Title

Security and Usability Analysis of Graphical Password Schemes That Resist Login-Recording Attacks

Parallel title

Security and Usability Analysis of Login-Recording Attacks Resistant Graphical Password Schemes

DOI

10.29767/ECS.201206.0003

Authors

鄭博仁(Bo-Ren Cheng);陳維屏(Wei-Ping Chen);顧維祺(Wei-Chi Ku);葉育彰(Yu-Chang Yeh)

Keywords

graphical password ; login-recording attack ; spyware ; shoulder surfing ; wiretapping

Journal

Electronic Commerce Studies

Volume/Issue (publication date)

Vol. 10, No. 2 (2012 / 06 / 30)

Pages

169 - 197

Language

Traditional Chinese

Abstract (translated from Chinese)

While a user logs in to a system, the password may be exposed to login-recording attacks, including shoulder-surfing attacks, spyware attacks, camera attacks and wiretapping attacks. Many graphical password schemes designed against login-recording attacks, together with related studies, have therefore been proposed; the designs rest on markedly different human-factor assumptions, ideas or techniques, and each has its own strengths and weaknesses. Existing login-recording-attack-resistant graphical password schemes fall into two classes. The first class, "weak login-recording-attack-resistant graphical password schemes", gives priority to good usability: although their resistance to login-recording attacks is weaker, the user can log in conveniently, correctly and quickly, so they suit relatively secure login environments. The second class, "strong login-recording-attack-resistant graphical password schemes", gives priority to stronger resistance to login-recording attacks: although their usability is poorer and login takes longer, they suit login environments in which repeated login-recording attacks are likely. In this paper we evaluate the security and usability of four representative weak login-recording-attack-resistant graphical password schemes and four representative strong login-recording-attack-resistant graphical password schemes, as a reference for e-commerce application developers designing authentication mechanisms.

English abstract

As conventional textual passwords and common graphical passwords cannot resist login-recording attacks, many login-recording-attack-resistant graphical password schemes based on various techniques have been proposed. Herein, we analyze the security and usability of four weak login-recording-attack-resistant graphical password schemes, in which the user can log in to the system easily and efficiently, and four strong login-recording-attack-resistant graphical password schemes, in which the user can log in to the system in an environment under the threat of serious login-recording attacks. This paper is intended as a reference for e-commerce application developers in designing the authentication mechanism.

Subject classification: Basic and Applied Sciences > Information Science
Social Sciences > Economics