BehavioCog: An Observation Resistant Authentication Scheme

Conference paper, Financial Cryptography and Data Security (FC 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10322)

Abstract

We propose that by integrating behavioural biometric gestures—such as drawing figures on a touch screen—with challenge-response based cognitive authentication schemes, we can benefit from the properties of both. On the one hand, we can improve the usability of existing cognitive schemes by significantly reducing the number of challenge-response rounds by (partially) relying on the hardness of mimicking carefully designed behavioural biometric gestures. On the other hand, the observation resistant property of cognitive schemes provides an extra layer of protection for behavioural biometrics; an attacker is unsure if a failed impersonation is due to a biometric failure or a wrong response to the challenge. We design and develop a prototype of such a “hybrid” scheme, named BehavioCog. To provide security close to a 4-digit PIN—one in 10,000 chance to impersonate—we only need two challenge-response rounds, which can be completed in less than 38 s on average (as estimated in our user study), with the advantage that unlike PINs or passwords, the scheme is secure under observation.

The full (more detailed) version is available as the conference version of this paper.


Notes

  1. We borrow the term frequency analysis from [4].

References

  1. Asghar, H.J., Steinfeld, R., Li, S., Kaafar, M.A., Pieprzyk, J.: On the linearization of human identification protocols: attacks based on linear algebra, coding theory, and lattices. IEEE TIFS 10(8), 1643–1655 (2015)
  2. Asghar, H.J., Kaafar, M.A.: When are identification protocols with sparse challenges safe? The case of the Coskun and Herley attack. IACR Cryptology ePrint Archive, Report 2015/1231 (2015)
  3. Asghar, H.J., Li, S., Pieprzyk, J., Wang, H.: Cryptanalysis of the convex hull click human identification protocol. Int. J. Inf. Secur. 12(2), 83–96 (2013)
  4. Asghar, H.J., Li, S., Steinfeld, R., Pieprzyk, J.: Does counting still count? Revisiting the security of counting based user authentication protocols against statistical attacks. In: NDSS (2013)
  5. Asghar, H.J., Pieprzyk, J., Wang, H.: A new human identification protocol and Coppersmith's baby-step giant-step algorithm. In: Zhou, J., Yung, M. (eds.) ACNS 2010. LNCS, vol. 6123, pp. 349–366. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13708-2_21
  6. Bai, X., Gu, W., Chellappan, S., Wang, X., Xuan, D., Ma, B.: PAS: Predicate-based authentication services against powerful passive adversaries. In: ACSAC 2008, pp. 433–442 (2008)
  7. Baignères, T., Junod, P., Vaudenay, S.: How far can we go beyond linear cryptanalysis? In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 432–450. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30539-2_31
  8. Ballard, L., Lopresti, D., Monrose, F.: Forgery quality and its implications for behavioral biometric security. IEEE Trans. Syst. Man Cybern. 37(5), 1107–1118 (2007)
  9. Blocki, J., Blum, M., Datta, A., Vempala, S.: Towards human computable passwords. In: ITCS (2017)
  10. Blum, M., Vempala, S.S.: Publishable humanly usable secure password creation schemas. In: Third AAAI Conference on Human Computation and Crowdsourcing (2015)
  11. Bo, C., Zhang, L., Li, X.Y., Huang, Q., Wang, Y.: SilentSense: silent user identification via touch and movement behavioral biometrics. In: MobiCom, pp. 187–190 (2013)
  12. Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_16
  13. Chauhan, J., Asghar, H.J., Mahanti, A., Kaafar, M.A.: Gesture-based continuous authentication for wearable devices: the smart glasses use case. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 648–665. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39555-5_35
  14. Coskun, B., Herley, C.: Can "something you know" be saved? In: Wu, T.-C., Lei, C.-L., Rijmen, V., Lee, D.-T. (eds.) ISC 2008. LNCS, vol. 5222, pp. 421–440. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85886-7_29
  15. Devijver, P.A., Kittler, J.: Pattern Recognition: A Statistical Approach. Prentice-Hall, Englewood Cliffs (1982)
  16. Dhamija, R., Perrig, A.: Déjà Vu: a user study using images for authentication. In: USENIX Security, pp. 45–58 (2000)
  17. Ding, H., Trajcevski, G., Scheuermann, P., Wang, X., Keogh, E.: Querying and mining of time series data: experimental comparison of representations and distance measures. Proc. VLDB Endow. 1(2), 1542–1552 (2008)
  18. Frank, M., Biedert, R., Ma, E., Martinovic, I., Song, D.: Touchalytics: on the applicability of touchscreen input as a behavioral biometric for continuous authentication. IEEE TIFS 8(1), 136–148 (2013)
  19. Golle, P., Wagner, D.: Cryptanalysis of a cognitive authentication scheme (extended abstract). In: SP, pp. 66–70 (2007)
  20. Hopper, N.J., Blum, M.: Secure human identification protocols. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 52–66. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_4
  21. Juels, A., Sudan, M.: A fuzzy vault scheme. Des. Codes Crypt. 38(2), 237–257 (2006)
  22. Kao, H.S., Shek, D.T., Lee, E.S.: Control modes and task complexity in tracing and handwriting performance. Acta Psychol. 54(1), 69–77 (1983)
  23. Khan, H., Hengartner, U., Vogel, D.: Targeted mimicry attacks on touch input based implicit authentication schemes. In: MobiSys 2016, pp. 387–398 (2016)
  24. Li, L., Zhao, X., Xue, G.: Unobservable re-authentication for smartphones. In: NDSS (2013)
  25. Li, S., Asghar, H.J., Pieprzyk, J., Sadeghi, A.R., Schmitz, R., Wang, H.: On the security of PAS (Predicate-Based Authentication Service). In: ACSAC, pp. 209–218 (2009)
  26. Li, S., Shum, H.Y.: Secure Human-Computer Identification (Interface) Systems against Peeping Attacks: SecHCI. Cryptology ePrint Archive, Report 2005/268
  27. Li, S., Ashok, A., Zhang, Y., Xu, C., Lindqvist, J., Gruteser, M.: Whose move is it anyway? Authenticating smart wearable devices using unique head movement patterns. In: PerCom, pp. 1–9 (2016)
  28. Li, X.Y., Teng, S.H.: Practical human-machine identification over insecure channels. J. Comb. Optim. 3(4), 347–361 (1999)
  29. Mandler, J.M., Johnson, N.S.: Some of the thousand words a picture is worth. J. Exp. Psychol. Hum. Learn. Mem. 2(5), 529–540 (1976)
  30. Matsumoto, T., Imai, H.: Human identification through insecure channel. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 409–421. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6_35
  31. Nguyen, T.V., Sae-Bae, N., Memon, N.: Finger-drawn PIN authentication on touch devices. In: ICIP, pp. 5002–5006 (2014)
  32. Sakoe, H., Chiba, S.: A dynamic programming approach to continuous speech recognition. In: Seventh International Congress on Acoustics, vol. 3, pp. 65–69 (1971)
  33. Sherman, M., Clark, G., Yang, Y., Sugrim, S., Modig, A., Lindqvist, J., Oulasvirta, A., Roos, T.: User-generated free-form gestures for authentication: security and memorability. In: MobiSys, pp. 176–189 (2014)
  34. Shokoohi-Yekta, M., Hu, B., Jin, H., Wang, J., Keogh, E.: Generalizing DTW to the multi-dimensional case requires an adaptive approach. Data Min. Knowl. Discov. 31, 1–31 (2016)
  35. Tian, J., Qu, C., Xu, W., Wang, S.: KinWrite: handwriting-based authentication using Kinect. In: NDSS (2013)
  36. Tversky, B., Sherman, T.: Picture memory improves with longer on time and off time. J. Exp. Psychol. Hum. Learn. Mem. 1(2), 114–118 (1975)
  37. Twitter, Inc., et al.: Twemoji. https://github.com/twitter/twemoji
  38. Čagalj, M., Perković, T.: Timing attacks on cognitive authentication schemes. IEEE TIFS 10(3), 584–596 (2014)
  39. Weinshall, D.: Cognitive authentication schemes safe against spyware (short paper). In: SP, pp. 295–300 (2006)
  40. Xu, H., Zhou, Y., Lyu, M.R.: Towards continuous and passive authentication via touch biometrics: an experimental study on smartphones. In: SOUPS, pp. 187–198 (2014)
  41. Yan, Q., Han, J., Li, Y., Deng, R.H.: On limitations of designing leakage-resilient password systems: attacks, principles and usability. In: NDSS (2012)

Author information

Correspondence to Jagmohan Chauhan.

Copyright information

© 2017 International Financial Cryptography Association

Cite this paper

Chauhan, J., Zhao, B.Z.H., Asghar, H.J., Chan, J., Kaafar, M.A. (2017). BehavioCog: An Observation Resistant Authentication Scheme. In: Kiayias, A. (ed.) Financial Cryptography and Data Security. FC 2017. Lecture Notes in Computer Science, vol 10322. Springer, Cham. https://doi.org/10.1007/978-3-319-70972-7_3

  • DOI: https://doi.org/10.1007/978-3-319-70972-7_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-70971-0

  • Online ISBN: 978-3-319-70972-7
