Archive for the 'Academic Papers' Category

Paper Discussion - Do Background Images Improve “Draw a Secret” Graphical Passwords?

Published
by
sevinc
on March 29, 2008
in Academic Papers
. Comments

Short Summary of the paper:

Draw a Secret- DAS is a graphical password scheme where users are suppose to draw a secret on a grid. A completed drawing, i.e., a secret, is encoded as the ordered sequence of cells that the user crosses whilst constructing the secret. Each time a user lifts the en from the drawing grid surface, a “pen-up” event is encoded by distinguished coordinate pair. Here the important thing to note is even if the shape are not same as long as the encoding is identical it will yield to the same password. The basic problem with this scheme is it is vulnerable to graphical dictionary attacks. Also, users tend to choose passwords which are symmetrical and centralized. Therefore in this paper, authors proposed to use a background image to help users 1)remember the password more easily 2)set none symmetrical or none centralized passwords. The only difference here, users are not drawing their passwords onto an empty grid, but they are choosing a background image to draw on it as well. Experimental results show that this scheme is better than DAS since people chose more complicated and longer passwords. Also symmetry and centralization was lesser for this scheme, therefore authors concluded it is more secure than DAS. However the question arises here : introducing background images may give the attackers clue about the password. So can security reduction caused by this background images be compensated by reduced symmetry and centering? Unfortunately in the paper there is no study about this question. It is an open problem!

Questions arised in the meeting:

  • Do we really believe in graphical passwords? Are they really more memorable? Are the really more usable? Are they really more secure?
  • What would be the impact of background images in this scheme? Will they mess up the security?
  • Which graphical password scheme is more secure? DAS or PassPoints(where user click on the points of an image in a particular order)
  • How about using PassPhrases instead of Passwords? Will it be more secure to use initials of a secret Phrase as a password?
  • Can we design a new scheme combining both graphical and text?
    • How about writing your password with your own hand writing and make the scheme verify that it is you who is writing. (how about combining password with your biometric?) Will you feel uncomfortable about shoulder surfing in this case? (Note that even if the shoulder-surfers capture your movements, they can’t capture all about your handwriting, they can only capture about the letters that you use in your password.)

Single Site Browsers

Published
by
Dan Guido
on March 13, 2008
in Academic Papers, Psychology of Security and Web
. Comments

Single Site Browsers [to be uploaded later]

It’s an interesting idea and I can’t disagree with the concept (<3 <3 separation of privilege) but I think it’s missing a few things. Here are some observations I made about it.

  1. They acknowledge that SSB’s do nothing against malware.
  2. It solves the problem of webpages bringing in resources from all over pretty nicely. Since the organization pushing the SSB knows whats on their own website they can easily publish a whitelist of allowed domains/content or even change their own site to be simpler in that regard.
  3. I think this might come down to a social problem. If I’ve got one general purpose browser I use every day (IE, Firefox, Safari) and I have it open right now, what is going to convince me to close my browser and open a new app just to get to a website that I already have bookmarked? There needs to be some incentive besides security tied into the SSB to get people to perform the above action or companies need to disable functionality on their public websites.
  4. I think the SSB idea is really just a crutch because people can’t implement robust security policies in a browser. Think “IE Zones” on steroids or even GreenBorder (wow when did they get bought out???).

Still, it’s kind of cool.

Paper Discussion: Trojan Detection using IC Fingerprinting

Published
by
kurt
on February 29, 2008
in Academic Papers
. Comment

This paper by Agrawal et al proposes a mechanism for chip designers to detect when an untrusted chip fabrication service has inserted Trojan functionality into their chip design. They do this by profiling the power consumption of a good chip and then comparing the power consumption profiles of other chips from the untrusted fabrication service against the known-good profile. The idea is that if they are all faithful realizations of the same design, they should all have similar power profiles. The difficulty is that the Trojan circuitry is much smaller than the legitimate circuitry. Detecting an anomaly in the power consumption would seem to suffer from a bad signal-to-noise ratio. Furthermore, there are chip-to-chip variations that far exceed the variations caused by the introduction of Trojan circuitry. The authors cope with this by using principal components analysis to find a subspace that captures most of the variability that is seen in the non-hacked chips. The basis vectors that span that subspace are the directions of benign variability. Variations in the power profile of a chip that are not in the directions of benign variability are considered suspicious.

The best part of this paper is that it demonstrates a nice technique for pulling tiny signals (the differential power consumption of the Trojan circuitry) from much stronger noise (the power consumption of the legitimate circuitry).