
Improving the Security of Mobile Devices Through Multi-Dimensional and Analog Authentication ... PDF

178 Pages·2017·4.91 MB·English

Preview Improving the Security of Mobile Devices Through Multi-Dimensional and Analog Authentication ...

IMPROVING THE SECURITY OF MOBILE DEVICES THROUGH MULTI-DIMENSIONAL AND ANALOG AUTHENTICATION

JONATHAN GURARY

Bachelor of Computer Engineering
Cleveland State University
2012

Master of Electrical Engineering
Cleveland State University
2013

submitted in partial fulfillment of the requirements for the degree
DOCTOR OF ENGINEERING
at the
CLEVELAND STATE UNIVERSITY
May 2018

We hereby approve the dissertation of Jonathan Gurary, Candidate for the Doctor of Engineering degree.

SIGNATURE PAGE ON FILE WITH CLEVELAND STATE UNIVERSITY

This dissertation has been approved for the Department of ELECTRICAL AND COMPUTER ENGINEERING and CLEVELAND STATE UNIVERSITY College of Graduate Studies by

Thesis Committee Chairperson, Dr. Wenbing Zhao
Department/Date

For my wife, my family, my country, for the Emperor. If the road is easy, the destination is worthless.

ACKNOWLEDGMENTS

Of course, a great thank you to my adviser, Dr. Zhao, for his tremendous help and support. A thank you to my entire committee: Dr. Dong, Dr. Simon, Dr. Wang, and Dr. Wu, for their time and dedication in reviewing this work. And thank you to the EECE department here at Cleveland State, for their financial support and for an overall excellent experience in time I spent working towards this degree. Thank you to Dr. Zhu for getting me started on this journey. Thank you to my collaborating authors from Oakland University for their help. I wish you all the very best.

This work is dedicated to everyone who supported me. I’d like to thank my wife, for being omnipresent in support and bearing with me while I finished this lengthy project. My parents, for all their love and patience as well, even if they have no idea what I’m doing “over there at school”. My friends, for distracting me from finishing this sooner, but keeping me entertained in the meantime.

IMPROVING THE SECURITY OF MOBILE DEVICES THROUGH MULTI-DIMENSIONAL AND ANALOG AUTHENTICATION

JONATHAN GURARY

ABSTRACT

Mobile devices are ubiquitous in today’s society, and the usage of these devices for secure tasks like corporate email, banking, and stock trading grows by the day. The first, and often only, defense against attackers who get physical access to the device is the lock screen: the authentication task required to gain access to the device. To date mobile devices have languished under insecure authentication scheme offerings like PINs, Pattern Unlock, and biometrics – or slow offerings like alphanumeric passwords. This work addresses the design and creation of five proof-of-concept authentication schemes that seek to increase the security of mobile authentication without compromising memorability or usability. These proof-of-concept schemes demonstrate the concept of Multi-Dimensional Authentication, a method of using data from unrelated dimensions of information, and the concept of Analog Authentication, a method utilizing continuous rather than discrete information. Security analysis will show that these schemes can be designed to exceed the security strength of alphanumeric passwords, resist shoulder-surfing in all but the worst-case scenarios, and offer significantly fewer hotspots than existing approaches. Usability analysis, including data collected from user studies in each of the five schemes, will show promising results for entry times, in some cases on-par with existing PIN or Pattern Unlock approaches, and comparable qualitative ratings with existing approaches. Memorability results will demonstrate that the psychological advantages utilized by these schemes can lead to real-world improvements in recall, in some instances leading to near-perfect recall after two weeks, significantly exceeding the recall rates of similarly secure alphanumeric passwords.

TABLE OF CONTENTS

ACKNOWLEDGMENTS
ABSTRACT
LIST OF TABLES
LIST OF FIGURES

CHAPTER

I. OVERVIEW AND MOTIVATION
    1.1 Mobile: An Opportunity for Change
    1.2 Shortcomings of the Current Paradigm
    1.3 Statistical Testing
    1.4 Contributions and Outline

II. MULTI-DIMENSIONAL AUTHENTICATION
    2.1 Outline
    2.2 Introduction to Multi-Dimensional Authentication
        2.2.1 An Example of MAPS
        2.2.2 MAPS vs Traditional Authentication
    2.3 Related Work: Graphical Passwords
    2.4 Chess Based MAPS (CMAPS)
        2.4.1 Graphical Hints
    2.5 Security Strength of MAPS
        2.5.1 Security Strength of MAPS
        2.5.2 Security Strength of CMAPS
    2.6 Usability Analysis
    2.7 User Study
        2.7.1 Overview
        2.7.2 Apparatus
        2.7.3 Conditions
        2.7.4 Participants
        2.7.5 Memorability
        2.7.6 Usability
        2.7.7 Hotspots
        2.7.8 User Choice in CMAPS Passwords
        2.7.9 Graphical Hints Generated by Participants
    2.8 Discussion

III. SHOULDER-SURFING RESISTANCE
    3.1 Outline
    3.2 Expanding MAPS to Reduce Shoulder-Surfing
        3.2.1 CMAPS vs Shoulder-Surfing and Smudge Attacks
        3.2.2 PassGame: Adding Shoulder-Surfing Resistance to MAPS
    3.3 Related Work: Shoulder-Surfing Resistance
        3.3.1 Testing Shoulder-Surfing
        3.3.2 Hardware-based Shoulder-Surfing Resistance
        3.3.3 Challenge-Response
    3.4 The Design of PassGame
        3.4.1 Random Board Generation
        3.4.2 Available Rules
        3.4.3 Additional rules
    3.5 Security of PassGame
    3.6 PassGame User Study
        3.6.1 Participants
        3.6.2 Overview
        3.6.3 Memorability Results
        3.6.4 Usability Results
        3.6.5 User Choice in PassGame
        3.6.6 Shoulder-Surfing Study
    3.7 PassGame Discussion

IV. AUTHENTICATION IN VR
    4.1 Outline
    4.2 Expanding MAPS to Virtual Reality
    4.3 VR Introduction and Related Work
    4.4 Advantages of a 3D Authentication Scheme
        4.4.1 Psychological Phenomena
        4.4.2 Physical Phenomena
    4.5 Implementation of 3DPass
        4.5.1 Input Device
        4.5.2 Design Considerations
    4.6 Security Strength of 3D Authentication
        4.6.1 Password Space of 3DPass
    4.7 3DPass User Study
        4.7.1 Procedure
        4.7.2 Memorability Results
        4.7.3 Usability Results
        4.7.4 Hotspots
        4.7.5 User Choice in 3D Passwords
    4.8 Discussion of 3D Authentication

V. BEHAVIORAL PASSIVE AUTHENTICATION
    5.1 Outline
    5.2 Introduction to Implicit Authentication
    5.3 Related Work: Implicit Authentication
    5.4 Implicit Biometric Authentication Scheme
        5.4.1 Future Implementation
    5.5 Experiment
        5.5.1 Devices Used
        5.5.2 Experiment Setup
        5.5.3 Typographical Correction
        5.5.4 Classification and Analysis
        5.5.5 Character Independent Classification
        5.5.6 Character Dependent Classification
        5.5.7 Order Dependent
        5.5.8 Future Approaches
    5.6 Discussion

VI. ANALOG AUTHENTICATION
    6.1 Outline
    6.2 Introduction to Analog Authentication
    6.3 Authentication Using Continuous Information
    6.4 Related Work: Analog Authentication
    6.5 The Design of PassHue
        6.5.1 Comparison of Color Values
    6.6 Security Strength of PassHue
    6.7 PassHue User Study
        6.7.1 Data Collection
        6.7.2 Participants
        6.7.3 Memorability of PassHue
        6.7.4 Usability of PassHue
        6.7.5 Color Selection and Hotspots

Description:
2012. Master of Electrical Engineering. Cleveland State University. 2013 submitted in For my wife, my family, my country, for the Emperor. If the road is .. 21 Screenshot of the Android Keyboard Implementation ods that allow the user to avoid entering a password for every application they use, but