Surrey Centre for Cyber Security blog

From shoulder surfers and keyloggers to MitM and malware: Can we make passwords safe against malicious observers?

On 16th March the Surrey Centre for Cyber Security (SCCS) and the Department of Computer Science of the University of Surrey jointly organised a half-day workshop on Human Factors in Cyber Security. Three speakers talked about their work on three different topics related to human factors and cyber security. I was the second speaker talking about something called observer-resistant password systems (ORPSs).

What are observers and what are ORPSs?

As its name implies, an observer is a person or a computer device that can observe the process of password entry. This covers a broad range of attacks on current password-based systems, including shoulder-surfers, hidden cameras, keyloggers, screen-scrapers, side-channel attacks based on electromagnetic/optical/acoustic emanations, phishers, rogue WiFi access points, malware, men-in-the-middle/men-in-the-browser, untrusted public terminals (e.g. card skimmers), etc. All those attacks can be modelled as malicious observers in the context of interactive user authentication: when a human user is interacting with a (local or remote) computer to prove he/she is the owner of a claimed identity, the whole authentication process is observable to a malicious third party (which we call an observer). An observer can be not only passive but also active, meaning that it can also manipulate the authentication process, e.g. by creating a fake response from the remote server in order to get more out of the human user.

[Figure: Passwords and many observers (shoulder-surfers, keyloggers, phishing, card skimmers, MitM)]

The current simple password system cannot resist observers, since the user discloses his/her password in full in an observable way. There are more advanced solutions offering different levels of protection against observers, but all come with non-negligible costs (e.g. hardware-based solutions reduce portability and increase costs, and biometrics-based solutions increase costs and lead to privacy concerns). Therefore, ideally we would like to have an observer-resistant password system (ORPS) that 1) is secure even if an infinite number of authentication sessions are observed; and 2) is usable, so that an average human user can authenticate using only his/her cognitive capabilities (i.e. his/her brain).

Since the 1990s, cryptographers and cyber security researchers have been looking for such an ideal solution, but until now they have still been struggling with a big barrier: the fine balance between security and usability. Many ORPSs have been proposed, but none of them fulfils both security and usability at an acceptable level, where acceptable usability means a user can finish the whole authentication process within, ideally, half a minute. The task is made even harder by the asymmetry between users and attackers: the former have limited computational resources (their brains, possibly plus some untrusted hardware device) but the latter can have access to a much bigger pool of computational resources, such as a botnet. In addition, attackers have a large number of strategies to launch an attack, so it is already hard to make an ORPS secure against all known attacks. My recent work (with my collaborators from Australia) at NDSS 2013 actually gives clues about the theoretical impossibility of an absolutely secure ORPS, so our hope now lies in a practically secure ORPS, where “practical” means users don’t have to renew their passwords very frequently.

Despite the “failures” researchers have suffered, there are nevertheless established guidelines and principles on how we may achieve the aim of a practical ORPS. We are actually not very far from the target: one system called Foxtail (developed by me back in 2002-2005 and further refined since 2013) can resist up to hundreds of observed authentication sessions before password renewal, and the login process is actually easy, although time-consuming (2-3 minutes). Currently there are thoughts around building ORPSs based on known hard mathematical problems (for computer scientists: NP-complete problems) and leveraging untrusted hardware devices.
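To make the observer model above concrete, here is an added Python simulation. It is my own illustration for this post, not Foxtail and not code from the talk or the slides. It models a toy challenge-response scheme: the user’s secret is k icons out of n, the server highlights a random subset of icons, and the user answers only whether an odd or even number of the highlighted icons are secret. A plain password leaks everything in one observed session; in this toy scheme a passive observer that records every challenge/response pair learns one linear equation over GF(2) per session and recovers the secret once it has about n independent ones. That “number of sessions before renewal” is exactly the budget the text talks about. The parameters N_ICONS and K_SECRET and the scheme itself are constructed for the example.

```python
import random

# Constructed parameters for the toy scheme (not Foxtail's parameters).
N_ICONS = 20   # icons shown on the login screen
K_SECRET = 5   # icons the user has memorised as his/her "password"


def make_secret(rng, n=N_ICONS, k=K_SECRET):
    """Pick a random k-subset of the n icons; return it as an n-entry 0/1 list."""
    chosen = set(rng.sample(range(n), k))
    return [1 if i in chosen else 0 for i in range(n)]


def challenge(rng, n=N_ICONS):
    """Server highlights each icon independently with probability 1/2."""
    return [rng.randint(0, 1) for _ in range(n)]


def user_response(secret, chal):
    """The user's mental task: parity of the highlighted icons that are secret."""
    return sum(s & c for s, c in zip(secret, chal)) % 2


class Observer:
    """Passive observer: stores each observed session as an equation over GF(2)
    and keeps the equations as a reduced basis (pivot = lowest set bit)."""

    def __init__(self, n):
        self.n = n
        self.rows = {}  # pivot bit -> (mask, rhs); mask has no bits below pivot

    def record(self, chal, resp):
        mask = sum(1 << i for i, c in enumerate(chal) if c)
        # Reduce the new equation against existing rows, lowest pivot first.
        for pivot in sorted(self.rows):
            if mask & pivot:
                rmask, rrhs = self.rows[pivot]
                mask ^= rmask
                resp ^= rrhs
        if mask:  # linearly independent of everything seen so far
            self.rows[mask & -mask] = (mask, resp)

    def rank(self):
        return len(self.rows)

    def solve(self):
        """Return the secret as a 0/1 list once rank == n, otherwise None."""
        if len(self.rows) < self.n:
            return None
        x = 0
        for pivot in sorted(self.rows, reverse=True):  # back-substitute high to low
            mask, rhs = self.rows[pivot]
            others = mask ^ pivot  # all higher bits, already solved
            bit = rhs ^ (bin(others & x).count("1") & 1)
            if bit:
                x |= pivot
        return [(x >> i) & 1 for i in range(self.n)]


def sessions_until_recovered(seed, n=N_ICONS, k=K_SECRET):
    """Count observed logins until the observer can impersonate the user."""
    rng = random.Random(seed)
    secret = make_secret(rng, n, k)
    obs = Observer(n)
    sessions = 0
    while True:
        chal = challenge(rng, n)
        resp = user_response(secret, chal)  # challenge and response are both visible
        sessions += 1
        obs.record(chal, resp)
        guess = obs.solve()
        if guess is not None:
            assert guess == secret  # the recovered key answers every future challenge
            return sessions


if __name__ == "__main__":
    for seed in range(3):
        print("seed", seed, "-> secret recovered after",
              sessions_until_recovered(seed), "observed sessions")
```

Run as-is to see that the toy scheme survives only about N_ICONS observed sessions, versus one for a plain password; enlarging n buys more sessions but lengthens the user’s counting task, which is the security/usability tension described above. The “hard problem” direction mentioned in the text aims instead at schemes where the observer’s inference step, here a cheap Gaussian elimination, is computationally intractable.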

We are still on the way. Do you want to join us? Maybe you will be our hero who will discover the first practical ORPS!

If you are interested in reading more, please look at the slides of my presentation hosted on SlideShare. For further questions, please drop me a line via email!

Cyber Security: Is it now a new major subject like Computer Science?

A recent report in Chinese media caught my eye: Cyber Security (网络空间安全 in Chinese, which literally means “Network Space Security” but I believe is how the English term “Cyber Security” is translated into Chinese) is now a major subject at the same level as Computer Science, according to a recent change made to the regulations governing PhD programmes in China. The change was proposed in June 2015 by China’s Office of the State Council Academic Degrees Committee (国务院学位委员会), and the first 29 universities got their Cyber Security PhD programmes officially approved in late February 2016. The news quickly spread in Chinese media and some researchers claimed this to be a major milestone for Cyber Security research in China (e.g. see Prof Yixian Yang’s blog article).

This news is interesting to me because it matches where I feel Cyber Security as a research subject is (and should be) heading. Traditionally (and still so in most universities), research on cyber security is conducted under the name Computer Security, Information Security or Data Security (although the last is relatively less used). Even at Surrey, we are running an MSc programme under the name Information Security rather than Cyber Security. As a term, Cyber Security (or Cybersecurity, as more often used in other EU states and America) appeared much later, probably not earlier than 1994 according to Merriam-Webster. The term has become more popular in recent years and its use has been promoted by the governments of many major nations in the world, including the UK, the US and the European Commission. The “beauty” of replacing the word “computer”, “information” or “data” by “cyber” is that we can look at security in a far more diverse and dynamic context, e.g. we can look at systems involving both humans and computers, and also at social aspects rather than just technical ones. In other words, Cyber Security as a term has a more interdisciplinary flavour than the other traditional terms, and is thus able to reflect the increasing complexity of the security problems we are facing in today’s highly digitised and well-connected world.

The interdisciplinary nature of Cyber Security research can be seen from the membership of many UK government-recognised Academic Centres of Excellence in Cyber Security Research (ACEs-CSR). Taking SCCS (the ACE-CSR at Surrey) as an example, while all Core Members are from the Computer Science and Electrical and Electronic Engineering Departments, our Associate Members come from many different departments including Sociology, Law, Psychology, Business and Economics. A similar pattern can be observed in some other ACEs-CSR such as Cyber Security Oxford, Security Lancaster and CyberSecurity Southampton.

The newly created Cyber Security subject in China also has a clear interdisciplinary feature. For a university to be eligible to offer a Cyber Security PhD programme, it has to have ALL of the following PhD programmes established: Computer Science and Technologies, Information and Communication Engineering, and Mathematics (the last one can be replaced by the Level-2 subject Cryptography). It is clear that the new PhD programme has a strong technical flavour, which may be explained by the fact that the new subject is classified under the Engineering category, meaning that students graduating from a Cyber Security PhD programme will be awarded a PhD in Engineering (工学博士) degree. It will be interesting to see how social aspects of Cyber Security are considered in the future development of China’s PhD programmes: will we one day see a PhD degree across more than one category?

If you are not familiar with Chinese PhD programmes: all PhD programmes offered by Chinese universities are under the quality control of the Office of the State Council Academic Degrees Committee, and a university is not allowed to start a PhD programme before getting official approval from the committee. All PhD programmes are categorised using a subject list with three levels (from higher to lower): category (门类), Level-1 subject (一级学科), Level-2 subject (二级学科).

While most established publication venues in Cyber Security are still considered part of Computer Science (e.g. IEEE S&P, ACM CCS, USENIX Security, ISOC NDSS, ACSAC, ESORICS, etc.), more interdisciplinary venues have started emerging in recent years. One example is the Journal of Cybersecurity published by Oxford University Press, whose website says “The journal is premised on the belief that computer science-based approaches, while necessary, are not sufficient to tackle cybersecurity challenges. Instead, scholarly contributions from a range of disciplines are needed to understand the human aspects of cybersecurity.” This is a view I personally share and appreciate.

Update (2 April 2016): On 25 March 2016, 257 individuals and organisations with an interest in cyber security co-founded the Cyber Security Association of China (CSAC, 中国网络空间安全协会 in Chinese). See the news from China’s Xinhua News Agency (the English edition reported by the People’s Daily is here). CSAC is not a scientific association but more an industry-facing body, so I expect that a new association for cyber security researchers will soon be formed, or that CSAC will have a special chapter focusing on cyber security research. Since there has been a Chinese Association for Cryptographic Research (CACR, 中国密码学会 in Chinese) established in 2007, it will be interesting to see how CACR and CSAC/the new cyber security research association will interact with each other. It may not be impossible to see the two organisations merge into a single one, since cryptography can be considered a sub-area of cyber security.

New information hiding technology to be commercialised by Crossword Cybersecurity

A new information hiding technology, developed by SCCS members Dr Shujun Li, Prof Anthony TS Ho, Dr Haitham Cruickshank, Prof Zhili Sun and Prof Alan Woodward in their joint Innovate UK SBRI project “Mobile Magic Mirror (M3): Steganography and Cryptography on the move”, will be commercialised through Crossword Cybersecurity plc (Crossword), an ISDX-listed technology transfer company.

Both Crossword and the University of Surrey released a news item about this collaboration after an MOU was recently signed by both parties. See here for the news release from Crossword and here for the one from the University.

The new information hiding technology differs from traditional ones in how information is hidden. Traditionally, information is hidden in the content of a cover object (document, audio, image, video, etc.) or of a channel, but the new technology hides information in (online) activities themselves rather than in the contents of those activities. There is some known work which could be loosely classified under or linked to this new technology, such as information hiding based on timing (e.g. US Patent 20130322629), on packet size (e.g. US Patent 20140317406 and Pantic and Husain’s ACSAC 2015 paper) or on how some random elements in a game are generated (e.g. Ou and Chen’s paper in Information Science in 2014), but they are all too narrowly defined and normally do not cover activities.

For the information hiding technology, the team has filed a world patent application, and a research paper is planned for later this year in which more details of the technology will be reported. An Android app was developed during the M3 project as a demonstrator to show how information can be hidden in Twitter activities. The team will work closely with Crossword to further develop the demonstrator and identify the best route to commercialisation.