Handball: Simple Security Tools for Handheld Devices Niklas Frykholm, Markus Jakobsson, Ari Juels...
-
Upload
bailey-cannon -
Category
Documents
-
view
222 -
download
1
Transcript of Handball: Simple Security Tools for Handheld Devices Niklas Frykholm, Markus Jakobsson, Ari Juels...
Handball:Simple Security Tools for
Handheld Devices
Niklas Frykholm, Markus Jakobsson, Ari Juels
LABORATORIES
Our aim:To rethink palm security from
scratch
Palm pros:– Cheap– Convenient– Someday
ubiquitous– Smartcard
alternative?
Palm cons:– Easily stolen– No tamper
resistance– Often used for
sensitive data– New (sometimes
clumsy) style of data entry
Despite this, we want:
To prevent unauthorized access Get good security from low entropy
keys Alert/disable in case of unauthorized
access Achieve functionality like backup in
hostile environments
Attackers may
Steal devices and copy them
surreptitiously
Emulate copied devices completely
See all old transcripts
Do fairly serious computing (250 or so…)
Mount some on-line attack
Problem with passwords on palm devices
Passwords geared toward keyboards– Palm devices use other data entry
Some studies suggest superiority of visual memory (e.g., Sheperd)
The visual approach...– Jermyn et al., Xerox PARC, Blonder, Perrig,
Passfaces– Only Jermyn et al. suitable for palm
devices
Visual Passwords Your PIN consists of a point on an image (or
multiple such)
Icons help stimulate the
user’s memory
Visual Passwords
Error-tolerance techniques allow user to come only close to point, but security remains maximal
Training routine helps fix PIN in user’s memory
Prototype available
Some more problems with passwords
Users and passwords don’t mix well:– Either too long to be easily memorized (high entropy)– Or too short to be used effectively in naïve manner
For example, AES encryption of credit cards
Credit-Card Vault
•Special “non-redundant” encryption protects card and bank account numbers with just a PIN -- •Protection even against a determined hacker•Prototype available
Encryption using low-entropy keys
To encrypt a list of PINS:– Select master PIN -- call it M– E[PIN1] = PIN1 M
– E[PIN2] = PIN2 M , etc.
But a credit card is not so simple:– Has redundancy: Check digit– Unprotected parts may give clues to
attacker
Accommodate credit-card structure
Idea: Isolate essential digits– Strip away check digit– Strip away bank numbers
Encrypt remaining digits under stream cipher mod 10– RC4(key) 10 (cc digits)
Note: Decryption with any key yields a valid-looking credit card number
Credit-card vault
Can we do Social Security Numbers? Names? Addresses?
Infrared Palm Lock
•Small key locks and unlocks PalmPilot•Strong key would be inexpensive ($2) to manufacture in quantity
Current prototype is “conceptual”– Static key– 20-bit entropy
Evolution:– Static key, 80-bit entropy encryption
key– Rolling key, rolling encryption– Bluetooth -- interactive variant
Infrared Palm Lock
Digital Signing on the Palm
•Online approaches may suffer from spotty connectivity
•Palm is convenient platform for signing•An offline digital signing key protected with a PIN is vulnerable to attack if palm device is stolen
I agree to buy 1000 shares ofEnron at $100/share from Ken.
Our aim
Distinguish attacker–generated signatures from “real” signatures
Alert authorities of any attacks But make alarm “silent”
– attacker should be unable to distinguish a good signature from a bad one
All with a low-entropy PIN!
Funkspiel schematic
hs1 s2 s3 s4h h
h’ h’ h’
r1 r2 r3
•si = h(si, i)
•ri = h’(si, PIN)
•Incorporate ri into message to be signed
•Verifier can check correctness of ri
Why does this yield “silent” alarm?
hs1 s2 s3 s4h h
h’ h’ h’
r1 r2 r3r2
s2?
?
•Attacker can’t learn s2 because of one-wayness of h
•Attacker can’t learn PIN because she can’t learn s2
•Attacker can’t tell whether she’s tripping alarm if she signs using s3
Inserting ri into standard scheme
We use RSA-PSS (Bellare-Rogaway)
RSA-PSS supplies random padding of messages to be signed using RSA – to avoid existential forgery
Padding has some random component, some redundancy
We let ri be the random portion
The Big Picture
Everybody can verify signatures using standard RSA-PSS
“Alarm center” can check PIN, too, for “silent alarm”!
“Alarm center” can, e.g., inform bank if theft suspected
LABORATORIES
•Prototypes available for visual passwords, credit-card vault, and IR key•Patents pending on visual passwords