User Interfaces for Secure Personal Identification Number (PIN) Entry

  • Mun-Kyu Lee (이문규; Department of Computer and Information Engineering, Inha University)
  • Published : 2014.06.30

Abstract

A personal identification number (PIN) is a user-authentication credential used widely in applications such as bank accounts, credit cards, smartphones, and door locks. The PIN entry method in traditional use, however, has many security weaknesses, among them the shoulder-surfing attack, in which an attacker who watches the PIN being entered over the user's shoulder memorizes the keystrokes and simply enters them again. This article reviews the research to date on resolving these problems and identifies the factors that future work on secure PIN entry methods must take into account.
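The following Python model is an added illustration and not code from the article or from any of the works it reviews. It contrasts the direct keypad entry described above, where every keystroke is the PIN digit itself, with an indirect-input scheme modeled loosely on the black/white partition idea of Roth et al. (reference 10 below): instead of pressing the digit, the user answers over several rounds which randomly chosen half of the digits contains it. The function names, the sample PIN, the number of rounds and the two attacker models (a camera that records every round versus a human who recalls only the last few) are assumptions made for this example.

```python
"""Shoulder surfing against direct and indirect PIN entry (added example).

The indirect scheme is a simplified version of the black/white partition
idea of Roth et al. (CCS 2004); everything else here (function names,
round counts, attacker models, the sample PIN) is an assumption of this
example, not taken from the article.
"""
import random

DIGITS = frozenset(range(10))


def observe_traditional_entry(pin):
    """Direct keypad entry: each keystroke is the PIN digit itself, so an
    observer who remembers the keystrokes has the PIN with no further work."""
    observed_keystrokes = [ch for ch in pin]
    return "".join(observed_keystrokes)


def random_partition(rng):
    """Split the ten digits into two random halves (shown as black and white keys)."""
    order = sorted(DIGITS)
    rng.shuffle(order)
    return frozenset(order[:5]), frozenset(order[5:])


def indirect_entry_transcript(pin, rounds, seed):
    """Indirect entry: for each PIN digit the user answers `rounds` times which
    half holds the digit. Returns exactly what an observer sees: the partitions
    and the user's black/white answers, never the digit itself."""
    rng = random.Random(seed)  # seeded so the transcript is reproducible
    transcript = []
    for ch in pin:
        digit = int(ch)
        digit_rounds = []
        for _ in range(rounds):
            black, white = random_partition(rng)
            answer = "black" if digit in black else "white"
            digit_rounds.append((black, white, answer))
        transcript.append(digit_rounds)
    return transcript


def recover_candidates(transcript, remembered_rounds=None):
    """Attacker intersects, per digit, the halves the user pointed to.
    remembered_rounds=None models a recording attacker (camera) who keeps every
    round; a small integer k models a human who recalls only the last k rounds."""
    candidates = []
    for digit_rounds in transcript:
        seen = digit_rounds if remembered_rounds is None else digit_rounds[-remembered_rounds:]
        possible = set(DIGITS)
        for black, white, answer in seen:
            possible &= black if answer == "black" else white
        candidates.append(sorted(possible))
    return candidates


def count_consistent_pins(candidates):
    """Number of PINs the attacker still has to try after the observation."""
    total = 1
    for per_digit in candidates:
        total *= len(per_digit)
    return total


if __name__ == "__main__":
    pin = "4821"  # constructed sample PIN for the demonstration
    print("traditional entry leaks:", observe_traditional_entry(pin))
    transcript = indirect_entry_transcript(pin, rounds=4, seed=2014)
    for label, k in (("camera, all rounds", None), ("human, last round only", 1)):
        cands = recover_candidates(transcript, k)
        print(f"{label}: {cands} -> {count_consistent_pins(cands)} PINs left")
```

Each round roughly halves the candidate set for a digit, so a recording attacker who keeps every round is left with a single PIN after a handful of rounds, while an observer who retains only the last round still faces 5^4 = 625 possibilities. The protection therefore rests entirely on the assumed memory limit of a human observer, which is exactly the assumption examined in the work on stronger human adversaries and on the limits of leakage-resilient entry (references 11 and 15 below).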

References

  1. J. Bonneau, S. Preibusch, and R. Anderson, "A birthday present every eleven wallets? The security of customer-chosen banking PINs," in Financial Cryptography (LNCS), New York, NY, USA: Springer-Verlag, 2012, pp. 25-40.
  2. M. G. Kuhn, "Probability theory for pickpockets: ec-PIN guessing," 1997. [Online]. Available: http://www.cl.cam.ac.uk/~mgk25/
  3. D. Davis, F. Monrose, and M. K. Reiter, "On user choice in graphical password schemes," in Proc. 13th USENIX Security Symp., 2004, pp. 151-164.
  4. M.-K. Lee, "Security notions and advanced method for human shoulder-surfing resistant PIN-entry," IEEE Trans. Inf. Forensics Security, vol. 9, no. 4, pp. 695-708, Apr. 2014. https://doi.org/10.1109/TIFS.2014.2307671
  5. L. Cai and H. Chen, "TouchLogger: Inferring keystrokes on touch screen from smartphone motion," in Proc. 6th USENIX Workshop on Hot Topics in Security (HotSec), 2011.
  6. A. J. Aviv, K. Gibson, E. Mossop, M. Blaze, and J. M. Smith, "Smudge attacks on smartphone touch screens," in Proc. 4th USENIX Workshop on Offensive Technologies (WOOT), 2010, pp. 1-7.
  7. E. von Zezschwitz, A. Koslow, A. De Luca, and H. Hussmann, "Making graphic-based authentication secure against smudge attacks," in Proc. IUI, 2013, pp. 277-286.
  8. T. Kwon and S. Na, "TinyLock: Affordable defense against smudge attacks on smartphone pattern lock systems," Computers & Security, vol. 42, pp. 137-150, May 2014. https://doi.org/10.1016/j.cose.2013.12.001
  9. Samsung SDS smart door lock, http://www.samsungkey.co.kr/
  10. V. Roth, K. Richter, and R. Freidinger, "A PIN-entry method resilient against shoulder surfing," in Proc. CCS, 2004, pp. 236-245.
  11. T. Kwon, S. Shin, and S. Na, "Covert attentional shoulder surfing: Human adversaries are more powerful than expected," IEEE Trans. Syst., Man, Cybern., Syst., vol. 44, no. 6, pp. 716-727, June 2014. https://doi.org/10.1109/TSMC.2013.2270227
  12. D. S. Tan, P. Keyani, and M. Czerwinski, "Spy-resistant keyboard: More secure password entry on public touch screen displays," in Proc. 17th Austral. Conf. Comput. Human Interaction (OZCHI), 2005, pp. 1-10.
  13. S. Park (박승배), "Information input method capable of preventing input information from being exposed to an observer," Korean Patent 10-0743854, 2007.
  14. A. De Luca, K. Hertzschuch, and H. Hussmann, "ColorPIN: Securing PIN entry through indirect input," in Proc. CHI, 2010, pp. 1103-1106.
  15. Q. Yan, J. Han, Y. Li, and R. H. Deng, "On limitations of designing leakage-resilient password systems: Attacks, principles and usability," in Proc. NDSS, 2012, pp. 50-58.
  16. M. Kumar, T. Garfinkel, D. Boneh, and T. Winograd, "Reducing shoulder-surfing by using gaze-based password entry," in Proc. SOUPS, 2007, pp. 13-19.
  17. J. Thorpe, P. van Oorschot, and A. Somayaji, "Pass-thoughts: Authentication with our minds," in Proc. NSPW, 2005, pp. 45-56.
  18. H. Sasamoto, N. Christin, and E. Hayashi, "Undercover: Authentication usable in front of prying eyes," in Proc. CHI, 2008, pp. 183-192.
  19. A. De Luca, E. von Zezschwitz, and H. Hussmann, "VibraPass: Secure authentication based on shared lies," in Proc. CHI, 2009, pp. 913-916.
  20. T. Perkovic, M. Cagalj, and N. Rakić, "SSSL: Shoulder surfing safe login," in Proc. Int. Conf. Softw., Telecommun. Comput. Netw. (SoftCOM), 2009, pp. 270-275.
  21. A. Bianchi, I. Oakley, J. K. Lee, and D.-S. Kwon, "The haptic wheel: Design & evaluation of a tactile password system," in Proc. CHI, 2010, pp. 3625-3630.
  22. A. Bianchi, I. Oakley, and D.-S. Kwon, "The secure haptic keypad: A tactile password system," in Proc. CHI, 2010, pp. 1089-1092.
  23. A. Bianchi, I. Oakley, and D.-S. Kwon, "Spinlock: A single-cue haptic and audio PIN input technique for authentication," in HAID (LNCS), New York, NY, USA: Springer-Verlag, 2011, pp. 81-90.
  24. A. Bianchi, I. Oakley, V. Kostakos, and D.-S. Kwon, "The phone lock: Audio and haptic shoulder-surfing resistant PIN entry methods for mobile devices," in Proc. TEI, 2011, pp. 197-200.
  25. A. Bianchi, I. Oakley, and D.-S. Kwon, "Counting clicks and beeps: Exploring numerosity based haptic and audio PIN entry," Interacting with Computers, vol. 24, no. 5, pp. 409-422, 2012. https://doi.org/10.1016/j.intcom.2012.06.005
  26. A. De Luca, E. von Zezschwitz, N. D. H. Nguyen, M.-E. Maurer, E. Rubegni, M. P. Scipioni, et al., "Back-of-device authentication on smartphones," in Proc. CHI, 2013, pp. 2389-2398.
  27. Q. Yan, J. Han, Y. Li, J. Zhou, and R. H. Deng, "Designing leakage resilient password entry on touchscreen mobile devices," in Proc. ASIACCS, 2013, pp. 37-48.
  28. A. De Luca, E. von Zezschwitz, L. Pichler, and H. Hussmann, "Using fake cursors to secure on-screen password entry," in Proc. CHI, 2013, pp. 2399-2402.