REU Summer Research in Computer Security
Phillip G. Bradford
Computer Science Department
The University of Alabama
04/22/23 Computer Security: Summer 2003
Outline
• Goals
• Motivation
• The Challenge
  – Visual Authentication for Small Wireless Devices
    • Built in Java 2
  – Target to have it ported to J2ME
Objective
• My Goal for your Summer
  – Project Consists of
    • Research & Design System [1-2 weeks]
    • Build & Perform Analysis [4-5 weeks]
    • Tuning and Write Up [3-4 weeks]
  – Potential Submission to JOSHUA or other venue
    • Journal of Science and Health at UA
Starting at the Beginning
• Computer Passwords
  – What makes a good password?
    • For whom?
  – Easy to recall for the human
    • Relationship chasing
  – Easy to guess for the attacker
    • Dictionary Attacks
    • Many responses
  – Check your own users!
  – Timeouts
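The two defensive points on this slide, auditing your own users against a dictionary and putting timeouts on failed logins, as an added example that is not part of the original deck. The wordlist, the user names and the passwords are constructed for the demonstration; a real audit would use a full cracking dictionary and a much higher iteration count.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed wordlist; a real audit would use a full cracking dictionary.
DICTIONARY = ["password", "letmein", "alabama", "summer", "crimson"]

def variants(word):
    """A dictionary word plus the cheap manglings a guesser tries first."""
    yield word
    yield word.capitalize()
    yield word[::-1]
    for n in range(10):
        yield f"{word}{n}"
        yield f"{word.capitalize()}{n}"

# Few rounds so the demo runs quickly; production uses far more (or a
# memory-hard function), which slows the attacker and the audit alike.
ROUNDS = 2_000

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)

@dataclass
class UserRecord:
    salt: bytes
    digest: bytes

def enroll(password):
    """Store only a salted, iterated hash, never the password itself."""
    salt = secrets.token_bytes(16)
    return UserRecord(salt, hash_password(password, salt))

def audit_users(users):
    """'Check your own users': run the dictionary against each stored hash and
    return the names whose password is a dictionary word or a cheap mangling."""
    weak = []
    for name, rec in users.items():
        for word in DICTIONARY:
            if any(hmac.compare_digest(hash_password(v, rec.salt), rec.digest)
                   for v in variants(word)):
                weak.append(name)
                break
    return weak

@dataclass
class LoginGuard:
    """Failed-attempt counter with a growing lockout: the slide's 'timeouts'."""
    free_failures: int = 3       # failures allowed before the first lockout
    base_delay: float = 1.0      # seconds; doubles with each further failure
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)

    def attempt(self, users, name, password, now):
        """Return 'ok', 'rejected' or 'locked'. `now` is a timestamp in seconds."""
        if now < self.locked_until.get(name, 0.0):
            return "locked"
        rec = users.get(name)
        if rec is not None and hmac.compare_digest(hash_password(password, rec.salt), rec.digest):
            self.failures[name] = 0
            return "ok"
        n = self.failures.get(name, 0) + 1
        self.failures[name] = n
        if n >= self.free_failures:
            self.locked_until[name] = now + self.base_delay * 2 ** (n - self.free_failures)
        return "rejected"

if __name__ == "__main__":
    users = {"alice": enroll("Crimson7"), "bob": enroll("x9!Qv2#rTz")}
    print("guessable:", audit_users(users))          # ['alice']
    guard = LoginGuard()
    for pw in ("summer", "password1", "letmein"):
        print(guard.attempt(users, "alice", pw, now=0.0))
    print(guard.attempt(users, "alice", "Crimson7", now=0.5))  # locked
    print(guard.attempt(users, "alice", "Crimson7", now=1.5))  # ok
```

The audit does exactly the work a guesser would do, which is the point: the defender finds "Crimson7" (a capitalised word plus a digit) before anyone else does. The lockout doubles with every failure past the free allowance, so a dictionary run against the live login interface slows to a crawl while a user who mistypes twice is not inconvenienced.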
Mobile and Wireless Issues
• Passwords Hard to type
• PDAs are “one-hand” devices
  – Mobility
• Physical Insecurity
Graphical Passwords
Undergrad Project: Sobrado and Birget
• Classical Passwords are Alpha-numeric
  – Often with strong relationship to the user
  – Easy to define search space
• Enlist another human association power
  – Graphical & visual cognition!
  – Consider human face recognition
    • Much security is based on face recognition
Graphical Passwords
• Human ability to recognize faces is extraordinary!
  – Use human ability to recognize faces
    • Not the computer’s inabilities!
• How can we create a password scheme
  – That builds on Human Face recognition?
• See citations in Sobrado and Birget for history and background
Start with a Famous Urn
Define Sequence of Clicks In Specific Places
[Figure: the urn image with click points labelled 1, 2, 3, 4]
Pros and Cons
• The bad news
  – “Shoulder Surfing”
    • Even worse than for typed passwords
• The good news
  – Quick and Easy for humans to process
• To Help correct for Shoulder Surfing
  – Challenge-Response Authentication
Random Scatter-Grams
Challenge-Response Authentication
• Alice proves to Bob that she knows their common secret
  – Without letting an observer know the secret!
• This allows us to foil shoulder surfers
• It also happens to have both
  – Important applications, and
  – Deep theoretical foundations
Project Structure
• Read: http://www.ece.cmu.edu/~adrian/projects/validation/validation.pdf
• Understand the Challenge
• How Strong is a Visual Security System?
  – 36^10 for length 10 “random” password
    • From {a,b,…,z; 0,1,2,…,9}
  – K-common objects from N total
    • N Choose k; N=1000 and k=10 gives about 36^15
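The search-space comparison on this slide, carried out in code as an added example (not part of the original deck). It reproduces the two figures the slide gives, 36^10 and C(1000,10) ≈ 36^15, and generalises to a third scheme the urn slides suggest but do not size: an ordered sequence of clicks, each resolved to one cell of a tolerance grid. The grid size is an assumption for the sake of the example.

```python
import math

ALNUM = 36  # |{a,…,z} ∪ {0,…,9}|, the alphabet on the slide

def alnum_space(length, alphabet=ALNUM):
    """Search space of a uniformly random password of `length` symbols (36^10 on the slide)."""
    return alphabet ** length

def k_of_n_space(n, k):
    """Search space when the secret is k pass-objects chosen from n, order ignored: C(n, k)."""
    return math.comb(n, k)

def click_sequence_space(cells, clicks):
    """Search space of an ordered sequence of clicks, each landing in one of
    `cells` tolerance cells on the image. The cell grid is an assumption made
    for this example; the slide does not specify a click tolerance."""
    return cells ** clicks

def bits(space):
    """Entropy in bits if every element of the space is equally likely."""
    return math.log2(space)

def equivalent_alnum_length(space, alphabet=ALNUM):
    """Length of a random alphanumeric password with the same search space."""
    return math.log(space) / math.log(alphabet)

def compare(schemes):
    """Rows of (name, space, bits, equivalent alphanumeric length) for a list of (name, space)."""
    return [(name, s, round(bits(s), 1), round(equivalent_alnum_length(s), 1))
            for name, s in schemes]

if __name__ == "__main__":
    rows = compare([
        ("36^10 alphanumeric", alnum_space(10)),
        ("10 objects of 1000", k_of_n_space(1000, 10)),
        ("4 ordered clicks, 20x20 cells", click_sequence_space(400, 4)),
    ])
    for name, space, b, length in rows:
        print(f"{name:32s} {space:>28d}  {b:6.1f} bits  ~ {length:4.1f} alnum chars")
```

The numbers assume the secret is chosen uniformly, which is the flattering case: the slide's own point about passwords with a "strong relationship to the user" is that the effective space is far smaller than the nominal one, and the same holds for clicks that gravitate to salient points of the image.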
Project Structure
• Read: http://www.ece.cmu.edu/~adrian/projects/validation/validation.pdf
• Define Small Variable-size Screen
• Challenge-Authentication
  – Using “Random” Hash Function
    • Geometric Objects
  – Variable Strength
  – Testable & Portable
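The protocol skeleton behind both the Challenge-Response Authentication slide and the "Challenge-Authentication using a random hash function" item above, as an added example that is not the project's code. A keyed hash (HMAC-SHA-256) stands in for the slide's random hash function; in the visual scheme the response would be produced by the human from the displayed geometric objects, which the deck does not specify, so that step is not modelled. The secret and the observer log are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

def respond(secret, challenge):
    """Alice's side: a keyed hash of the challenge. The response depends on the
    secret, but the secret cannot be recovered from (challenge, response)."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

class Verifier:
    """Bob's side: holds the shared secret, issues each challenge once, and
    accepts a response to a given challenge at most once."""
    def __init__(self, secret):
        self._secret = secret
        self._outstanding = set()

    def challenge(self):
        c = secrets.token_bytes(16)      # fresh and unpredictable every time
        self._outstanding.add(c)
        return c

    def verify(self, challenge, response):
        if challenge not in self._outstanding:
            return False                  # never issued, or already consumed
        self._outstanding.discard(challenge)
        expected = respond(self._secret, challenge)
        return hmac.compare_digest(expected, response)

def honest_session(secret, observer_log):
    """One run of the protocol. Everything an onlooker can see is appended to observer_log."""
    bob = Verifier(secret)
    c = bob.challenge()
    r = respond(secret, c)
    observer_log.append(("challenge", c))
    observer_log.append(("response", r))
    return bob, bob.verify(c, r)

def observer_replays(secret):
    """What the shoulder-surfer's notes are worth: the recorded pair is refused
    when replayed, and the recorded answer does not fit a fresh challenge."""
    log = []
    bob, accepted = honest_session(secret, log)
    seen = dict(log)
    replay_accepted = bob.verify(seen["challenge"], seen["response"])   # same pair again
    fresh = bob.challenge()
    stale_accepted = bob.verify(fresh, seen["response"])                 # old answer, new question
    return accepted, replay_accepted, stale_accepted
```

Two properties carry the weight here and both should be checked in any variant of the scheme: the challenge is fresh each time (so watching one session teaches nothing about the next), and each challenge is consumed on first use (so a recorded session cannot be played back). The visual version inherits the same requirements; only the response function changes.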
Project Structure
• Test-bed for human threshold limits
• Can we add “Lamport’s Hash Chain” Technology?
• Document Code and Write-up project
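Lamport's hash chain, the one-time-password technique the last slide asks about, as an added example rather than anything the project built. The client computes h^n(seed) and enrols that value; each login reveals the next value down the chain, and the server only ever stores the last value it accepted. SHA-256 is used as the one-way function and the seed is constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

def h(x):
    """The one-way function the chain is built from."""
    return hashlib.sha256(x).digest()

def hash_chain(seed, n):
    """[seed, h(seed), h^2(seed), ..., h^n(seed)]; the last element is the anchor."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain

class LamportClient:
    """Holds the chain and reveals it backwards: h^(n-1), h^(n-2), ..., seed."""
    def __init__(self, seed, n):
        self._chain = hash_chain(seed, n)
        self._next = n - 1

    def anchor(self):
        return self._chain[-1]       # h^n(seed), given to the server once at enrollment

    def next_password(self):
        if self._next < 0:
            raise RuntimeError("chain exhausted; re-enroll with a new seed")
        value = self._chain[self._next]
        self._next -= 1
        return value

class LamportServer:
    """Stores only the last accepted value; accepts x exactly when h(x) equals it."""
    def __init__(self, anchor, n):
        self._last = anchor
        self._remaining = n

    def verify(self, candidate):
        if self._remaining == 0:
            return False
        if hmac.compare_digest(h(candidate), self._last):
            self._last = candidate   # step one link down the chain
            self._remaining -= 1
            return True
        return False

def demo(n=5):
    """Enroll, log in n times, then confirm that a replay is refused."""
    seed = secrets.token_bytes(32)
    client = LamportClient(seed, n)
    server = LamportServer(client.anchor(), n)
    results = [server.verify(client.next_password()) for _ in range(n)]
    replay = server.verify(seed)   # the last password sent was the seed itself
    return results, replay
```

The fit with the shoulder-surfing problem is that a password seen over someone's shoulder is worthless once used: computing the next one requires a preimage of the value just shown. The cost is state on both sides (the chain index) and the need to re-enrol when the chain runs out, which is why the slide poses it as a question for the test-bed rather than a given.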