From shoulder surfers and keyloggers to MitM and malware: Can we make passwords safe against malicious observers?

On 16th March the Surrey Centre for Cyber Security (SCCS) and the Department of Computer Science of the University of Surrey jointly organised a half-day workshop on Human Factors in Cyber Security. Three speakers talked about their work on three different topics related to human factors and cyber security. I was the second speaker talking about something called observer-resistant password systems (ORPSs).

What are observers and what are ORPSs?

As its name implies, an observer is a person or a computer device which can observe the process of password entry. This covers a broad range of attacks on current password-based systems, including shoulder-surfers, hidden cameras, keyloggers, screen-scrapers, side-channel attacks based on electromagnetic/optical/acoustic emanations, phishers, rogue WiFi access points, malware, men-in-the-middle/men-in-the-browser, untrusted public terminals (e.g. card skimmers), etc. All those attacks can be modelled as malicious observers in the context of interactive user authentication: when a human user is interacting with a (local or remote) computer to prove he/she is the owner of a claimed identity, the whole authentication process is observable to a malicious third party (which we call an observer). An observer can be not only passive but also active, meaning that it can also manipulate the authentication process, e.g. by creating a fake response from the remote server in order to get more out of the human user.

[Figure: passwords and many observers: shoulder-surfers, keyloggers, phishing, card skimmers, MitM]

The current simple password system cannot resist observers, since the user discloses his/her password in full in an observable way. There are more advanced solutions offering different levels of protection against observers, but all come with non-negligible costs (e.g. hardware-based solutions reduce portability and increase costs; biometrics-based solutions increase costs and lead to privacy concerns). Therefore, ideally we would like to have an observer-resistant password system (ORPS) that 1) is secure even if an infinite number of authentication sessions are observed; and 2) is usable, so that an average human user can authenticate using only his/her cognitive capabilities (i.e. his/her brain).

Since the 1990s, cryptographers and cyber security researchers have been looking for such an ideal solution, but until now they are still struggling with a big barrier: the fine balance between security and usability. Many ORPSs have been proposed, but none of them fulfils both security and usability at an acceptable level, where acceptable usability means a user can finish the whole authentication process within, ideally, half a minute. The task is made even harder by the asymmetry between users and attackers: the former have limited computational resources (their brains, possibly plus some untrusted hardware device), but the latter can have access to a much bigger pool of computational resources such as botnets. In addition, attackers have a large number of strategies to launch an attack, so it is already hard to make an ORPS secure against all known attacks. My recent work (with my collaborators from Australia) at NDSS 2013 actually gives clues about the theoretical impossibility of an absolutely secure ORPS, so our hope now lies in a practically secure ORPS, where “practical” means users don’t have to renew their passwords very frequently.
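To make the first requirement concrete, here is an added example (constructed for this post, not Foxtail or any scheme from the literature) of a toy cognitive challenge-response scheme and a passive observer. The user's secret is an n-bit string; each session the server shows a random n-bit challenge and the user answers with the parity of the positions where both are 1, something a person could count mentally. A plain password leaks after one observed session; this toy scheme leaks after roughly n sessions, because the observer can collect the (challenge, response) pairs and solve them as linear equations over GF(2).

```python
import random

def respond(secret: int, challenge: int) -> int:
    """User's mental computation: parity of bits set in both secret and challenge."""
    return bin(secret & challenge).count("1") & 1

class PassiveObserver:
    """Records observed sessions and keeps them in reduced row echelon form over GF(2).
    Each row is (bitmask, rhs); self.rows maps a pivot bit to its row."""
    def __init__(self, n: int):
        self.n = n
        self.rows = {}

    def observe(self, challenge: int, response: int) -> None:
        row, rhs = challenge, response
        # Eliminate every existing pivot bit from the new row.
        for pivot, (prow, prhs) in self.rows.items():
            if row >> pivot & 1:
                row ^= prow
                rhs ^= prhs
        if row == 0:
            return  # linearly dependent session: nothing new learned
        pivot = row.bit_length() - 1  # a bit no previous row pivots on
        # Eliminate the new pivot from all existing rows to keep full reduction.
        for p, (prow, prhs) in list(self.rows.items()):
            if prow >> pivot & 1:
                self.rows[p] = (prow ^ row, prhs ^ rhs)
        self.rows[pivot] = (row, rhs)

    def recovered_secret(self):
        """Return the secret once n independent sessions have been seen, else None."""
        if len(self.rows) < self.n:
            return None
        # Fully reduced with n pivots: each row is exactly one bit, its value is rhs.
        return sum(1 << pivot for pivot, (_, rhs) in self.rows.items() if rhs)

def sessions_until_recovery(secret: int, n: int, rng: random.Random):
    """Run sessions until the observer has solved the secret; return (count, recovered)."""
    obs, count = PassiveObserver(n), 0
    while obs.recovered_secret() is None:
        challenge = rng.getrandbits(n)
        obs.observe(challenge, respond(secret, challenge))
        count += 1
    return count, obs.recovered_secret()

def demo(seed: int = 1, n: int = 20):
    rng = random.Random(seed)          # constructed, deterministic sample run
    secret = rng.getrandbits(n)
    count, recovered = sessions_until_recovery(secret, n, rng)
    return secret, count, recovered
```

Compare the session count with the hundreds that Foxtail is said to survive: a scheme whose responses are linear in the secret sets the renewal period at about n sessions, which is why the balance between what a brain can compute and what an observer can solve is so hard to strike.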

Despite the “failures” researchers have suffered, there are nonetheless established guidelines and principles on how we may achieve the aim of a practical ORPS. We are actually not very far from the target: one system called Foxtail (developed by me back in 2002-2005 and further refined since 2013) can resist up to hundreds of observed authentication sessions before password renewal, and the login process is actually easy, although time-consuming (2-3 minutes). Current thinking is around building ORPSs based on known hard mathematical problems (for computer scientists: NP-complete problems) and leveraging untrusted hardware devices.

We are still on the way. Do you want to join us? Maybe you will be our hero who will discover the first practical ORPS!

If you are interested in reading more, please look at the slides of my presentation hosted on SlideShare. For more questions, please drop me a line via email!