Interpretación de la Entrevista Aplicada al Docente de la Unidad

4. ANÁLISIS E INTERPRETACIÓN DE RESULTADOS

4.2 Interpretación de la Entrevista Aplicada al Docente de la Unidad

Reading related work, it seems that software based authentication mechanisms are either only secure against shoulder surfing and slow or also resistant to more advanced attacks and very slow. The goal of ColorPIN [32] was to create an authentication mechanism that does not require an active user to protect the input (as learned from VibraPass). Additionally, the added overhead should be kept low and it should not require major hardware changes at the ATM. Further re- quirements of the system were strong resistance to shoulder surfing, camera attacks as well as other hardware manipulations. A very promising approach to achieve this seemed to be using indirect input. This means that the authentication tokens are not directly input, but instead some kind of “detour” is used6.

Concept

When brainstorming about ColorPIN, one of the main goals was not to add overhead by requiring several inputs to enter one part of the authentication token. Therefore, to achieve higher security but remain a one-to-one relationship between the length of the authentication token and the required number of key presses, the authentication token PIN was slightly manipulated. A PIN in the ColorPIN system contains of a combination of digits, of which each digit is combined with one of three colors (black, red or white). That is, a user has to remember four colored digits and thus a four-digit PIN in the ColorPIN system could look like the following:

1 (black) - 2 (red) - 3 (white) - 4 (black)

The user interface consists of a keypad representation showing the digits 1 - 9. Digit “0” was removed due to reasons of simplicity as shown in figure 3.20. On the bottom of each number, three differently colored letters can be found. Those letters are randomly assigned at the beginning of the interaction. Additionally, due to security reasons, the letters are newly assigned each time the

Figure 3.20: Exemplary PIN entry with ColorPIN. To input the PIN 1(black) 2(red) 3(white) 4(black) the user inputs the letters “DLAR”. After each key press, letter assignment changes randomly as can be seen in the different steps.

user presses a key. Each letter that is assigned to the keypad occurs in all the three colors. For instance, in figure 3.20 (left), the letter “D” can be found at the bottom of digit “1” in black, at the bottom of digit “7” in white and at the bottom of digit “9” in red. These design choices were made due to security reasons which will be explained later.

To enter a digit of the PIN, the user has to input the letter that is displayed at the digit’s bottom in the respective color. Input is done on a standard keyboard with one key per letter and not on the screen directly. Figure 3.20 exemplarily outlines a possible interaction to input the previously mentioned colored PIN. To enter the digit 1 (black), the user inputs the letter “D”. After each step the letters are randomly reassigned. To input the second digit 2 (red), the user inputs “L”. Finally, the user inputs “A” for 3 (white) and “R” for 4 (black). Therefore, the actual indirect input – which is the only thing that an attacker can observe – consists of the character sequence “DLAR” with which the user is successfully authenticated to the ATM. This way, a one-to-one relationship between the required button presses and the length of the PIN is preserved. Due to the random letter assignment, the character sequence is very likely to be completely different the next time a user authenticates with the system.

Prototype

As one of the advantages of software based authentication mechanisms, the implementation of the prototype only required writing a simple software. Since ColorPIN is a very graphical approach that does not require any complex network communication or the like, the software was written in Adobe Flash. The prototype allowed the users to define their own colored PINs as well as use randomized predefined PINs that were stored in an XML file.

Based on a preliminary paper prototype and several brainstorming sessions, the final user interface looked as depicted in figure 3.20. It had a light blue neutral background which was used instead of a white background since white was needed as a background for the colored letters and the digits which had to be clearly identifiable. The letters are located directly underneath

the digits. In an early stage, a digits-only version was considered which would have made the software compatible to any terminal that has a keypad. This version was however rejected due to high confusion that it created by replacing digits with digits. As for standard PIN-entry, the only feedback that was given were asterisks in an input field. For input, the prototype used a standard commercial keyboard. Using a standard ATM setup, after three tries, the entry was stopped and the authentication session was considered as failed. In preparation for the user study, all interaction with the system was logged and stored together with an ID that had to be input before each trial.

Theoretical Security Analysis

Since for ColorPIN, not only the digits themselves but also their colors have to be remembered, its theoretical password space is 531,441 (27x27x27x27) for a four-digit PIN. This is based on the requirement that a user does not only have to input the right PIN but also use the correctly colored letters for it. For instance, in the example in figure 3.20, entering “BEGF” would represent the same PIN but would be rejected by the system since the letters have the wrong colors. This makes it much more resistant than standard PIN to a number of simple attacks. For instance, educated guessing attacks are hardly successful. Even if a user chooses to take her birth date as the four-digit PIN and an attacker knows about this, there is still the secret information about the color, which is way harder to guess.

Besides this basic security enhancement, the concepts discussed in the previous section make the system resistant to more elaborated (and more dangerous) attacks as discussed in the threat model:

Indirect Input through Letters Indirect input consisting of letters is an effective counter measure against shoulder surfing as well as camera recordings of the keyboard or the installation of fake keyboard hardware. Even if an attacker can see or record the whole input, the real colored PIN remains hidden. Additionally, it makes the system resistant to attacks based on Trojans and other spy software. Therefore, it would theoretically be appropriate for securing online banking and the like as well.

Using indirect input, the security of the system is (almost) completely independent of the user. While the user can still become a security problem by telling the PIN to someone or writing it down, the PIN cannot be disclosed by “insecure behavior” during the input at the ATM. This is a lesson learned from the VibraPass user study.

Reoccurrence of Letters As mentioned before, each letter used in the interface occurs in

each color and therefore as a representation for three different digits. That is, even if an attacker can record the whole input as well as the screen (in its four appearances) the actual colored PIN is still hidden in a set of 81 (3x3x3x3) possible PINs.

Reassignment of Letters after Key Press After each input, the letters at the bottom of each digit are randomly generated and reassigned. Without this measure, an attacker could simply start the authentication with a terminal over and over again without actually trying to authenticate until the exact same screen layout as during the attack is depicted. Randomly reassigning the letters for each digit of the PIN renders this attack useless.

Main Weakness The main weakness of the system is an intersection attack. If the entry

can be completely recorded several times in a row, the PIN can be stolen based on intersections between the observations. In most cases, two perfect observations lead to breaking the PIN. With each observation, the attacker collects 81 possible combinations out of the 531,441 possible PINs. In the two collected data sets, at least one PIN – the correct one – intersects. The possibility of having additional intersections in the rest of the data set is of interest for the security of the system. The more intersections, the higher the security of the system. As shown in equation (3.1), the chance of having one intersection in addition to the real PIN is already close to 0% and thus the chance of breaking the system in two attacks is nearly 100%. It is an interesting observation that the huge password space of ColorPIN is the main reason for this weakness of the system. The smaller the space, the lower the chance for intersection attacks. In a real world setting however, we consider it very unlikely to perform two perfect attacks on the same user. Additionally, the huge password space has more advantages than disadvantages and thus remains desirable. Furthermore, the fact remains that it is almost impossible to steal the PIN in a one time attack.

1 531440 80 × 80 1 × 531440−80 80−1 ≈0 (3.1)

Usability and Security Evaluation

The evaluation of the system was conducted with the Flash prototype. The study set up consisted of a standard desktop PC with a standard commercial keyboard attached to it. That means, a keyboard with one key per letter. Additionally, a keypad as known from ATMs was connected to the PC to be used for standard PIN-entry. The whole interaction and every single key press was logged for later analysis. A camera was installed, filming the keyboard and the keypad as well as the screen. The filmed material was used to analyze user behavior as well as to simulate an attack on the system.

User Study Design ColorPIN was evaluated using arepeated measures within participants

factorial design. The independent variables werepassword type (random ColorPIN or PIN and user generated ColorPIN or PIN) and authentication mechanism (standard PIN and ColorPIN). Standard PIN-entry represented the control condition to compare the performance to. The task was to authenticate to the terminal using every combination of the independent variables (authentication systemxpassword type= 4 authentication sessions). The order of the independent variables was counterbalanced to minimize learning effects.

Procedure and Participants The lab study started with an introduction to the participants. The whole procedure, their rights as well as the prototype were explained in detail to each of them. Each participant got a random identification number which at the same time was used to assign the counterbalanced order of tasks to them. The study then started with a questionnaire collecting basic demographic data as well as information about the participant’s PIN usage behavior.

Subsequent to this, the practical part followed. Before each authentication mechanism, the participants were asked to define their own ColorPIN and PIN. At the same time, one randomly generated PIN and one ColorPIN were assigned to them. Before using the system, they were explained in detail to the participants followed by a short training phase with one successful authentication. For each authentication session, there was a maximum of three tries to authenticate correctly. Switching to the next authentication session took place after successful authentication or if the attempts failed three times (which did not occur in the study). Following each authentication mechanism, the participants were asked to fill out a questionnaire containing questions about the respective system. In the end, a final questionnaire was handed out to them collecting comparison data about the systems. Ratings were given using Likert scales from 1 (disagree) to 5 (highly agree). Every key press, correction, error etc. were logged by the prototype.

24 volunteers participated in the study. The average age was 28 years, the youngest participant was 15 and the oldest 57 years old. 18 of them were male, six were female. Choosing 24 participants allowed for perfectly counterbalancing the independent variables to minimize learning effects. Having 24 participants, the results of the study are based on 96 authentication sessions.

Hypotheses The following main hypotheses were stated for the user study. ColorPIN is:

(H1) more secure to observation attacks than standard PIN-entry. (H2) more error-prone than standard PIN-entry.

(H3) slower than standard PIN-entry.

Results

Authentication Speed Authentication speed was measured for each authentication session

from the first key press (entering the first digit of the PIN respectively the first letter) to releasing the last key. This decision has been made to compare the actual interaction times since pressing an ok button takes the same time no matter which method is used and would be an unfair advantage for ColorPIN in comparison to standard PIN which is supposedly faster.

Only successful authentication attempts were taken into account for the analysis. The average authentication speed for the authentication mechanisms is shown in figure 3.21. Stan- dard PIN-entry using a user generated PIN was the fastest (M=1.32s, SD=0.86s), followed by random standard PIN (M=1.56s, SD=0.37s). ColorPIN with a user generated PIN was the

0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 authentication speed in ms Mean 1318 1559 13877 13325 SD 857 744 5970 3484 standard PIN

(own) standard PIN (random) ColorPIN (own) ColorPIN (random)

Figure 3.21: Average authentication speed of the ColorPIN user study. The results show that with around 13 - 14 seconds, ColorPIN is slower than standard PIN-entry.

slowest method (M=13.88s, SD=5.97s) and slightly slower than ColorPIN with a random PIN (M=13.33s, SD=1.74s). A 2 x 2 (authentication mechanism x password type) within participants analysis of variance showed a highly significant main effect for authentication mechanism (F₂_,₄₆=64.50,p<.001). No significant interaction effects and no significant main effect for password type were found. Considering these results, hypothesis (H3) can be accepted.

Error Rate Following the standard approach as used for the other authentication mechanisms presented in this thesis, basic and critical errors were distinguished within the error analysis. Thus, during the study, we measured whether a participant could correctly authenticate to the system within three tries and how many corrections (deleting the input) were required to do that. For standard PIN-entry, each participant could successfully authenticate to the system at the first attempt, no matter if a random PIN or a user generated PIN was used. Only two users (random PIN) respectively one user (own PIN) applied corrections to the input. Regarding ColorPIN, two users for each password type needed two or three attempts to authenticate. However, no authentication session resulted in a critical error. Six users (four random PIN and two user defined PIN) needed to use at least one correction to authenticate. The data revealed no significant differ- ences neither between the different authentication mechanisms nor the different password types. Therefore, (H2) cannot be accepted.

User Satisfaction Even though the error rate of ColorPIN was as low as for standard PIN-

entry, it was almost ten times slower. In the questionnaire, participants were asked to rate the speed and many other aspects of the two systems on Likert scales from 1 (disagree) to 5 (highly agree). As to whether the systems were fast, standard PIN (M=4.7) was rated faster than Color- PIN (M=3.4). However, the rating for ColorPIN still has a positive tendency, which is surprising. A similar result can be found when comparing the ratings for whether the systems were easy to use. Again, standard PIN (M=4.8) was considered easier than ColorPIN (M=3.2) but the tendency remained positive. Surprisingly, asked whether they would like to use the systems in

77% 4% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

standard PIN ColorPIN

su cce ssf u l a tt a cks i n %

Figure 3.22: Left: Two participants pointed at the screen during input which enabled the attacker to steal their ColorPINs. Right: Number of successful attacks on both systems based on the video material.

real world scenarios, standard PIN (M=3.5) and ColorPIN (M=3.6) were rated nearly equally. The positive qualitative results for ColorPIN – contradicting the quantitative measures – are very likely influenced by effects of the laboratory setting as well as novelty of the interaction but still encouraging.

The questionnaire revealed some design flaws that might have negatively influenced performance of ColorPIN. For instance, some users mentioned problems with the choice of colors. One user stated that “the colors, especially of the different backgrounds are confusing‘. A unified background color might help finding the letters faster.”. That user was refering to the fact that the background of white characters was black and white for black characters. This seemed to con- fuse several of the users and negatively influenced the speed of the visual search task. In a future version, this problem should be fixed.

Security Besides the theoretical security analysis, the camera material collected during the study was used to perform a practical security evaluation and to find out whether ColorPIN was more resistant to a camera attack than standard PIN-entry. The attacker was familiar with the ColorPIN system and had the full video material available as recorded during the study. The sound layer was removed to avoid disclosure of authentication tokens due to conversations during the study. As opposed to VibraPass, sound effects on security were ruled out. The attacker had three tries to authenticate correctly. If the correct authentication token was entered within these three attempts, an attack was counted as successful.

Out of the 48 authentication sessions using standard PIN-entry, 37 (77%) could be successfully identified (see figure 3.22, right). The remaining ones were mostly cases in which the participants were hiding the PIN entry with the non-active hand. As opposed to the VibraPass study, the approach was not a worst-case scenario with several cameras but an attack that is more common on

Figure 3.23: Some users applied a simple memory and performance trick when using Col- orPIN. Instead of remembering the color-coded PIN, they remembered the locations where the characters appear, together with a respective path.

public terminals, using one camera. However, as a lesson learned it can be highlighted that evalu- ating the worst-case always seems to be the better choice. Out of the 48 ColorPIN authentication sessions, only two of the different authentication tokens could be identified (for two different users). In both cases, the users were pointing (at the screen) at the characters they wanted to input to assure they were choosing the right letter as shown in figure 3.22, left. This kind of behavior cannot be referred to as the system requiring the user to behave “clever” as we observed it for the VibraPass systems but should be considered as insecure behavior that can break the security of a system [2]. With respect to this data, hypothesis (H1) can be accepted. Additionally, this assumption is supported by the questionnaire in which the participants considered ColorPIN (M=4.6) more secure than standard PIN (M=2.6).

Discussion

The evaluation showed that using its special way of indirect input, ColorPIN is notably more

In document LA POESÍA LÍRICA EN EL DESARROLLO DEL PENSAMIENTO CREATIVO EN LOS ESTUDIANTES DE OCTAVO AÑO DE LA UNIDAD EDUCATIVA “CHIMBORAZO” DEL CANTÓN GUAMOTE, PROVINCIA DE CHIMBORAZO AÑO 2014 2015 (página 74-84)