Paper 2005/268

Secure Human-Computer Identification (Interface) Systems against Peeping Attacks: SecHCI

Shujun Li and Heung-Yeung Shum

Abstract

This paper focuses on human-computer identification systems against peeping attacks, in which adversaries can observe (and even control) interactions between humans (provers) and computers (verifiers). Real cases of peeping attacks were reported by Ross J. Anderson ten years before. Fixed passwords are insecure against peeping attacks since adversaries can simply replay the observed passwords. Some identification techniques can be used to defeat peeping attacks, but auxiliary devices must be used and such devices are also insecure against peeping attacks if they are lost or stolen. Although more and more people are becoming aware of the risks from peeping attacks, a practical solution has not been found. This paper first gives a comprehensive review of peeping attacks and related issues, and then points out some basic design principles. Two general structures of secure human-computer identification systems are proposed against peeping attacks. A concrete SecHCI protocol and its various implementations are given, and a real Web service is developed for demonstration. The security and usability of the proposed protocol are investigated in detail. Although the usability of the proposed protocol is not yet sufficiently good, we believe that some design skills of the proposed protocol are useful for future work on SecHCI.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. Unknown where it was published
Contact author(s)
hooklee @ mail com
History
2005-08-17: received
Short URL
https://ia.cr/2005/268
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2005/268,
      author = {Shujun Li and Heung-Yeung Shum},
      title = {Secure Human-Computer Identification (Interface) Systems against Peeping Attacks: {SecHCI}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2005/268},
      year = {2005},
      url = {https://eprint.iacr.org/2005/268}
}