Abstract
Designing leakage resilient password (LRP) systems for unaided users remains a challenge today despite two decades of intensive research. Most systems were broken soon after they were proposed, while those that remain are very difficult to use. This chapter addresses the fundamental limitations on the general design aspects of such systems. First, it is revealed that most existing LRP systems are subject to two types of generic attacks: brute force attacks and statistical attacks. Second, several principles are identified for the design of LRP systems so as to achieve leakage resilience in the presence of these attacks. It is also shown that, under certain constraints, the attacks cannot be effectively mitigated without significantly sacrificing the usability of LRP systems. Third, a quantitative analytical framework on the usability cost is proposed for better understanding of the tradeoff between security and usability. By decomposing the authentication process of existing LRP systems into atomic cognitive operations from psychology, the framework justifies that a secure LRP system always imposes a considerable amount of cognitive workload on its users when the users do not leverage any secure channel in interacting with the system. This inherent limitation implies that the design of a highly usable and secure LRP system must incorporate a certain type of secure channel.
References
1. Asghar, H.J., Li, S., Pieprzyk, J., Wang, H.: Cryptanalysis of the convex hull click human identification protocol. In: Proceedings of the 13th international conference on information security, pp. 24–30 (2010)
2. Asghar, H.J., Pieprzyk, J., Wang, H.: A new human identification protocol and Coppersmith’s baby-step giant-step algorithm. In: Proceedings of the 8th international conference on applied cryptography and network security, pp. 349–366 (2010)
3. Baddeley, A.D.: The Essential Handbook of Memory Disorders for Clinicians, Chapter 1, pp. 1–13. Wiley, New York (2004)
4. Bai, X., Gu, W., Chellappan, S., Wang, X., Xuan, D., Ma, B.: Pas: predicate-based authentication services against powerful passive adversaries. In: Proceedings of the 2008 annual computer security applications conference, pp. 433–442 (2008)
5. Biddle, R., Chiasson, S., van Oorschot, P.C.: Graphical passwords: learning from the first twelve years. In: Technical Report TR-11-01 (2011)
6. Campbell, J.I.D., Xue, Q.: Cognitive arithmetic across cultures. J. Exp. Psychol. Gen. 130(2), 299–315 (2001)
7. Corbina, L., Marquer, J.: Effect of a simple experimental control: the recall constraint in Sternberg’s memory scanning task. Eur. J. Cogn. Psychol. 20(5), 913–935 (2008)
8. Coskun, B., Herley, C.: Can “something you know” be saved? In: Proceedings of the 11th international conference on information security, pp. 421–440 (2008)
9. Cowan, N.: The magical number 4 in short-term memory: a reconsideration of mental storage capacity. Behav. Brain Sci. 24(1), 87–114 (2001)
10. Craik, F.I., McDowd, J.M.: Age differences in recall and recognition. J. Exp. Psychol. 13(3), 474–479 (1987)
11. Dunphy, P., Heiner, A.P., Asokan, N.: A closer look at recognition-based graphical passwords on mobile devices. In: Proceedings of the sixth symposium on usable privacy and security, pp. 3:1–3:12 (2010)
12. Fisher, D.L.: Central capacity limits in consistent mapping, visual search tasks: four channels or more? Cogn. Psychol. 16(4), 449–484 (1984)
13. Golle, P., Wagner, D.: Cryptanalysis of a cognitive authentication scheme (extended abstract). In: Proceedings of the 2007 IEEE symposium on security and privacy, pp. 66–70 (2007)
14. Hogan, R.M., Kintsch, W.: Differential effects of study and test trials on long-term recognition and recall. J. Verbal Learn. Verbal Behav. 10(5), 562–567 (1971)
15. Hopper, N.J., Blum, M.: Secure human identification protocols. In: Proceedings of the 7th international conference on the theory and application of cryptology and information security: advances in cryptology, pp. 52–66 (2001)
16. Horowitz, T.S., Wolfe, J.M.: Search for multiple targets: remember the targets, forget the search. Percept. Psychophys. 63(2), 272–285 (2001)
17. Lei, M., Xiao, Y., Vrbsky, S.V., Li, C.-C., Liu, L.: A virtual password scheme to protect passwords. In: Proceedings of IEEE international conference on communications, pp. 1536–1540 (2008)
18. Li, S., Asghar, H.J., Pieprzyk, J., Sadeghi, A.-R., Schmitz, R., Wang, H.: On the security of PAS (predicate-based authentication service). In: Proceedings of the 2009 annual computer security applications conference, pp. 209–218 (2009)
19. Li, S., Khayam, S.A., Sadeghi, A.-R., Schmitz, R.: Breaking randomized linear generation functions based virtual password system. In: Proceedings of the 2010 IEEE international conference on communications, pp. 23–27 (2010)
20. Li, S., Shum, H.-Y.: Secure human-computer identification (interface) systems against peeping attacks: SecHCI. In: Cryptology ePrint Archive, Report 2005/268 (2005)
21. Long, J., Wiles, J.: No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing. Syngress, Rockland (2008)
22. Matsumoto, T., Imai, H.: Human identification through insecure channel. In: Proceedings of the 10th annual international conference on theory and application of cryptographic techniques, pp. 409–421 (1991)
23. Nobel, P.A., Shiffrin, R.M.: Retrieval processes in recognition and cued recall. J. Exp. Psychol. 27(2), 384–413 (2001)
24. Rohrer, D., Wixted, J.T.: An analysis of latency and interresponse time in free recall. Mem. Cogn. 22(5), 511–524 (1994)
25. Roth, V., Richter, K., Freidinger, R.: A PIN-entry method resilient against shoulder surfing. In: Proceedings of the 11th ACM conference on computer and communications security, pp. 236–245 (2004)
26. Sasamoto, H., Christin, N., Hayashi, E.: Undercover: authentication usable in front of prying eyes. In: Proceeding of the twenty-sixth annual SIGCHI conference on human factors in computing systems, pp. 183–192 (2008)
27. Sternberg, S.: Memory-scanning: mental processes revealed by reaction-time experiments. Am. Sci. 57, 421–457 (1969)
28. Unsworth, N., Engle, R.W.: The nature of individual differences in working memory capacity: active maintenance in primary memory and controlled search from secondary memory. Psychol. Rev. 114(1), 104–132 (2007)
29. Vogel, E.K., Machizawa, M.G.: Neural activity predicts individual differences in visual working memory capacity. Nature 428(6984), 748–751 (2004)
30. Weinshall, D.: Cognitive authentication schemes safe against spyware (short paper). In: Proceedings of the 2006 IEEE symposium on security and privacy, pp. 295–300 (2006)
31. Wiedenbeck, S., Waters, J., Sobrado, L., Birget, J.-C.: Design and evaluation of a shoulder-surfing resistant graphical password scheme. In: Proceedings of the working conference on advanced visual interfaces, pp. 177–184 (2006)
32. Woodman, G.F., Chun, M.M.: The role of working memory and long-term memory in visual search. Vis. Cogn. 14(4–8), 808–830 (2006)
33. Woodman, G.F., Luck, S.J.: Visual search is slowed when visuospatial working memory is occupied. Psychon. Bull. Rev. 11(2), 269–274 (2004)
34. Yan, Q., Han, J., Li, Y., Deng, R.H.: On limitations of designing usable leakage-resilient password systems: attacks, principles and usability. In: Proceedings of the 19th network & distributed system security symposium (NDSS) (2012)
35. Zhao, H., Li, X.: S3PAS: a scalable shoulder-surfing resistant textual-graphical password authentication scheme. In: Proceedings of the 21st international conference on advanced information networking and applications workshops, vol. 02, pp. 467–472 (2007)
Appendix: Atomic Cognitive Operations and Human Cognitive Workload Calculation
There are four types of atomic cognitive operations commonly used in human-computer authentication systems. This appendix introduces their definitions and performance models, which characterize the relation between experiment parameters and the reaction time (RT) of an average human. These performance models can be used to evaluate the cognitive workload for typical LRP systems, as shown in Table 1.2.
1.1.1 Single/Parallel Recognition
Recognition is the process to correctly judge whether a presented item has been encountered before. Recognition can be considered as a matching process of comparing presented items with those stored in memory. The reaction time of a recognition operation depends on the number of items which a subject memorizes. The item set in the subject’s memory is referred to as a positive set. For single item recognition, that is, only one item is shown to the subject each time, one of the most well-known recognition models [27] evaluates the reaction time as \(\mathit{RT} = 0.3964 + 0.0383 \cdot k\), where k is the size of the positive set. When multiple items are present simultaneously, the subject can perform recognition in parallel. According to the working memory capacity theory [9, 12, 29], the maximum number of parallel recognition channels is limited to 4 for an average subject. The reaction time of recognizing x items displayed simultaneously can be estimated as \(\mathit{RT} = (0.3964 + 0.0383 \cdot k) \cdot \lceil x/4\rceil \).
Recognition is a common operation in LRP designs. Recognition is used by a subject to judge whether an element appearing in the challenge belongs to the positive set. The high-complexity CAS scheme [30] is an example for single item recognition, where the subject is asked to recognize an image in the current position before deciding which image should be recognized in the next move. The low-complexity CAS scheme [30] and SecHCI [20] are examples of parallel recognition. In the low-complexity CAS scheme, the subject is required to find out the first and the last secret images appearing in a window consisting of 20 images, while in SecHCI, the subject is required to identify all of his/her secret images among 30 candidate images.
1.1.2 Free/Cued Recall
Besides recognition, recall is the other principal method of memory retrieval [3], which is defined as reproducing the stimulus items. Compared to recognition, the recall process is much slower [10, 23]. The common interpretation is that recall is associated with greater resource costs than recognition [10]. Recall might be carried out as a slow process of serial search while recognition as a fast process of parallel retrieval [23].
Free recall and cued recall are two basic recall types. In free recall, a subject is given a list of items to remember and then is tested by recalling them in any order [24]. In cued recall, the subject is given a list of items with cues to remember, and the cues are given in the test. The cues act as guides to what the subject is supposed to remember. For example, given “a body of water”, the phrase is the cue for the word “pond” [10]. Many psychological experiments have shown that the reaction time of free recall increases exponentially with the size of the positive set [24, 28]. In contrast, the reaction time for cued recall is much shorter and it increases linearly [10, 23].
Some LRP systems require a subject to recall all his/her secret items during an authentication process. The LPN scheme [15] and the APW scheme [2] are two examples, where the subject is required to recall all the secret items and their corresponding locations in order to identify a challenge digit associated with each secret item. These recall processes should be classified as free recall since no cues are presented. However, no experimental data have been provided in the psychology literature for a large positive set of 15 items as required by these schemes, while the common size for a positive set is 8 for free recall. Since it is difficult to decide whether the exponential trend still holds when the positive set is large, we use the reaction time of the cued recall as a conservative estimate for the free recall which is used in these schemes. According to the experimental results in [7, 23], the formula for the reaction time of the cued recall is \(\mathit{RT} = (0.3964 + 0.0383 \cdot \varphi \cdot \gamma \cdot k)\), where \(\varphi\) is the ratio of the cued recall compared to single item recognition (\(\varphi = 1.969\) in [23]), while \(\gamma\) is the additional penalty if the subject is required to simultaneously recall the position of an item (\(\gamma = 1.317\) in [7]).
1.1.3 Single-Target/Multi-Target Visual Search
Visual search is a perceptual task that involves an active scan of the visual environment for particular targets among other distracters. The measure of the attention in visual search is often manifested as a slope of the function of response time over the number of items displayed (which is referred to as window size) [32]. For a single-target visual search, which is the search of a single target among a set of items, its reaction time is believed to be linear to the window size [32, 33] and it can be estimated as \(\mathit{RT} = 0.583 + 0.0529 \cdot w\) [33], where w is the window size. For a multi-target visual search, the reaction time is accelerated as the number of targets increases in a fixed-sized window [16].
Visual search is usually used in LRP systems which use simple challenges. PAS [4] and CHC [31] are two examples of using single-target visual search and multi-target visual search, respectively. In PAS, a subject is asked to scan a table cell containing 13 random letters and check whether a secret letter is present or not. In CHC, a subject is required to locate 3 secret elements in a window so as to form a triangle. According to the results given in [16], the reaction time of 3-targets visual search in CHC is approximately 1.8 times longer than that of single-target visual search with the same window size.
1.1.4 Simple Cognitive Arithmetic
Simple cognitive arithmetic is a mental task to solve simple problems involving basic arithmetic operations (e.g., 3 + 4, 7 − 3, 3 × 4, 12 ÷ 3). The simple arithmetic problems can be further divided into three subsets: small, large, and zero-and-one problems [6]. For both addition and multiplication, small problems are defined as those with the product of two operands smaller than or equal to 25, and large problems are defined as those with the product of two operands larger than 25. The small and large problems in subtraction and division are defined on the basis of the inverse relationships between addition and subtraction and between multiplication and division. A zero-and-one problem is defined as one involving 0 or 1 as an operand or answer. The common instances of zero-and-one problems include counting, exclusive-or, and mod 2. As reported in the experiments of [6], the average reaction time is 0.773 s for small addition, 0.959 s for small division, 0.924 s for large addition, and 0.738 s for zero-and-one problems.
Simple cognitive arithmetic is usually used in the counting-based schemes [15, 20], where a subject is asked to count the number of secret icons appearing in a challenge, and use the count value to calculate a response based on a simple algebraic function.
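The four performance models above can be composed into a per-round workload estimate. The following Python sketch is an added example, not code from the chapter: the function names, the treatment of \(\gamma\) as 1 when no position is recalled, and the sample positive-set size used in the usage note are assumptions, while every numeric constant is taken from the appendix text.

```python
import math

# Fitted constants quoted in the appendix (all times in seconds).
REC_BASE, REC_SLOPE = 0.3964, 0.0383   # single-item recognition [27]
CHANNELS = 4                           # parallel recognition channels [9, 12, 29]
PHI, GAMMA = 1.969, 1.317              # cued-recall ratio [23], position penalty [7]
VS_BASE, VS_SLOPE = 0.583, 0.0529      # single-target visual search [33]
ZERO_ONE, SMALL_ADD, LARGE_ADD = 0.738, 0.773, 0.924  # addition RTs [6]

def recognition_rt(k, x=1):
    """RT to recognize x simultaneously shown items against a positive set of size k."""
    if k < 1 or x < 1:
        raise ValueError("k and x must be positive integers")
    return (REC_BASE + REC_SLOPE * k) * math.ceil(x / CHANNELS)

def cued_recall_rt(k, with_position=True):
    """Cued-recall RT, used in the text as a conservative stand-in for free recall."""
    if k < 1:
        raise ValueError("k must be a positive integer")
    # Assumption: gamma is 1 when the item's position need not be recalled.
    gamma = GAMMA if with_position else 1.0
    return REC_BASE + REC_SLOPE * PHI * gamma * k

def visual_search_rt(w, multi_target_factor=1.0):
    """Visual-search RT over window size w; the text gives a factor of 1.8 for 3 targets."""
    if w < 1:
        raise ValueError("w must be a positive integer")
    return (VS_BASE + VS_SLOPE * w) * multi_target_factor

def addition_rt(a, b):
    """Classify a + b as zero-and-one, small or large, and return its average RT."""
    if {0, 1} & {a, b, a + b}:          # 0 or 1 as an operand or as the answer
        return ZERO_ONE
    return SMALL_ADD if a * b <= 25 else LARGE_ADD

def workload(op_times, rounds=1):
    """Total cognitive workload: the sum of one round's operation RTs times the rounds."""
    if rounds < 1:
        raise ValueError("rounds must be at least 1")
    return rounds * sum(op_times)
```

With these models, the PAS cell scan of 13 letters evaluates to `visual_search_rt(13)`, about 1.27 s, and the 15-item recall with positions in LPN and APW to `cued_recall_rt(15)`, about 1.89 s. A 20-image window with a hypothetical positive set of 10 images costs `recognition_rt(10, 20)`, about 3.90 s.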
© 2015 The Author(s)
Li, Y., Yan, Q., Deng, R.H. (2015). Leakage Resilient Password Systems: Attacks, Principles, and Usability. In: Leakage Resilient Password Systems. SpringerBriefs in Computer Science. Springer, Cham. https://doi.org/10.1007/978-3-319-17503-4_1
DOI: https://doi.org/10.1007/978-3-319-17503-4_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-17502-7
Online ISBN: 978-3-319-17503-4
eBook Packages: Computer Science (R0)