REU Summer Research in Computer Security
Phillip G. Bradford, Computer Science Department, The University of Alabama

Post on 22-Feb-2016


DESCRIPTION

REU Summer Research in Computer Security. Phillip G. Bradford, Computer Science Department, The University of Alabama. Outline: Goals; Motivation; The Challenge: Visual Authentication for Small Wireless Devices, built in Java 2, with the target of porting it to J2ME. Objective. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: REU Summer Research in Computer Security

REU Summer Research in Computer Security

Phillip G. Bradford
Computer Science Department
The University of Alabama

Page 2: REU Summer Research in Computer Security

04/22/23 Computer Security: Summer 2003

Outline
• Goals
• Motivation
• The Challenge
  – Visual Authentication for Small Wireless Devices
    • Built in Java 2
  – Target to have it ported to J2ME

Page 3: REU Summer Research in Computer Security

Objective
• My goal for your summer
  – The project consists of
    • Research & design the system [1-2 weeks]
    • Build & perform analysis [4-5 weeks]
    • Tuning and write-up [3-4 weeks]
  – Potential submission to JOSHUA or another venue
    • Journal of Science and Health at UA

Page 4: REU Summer Research in Computer Security

Starting at the Beginning
• Computer passwords
  – What makes a good password?
    • For whom?
  – Easy to recall for the human
    • "Relationship chasing": passwords tied to the user's own life (names, pets, dates) are the ones an attacker tries first
  – Easy to guess for the attacker
    • Dictionary attacks
    • Many responses, for example:
  – Check your own users!
  – Timeouts
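The "check your own users" bullet in practice: run the attacker's dictionary against your own password hashes before the attacker does. The example below is added here and is not from the slides or the project; the user table, salts, word list and the salted-SHA-256 hash function are all constructed for the example. It also counts how many online guesses each account would have cost, which is the number that lockouts and timeouts act on; the offline audit against stored hashes is not rate-limited at all.

```python
"""Auditing your own users' password hashes with a small dictionary attack (added example)."""
import hashlib


def _h(salt: str, password: str) -> str:
    # Assumed storage format for the example: hex SHA-256 over salt + password.
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed "user database": username -> (salt, stored digest).
USERS = {
    "alice": ("s1", _h("s1", "Fluffy2003")),    # pet name + year: relationship chasing
    "bob":   ("s2", _h("s2", "password")),      # plain dictionary word
    "carol": ("s3", _h("s3", "x7!Qm#v9Lp2z")),  # random; should survive the audit
}

# Constructed dictionary: common words plus personal tokens an attacker would harvest.
BASE_WORDS = ["password", "letmein", "fluffy", "tide", "alabama"]
YEARS = ["", "2001", "2002", "2003"]


def mangle(word: str):
    """Yield simple mutations of a word: case variants, each with an optional appended year."""
    for w in (word, word.capitalize(), word.upper()):
        for y in YEARS:
            yield w + y


def candidates():
    """The full guess list, in the fixed order an attacker would try it."""
    for w in BASE_WORDS:
        yield from mangle(w)


def audit(users=USERS) -> dict:
    """Return {username: recovered_password} for every account that falls to the dictionary."""
    guesses = list(candidates())
    cracked = {}
    for user, (salt, digest) in users.items():
        for g in guesses:
            if _h(salt, g) == digest:
                cracked[user] = g
                break
    return cracked


def attempts_needed(user: str, users=USERS):
    """Number of online guesses needed to hit `user`'s password, or None if the dictionary misses."""
    salt, digest = users[user]
    for i, g in enumerate(candidates(), 1):
        if _h(salt, g) == digest:
            return i
    return None


if __name__ == "__main__":
    print(audit())                      # {'alice': 'Fluffy2003', 'bob': 'password'}
    for u in USERS:
        print(u, attempts_needed(u))    # bob falls on guess 1, alice on guess 32, carol never
```

A lockout after a handful of failed logins stops the online attacker from reaching alice's 32nd guess; it does nothing against the same dictionary run offline over leaked hashes, which is why the audit belongs on the defender's side.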

Page 5: REU Summer Research in Computer Security

Mobile and Wireless Issues
• Passwords are hard to type
• PDAs are "one-hand" devices
  – Mobility
• Physical insecurity

Page 6: REU Summer Research in Computer Security

Graphical Passwords
Undergrad project: Sobrado and Birget
• Classical passwords are alphanumeric
  – Often with a strong relationship to the user
  – Easy to define the search space
• Enlist another human association power
  – Graphical & visual cognition!
  – Consider human face recognition
    • Much security is based on face recognition

Page 7: REU Summer Research in Computer Security

Graphical Passwords
• The human ability to recognize faces is extraordinary!
  – Use the human ability to recognize faces
    • Not the computer's inabilities!
• How can we create a password scheme
  – that builds on human face recognition?
• See the citations in Sobrado and Birget for history and background

Page 8: REU Summer Research in Computer Security

Start with a Famous Urn

Page 9: REU Summer Research in Computer Security

Define Sequence of Clicks in Specific Places
[Figure: the urn image with the click points labelled 1 to 4]

Page 10: REU Summer Research in Computer Security

Pros and Cons
• The bad news
  – "Shoulder surfing"
    • Even worse than for typed passwords
• The good news
  – Quick and easy for humans to process
• To help correct for shoulder surfing
  – Challenge-response authentication

Page 11: REU Summer Research in Computer Security

Random Scatter-Grams

Page 12: REU Summer Research in Computer Security

Challenge-Response Authentication
• Alice proves to Bob that she knows their common secret
  – without letting an observer learn the secret!
• This allows us to foil shoulder surfers
• It also happens to have both
  – important applications, and
  – deep theoretical foundations
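The exchange on this slide, written out with both sides, as an added example that is not from the slides or the project. It uses a keyed hash (HMAC-SHA256) over a fresh random challenge as the response; the shared key and the "observer" are constructed for the example. The point is what the shoulder surfer actually gets: the challenge and the response, which are useless against the next challenge and cannot be replayed against this one.

```python
"""Challenge-response authentication over a shared secret (added example)."""
import hashlib
import hmac
import secrets


class Verifier:
    """Bob: issues fresh challenges and checks responses against the shared secret."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._outstanding = set()  # challenges issued but not yet answered

    def challenge(self) -> bytes:
        c = secrets.token_bytes(16)  # unpredictable, never reused
        self._outstanding.add(c)
        return c

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._outstanding:
            return False  # unknown or already-answered challenge: this is what defeats replay
        self._outstanding.discard(challenge)  # one answer per challenge, right or wrong
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Prover:
    """Alice: answers a challenge using the shared secret, which never leaves her side."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def run_exchange(shared_key: bytes = b"constructed-shared-secret"):
    """One honest login, then two attempts by an observer who saw it.

    Returns (honest_ok, replay_ok, stale_response_ok, wrong_key_ok).
    """
    bob, alice = Verifier(shared_key), Prover(shared_key)

    c = bob.challenge()
    r = alice.respond(c)
    observed = (c, r)               # everything a shoulder surfer captures
    honest_ok = bob.verify(c, r)

    replay_ok = bob.verify(*observed)            # replay the captured pair verbatim
    c2 = bob.challenge()
    stale_ok = bob.verify(c2, r)                 # reuse the old response on a new challenge
    c3 = bob.challenge()
    wrong_key_ok = bob.verify(c3, Prover(b"guess").respond(c3))  # respond with a wrong secret

    return honest_ok, replay_ok, stale_ok, wrong_key_ok


if __name__ == "__main__":
    print(run_exchange())  # (True, False, False, False)
```

With a human in Alice's place the secret cannot be a 256-bit key; the visual schemes on the following slides replace the key with something a person can hold in their head and the HMAC with a computation the person can do by eye. The security argument is the same: the response must depend on the fresh challenge, and the transcript must not leak the secret.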

Page 13: REU Summer Research in Computer Security

Project Structure
• Read: http://www.ece.cmu.edu/~adrian/projects/validation/validation.pdf
• Understand the challenge
• How strong is a visual security system?
  – 36^10 for a length-10 "random" password
    • from {a,b,…,z; 0,1,2,…,9}
  – k common objects from N total
    • N choose k; N=1000 and k=10 gives about 36^15
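The two search-space figures on this slide, worked as a small calculation that is added here and not from the slides. It expresses each scheme in bits (log2 of the number of possible secrets) so that schemes can be compared, checks that N=1000, k=10 is indeed about 36^15, and goes one step beyond the slide by also covering the case where the order of the k objects matters (N permute k), which the slide does not state.

```python
"""Search-space size of password schemes, in bits (added example)."""
import math


def random_password_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of length-`length` strings over an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def unordered_selection_bits(n: int, k: int) -> float:
    """log2 of (N choose k): k distinct pass-objects chosen from N, order irrelevant."""
    return math.log2(math.comb(n, k))


def ordered_selection_bits(n: int, k: int) -> float:
    """log2 of (N permute k): k distinct pass-objects whose order matters (beyond the slide)."""
    return math.log2(math.perm(n, k))


def equivalent_password_length(bits: float, alphabet_size: int = 36) -> float:
    """Length of a random password over `alphabet_size` symbols with the same search space."""
    return bits / math.log2(alphabet_size)


if __name__ == "__main__":
    print(random_password_bits(36, 10))                    # about 51.7 bits
    b = unordered_selection_bits(1000, 10)
    print(b, equivalent_password_length(b))                # about 77.8 bits, i.e. roughly 36^15
    print(ordered_selection_bits(1000, 10))                # about 99.6 bits if order counts
```

These are upper bounds: they assume the user's objects are chosen uniformly. If users pick the same familiar objects (the graphical version of "relationship chasing"), the effective search space shrinks just as it does for text passwords.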

Page 14: REU Summer Research in Computer Security

Project Structure
• Read: http://www.ece.cmu.edu/~adrian/projects/validation/validation.pdf
• Define a small variable-size screen
• Challenge-authentication
  – Using a "random" hash function
    • Geometric objects
  – Variable strength
  – Testable & portable

Page 15: REU Summer Research in Computer Security

Project Structure
• Test-bed for human threshold limits
• Can we add "Lamport's Hash Chain" technology?
• Document code and write up the project
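The "Lamport's Hash Chain" bullet refers to one-time authentication from a hash chain: the client keeps a secret seed s, the server stores only h^n(s), and the i-th login reveals h^(n-i)(s), which the server hashes once and compares with what it holds before replacing its stored value with the value just received. The example below is added here and is not the project's code; the seed, chain length and the "eavesdropper" replay are constructed for the example, and SHA-256 stands in for the generic h.

```python
"""Lamport's hash chain for one-time authentication, both sides (added example)."""
import hashlib
import hmac


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def chain(seed: bytes, n: int) -> list:
    """Return [h^0(seed), h^1(seed), ..., h^n(seed)]."""
    out = [seed]
    for _ in range(n):
        out.append(h(out[-1]))
    return out


class Server:
    """Holds only the current chain tip; never sees the seed."""

    def __init__(self, tip: bytes, n: int):
        self.current = tip          # h^n(seed) at enrolment
        self.remaining = n          # logins left before re-enrolment is needed

    def authenticate(self, value: bytes) -> bool:
        if self.remaining == 0:
            return False            # chain exhausted
        if not hmac.compare_digest(h(value), self.current):
            return False            # not the pre-image of what we hold
        self.current = value        # advance: a replay of `value` now fails
        self.remaining -= 1
        return True


class Client:
    """Holds the seed and reveals the chain from the tip downwards, one value per login."""

    def __init__(self, seed: bytes, n: int):
        self._chain = chain(seed, n)
        self._next = n - 1          # index of the value to reveal next

    def next_otp(self) -> bytes:
        if self._next < 0:
            raise RuntimeError("chain exhausted; re-enrol with a new seed")
        v = self._chain[self._next]
        self._next -= 1
        return v


def demo(n: int = 5):
    """Enrol, log in, replay a captured value, then use the chain up.

    Returns (first_ok, replay_ok, second_ok, rest_ok, logins_remaining).
    """
    seed = b"constructed-seed"      # constructed secret for the example
    client = Client(seed, n)
    server = Server(chain(seed, n)[-1], n)   # enrolment: server gets h^n(seed) only

    first = client.next_otp()                # h^(n-1)(seed)
    first_ok = server.authenticate(first)
    replay_ok = server.authenticate(first)   # eavesdropper replays what it saw
    second_ok = server.authenticate(client.next_otp())
    rest_ok = all(server.authenticate(client.next_otp()) for _ in range(n - 2))
    return first_ok, replay_ok, second_ok, rest_ok, server.remaining


if __name__ == "__main__":
    print(demo())  # (True, False, True, True, 0)
```

The chain gives replay resistance without a shared key and without the server storing anything secret, which suits a physically insecure device: a stolen server-side tip yields nothing, and a captured login value is worthless after it has been used once. What it does not give is challenge-response: an attacker who intercepts a value before it reaches the server can use it first, so in the project it would sit alongside the visual challenge rather than replace it.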