New Authentication Scheme Proposed

jerel brings us a story about a prototype authentication system which approaches security from an atypical angle. It focuses on hiding identity challenges from attackers in addition to the responses. The system, Undercover [PDF], "uses a combination of visual and tactile signals in the authentication process." "The system displays a set of images to the user and asks if any belongs to the image portfolio that the user had previously selected. At the same time, the trackball sends the user a signal that maps each button on the case to a certain answer. The user's hand must cover the trackball for it to operate, so a sneaky observer wouldn't be able to see his or her selections, or answers. So a would-be attacker can't 'see' the tactile challenge presented by the trackball and therefore doesn't get the user's authentication data, even though he or she could see the image challenge on the display."

And within a month

[dreamchaser]

And within a month, someone will figure out a way to crack it. It's inevitable.

Re:

[morgan_greywolf]

And within a month, someone will figure out a way to crack it. It's inevitable.

Obvious. It's vulnerable to some of the same techniques that passwords are vulnerable -- sniffing (assuming no encryption was also used), man-in-the-middle, keyboard (mouse) sniffer, malicious code, etc.

Re:

[poopdeville]

On the other hand, it has it's uses. There's not much reason why I should have to press my PIN into a publicly visible terminal when I use an ATM.

Re:

[morgan_greywolf]

On the other hand, it has it's uses. There's not much reason why I should have to press my PIN into a publicly visible terminal when I use an ATM.

Thieves could just setup a digital camera at a commonly-used ATM, and then capture all the pictures. Eventually they'd figure out which ones belonged to which users.

Re:

[mrxak]

They still need to steal your card though, and unless you're pretty careless you'll notice when they do, and then you can call your bank and have your card deactivated. This strikes me as a little less secure than an ATM.

Re:

[tkinnun0]

If you have one, you can use your wallet to cover your hand and the keypad.

Re:

[Sancho]

I do this. My right hand types in my PIN, while my left hand provides cover. I get funny looks from people who are nearby, but that just justifies me.

Then again, I'm pretty paranoid about ATM use. Typically, I only go to the one at my bank, and I check it for signs of tampering before I use it. I'm familiar with the machine, so I'm hoping that if an outer casing was placed on top of it, I'd notice.

Re:

[Yetihehe]

Maybe using directional microphone to listen for characteristic noise of vibrating trackball? See, you didn't have to wait whole month.

Re:

[Yetihehe]

Yes. You need to see characters on screen. Then you are making input so that the character which you are seeing the most is your input character. If I can see your screen, I can see what you selected. Only secure method to implement this: user sees screen through some peephole. But then he can simply choose letter from randomized position, like in current "secure virtual keypads".

Re:

[sempernoctis]

Hasn't this problem been solved already with two-factor authentication? You have a token that has a short numeric code that changes every minute or so, and your password is a combination of a secret PIN and the number on the device. Or, for the poor-man's-version, you have a series of one-time PINs written down (or printed out) so that the credentials you use to authenticate yourself can only be used once. I have been using a system like this on one of my servers for a couple years now. One major limita

Re:

[Xiph]

For some obscure reason, i accidentally posted this in the wrong thread... please mod parent down (off topic) thank you :/

ps. Also, i left out the "profit" step

Re:

[dreamchaser]

That's ok, you didn't get first post anyways.

(I did the same thing once btw, don't feel bad :-) )

Perfect solution.

[v(*_*)vvvv]

For all those hackers lined up behind me, looking into my monitor!

Not only is it obvius how to crack it ...

[tomhudson]

... but I HATE trackballs!

For increased portability...

[sakdoctor]

...I suggest a booth with a dance dance revolution mat inside.
When the user is asked to enter their password they enter the booth, shut the door and strut their funky password.

Re:

[Tolkien]

Employer: Is your password really that long? Come on! Hurry up and finish already.
Me(from within the booth after 5 minutes of dancing): Ssssh, I'm trying to concentrate - this is the best part!

mod parent up ...

[jimbojw]

up down down right right-left up-down!

3 factor authentication and one time pad

[Depili]

Why oh why develop new fancy ways to authenticate that still rely on a one factor (the image portfolio) when 3 factor authentication (eg. username + password + one time pad with challenge and response codes) just works, as snooping the username and pw doesn't give you the one time pad with challenges and responses, and stealing the pad doesn't give you the username and pw.

That is the principal method of authentication used by web banks atleast in Finland and other sensible countries :)

Re:

[Anonymous Coward]

Wouldn't that only be two factor authentication? Username and password only count as one factor (something you know) and the pad is the second factor (something you have.) In order to be three factor you would also need something you are.

Re:

[mollymoo]

This is for ATMs, so the "thing you have" is the card rather than a one-time-pad, but otherwise and it works pretty much as you describe. The need for a different "password" entry system is that it's trivial to shoulder-surf a PIN and then obtain the card by distracting the person and taking their card as it is ejected from the machine, picking their pocket, stealing their bag, beating the crap out of them...

Re:

[Sancho]

This is why a security fob would be useful.

Enter your PIN on the fob, get a code. Swipe your card, enter your card's PIN, enter the PIN from your fob, and you're in. To make it easier on the user, allow them to enter the PINs in any order.

Most users will use the same PIN for both devices--that's their fault. Some users will enter their fob PIN in full view of the security camera--again, their fault. At least people who care about their information will be capable of doing it securely, unlike the current

Keypad

[mpickut]

I've seen keypads with digital readout on the keys used in jails (my job takes me in and out of jails frequently). The keypad scrambles the digits each time and there is a prism-type covering over the keys so that unless you are looking directly at it you cannot see the numbers on each key. In order to see the numbers you need to stand in such a way that no one else can see them (your head blocks their view from the only angle the numbers are readable from).

I tried to get the code by watching as the guards let me in and out, just to see how effective it was, and can say that I never succeeded in even getting close. What was even better is that from talking to the offenders I learned that they thought they knew the codes by watching the patterns the keys were pressed by the guards -- I didn't have the heart to tell them that using the pattern they had watched would actually punch in a different code than the one the guards used. I did make sure one of the guards knew about it though.

Re:Keypad

[anothy]

my job takes me in and out of jails frequently

yeah, that and the early burnout are the two big problems with a career in the narcotics trade.

on the upside, you get to set your own hours.

Re:

[rickb928]

Hey, he (?) may not be a drug dealer. He might be a lawy...

Never mind, you were pretty much on the right track...

Re:Keypad

[mpickut]

Don't you dare call me a lawyer! We heroin addicts have enough of a image problem without being linked to those soulless drains upon society. At least if you made heroin legal we would stop stealing and stay to ourselves.

GrIDsure Re:Keypad

[rapoZa]

Someone I know has developed a similar system that uses a standard, fixed position keypad: The screen (ATM, mobile phone, point-of-sale etc) displays a grid and superimposes jumbled up and repeated numbers over the spaces. Using your secret _pattern_ that is known to the authentication service, you type in the corresponding numbers. Even if someone sees the numbers you type, it is difficult to determine your secret pattern because of duplicate positions for the same number. It's called GrIDsure.

Re:

[MrMonty]

I bet some of those guards say the numbers to themselves as they type them in and wouldn't be too tough to read their lips. That idea came to me in a matter of seconds. Now imagine you're in jail and have practically all day to think of other, more creative methods of getting the code.
Telling you they thought they knew the code was stupid... unless it was misdirection to cause the guards to change their behavior because they knew you'd tell the guards.

Re:

[mpickut]

No, they were just stupid.

By and large I've found that the reason we say crime doesn't pay is that we only catch the dumb ones.

As I like to say, "crime doesn't pay, but only because when it does we call it politics."

Re:

[Eternauta3k]

(my job takes me in and out of jails frequently)

Burglar?

Re:

[RationalRoot]

They brought them in to my college (more than a few years ago)

They lasted less than a month. We had quite a few blind students who really didn't like the system.

Of course if you had dynamic brail buttons...
D

Re:

[jafac]

Yes; I know of a keypad like that, used at a former employer, as well. Very secure.

Except that they gave everybody and their brother the code.

And over the two years I was there, it was never changed.

Small sample size

[ssjx]

They seem to have big plans for this yet have only tested it with 38 users?

!security

[shadoelord]

What stops someone from installing a 'keylogger' (albeit for a track ball)? Its a cute idea, but slight of hand only goes so far.

This would NEVER work out

[brunes69]

It is a cool idea, that is for sure, but it would never leave the lab. Why? Because these guys are obviously not usability engineers. The idea that the function of a button changes based on some random event, and the system will tell you which button means what before you click it, is not usable.

I would like to see a formal usability study done on this thing I don't think it would get very far. I see they had some informal study going on where they had participation and error rates, but no data on what kind of users.

work around

[White Yeti]

My soon-to-be-patented device will banish your arguments one by one: the USB ouija board [wikipedia.org]!

Okay, so I mostly just add "on a network of electronic devices" to existing work. ("USB ouija" return 12 hits on Google [google.com]!)

Rotating keypad

[mindflow]

How about having a rotating keypad on the computer screen? So when typing your pin, you must map the number on your numberpad to the one on the screen? So the actual input is different from your pin all the way.

Re:

[apathy maybe]

Screen recorder.

If your attacker can install software on the machine (e.g. keylogger), then they can just install a screen recorder and set it to run whenever certain software is run (such as your rotating keypad program). (That would be to limit the amount of crap that has to be saved).

Oh well.

Re:

[somersault]

If you have managed to install a program on an ATM then I don't think you need to bother with any program other than one to operate the bit where the money comes out..? I have been saddened and amused before upon seeing ATMs with BSODs, and one with a Windows desktop on it. I thought that they'd use custom systems..

Overly complicated

[ddrichardson]

The problem with this type of system is that in order to protect the data you are asking the user to go through much more of a rigmarole than entering a password. Here in lies the problem, users will hate this, I mean good security practice is a balance of securing against likely threats and practicality.

I can't see what this does that a fingerprint scanner doesn't. I could be wrong but I can't think of a way to use a keylogger to capture it and it certainly stops someone looking over your shoulder.

Re:

[mollymoo]

I can't see what this does that a fingerprint scanner doesn't.

For one thing, I don't think you could could fool this with a gummy bear.

This isn't that new...

[Dr. Smoove]

My bank has been doing this for about a half a year now. It's just a slight spin off from CAPTCHA or whatever the hell the acronym is.

Re:

[Dr. Smoove]

I mean, Minus the trackball hiding part. I guess that's what makes this new?

Lego Mindstorm?

[sjaguar]

Okay, I guess that is slightly more useful than what I've used my Mindstorm kit for.

Yeah, but the real question is...

[Prototerm]

Would I be able to still fit my password on that yellow sticky note I keep on the monitor?

The problem with authentication is authentication

[naasking]

Authentication is a broken concept. Anybody who knows anything about security knows this. Focusing on authorization, not authentication, is the only way to secure anything.

Re:The problem with authentication is authenticati

[Psiren]

Authentication is a broken concept. Anybody who knows anything about security knows this. Focusing on authorization, not authentication, is the only way to secure anything.

How can your authorize something, unless you know who you're authorizing? The two go hand in hand, I can't see how you can have one without the other.

Re:The problem with authentication is authenticati

[naasking]

How can your authorize something, unless you know who you're authorizing?

You've asked the right question. You can find an intro here [wikipedia.org]. That article links to arguably the best authorization scheme: capability-based security [wikipedia.org], where authorization is combined with designation. This results in many useful security properties that aren't achievable via authentication schemes.

Re:

[Psiren]

Interesting, but I still don't see how that makes authentication unnecessary, at best it just seems another name for it. And I don't really see how it's applicable to everyday tasks such as, for example, access control on buildings or online banking.

Re:

[naasking]

Let me ask you this: what use is authentication without identity? Identity is generally irrelevant when making authorization decisions, particularly when using capabilities. Identity-based access control is the single cause of our vulnerable computing infrastructure. Identity-based security can be locked down somewhat, with Polaris [hp.com] being the epitome of what's achievable on Windows, but it has fundamental limits associated with the amount of information available to make appropriate authorization decisions [wikipedia.org].

C

Re:

[Psiren]

I'm sorry, I still don't get it. If person A needs access to some files, and person B must not have access, whatever mechanism is used must be able to differentiate between the two when those files are requested. How do we stop person B imitating person A? Maybe the examples on wikipedia are poorly written, but it still looks like it needs authentication to me.

Re:

[naasking]

Being used to identity-based access control, it's difficult to imagine another way. I just posted this elaborate response [slashdot.org] to another question, but perhaps it's a little too abstract. I'll assume you're a programmer. I'll further assume that you're familiar with Java.

Assume that we're in a Java-like language with no static fields or methods. All we have are object instances, and instance methods. Now, let's assume a simple filesystem API for our OS:

package Filesystem;

public abstract class Entry {

Re:

[SilverJets]

I think you've gone past the point the other poster was trying to get at. You're talking about a program running on a system. The other poster (and myself now as well) is questioning how does capability authorization allow a user onto a system, in the first place, without authentication. There still has to be some way of identifying the bag of meat that is sitting at the terminal or shelling in remotely.

Re:

[naasking]

Hmm, from my reading, the poster asked an access control question, not an authentication question. To answer your questions, you connect that bag of meat to his session the same way you connect any other piece of software to another remote piece of software: carry an authorization token. I explained one way to make this easy here [slashdot.org].

Re:

[bzipitidoo]

Something I've been considering is the traditional login dialog, where a person is asked 2 questions: username and password, and always in that order. It's so ubiquitous it seems people don't think twice about it, and for some time now have been confusing the purposes of the two. I looked into the history of the login dialog, and learned this practice of asking for both username and password goes all the way back to the very first multiuser operating system, CTSS, in the early 1960s. You'll see solemn as

Re:

[naasking]

You don't identify yourself to a car, you simply use a key (password), the car doesn't care who you are, nor does it need to. You can give out copies of the keys or loan the keys to someone else so they can drive your car. Same goes for the combination to a combination padlock for a bicycle-- the lock doesn't care who anyone is. Have I understood what you're getting at, naasking? Capability based security is much like password only access? Like keys to a car?

You pretty much have it. The "capabilities as key

Re:

[mattpalmer1086]

I know the work of Mark Miller, Jonathon Shapiro, the E language, Waterken, etc. very well. It's really good stuff, and it has the potential to make more secure systems. However, I'm sorry to say, you've become a "true believer" and this is leading you into making vastly overreaching statements.

Authentication is not a broken concept. Authentication refers to the act of *proving* a claimed identity. Regardless of the authorization model that follows, you have to authenticate at the beginning. Doesn't

Re:

[naasking]

Identity is meaningless in a capability system, so it all depends how far down your capabilities go.

Re:

[mea37]

This is interesting material, and I'm hoping to find time to research the concepts further.

I have to say, though, that this article doesn't answer such questions as "when I approach a machine, how do I establish the capabilities I need for my tasks to be performed?"

In other words, I can see how this would reduce the roll of authentication during a session of activity, but I do not see in most common use cases how you could start a session without an authentication step. If you can persist your system's cap

Re:

[naasking]

1) It would still seem that the decision to initially hand the capability to the user has to be made with knowledge of who the user is, and

You pose some good questions which I intend to address, but first there are a number of assumptions in this one statement which has lead people astray in the past, so I want to address those first.

The User: just about every single access control discussion, particularly informal ones like this thread, start by talking about "users". Talking about "users" quite naturally

Re:

[mea37]

Thanks for the reply; quite informative.

My next round of questions and comments would revolve around the proposition that "the user is generally not a threat". I'd divide the world into two types of system:

The Easy Cases: For some systems, I'd say it's clearly and demonstrably true that programs, not users, are the threat. For example, the WinXP desktop sitting in my office at home isn't under threat from any malicious users (and indeed I don't have it set up to take a password), while systems like it ar

Re:

[naasking]

I'm guessing that multi-user networked systems probably present the most interesting (and complicated) discussion.

If by "multi-user networked systems" you mean systems which host multiple competing interests which are mutually suspicious, then I agree. The vast majority of systems are computer programs communicating with other computer programs, some at the behest of a single user or multiple users, some based on a schedule, etc. If you can solve the problem of safe collaboration among mutually suspicious p

Re:

[mattpalmer1086]

Even in capability-based security, you need strong authentication. Or someone could just log-in as you (the authentication bit) and use your capabilities.

It is true that capabilities bind a permission to an object, so knowledge of the subject by the system is not required to use a capability. This has certain benefits - it's performant, it allows easy delegation or permissions to other subjects, and it avoids the Confused Deputy problem. There are also some downsides to this form of access control - it's

Re:

[naasking]

Let me pose a hypothetical: consider a capability OS a suspended shell session. Your OS stored a cryptographic token which directly designates that session on a USB key, or a secure crypto card of some sort. Plugging your key into the computer automatically reconnects you to your session. Do you consider this an authentication or an authorization?

Re:

[mattpalmer1086]

That is a more interesting thought experiment. I would say the user authenticates to the system using the token - something the user has. The purpose is only to (indirectly) identify the user (as opposed to any other user), to allow them to keep using their session.

Having said that, you are using a capability authorization mechanism to perform authentication. Which demonstrates how flexible and useful this mechanism is - but I still say the process looks like authentication, and behaves like authenticati

Re:

[naasking]

I would say the user authenticates to the system using the token - something the user has.

But if this token were a YURL, ala Waterken web-calculus, then it's actually considered a capability. I think the correct way to look at it, is an authorization with an authentication step. Whatever system you plug it into must validate the token to ensure it names a resource on the current system (a sort of authentication), then invoke that resource to resume the session. YURLs go through this same process, as all ser

Re:

[mattpalmer1086]

Well, we're clearly coming from different perspectives on this one. I don't deny that it *is* a capability - but I would assert that it is being used as part of an authorization process, which is how the security it provides would be judged.

In terms of a security risk analysis of this system, I would want to know the strength of protection that this system allows for its users and the content being protected. The system gives two "authorization" paths to access the resources of a user: (1) log in with a p

Re:

[mattpalmer1086]

Freudian slips! "but I would assert that it is being used as part of an authorization process, which is how the security it provides would be judged." and "The system gives two "authorization" paths"

I meant to say "an authentication process" and "authentication paths"!

Re:The problem with authentication is authenticati

[gandhi_2]

"Anyone who knows security knows this"

...should be read as "anyone who agrees with me knows this".

Re:

[naasking]

"Anyone who knows security knows this" ...should be read as "anyone who agrees with me knows this". ...should be read as "I'm too ignorant on the subject to comment constructively, so I'll just be flippant".

Anybody who knows anything about security....

[mattpalmer1086]

You think authentication is a "broken concept"?

Authentication - providing proof of a claimed identity
Authorization - managing permissions bound to an identity

See why you need both? You clearly have no idea what you're talking about, whoever you are.

Re:

[naasking]

Then perhaps you should get a better dictionary [reference.com]. There is more in heaven and earth Horatio, than is dreamt of in your philosophy...

Re:

[mattpalmer1086]

Well, as I've said above, I know capability based access control very well. I nearly did my MSc degree dissertation on it, specifically the work of Mark Miller on the E language and distributed capabilities. But your original statement about authentication is still wrong. You still need good authentication in a capability based system. Authentication and authorization are not alternatives to one another!

Re:

[naasking]

I never said they were alternatives, I said you didn't need authentication, and that authorization was sufficient. I'm not a shmuck who's been drinking too much of the capability kool-aid; I know authentication can be quite useful in some situations, and is an integral part of many existing systems. However, I believe authentication draws far too much attention when it's really a trivial problem. We know 10,001 ways to authenticate anything, but it doesn't help because authentication is not the problem.

Even

Re:

[mattpalmer1086]

I will concede that "managing permissions bound to an identity" isn't a great definition. The permissions themselves don't need to be bound to an identity, as capability systems demonstrate very well. A better definition might be "managing the association of permissions with an identity". Taking a very granular view, in an object based capability model, each object has an identity. Regardless of how they are bound, would you agree that authorization is about moving permissions around things that have id

Re:

[Follis]

I think what you may be overlooking is this fundamental question. What's the difference, to a computer, between me, and a program which acts _exactly_ like me? The answer is: none. Therefore the dichotomy between users and processes is, from the above perspective, false. It has already been well established that you can "clone" processes. The combination of the two makes "identity" a relatively useless concept. Alternately you can view "authorization" as an easily forged (read useless) capability. Concatena

Re:

[mattpalmer1086]

Well, you are always just a process to the computer! One that represents you. The point of authentication is to prove your (the process that represents you) right to use a user-account to the computer in a way that only you could. This could be a secret (something you know), a token (something you have), or a biometric (something you are). Identity is definitely a slippery concept when you get down to it, but it's not a useless one. Of course, your slashdot password and username doesn't really identify

Re:

[Follis]

Sorry, I should have been a bit more clear. Authorization is easily forged compared to say a really large random number space. As far as authentication being a weak capability, the address of the machine represents the object, under authorization the action(s) you can perform are the challenges + your responses.

This idea is stupid.

[rickb928]

A trackball? Multiple keys? Sure, they got a great idea for selling lots of mouse replacements. And really just for authentication.

How about a biometric scanner? Oh, wait, that's beatable. Iris scanner? Too expensive. And strong passwords really don't work - just have someone steal the database.

It's just stupid.

Just use Crypto

[Strilanc]

It's about time we start applying better crypto techniques. There is no need to reveal your entire PIN when you use an ATM. For example your PIN could increase by [1 to 32] every time you use it. Now someone needs to observe you twice in a row to get the PIN.

The obvious limitation is the human capacity for math.

Perhaps an overstated case...

[mea37]

This seems to provide two thigns:

1) It provides a limited degree of authentication of the machine to the user. This is lacking in, say, ATM transactions today (in the U.S. at least), which is one of the concerns the article talks about. However, while this system has the "side effect" of providing the user with some chance of noticing a fake machine (depending on details of how the system were implemented and deployed), it would be better to approach a design with the specific goal of validating the machi

This is an interesting idea...

[ChoppedBroccoli]

that has been explored in previous research covering similar ideas (they used a stylus input and pressure to hide input): http://www.discover.uottawa.ca/publications/EH2006.pdf [uottawa.ca]

I think the principle of this CMU system is sound. Obfuscating the output and the input for an authentication system is a good approach to limit vulnerabilities to observation. The key is to be able to do it without annoying the user. This scheme seems to be able to make some headway in this regard. However, one aspect I don't like

Re:

[thomasdz]

Aww crap... sorry... I thought TFA was about Encryption, not Authentication... so instead of a potential +5 Funny, I get a -1 Irrelevant.
That's what I get for posting at 5:30am before I've had my caffeine.

Re:

[thePowerOfGrayskull]

Nonetheless, a smooth recovery...

Re:

[sam_paris]

I was the person who tagged this "slashdottagsareamystery" and it showed up as a tag. I assume I was the only person who tagged it as this.. I guess i'm just special.. :)

Re:

[rickb928]

You ARE special.

Just like everybodyu else.