The Design and Analysis of Graphical Passwords

Ian Jermyn (New York University); Alain Mayer, Fabian Monrose, Michael K. Reiter (Bell Labs, Lucent Technologies); Aviel D. Rubin (AT&T Labs-Research)

Presenter: Ta Duy Vuong

OUTLINE
1. Introduction
2. Textual Passwords with Graphical Assistance
3. Purely Graphical Passwords
4. Other Graphical Password Scheme
5. Summary
6. References

1. INTRODUCTION
• Passwords: method of choice for user authentication.
• In practice, passwords are susceptible to attacks.
• Exploit features of graphical input displays to achieve better security.

1. INTRODUCTION
• Used for any device with a graphical input display.
• Primarily for PDAs: Palm Pilot, HP iPAQ, ...

1. INTRODUCTION
• Observation: temporal order & position.
• Textual password input via keyboard: simplepass (123456789).
• Graphical password: [figure]


2. TEXT WITH GRAPHICAL ASSISTANCE
• Use textual passwords augmented by some graphical capabilities.
• Aim: to decouple temporal order & position of input.

2. TEXT WITH GRAPHICAL ASSISTANCE
• Example: password is "tomato".
• Usual way of input: conventional. [figure]

2. TEXT WITH GRAPHICAL ASSISTANCE
• With graphical assistance. [figure]

2. TEXT WITH GRAPHICAL ASSISTANCE
• Formally:
  – k: number of characters in the password
  – A: set of allowed characters
  – m: number of positions (m >= k)
  – Textual: $f: \{1, \ldots, k\} \to A$
  – Graphical: $f': \{1, \ldots, k\} \to A \times \{1, \ldots, m\}$

2. TEXT WITH GRAPHICAL ASSISTANCE
• One k-character conventional password yields m!/(m-k)! graphical passwords.
• Ex: password is "ILoveNus"
  – k = 8 (characters)
  – Choose m = 10 (positions)
  – 10!/(10-8)! ≈ 1.8 × 10^6 graphical passwords
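The following is an added example (not code from the slides or the paper) that models the graphical-assistance scheme of the last few slides: a graphical password is the textual password plus a distinct screen position for each character, so the order in which characters are typed no longer has to match where they end up. The function names, the use of 1-based positions and the `_` filler for empty positions are my own choices; the count m!/(m-k)! and the map $f'$ are the ones stated on the slides.

```python
from itertools import permutations
from math import factorial


def is_valid_graphical_password(entries, alphabet, m):
    """entries: list of (char, position) pairs in temporal (typing) order.

    This is the map f' : {1..k} -> A x {1..m}. It is valid when every
    character is in A, every position is in 1..m, and no position is
    used twice (a position holds one character).
    """
    chars = [c for c, _ in entries]
    positions = [p for _, p in entries]
    if not all(c in alphabet for c in chars):
        return False
    if not all(1 <= p <= m for p in positions):
        return False
    return len(set(positions)) == len(positions)


def temporal_string(entries):
    """Characters in the order they were typed (what a keystroke log sees)."""
    return "".join(c for c, _ in entries)


def positional_string(entries, m):
    """Characters read left to right by screen position ('_' = empty slot).

    For a conventional password this equals the temporal string; with
    graphical assistance the two are decoupled.
    """
    slots = ["_"] * m
    for c, p in entries:
        slots[p - 1] = c
    return "".join(slots)


def graphical_count(k, m):
    """Number of graphical passwords one k-character password yields: m!/(m-k)!."""
    if k > m:
        raise ValueError("need at least as many positions as characters")
    return factorial(m) // factorial(m - k)


def enumerate_graphical(password, m):
    """All graphical passwords for a fixed textual password and m positions
    (one per injective assignment of positions). Only sensible for small m."""
    return [list(zip(password, perm)) for perm in permutations(range(1, m + 1), len(password))]


if __name__ == "__main__":
    # Constructed sample: "tom" typed in order, but placed at positions 3, 1, 2.
    sample = [("t", 3), ("o", 1), ("m", 2)]
    print(temporal_string(sample), positional_string(sample, 4))
    print(graphical_count(8, 10))  # the slide's "ILoveNus" example
```

Enumerating the assignments for a short password and checking the count against the formula is a cheap way to confirm that the extra entropy comes only from the choice of positions, not from the characters themselves.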


3. DRAW-A-SECRET (DAS) SCHEME
3.1 Introduction
• Password is a picture drawn on a grid.
• Users are freed from having to remember an alphanumeric string.
• What is good about a picture-based password?

3. DRAW-A-SECRET (DAS) SCHEME
3.2 Password input
• (2,2) (3,2) (3,3) (2,3) (2,2) (2,1) (5,5)
• (5,5) is the pen-up indicator.

3. DRAW-A-SECRET (DAS) SCHEME
3.3 Encryption Tool for PDA
• Use Triple-DES to encrypt/decrypt data stored on the PDA.
• Process of making keys for Triple-DES: sequence of coordinates of password P → hashed using SHA-1 → key k → derived to make keys for Triple-DES.

3. DRAW-A-SECRET (DAS) SCHEME
3.3 Encryption Tool for PDA
• Process of setting password: sequence of coordinates P → hashed using SHA-1 → key k → store E_k(P).
• Process of verifying password: sequence of coordinates P' → hashed using SHA-1 → key k' → result = D_k'(E_k(P)) → result = P ??
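An added example, not the presenter's or the paper's code, covering slides 3.2 and 3.3: it turns a drawing (a list of strokes, each a list of grid cells crossed in order) into the DAS coordinate sequence with the (G+1, G+1) pen-up indicator, hashes that sequence with SHA-1 to get the key k, and expands k into Triple-DES key material. Two things are assumptions of mine and not on the slides: consecutive cells within a stroke must be 4-adjacent (up, down, left, right), and the expansion of the 20-byte SHA-1 digest into 24 bytes of three-key Triple-DES material is done by re-hashing k with a counter and then setting DES odd parity. The actual Triple-DES encryption of P is left to a cipher library and not shown.

```python
import hashlib


def _adjacent(a, b):
    # Assumption: a stroke moves one cell at a time, horizontally or vertically.
    return abs(a[0] - b[0]) + abs(a[1] - b[1]) == 1


def is_valid_drawing(strokes, grid_size):
    """True if every stroke is non-empty, stays on the G x G grid (1-based),
    and moves only between adjacent cells."""
    if not 1 <= grid_size <= 254:        # keeps G+1 < 256 for 1-byte serialisation
        return False
    for stroke in strokes:
        if not stroke:
            return False
        for cell in stroke:
            if not (1 <= cell[0] <= grid_size and 1 <= cell[1] <= grid_size):
                return False
        for prev, cur in zip(stroke, stroke[1:]):
            if not _adjacent(prev, cur):
                return False
    return True


def encode_drawing(strokes, grid_size):
    """DAS password: cells of each stroke in temporal order, followed by the
    pen-up indicator (G+1, G+1). Two drawings that cross the same cells but
    differ in stroke order or pen-ups give different sequences."""
    if not is_valid_drawing(strokes, grid_size):
        raise ValueError("invalid drawing for this grid")
    pen_up = (grid_size + 1, grid_size + 1)
    seq = []
    for stroke in strokes:
        seq.extend(tuple(c) for c in stroke)
        seq.append(pen_up)
    return seq


def serialize(seq):
    """One byte per coordinate; unambiguous because every value is < 256."""
    return bytes(v for cell in seq for v in cell)


def derive_key(seq):
    """Slide 3.3: key k = SHA-1(sequence of coordinates of P)."""
    return hashlib.sha1(serialize(seq)).digest()


def with_odd_parity(key):
    """DES convention: the low bit of each key byte makes the byte's parity odd."""
    out = bytearray()
    for b in key:
        b7 = b & 0xFE
        if bin(b7).count("1") % 2 == 0:
            b7 |= 1
        out.append(b7)
    return bytes(out)


def triple_des_key_material(k):
    """Assumption (not from the slides): expand the 20-byte k into 3 x 8 bytes
    by hashing k || counter, then apply odd parity to each DES subkey byte."""
    out = b""
    ctr = 0
    while len(out) < 24:
        out += hashlib.sha1(k + bytes([ctr])).digest()
        ctr += 1
    return with_odd_parity(out[:24])


if __name__ == "__main__":
    # Constructed drawing matching the slide's example on a 4 x 4 grid.
    drawing = [[(2, 2), (3, 2), (3, 3), (2, 3), (2, 2), (2, 1)]]
    p = encode_drawing(drawing, 4)
    print(p)
    print(triple_des_key_material(derive_key(p)).hex())
```

Verification on the device, as the slide describes, would decrypt the stored E_k(P) with the key k' derived from the candidate drawing P' and compare the result with P'; with this encoding, a drawing that is the same picture but drawn as two strokes instead of one produces a different sequence and therefore a different key.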

3. DRAW-A-SECRET (DAS) SCHEME
3.4 Security of the DAS Scheme
• Textual passwords are susceptible to attacks because:
  – Users do not choose passwords uniformly.
  – Attackers have significant knowledge about the distribution of user passwords (users often choose passwords based on their own name, ...) and information about gross properties (words in the English dictionary are likely to be chosen).

3. DRAW-A-SECRET (DAS) SCHEME
3.4 Security of the DAS Scheme
• Knowledge about the distribution of user passwords is essential to the adversary.
• Harder to collect data on PDAs than on networked computers.
• The DAS scheme gives no clues about user choice of passwords.

3. DRAW-A-SECRET (DAS) SCHEME
3.4 Security of the DAS Scheme
• Size of password space:
  – P: password; grid size G×G; L: length of password; Lmax: maximum length of password
  – l: length of a stroke; (x,y) ∈ [1..G]×[1..G]: ending cell
  – n(x,y,l,G): number of strokes of length l ending at cell (x,y); N(l,G): number of strokes of length l
  $$\Pi(L_{max}, G) = \sum_{L=1}^{L_{max}} P(L, G)$$
  $$P(L, G) = \sum_{l=1}^{L} N(l, G)\, P(L - l, G)$$
  $$N(l, G) = \sum_{(x,y) \in [1..G] \times [1..G]} n(x, y, l, G)$$
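An added example (my code, not the paper's) that evaluates the three formulas on this slide by dynamic programming: $n(x,y,l,G)$ is built up stroke length by stroke length, summed into $N(l,G)$, and the recurrence for $P(L,G)$ with $P(0,G)=1$ gives the total $\Pi(L_{max},G)$. The one assumption beyond the slide is the stroke model used for $n$: a stroke of length 1 is a single cell, and a stroke of length l ends at (x,y) by arriving from one of its 4-adjacent cells, with revisits allowed. The table on the next slide is not reproduced here; the numbers this code prints for larger G and Lmax depend on that adjacency assumption.

```python
from math import log2


def stroke_counts(G, Lmax):
    """n[l][(x, y)] = number of strokes of length l ending in cell (x, y).

    Assumption: a stroke visits one cell per step and moves only to a
    horizontally or vertically adjacent cell, so n(x,y,l) is the sum of
    n(x',y',l-1) over the neighbours (x',y') of (x,y); n(x,y,1) = 1.
    """
    cells = [(x, y) for x in range(1, G + 1) for y in range(1, G + 1)]
    n = {1: {c: 1 for c in cells}}
    for l in range(2, Lmax + 1):
        n[l] = {}
        for (x, y) in cells:
            total = 0
            for dx, dy in ((1, 0), (-1, 0), (0, 1), (0, -1)):
                nb = (x + dx, y + dy)
                if nb in n[l - 1]:          # off-grid neighbours are not cells
                    total += n[l - 1][nb]
            n[l][(x, y)] = total
    return n


def stroke_totals(G, Lmax):
    """N(l, G) = sum over all ending cells of n(x, y, l, G), for l = 1..Lmax."""
    n = stroke_counts(G, Lmax)
    return {l: sum(n[l].values()) for l in range(1, Lmax + 1)}


def password_space(G, Lmax):
    """Returns (P, total) where P[L] = P(L, G) for L = 0..Lmax (P[0] = 1 is the
    empty password, used only as the base case) and total = Pi(Lmax, G)."""
    N = stroke_totals(G, Lmax)
    P = [1] + [0] * Lmax
    for L in range(1, Lmax + 1):
        # A password of length L is a first... no: a last stroke of length l
        # appended to any password of length L - l.
        P[L] = sum(N[l] * P[L - l] for l in range(1, L + 1))
    return P, sum(P[1:])


def space_bits(total):
    """Raw size of the space expressed as bits of entropy (log2)."""
    return log2(total)


if __name__ == "__main__":
    for G, Lmax in ((2, 3), (5, 12)):
        P, total = password_space(G, Lmax)
        print(f"G={G} Lmax={Lmax}: Pi={total} (~2^{space_bits(total):.1f})")
```

The recurrence counts each password exactly once by conditioning on the length of its final stroke, which is why the base case $P(0,G)=1$ is needed even though an empty password is never accepted; the reported total starts the outer sum at L = 1 for that reason.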

3. DRAW-A-SECRET (DAS) SCHEME
3.4 Security of the DAS Scheme
• A new password scheme cannot be proven better than the old scheme because of the human factor!
• However, the table above shows that the raw size of the graphical password space surpasses that of textual passwords.

4. ANOTHER GRAPHICAL PASSWORD SCHEME
• To log in, the user is required to click within the circled red regions (chosen when the password was created) in this picture. The choice of the four regions is arbitrary.
• Known since the mid 1990s, starting with G. Blonder in his paper "Graphical Passwords".

5. SUMMARY
• Textual passwords with graphical assistance: conventional passwords equipped with graphical capabilities.
• Improvements over textual passwords:
  – Decouple positions of input from temporal order
  – Larger password space

5. SUMMARY
• Draw-A-Secret (DAS) Scheme:
  – Pictures are easier to remember
  – Attackers have no knowledge of the distribution of passwords
  – Larger password space
  – Decouple position of inputs from temporal order

6. REFERENCES
• "The Design and Analysis of Graphical Passwords" by Ian Jermyn, Alain Mayer, Fabian Monrose, Michael K. Reiter, Aviel D. Rubin
• "Graphical passwords" by Leonardo Sobrado, Jean-Camille Birget, Department of Computer Science, Rutgers University
• "Graphical Dictionaries and the Memorable Space of Graphical Passwords" by Julie Thorpe, P.C. van Oorschot
• "Human Memory and the Graphical Password" by David Bensinger, Ph.D.
• "Passwords: the weakest link?" CNET News

THANK YOU
