스마트 디바이스 상의 안전한 개인식별번호 입력 연구 동향

  • 이문규 (인하대학교 컴퓨터공학과)
  • Published : 2018.02.28

Abstract

개인식별번호(personal identification number: PIN)는 숫자로 이루어진 짧은 패스워드로서, 은행 ATM, 디지털 도어락, 스마트 디바이스 등에서 사용자 인증을 위해 널리 쓰이고 있다. PIN을 입력하기 위한 전통적인 키패드 방식의 인터페이스는 엿보기나 녹화 등의 공격에 취약하며, 이를 방지하기 위해 다양한 PIN 입력 방식들이 제안된 바 있다. 그러나, 잘못 설계된 PIN 입력 방식은 무작위 대입 공격 등 다른 공격에 대한 안전성이나 사용자 편의성을 떨어뜨릴 수 있다. 이 논문에서는 특히 스마트 디바이스 상에서 PIN을 안전하게 입력하기 위한 다양한 방식들을 조사하고 이들의 특성을 분석함으로써 안전하고 편리한 PIN 입력 방식의 설계를 위한 방향을 제시한다.

Keywords

References

  1. C. S. Weir, G. Douglas, T. Richardson, and M. Jack, "Usable security: User preferences for authenticationmethods in eBanking and the effects of experience," Interacting with Computers, vol. 22, no. 3, pp. 153-164, 2010. https://doi.org/10.1016/j.intcom.2009.10.001
  2. V. Roth, K. Richter, and R. Freidinger, "A PIN-entry method resilient against shoulder surfing," ACM CCS '04, pp. 236-245, 2004.
  3. D. S. Tan, P. Keyani, and M. Czerwinski, "Spy-resistant keyboard: more secure password entry on public touch screen displays," ACM OZCHI '05, 2005.
  4. A. De Luca, K. Hertzschuch, and H. Hussmann, "ColorPIN - securing PIN entry through indirect input," CHI '10, pp. 1103-1106, 2010.
  5. D. Wang, Q. Gu, X, Huang, P. Wang, "Understanding Human-Chosen PINs: Characteristics, Distribution and Security," ASIACCS '17, pp. 372-385, 2017
  6. A. J. Aviv, K. Gibson, E. Mossop, M. Blaze, and J. M. Smith, "Smudge attacks on smartphone touch screens," in Proceedings of the 4th USENIX Conference on Offensive Technologies (WOOT '10), 2010.
  7. E. von Zezschwitz, A. Koslow, A. De Luca, and H. Hussmann, "Making graphic-based authentication secure against smudge attacks," in Proceedings of the 18th International Conference on Intelligent User Interfaces (IUI '13), pp. 277-286, 2013.
  8. M.-K. Lee, "Security notions and advanced method for human shoulder-surfing resistant PIN-entry," IEEE Transactions on Information Forensics and Security, vol. 9, no. 4, pp. 695-708, 2014. https://doi.org/10.1109/TIFS.2014.2307671
  9. T. Kwon, S. Shin, and S. Na, "Covert attentional shoulder surfing: Human adversaries are more powerful than expected," IEEE Transactions on Systems, Man, and Cybernetics: Systems, vol. 44, no. 6, pp. 716-727, 2014. https://doi.org/10.1109/TSMC.2013.2270227
  10. R. Raguram, A. M. White, D. Goswami, F. Monrose, and J.-M. Frahm, "iSpy: Automatic reconstruction of typed input from compromising reflections," ACM CCS '11, pp. 527-536, 2011.
  11. F. Maggi, A. Volpatto, S. Gasparini, G. Boracchi, and S. Zanero, "A fast eavesdropping attack against touchscreens," Information Assurance and Security (IAS 2011), pp. 320-325, 2011.
  12. H. Sasamoto, N.Christin, and E.Hayashi, "Undercover: authentication usable in front of prying eyes," CHI '08, pp. 183-192, 2008.
  13. T. Perkovic, M. Cagalj, and N. Rakic, "SSSL: shoulder surfing safe login," in Proceedings of the International Conference on Software, Telecommunication and Computer Networks 2009, pp. 270-275, 2009.
  14. A. De Luca, E. Von Zezschwitz, and H. HuBmann, "Vibrapass - secure authentication based on shared lies," CHI '09, pp. 913-916, 2009.
  15. A. Bianchi, I. Oakley, J. K. Lee, and D.-S. Kwon, "The haptic wheel: design and evaluation of a tactile password system," CHI '10, pp. 3625-3630, 2010.
  16. A. Bianchi, I. Oakley, V. Kostakos, and D.-S. Kwon, "The phone lock: audio and haptic shoulder-surfing resistant PIN entry methods for mobile devices," ACM TEI '11, pp. 197-200, 2011.
  17. A. Bianchi, I. Oakley, and D. S. Kwon, "Spinlock: A singlecue haptic and audio PIN input technique for authentication," in Haptic and Audio Interaction Design (HAID 2011), vol. 6851 of Lecture Notes in Computer Science, pp. 81-90, 2011.
  18. M.-K. Lee, H. Nam, and D. K. Kim, "Secure bimodal PIN-entry method using audio signals," Computers and Security, vol. 56, pp. 140-150, 2016. https://doi.org/10.1016/j.cose.2015.06.006
  19. A. Bianchi, I. Oakley, and D. S. Kwon, "Counting clicks and beeps: Exploring numerosity based haptic and audio PIN entry," Interacting with Computers, vol. 24, no. 5, pp. 409-422, 2012. https://doi.org/10.1016/j.intcom.2012.06.005
  20. M.-K. Lee, J. Yoo, H. Nam, "Analysis and Improvement on a Unimodal Haptic PIN-Entry Method," Mobile Information Systems, vol. 2017, Article ID 6047312, 17 pages, 2017.
  21. T. Perkovic, S. Li, A. Mumtaz, S. A. Khayam, Y. Javed, and M. Cagalj, "Breaking undercover: Exploiting design flaws and nonuniform human behavior," SOUPS '11, 2011.
  22. M. Cagalj, T. Perkovic, and M. Bugaric, "Timing attacks on cognitive authentication schemes," IEEE Transactions on Information Forensics and Security, vol. 10, no. 3, pp. 584-596, 2015. https://doi.org/10.1109/TIFS.2014.2376177
  23. Q. Yan, J. Han, Y. Li, and R. H. Deng, "On limitations of designing leakage-resilient password systems: attacks, principles and usability," NDSS '12, 2012.
  24. H. J. Asghar, S. Li, R. Steinfeld, and J. Pieprzyk, "Does counting still count? revisiting the security of counting based user authentication protocols against statistical attacks," NDSS '13, 2013.
  25. H. J. Asghar, R. Steinfeld, S. Li, M. A. Kaafar, and J. Pieprzyk, "On the linearization of human identification protocols: attacks based on linear algebra, coding theory, and lattices," IEEE Transactions on Information Forensics and Security, vol. 10, no. 8, pp. 1643-1655, 2015. https://doi.org/10.1109/TIFS.2015.2421875
  26. T. Kwon and J. Hong, "Analysis and improvement of a PINEntry method resilient to shoulder-surfing and recording attacks," IEEE Transactions on Information Forensics and Security, vol. 10, no. 2, article no. A6, pp. 278-292, 2015. https://doi.org/10.1109/TIFS.2014.2374352
  27. E. Hayashi, S. Das, S. Amini, J. Hong, and I. Oakley, "CASA: context-aware scalable authentication," SOUPS '13, pp. 3:1-3:10, 2013.
  28. J. Thorpe, P. C. van Oorschot, and A. Somayaji, "Pass-thoughts: authenticating with our minds," in Proceedings of the 2005 workshop on New security paradigms (NSPW '05), pp. 45-56, 2005.
  29. M. Kumar, T. Garfinkel, D. Boneh, and T.Winograd, "Reducing shoulder-surfing by using gaze-based password entry," SOUPS '07, pp. 13-19, 2007.
  30. M.-K. Lee and H. Nam, "Secure and fast PIN-entry method for 3D display," SECURWARE 2013, pp. 26-29, 2013.
  31. M.-K. Lee, J. B. Kim, and M. K. Franklin, "Enhancing the security of personal identification numbers with three-dimensional displays," Mobile Information Systems, vol. 2016, Article ID 8019830, 9 pages, 2016.
  32. D. K. Yadav, B. Ionascu, S. V. Krishna Ongole, A. Roy, and N. Memon, "Design and analysis of shoulder surfing resistant PIN based authentication mechanisms on Google Glass," in 1st Workshop on Wearable Security and Privacy (In Association with Financial Crypto 2015), 2015, paper 8.
  33. P. Lantz, B. Johansson, M. Hell, and B. Smeets, "Visual cryptography and obfuscation: a use-case for decrypting and deobfuscating information using augmented reality ," Financial cryptography and data security, vol. 8976 of Lecture Notes in Computer Science, pp. 261-273, 2015.
  34. D. Kim, P. Dunphy, P. Briggs et al., "Multi-touch authentication on tabletops," CHI 2010, pp. 1093-1102, 2010.
  35. Q. Yan, J. Han, Y. Li, J. Zhou, and R. H. Deng, "Designing leakage-resilient password entry on touchscreen mobile devices," ASIACCS '13, pp. 37-48, 2013.