Secure Human-Computer Identification against Peeping Attacks (SecHCI): A Survey

Shujun Li, Heung-Yeung Shum
2003-01-01
Abstract: It is an interesting problem how a human can prove his or her identity to a trustworthy (local or remote) computer with untrustworthy input devices and via an insecure channel controlled by adversaries. All input devices and auxiliary devices are untrustworthy under the following assumptions: the adversaries can record the human's operations on the devices, and can access the devices to replay the recorded operations. Strictly, only common brain intelligence is available to the human. In this paper, such an identification system is called SecHCI, the abbreviation of Secure Human-Computer Identification (or Interface). In the real world, SecHCI addresses peeping attacks on widely used fixed passwords: an adversary can observe your password with his own eyes or with some hidden device (such as a mini-camera) when you input it on your keyboard or with your mouse. Compared with human-computer identification with the aid of trustworthy hardware devices, only a few contributions have been devoted to the design and analysis of SecHCI. The most systematic work was done recently by N. J. Hopper & M. Blum: some formal definitions are given and the feasibility is shown by several SecHCI protocols with acceptable security (but the usability is not very good because of their inherent limitations). In this paper, we give a comprehensive investigation of SecHCI, from both theoretical and practical viewpoints, and with both system-oriented and user-centered methods. A user study is made to show the problems of fixed passwords, the significance of peeping attacks and some design principles of human-computer identification. All currently known SecHCI protocols and some related works (such as visual/graphical passwords and CAPTCHAs) are surveyed in detail. In addition, we also give our opinions on future research and suggest a new prototype protocol as a possible solution to this problem.