
MondayAuth2

Humans – The Weakest Link?

• Identification by ID document/passport
• Authentication by signature

In the beginning

• Identification
• Authentication
• Authorisation

What’s the difference?

Identification

On the Internet, nobody knows you’re a dog

Authenticator Stages (diagram): Identifier; Authenticator; Enrol → Authenticate → Replace → Close Account

Process (diagram): Claim Identity (“I am John”) → Prove Identity (Authenticator) → Authorised Access

Types….

• What you know
• What you hold
• What you are

Judging an Authentication Mechanism (Security)

• Memorability
• Guessability
• Observability
• Recordability

What you Know (DIKW)

(Diagram: the DIKW pyramid, Data → Information → Knowledge → Wisdom, climbing with experience. Adding meaning turns data into information; understanding of application turns information into knowledge; knowledge in action is wisdom.)

(Diagram: password guidance as Data → Information → Knowledge & Skills. Labels: nonsense “strong” password; meaningful “weak” password; user drive to avoid forgetting.)

Problems with “What You Know”

• Human Aspects
– Hard to remember
– Hard to create
– Take time to type in

• Security:
– Guessability
– Observability
– Recordability

More Problems

• No agreement as to “strong password”
requirements

• They don’t tell users much, and they
display instructions in the wrong place

Memorability

• How do they cope?
– Write them down
– Ask others to share
– Use other passwords that have been written
down

– Use the same password for multiple systems
– Use a variation of their own name or the system
name

– Use “common” passwords
– Use weak passwords

FACT: People can’t remember all
their passwords

• Was also holding the password to an
encrypted file written on a piece of paper,
the government has disclosed.

• “Much of the material is encrypted.
However, among the unencrypted
documents … was a piece of paper that
included the password for decrypting one of
the encrypted files on the external hard drive
recovered from the claimant.”

David Miranda

Guessability

Who are you protecting yourself against
when you choose a password?
– Hacker?
– Ex-partner?
– Family member?

Observability

Prince William & Passwords….

• The stronger the password, the easier it is to
see what the password is if you watch
someone

• Keyloggers are easy to install
• The sounds of your typing leak your
password

Actually….

SpiPhone: How someone
could use an iPhone to find
out what you are typing on
your computer

• It can decipher vibrations to record what is being typed on a nearby computer keyboard

• Working with dictionaries comprising about
58,000 words, the system reached word-
recovery rates as high as 80 percent.

Working on the Move

(Diagram: the mobile environment worker; threats: technical hacker, camera-equipped observer; risks: information leakage, data loss.)

Recordability

OUCH!

Beijing 2008 London 2012


So what passwords are
people choosing?

Common Passwords

• How many are there?
– 10 000

• People can define their own. Which ones do
they use?

PINS

Statistically, one third of all codes
can be guessed by trying just 61
distinct combinations!

Passwords – Epic Fail
• Guessability – Poor!
• Observability – Poor!
• Recordability – Poor!
• Memorability – ????

Even if we obey all the rules…..

• Passwords have to be stored somewhere
• Some developers don’t do this properly
• Sony: Hacker breaks into Sony Playstation
and steals passwords and user details. (April
2011) – 100 Million People’s accounts
compromised
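Added example, not from the slides or from Sony: the storage mistake the slide warns about beside a sound scheme, in Python. The naive variant is an unsalted fast hash; the sound one is a per-user random salt plus PBKDF2-HMAC-SHA256 with a constant-time comparison. ITERATIONS, the record format and the helper names are assumptions.

```python
import hashlib
import hmac
import os

# Iteration count for the slow hash. Kept low so the demo runs quickly;
# raise it in production (OWASP currently advises 600,000 for PBKDF2-HMAC-SHA256).
ITERATIONS = 50_000


def store_naive(password):
    """What the slide warns about: an unsalted, fast hash (or plaintext).
    Two users with the same password get the same digest, and a leaked
    table can be reversed with precomputed digests of common passwords."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_hashed(password, salt=None):
    """Per-user random salt plus a deliberately slow key derivation.
    The stored string carries everything verify() needs (assumed format)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password, stored):
    """Recompute with the stored salt and iteration count; compare in
    constant time so response timing does not leak how many bytes matched."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def leaked_table_reveals_shared_passwords(records):
    """Given a leaked table {user: stored_value}, return groups of users who
    visibly share a password. Naive storage exposes them; salted storage
    gives every user a distinct value, so the same query returns nothing."""
    by_value = {}
    for user, value in records.items():
        by_value.setdefault(value, []).append(user)
    return [users for users in by_value.values() if len(users) > 1]
```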


Challenge Questions

Cueblots (McBryan & Renaud)

What you hold
• On its own not an authenticator!

• Biometric/PIN
• Problems:

– Cost
– Reader requirement & cost
– Cannot be used remotely

Biometrics

• Instead of what I know, what I am
– Physiological

• Or the way I behave (because humans are unique)
– Behavioural

Performance

• FAR (False Accept Rate)
• FRR (False Reject Rate)
• EER (Equal Error Rate)
• FTE (Failure to Enrol)
• FTC (Failure to Capture)
• Template Capacity
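The metrics above, as an added example that is not from the slides: a small Python script computes FAR and FRR from constructed genuine and impostor match scores, finds the EER by sweeping the decision threshold, and shows the FRR paid for a zero-FAR threshold. The 0..100 score scale, the sample values and the function names are assumptions.

```python
# Constructed similarity scores on a 0..100 scale (higher = closer match).
# Genuine: a user matched against their own template; impostor: against
# someone else's. FTE/FTC failures never produce a score and are counted
# separately, so they do not appear in these lists.
GENUINE_SCORES = [92, 88, 85, 81, 79, 77, 74, 70, 66, 61]
IMPOSTOR_SCORES = [15, 22, 28, 33, 39, 44, 51, 58, 63, 72]


def far(impostor_scores, threshold):
    """False Accept Rate: share of impostor attempts scoring >= threshold."""
    return sum(1 for s in impostor_scores if s >= threshold) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False Reject Rate: share of genuine attempts scoring < threshold."""
    return sum(1 for s in genuine_scores if s < threshold) / len(genuine_scores)


def equal_error_rate(genuine_scores, impostor_scores):
    """Sweep every threshold and return (threshold, rate) where FAR and FRR
    are closest; that operating point is the EER, the usual single-number
    summary of a matcher's performance."""
    best = None
    for t in range(0, 101):
        a, r = far(impostor_scores, t), frr(genuine_scores, t)
        if best is None or abs(a - r) < best[0]:
            best = (abs(a - r), t, (a + r) / 2)
    return best[1], best[2]


def threshold_for_far(genuine_scores, impostor_scores, max_far):
    """Lowest threshold whose FAR is within max_far, and the FRR paid for it.
    Tightening security (lower FAR) costs usability (higher FRR)."""
    for t in range(0, 101):
        if far(impostor_scores, t) <= max_far:
            return t, frr(genuine_scores, t)
    return None


if __name__ == "__main__":
    t, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER {eer:.0%} at threshold {t}")
    t, cost = threshold_for_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0)
    print(f"zero false accepts needs threshold {t}, rejecting {cost:.0%} of genuine users")
```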

Physiological

Behavioural

As old as civilization
• Hand-prints that accompanied cave
paintings from over 30,000 years ago are
thought to have been signatures.

• The early Egyptians used body
measurements to ensure people were
who they said they were.

• Fingerprints date back to the late
1800s.

Bertillon (1882)

Fingerprints

• Divides print into loops, whorls and arches
• Calculates minutiae points (ridge endings)

• Finger Placement
• Dirt, grime, wounds, age, missing fingers
• Spoof!

Ear Biometrics

• Ears are remarkably consistent
• Passive
• No cosmetics, emotions, colour changes
(graying hair)

• Smaller than the face (faster processing)
• No problem with glasses
• Hair & Earrings

• In 1998 an ear print left on a window led
to the conviction of Mark Dallagher for
murdering a 94-year-old woman.

• Overturned in January 2004
– Flawed evidence
– subjective opinion of an ear expert.

Hand Biometric

Hand Geometry
• Geometry of users’ hands
• More reliable than fingerprinting
• Balance in performance and usability

• Very large scanners
• Arthritis
• Jewellery
• Growing children

Iris Recognition

• Scans unique pattern of iris
• Iris is coloured and visible from a distance
• No touch required
• Overcomes retinal scanner issues
• Contact lenses an issue?
• Intrusive
• Expense

Face Recognition

• User faces camera
• Neutral expression required
• Appropriate lighting and position
• Algorithms for processing

Boston
Bombing

• Systems are only as good as the data they’re
given to work with

• Despite having an array of photos of the suspects,
the system couldn’t come up with a match

• Facial recognition isn’t an instantaneous, magical process

• Facial recognition and other biometric and image
processing technologies (gait recognition) helped
by retailers’ own computerized surveillance
systems.

Face Recognition

• User faces camera
• Neutral expression required
• Appropriate lighting and position
• Algorithms for processing
• Expression
• Spoof
• Tougher Usability

http://www.sciencedaily.com/releases/2008/09/080904102751.htm

DNA

• Unique – cheaper to sequence than ever
before

• Twins?

“With identical twins, even if you sequenced
their whole genome you wouldn’t find
difference,” forensic scientist Bob Gaensslen
told ABC News at the time. More recent
research shows that this isn’t the case, but
teasing out the difference can be expensive —
in the Marseilles case, police were told that
such a test would cost £850,000.

Behavioural Biometrics
• Authorship – did the person write this or draw this?

• Computer usage:
– Interaction with mice, keyboards which are distinct and different from others
• Mouse movements
• Keystroke dynamics

– Strategies, knowledge or skill used during interaction with software
• Email behaviour

Voice Recognition

• Speech input
– Frequency
– Duration
– Cadence

• Neutral tone
• User friendly

Disadvantages
• Local acoustics
• Background noise
• Device quality
• Illness, emotional behaviour
• Time-consuming enrolment
• Large processing template
• Spoof

What Traits make something
suitable as a biometric?

• Universality
• Uniqueness
• Permanence
• Measurability
• Performance
• Acceptability
• Circumvention

Alternative
Authentication

HUMAN-CENTRED SECURITY

Two Factor Authentication

• Not 2 passwords!
• 2 different types

Alternative
Authentication
Mechanisms

How Memory is Assessed

• Recall Based
• Cued-Recall Based
• Recognition Based

Blonder (1997)

PassClick -mininova labs

PassClick (157090 people)

Jermyn (2000): Draw a Secret

Drawmetric
User needs to redraw an image in the same
stroke order

Sketch Based Recall

• Shortcomings?
– Dictionary attack
– Symmetric drawings
– Three strokes only

• Restrictions?

https://docs.google.com/viewer?url=http://www.usenix.org/events/woot10/tech/full_papers/Aviv.pdf
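Draw-a-Secret’s stroke-order check, as an added example that is not the slides’ or Jermyn’s code: a drawing on an assumed 5 by 5 grid is encoded as the ordered cells each stroke crosses, with a pen-up marker after every stroke, and a redraw verifies only if it crosses the same cells in the same stroke order and direction. The grid size, the interpolation step and the sample drawings are constructed.

```python
import hmac

GRID = 5                # 5 x 5 cells over the unit square (assumed size)
PEN_UP = (GRID, GRID)   # stroke terminator; can never collide with a real cell

def cell(point):
    """Map a pen sample (x, y) in [0, 1) x [0, 1) to its grid cell (col, row)."""
    x, y = point
    if not (0 <= x < 1 and 0 <= y < 1):
        raise ValueError("pen sample off the canvas")
    return int(x * GRID), int(y * GRID)

def densify(stroke, step=0.02):
    """Interpolate between recorded samples so a fast stroke cannot skip a cell."""
    out = []
    for (x0, y0), (x1, y1) in zip(stroke, stroke[1:]):
        n = max(1, int(max(abs(x1 - x0), abs(y1 - y0)) / step))
        out += [(x0 + (x1 - x0) * i / n, y0 + (y1 - y0) * i / n) for i in range(n)]
    out.append(stroke[-1])
    return out

def encode(strokes):
    """A drawing is a list of strokes, each a list of (x, y) samples. The secret is
    the cells each stroke crosses (repeats collapsed) plus PEN_UP after each stroke."""
    secret = []
    for stroke in strokes:
        last = None
        for c in map(cell, densify(stroke)):
            if c != last:
                secret.append(c)
                last = c
        secret.append(PEN_UP)
    return secret

def verify(enrolled, attempt):
    """Exact match of the encoded sequences, compared in constant time."""
    return hmac.compare_digest(repr(enrolled).encode(), repr(encode(attempt)).encode())

# Constructed drawings: an "L" drawn as two strokes on the 5 x 5 grid.
L_SHAPE = [
    [(0.1, 0.1), (0.1, 0.3), (0.1, 0.5), (0.1, 0.7), (0.1, 0.9)],   # down the left
    [(0.1, 0.9), (0.3, 0.9), (0.5, 0.9), (0.7, 0.9), (0.9, 0.9)],   # along the bottom
]
# A wobbly redraw: a different pen path that crosses the same cells in the same order.
REDRAW = [
    [(0.15, 0.05), (0.12, 0.35), (0.08, 0.55), (0.1, 0.75), (0.14, 0.95)],
    [(0.1, 0.88), (0.32, 0.9), (0.5, 0.86), (0.72, 0.9), (0.9, 0.92)],
]
ENROLLED = encode(L_SHAPE)
```

Drawing the same L with the strokes swapped, or the vertical stroke bottom to top, produces a different sequence and fails, which is the stroke-order property the slide describes.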

Recognition-Based Graphical
Authentication

Passfaces
• 5 Passfaces are Associated with 40 associated
decoys

• Passfaces are presented in five 3 by 3 matrices
each having 1 Passface and 8 distractors

Snags

• People are good with FAMILIAR faces

(Figure: Passfaces challenge grids; four 3 by 3 matrices, cells labelled A B C / D E F / G H J.)

Facelock

Handwing
Visuo-biometric

User recognises his or her own handwritten
PIN, postal code and doodle

Handwing – stage 2


DynaHand (Olsen & Renaud)

What about Chipping Humans?

Necessary & Sufficient
Authentication

• We don’t always need a password
• We don’t always need a “strong” password
• Match the risk level to the stringency requirement

Assurance levels:

Assurance  Description                                    Verification            Type                    Protection Requirements
1          Little confidence                              No verification         Identity only           None
2          Self service apps                              Little verification     Single factor           3 times lockout
3          High confidence – access restricted data       Stringent verification  Multifactor             Cryptographic techniques
4          Very high confidence – highly restricted data  In-person registration  Multifactor & hardware  Cryptographic techniques

Judging an Authentication Mechanism (User Experience)

• Ease of Use
• Convenience
– To Enrol
– To Authenticate
– To Replace

Concerns?
• Privacy
• Moving the vulnerability to the human
• How is it cancelled?
• How well is the data protected?
• Who will gain access?
• What will it be linked to?

Multimodal Biometrics
• Independent evidence
• Deals with missing biometrics
• Harder to spoof
• Challenge-Response possible
• Good performance

Problem Solving
• An ATM manufacturer has approached
you to ask you to determine whether
they could incorporate an alternative
authentication mechanism into their
ATM machine to be used in an old age
home
• Acceptability & Usability NB!
• I’ll randomly choose group(s) to:
–sell your solution to me

• Come up with a personalised password
scheme for your grandmother which ensures
that
– Passwords are memorable
– Yet strong (unpredictable)
– Is easy enough for your grandmother to use

Discussion Topics