Secure Human-Computer
Identification against Peeping
Attacks (SecHCI): A Survey
Shujun Li, Harry Shum
Visual Computing Group
Microsoft Research Asia
Sep. 2002
Outline
Introduction
A User Study
SecHCI: General Model
SecHCI: A Comprehensive Survey
SecHCI: Other Related Works
Our Opinions
1. Introduction
Outline
Human-Computer Identification
Problems of Widely-Used Fixed Passwords
Yet Another Danger: Peeping Attack

In the real world
 In the theoretical world
Known Solutions to Peeping Attack
1.1 Human-Computer Identification
Three Identifications
Knowledge-based: What do you know?




Fixed (textual/visual) password / PIN
Pass-phase / Pass-algorithm / word-association
Challenge-response identification protocol
Zero-knowledge identification protocol
Token-based: What do you have?


Magnetic-striped card / Smart card
Hand-held one-time password generator
Biometrics-based: Who are you?

Face / Fingerprint / Iris / …
1.1 Human-Computer Identification
Three Identifications: Comparison
Knowledge-based


Fixed Password: Easily understood and widely
accepted, but vulnerable to dictionary attack and replay
attack
Challenge-response protocol: Relatively complex but
secure against replay attack
Token-based


More secure than fixed password
You must physically have it / sensitive to loss
Biometrics-based


Always with you / minimal user efforts
Performance is not really satisfactory / privacy involved
1.2 Problems of Fixed Password
Dictionary attack: A troublesome paradox between
security and usability



Humans always select passwords from a dramatically
small subset of the password space
Too random or too long passwords are hard to
remember for humans
Compulsive password rules are useful to avoid
problems, but users always try to circumvent the rules
Partial solutions: Limitations still exist


Pass-phrases / Pass-algorithms / Word associations / …
Visual/graphical passwords
1.3 Peeping Attack
In the Real World
Your friends standing behind your shoulders can observe
your password
Your adversaries can install hidden cameras to steal your
password
Your adversaries can deploy malicious programs in your
computer to get your password
Powerful enemies can use TEMPEST (compromising
emanations) devices to monitor your computer
A lot of real stories on peeping attacks to banking cards
(on ATMs) were reported by R. J. Anderson in 1994.
1.3 Peeping Attack
In the Theoretical World
SecHCI means such a human-computer
identification by which one can successfully prove
its identity without any auxiliary devices and via
insecure communication channel.
Two kinds of peeping attacks

Passive peeping attack and Active peeping attack
 In passive peeping attack, adversaries can only passively
observe the identification procedure
 In active peeping attack, adversaries can impose the verifiers

Open peeping attack and Hidden peeping attack
One more requirement

Human sensitivity (consciousness) to faked verifiers
1.4 Solutions to Peeping Attack
Non-SecHCI
Displaying “******” on the screen instead of
plain-password
Shielding your input from malicious “eyes”.


Visual shielding / TEMPEST shielding
LVSVSS – a shielding based on visual cryptography
One-time passwords
Challenge-response protocols
Biometrics?
1.4 Solutions to Peeping Attack
SecHCI
Matsumoto-Imai protocol proposed at EuroCrypt’91

Not secure enough, cryptanalyzed by C.-H. Wang et al. at
EuroCrypt’95
Matsumoto protocols proposed at HCI International’95 and
ACM CCS’96

Security against peeping attack is not strong
Hopper-Blum protocols proposed at AsiaCrypt’2001

Security against peeping attack is acceptable, but the usability is
not good.
PhoneOIDs proposed by M. Blum (2001)

All proposed PhoneOIDs have been known insure
HumanAut Project supported by CMU (2002)

One implementation of a variant of Hopper-Blum protocol in
AsiaCrypt’2001 paper.
2. A User Study
Goals and Brief Description
Goals



Investigate the users’ opinions on security and usability
of human-computer identification system, especially
fixed passwords and SecHCI
Show the significance of peeping attack and SecHCI
Confirm some principles in the design and
implementation of human-computer identification
systems
Brief description



A web site is constructed
18 questions are involved
About 100 volunteers attended
2. A User Study
2.1 Investigation Results (1)
Fixed passwords I





Almost all users ever forgot their passwords
Most users ever told other of their passwords
Most users think security is more important than
convenience (usability) after careful consideration
Many users ever encountered hesitation when they set a
new password
Some users even have no really secret passwords
Summary: for most users, security > usability, but
they always forget this principle in the real world.
2. A User Study
2.1 Investigation Results (2)
Fixed passwords II





All users have two or more different passwords
Most users have <=6 different passwords
Most users use 6~10-length passwords
Most users also think 6~10 is the best password length
Most users think 15 (about) is the upper bound of the
password length for all security applications
Summary: for most users, 6~10-length passwords
are good, and >16 length is unendurable.
2. A User Study
2.2 Investigation Results (3)
Peeping attack

Most users think peeping attack is a real danger
in the security world, especially when their
money and privacy is endangered.
 Most users will follows at least partial warns
from security experts and technical news.
Summary: the significance of peeping
attack is confirmed, especially for electronic
financial applications.
2. A User Study
2.2 Investigation Results (4)
SecHCI


Most users wish the identification procedure can be
finished within 1 minute
Most users think security and usability should be
balanced in the design of secure human-computer
identification
Summary: a good SecHCI must balance security
and usability, and the consuming time for one
identification should be <= 1 minute.
3. SecHCI: General Model
3.1 Fundamentals
SecHCI should be a challenge-response protocol with
time-variant parameters like the following one.
Define SecHCI as a HCIP – human-computer interactive
protocol (H,C) with auxiliary input. The transcript between
H and C is T(H(x), C(y)), and the output of the protocol is
<H(x), C(y)>, which is in the set {accept, reject, }, where
 means H find C is a fake verifier.
3. SecHCI: General Model
3.2 What is SecHCI?
Completeness

A HCIP is complete if Pr[<H(z),C(z)>=accept]1-Pc.
Soundness

A HCIP is sound if Pr[<H(x),C(y)>=accept]Ps.
(, , )-Human-Only Executability (HOE)

A HCIP is (, , )-human-only executable if any
T(H(x),C(y)) can be carried by (1-) population with
the error probability , and can be finished within 
seconds.
A SecHCI is a HCIP satisfying completeness and
soundness, and (, , )-HOE with acceptable
parameters.
3. SecHCI: General Model
3.3 Definitions of Security
(p, k)-security against passive peeping attack

Pr[<A(Tk(H(z),C(z))), C(z)>=accept]p, where A
denotes adversaries observe k random sampled
identifications.
(p, k)-security against active peeping attack

Pr[<A(Tk(H(z),C(z))), C(z)>=accept]p, where A
denotes adversaries observe k chosen identifications.
(q, k)-human sensitivity (consciousness) to fake
verifiers

Pr[<H(z),C(z,A(Tk(H(z),C(z))))>=]1-q, where
C(z,A(Tk(H(z),C(z)))) denotes the fake verifier by A.
3. SecHCI: General Model
3.4 Security in the Real World
Basic Attacks



Random response attack (soundness)
Brute force (exhaustive) attack
Dictionary attack
Peeping Attacks


Store-and-replay attack
Intelligent off-line password attack
 Differential attack / Deduction-based attack / Intersecting attack

Multi-onlooker peeping attack
Advanced Attacks



Partially-known password attack
Malicious administrator attack
Denial-of-Logon attack
4. A Comprehensive Survey
4.1 Matsumoto-Imai Protocol
Matsumoto-Imai protocol [EuroCrypt’91]

An simple example to show the basic idea:
={1,2,…,9,0}, ={1,2,…,8}, the password is
={1,2,4,6}, ={1,2,3,4}, W=3124. Assume
=#()=8 and =#()=4, the challenge q is a bijection
from  to , and the response is a -length word
a=(a1,…,a) whose characters are all in . The accepted
responses should satisfy the following requirement:
extract all characters in q and also in , and record their
order in q to compose a list f=(f1,…,f), then i=1~,
af(i)=W(i).
4. A Comprehensive Survey
4.1 Matsumoto-Imai Protocol
Security problems
Only one observation is enough to know .
 This protocol cannot resist “replay challenge
attack” (an active peeping attack). Only several
observations is needed to decrypt  and then
find W. [C.-H. Wang et al. EuroCrypt’95]
 In passive peeping attack, the number of
observations is also rather small.
 C.-H. Wang et al. proposed a modified version,
but whose usability is too poor.

4. A Comprehensive Survey
4.2 Matsumoto Protocols
Matsumoto Protocol 0 [ACM CCS’96]




Fs is a finite field of order s.
The password is u vectors k1~ku, where ki is vdimensional vector in Fsv.
The challenge is a non-zero v-dimensional vector qi in
Fsv-{0}; the response ai is a element in Fs.
If i=1~u, ai=qiki, the user is accepted.
Matsumoto Protocol 1 and 2 [ACM CCS’96]

Non-essential variants of Protocol 0.
4. A Comprehensive Survey
4.2 Matsumoto Protocols
Usability Issues



Protocol 1 can make implementations easier.
Protocol 2 can provide a better trade-off between
security and usability.
Some graphical implementations of Protocol 1 and 2
are given in Matsumoto’s paper.
Security Issues

To break the password, only O(u) observations are
needed for both passive and active peeping attack.
4. A Comprehensive Survey
4.3 Hopper-Blum Protocols
Hopper-Blum Protocol 1 [AsiaCrypt’2001]
The password is a (0,1)-vector x{0,1}n whose
weight is k.
 The challenge is also a (0,1)-vector c{0,1}n.
The response r is 0 or 1.
 For total m challenge, if r=cx holds for at least
(1-)m challenges, the user is accepted.

4. A Comprehensive Survey
4.3 Hopper-Blum Protocols
Security Issues

Hopper-Blum Protocol 1 cannot resist replay
challenge attack (active peeping attack).
Some Errors and More Problems

The result of Theorem 1 is wrong.
 The masquerading probability of random
response attack is slightly overestimated.
 Paradox exists between security and usability,
especially on the value of k.
4. A Comprehensive Survey
4.3 Hopper-Blum Protocols
Hopper-Blum Protocol 2 [AsiaCrypt’2001]

Basically, Protocol 2 is similar to Protocol 1
with two chief modifications.
 Modification 1: the response is calculated with
sum of k mins.
 Modification 2: the linear error-correcting
mechanism is introduced to avoid malicious
change of legal challenges.
4. A Comprehensive Survey
4.3 Hopper-Blum Protocols
Merits

Protocol 2 can resist active peeping attack.
 Protocol 2 has 0.1-human sensitive to fake
verifiers.
Problems

Usability of Protocol 2 is even more poor than
Protocol 1.
 Some problems in Protocol 1 still exist in
Protocol 2.
4. A Comprehensive Survey
4.4 HumanOIDs@CMU
HumanAut@CMU



An image-based SecHCI, n images are involved and n/2
images compose the password.
A non-essential variant of Hopper-Blum Protocol 1.
The challenge is always a vector with fixed weight.
Usability is poor when n is too large.
Pass-Rules


You can freely change all n images.
Then you can use some meaningful features of the n/2
pass-images to remember so many pictures.
4. A Comprehensive Survey
4.4 HumanOIDs@CMU
PhoneOIDs@CMU
PhoneOIDs is “challenge-response protocols
for use over the phone”, which means SecHCI
protocols of two parties with limited
computation capabilities.
 Many PhoneOIDs have been proposed, but all
are insecure.

5. Other Related Works
5.1 Visual/Graphical Passwords
Selective pictures based passwords


PassfaceTM: In each round, select your pass-face from 9
candidate faces.
Déjà Vu: Select m portfolio images from n candidate
images.
Point-and-click passwords


PassPic: Click your pass-positions with your pass-order
Graphical Password Windows in Passlogix v-GOTM
SSO: Click several things to construct your password.
Drawing-based passwords

Draw-a-Secret (DAS): Draw your pass-strokes on a
mn grid.
5. Other Related Works
5.2 CAPTCHAs
CAPTCHA stands for “Completely Automated Public
Turing Test to Tell Computers and Humans Apart”, also
called Reverse Turing Test by some researchers.
The chief application of CAPTCHA is to foil malicious
online robots, and can also be used to relax the security
against random response attack in SecHCI protocols.
The first paper on CAPTCHA occurred in 1996 (by M.
Naor). The first implementation of CAPTCHA is designed
in 1997. The initial booming of interests on CAPTCHAs is
promoted by the occurrence of Gimpy, a CAPTCHA
designed by M. Blum et al. at CMU in 2000. Now a
CAPTCHA project is supported by Aladdin Center of
CMU.
5. Other Related Works
5.2 CAPTCHAs
Distorted texts based CAPTCHAs



Gimpy@CMU
Another Gimpy-like CAPTCHA@AltaVista
Pessimal print
Visual pattern based CAPTCHAs

Bongo@CMU
Image based CAPTCHAs



PIX@CMU
CAPTCHAs based on image search problem
More image processing techniques can be used to
distort involved images
5. Other Related Works
5.2 CAPTCHAs
Sound/Speech based CAPTCHAs

Sounds@CMU
 Byan@CityUHK
Text-only CAPTCHAs

Impossibility of text-only CAPTCHAs under
six assumptions
 “Find the Bogus Word”
Chinese CAPTCHAs?
5. Other Related Works
5.3 More Topics on HIPs
HIP means “Human Interactive Proof”,
which covers many topics, such as SecHCI
protocol, CAPTCHA, and visual/graphical
password.
There is a HIP project at Aladdin Center of
CMU to support research and product
transfer of theoretical results.
5. Other Related Works
5.3 More Topics on HIPs
Formal Studies on Security and Complexity
of HIPs
Computer Vision and HIPs
Biometrics
Visual Cryptography
Human-Error-Tolerant Passwords (or Fuzzy
Commitment)
Other Sides?
5. Other Related Works
5.4 ZK Identification Protocol
Many Zero-Knowledge based identification
protocols have been proposed. The basic idea used
in ZK protocols may be useful for the design of
SecHCI protocols.
The general model of ZK identification protocols:
1) P=>V: a public (random) witness; 2) V=>P: a
(random) challenge; 3) P=>V: a response
(dependent on the witness and the challenge).
6. Our Opinion on SecHCI
6.1 A Comparison
By security against passive peeping attack

Matsumoto-Imai Protocol < Matsumoto Protocols <
Hopper-Blum Protocol 2 < Hopper-Blum Protocol 1;
By security against active peeping attack

Matsumoto-Imai Protocol < Matsumoto Protocols <
Hopper-Blum Protocol 1 < Hopper-Blum Protocol 2;
By usability

Hopper-Blum Protocol 2 < Matsumoto-Imai Protocol <
(0,1)-version of Hopper-Blum Protocol 1  decimal
version of Hopper-Blum Protocol 1  Matsumoto
Protocols.
6. Our Opinion on SecHCI
6.2 Our Opinion
Three principles

Intentional errors
 Redundancies
 Balance
Two desired requirements

The password length <= 16
 The identification time <= 1 minute.
6. Our Opinion on SecHCI
6.3 A Prototype Protocol
Following our opinions on SecHCI, we can
give a prototype protocol as follows
The password is a (0,1)-vector x{0,1}n whose
weight is k.
 The challenge is 2m (0,1)-vectors c1,…,c2m
{0,1}n. The response is 2m bits r1,…r2m.
 If i=1~m, (r2i-1-c2i-1x)+(r2i-c2ix)=1 (mod 2),
then the user is accepted.
 Such a protocol may be OK as a new solution
of SecHCI.

Thanks for watching!