (m = 75 accounts, s = 1.5).

User type   | Reuse Password | Strong Random Independent
Active      | 0.002          | 2,938
Typical     | 0.023          | 2,974
Occasional  | 0.109          | 3,135
Infrequent  | 3.239          | 4,024

Reuse Password: Usable. Strong Random Independent: Unusable.

Slide22
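The rehearsal requirement of slides 19 to 21, as an added Python simulation (not code from the original slides): it assumes the expanding schedule s_i = 2^i days (doubling intervals; the talk's exact schedule and its s = 1.5 parameter are not reproduced), a constructed login schedule for four accounts, and counts the extra rehearsals each password-management scheme forces. Besides the slide's two schemes (one reused password, independent passwords) it adds a hypothetical shared-cue assignment of my own, in which every account's password is built from two of four cues and any two accounts share at most one.

```python
from typing import Dict, Iterable, List

HORIZON_DAYS = 512  # simulation length in days (constructed)


def expanding_intervals(horizon: int):
    """Rehearsal intervals [s_i, s_{i+1}) with s_i = 2**i days (assumed schedule)."""
    i = 0
    while 2 ** i < horizon:
        yield 2 ** i, min(2 ** (i + 1), horizon)
        i += 1


def extra_rehearsals(visits: Dict[str, Iterable[int]],
                     cue_to_accounts: Dict[str, List[str]],
                     horizon: int = HORIZON_DAYS) -> Dict[str, int]:
    """Per cue, count the intervals in which no account using that cue was visited.

    A login at an account whose password uses the cue is a natural rehearsal of
    it; an interval without one forces an extra (artificial) rehearsal.
    """
    visit_days = {acct: set(days) for acct, days in visits.items()}
    extras = {}
    for cue, accounts in cue_to_accounts.items():
        days = set().union(*(visit_days[a] for a in accounts))
        extras[cue] = sum(1 for lo, hi in expanding_intervals(horizon)
                          if not any(lo <= d < hi for d in days))
    return extras


# Constructed login schedule: the day numbers on which the user visits each account.
VISITS = {
    "amazon": range(1, HORIZON_DAYS),         # daily
    "google": range(3, HORIZON_DAYS, 3),      # every third day
    "bank":   range(30, HORIZON_DAYS, 30),    # monthly
    "rare":   range(100, HORIZON_DAYS, 100),  # a few times a year
}

# Scheme 1: one password reused everywhere, so a single cue is rehearsed by every login.
REUSE = {"shared-cue": list(VISITS)}
# Scheme 2: an independent password per account, so one cue per account.
INDEPENDENT = {f"cue-{a}": [a] for a in VISITS}
# Scheme 3: hypothetical shared cues (my construction, not the talk's). Each account
# uses two cues and any two accounts share at most one, so rarely used accounts
# ride on the rehearsals of frequently used ones.
SHARED = {
    "cue-1": ["amazon", "bank"],
    "cue-2": ["amazon", "google"],
    "cue-3": ["bank", "rare"],
    "cue-4": ["google", "rare"],
}


def total_extra(cue_to_accounts: Dict[str, List[str]]) -> int:
    """Total extra rehearsals a scheme needs over the horizon, summed over its cues."""
    return sum(extra_rehearsals(VISITS, cue_to_accounts).values())


if __name__ == "__main__":
    for name, scheme in [("reuse", REUSE), ("independent", INDEPENDENT), ("shared", SHARED)]:
        print(f"{name:12s} extra rehearsals over {HORIZON_DAYS} days: {total_extra(scheme)}")
```

Under this schedule the reused password costs nothing, independent passwords cost eleven extra rehearsals (all of them for the bank and the rarely visited account, whose early doubling intervals contain no login), and the shared-cue assignment cuts that to five. The slide's table is the same computation carried out over a lifetime and 75 accounts.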

Our Approach

Public Cue: Object: bike
Private: Action: kicking, Object: penguin

Slide23

Login

Slide25

Sharing Cues

Usability Advantages:
Fewer stories to remember!
More Natural Rehearsals!

Security? (Timeline, Day: 1 2 4 5 8.)

Slide26

Sharing Cues

Combinatorial Design: each pair of accounts has at most γ secret stories in common.

Source: Naturally Rehearsing Passwords [BBD13]

Slide27

(n, l, γ)-Sharing Set Family

m – number of passwords {S_1, …, S_m}
n – total number of secrets the user memorizes
l – number of secrets per password
γ – max intersection
S_i – secrets for account i

{S_1, …, S_m} is an (n, l, γ)-sharing set family over the n secrets if |S_i| = l for every i and |S_i ∩ S_j| ≤ γ for every i ≠ j.

Slide28
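The (n, l, γ)-sharing set family of slide 27 and the "how many passwords" question of slide 30, as an added Python example (not code from the original slides): a checker for the definition, a greedy constructor of my own (not the talk's SC-0/SC-1 constructions) that shows how many passwords a given (n, l, γ) admits, and the security view, how many secrets of the weakest remaining password an adversary still lacks after learning some passwords. The Fano plane is used as a concrete (7, 3, 1)-sharing family; the reused-password and independent-password schemes are shown as the two degenerate cases γ = l and γ = 0.

```python
from itertools import combinations
from typing import FrozenSet, Iterable, List, Sequence


def is_sharing_family(family: Sequence[Iterable[int]], n: int, l: int, gamma: int) -> bool:
    """Check the slide's definition: each S_i holds l secrets drawn from {0..n-1},
    and any two distinct S_i, S_j share at most gamma secrets."""
    sets = [frozenset(s) for s in family]
    universe = frozenset(range(n))
    if any(len(s) != l or not s <= universe for s in sets):
        return False
    return all(len(a & b) <= gamma for a, b in combinations(sets, 2))


def greedy_sharing_family(n: int, l: int, gamma: int) -> List[FrozenSet[int]]:
    """Build an (n, l, gamma)-sharing family greedily (my construction, not the talk's):
    scan the l-subsets in lexicographic order and keep each one that respects the
    intersection bound against everything kept so far. The result is maximal
    (nothing more can be added) but not necessarily the largest possible."""
    chosen: List[FrozenSet[int]] = []
    for cand in combinations(range(n), l):
        s = frozenset(cand)
        if all(len(s & c) <= gamma for c in chosen):
            chosen.append(s)
    return chosen


def min_unknown_secrets(family: Sequence[Iterable[int]], compromised: Iterable[int]) -> int:
    """Security view: after the adversary learns the passwords at indices `compromised`,
    how many secrets of the least-protected remaining password does he still lack?
    The definition guarantees at least l - q*gamma for q compromised passwords."""
    comp = set(compromised)
    known = set().union(*(frozenset(family[i]) for i in comp))
    remaining = [frozenset(family[i]) for i in range(len(family)) if i not in comp]
    return min(len(s - known) for s in remaining)


# The Fano plane: 7 points, 7 lines of 3 points, any two lines meet in exactly one
# point, so it is a (7, 3, 1)-sharing set family with m = 7 passwords.
FANO = [
    {0, 1, 2}, {0, 3, 4}, {0, 5, 6},
    {1, 3, 5}, {1, 4, 6}, {2, 3, 6}, {2, 4, 5},
]

# Degenerate schemes for comparison (constructed): one secret reused by every account
# (gamma = l, one breach reveals everything) and fully independent secrets (gamma = 0).
REUSED = [{0}] * 4
INDEPENDENT = [{0, 1}, {2, 3}, {4, 5}, {6, 7}]


if __name__ == "__main__":
    print("Fano is (7,3,1)-sharing:", is_sharing_family(FANO, 7, 3, 1))
    print("unknown secrets after 1 breach:", min_unknown_secrets(FANO, [0]))
    print("unknown secrets after 2 breaches:", min_unknown_secrets(FANO, [0, 1]))
    for n, l, gamma in [(7, 3, 1), (7, 4, 3), (9, 4, 1)]:
        print(f"greedy ({n},{l},{gamma}) family supports {len(greedy_sharing_family(n, l, gamma))} passwords")
```

The two parameters pull against each other exactly as slides 25 and 26 say: a larger γ lets the user reuse more stories (fewer to memorize, more natural rehearsal) but shrinks the number of secrets an adversary must still guess after a breach, while γ = 0 is the strong-random-independent scheme of slide 21.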

How Many Passwords?

PAO Stories | # Passwords | Security
7           | 75+         |
15          | 75+         |
43          | 75+         |

(Security column values as extracted: 4 1 4.)

Adversary with one password is unlikely to guess any other password.

Slide31

Usability Results

E[X]: Extra Rehearsals to maintain all passwords over lifetime.

User type   | Reuse | Strong Random Independent | [SC-1] 15 PAO Stories | [SC-0] 7 PAO Stories
Active      | 0     | 2,938                     | 9.8                   | 4.0
Typical     | 0     | 2,974                     | 11.8                  | 4.5
Occasional  | 0     | 3,135                     | 15.2                  | 5.5
Infrequent  | 3.2   | 4,024                     | 93.2                  | 25.7

Slide32

Future Directions

Shared Cues as Browser Extension
Gradual Password Strengthening
Recovering Forgotten Secrets
Intrusion Detection

Slide33

Other Research Interests

Making Hashed Passwords as hard as possible to crack
Memory Hard Functions
Security Games
Human Computable Challenge-Response Style Authentication

Slide34

Thanks for Listening!