Biometric Key Generation Using Pseudo-Signatures

Lucas Ballard (Department of Computer Science, Johns Hopkins University)

Jin Chen (Department of Computer Science & Engineering, Lehigh University)

Daniel Lopresti (Department of Computer Science & Engineering, Lehigh University)

Fabian Monrose (Department of Computer Science, Johns Hopkins University)

Abstract

Recent work has shown that biometric key generation using handwriting as input is susceptible to attacks based on generative models and population statistics. In this paper, we propose an approach for overcoming these vulnerabilities through the use of idiosyncratic “pseudo-signatures.” We summarize the past work that led us to this notion, and describe a novel graphical user interface we have developed to test our theory by making it easier for users to create good graphical passwords. A discussion of preliminary results from ongoing experiments concludes the paper.

Keywords: biometrics, cryptographic key generation, online handwriting, hand-drawn sketches

1. Introduction

Handwritten signatures have received widespread acceptance for legal purposes and are a familiar mechanism for establishing one’s identity. This, combined with the growing proliferation of pen input devices (e.g., tablet computers and personal digital assistants), along with well-publicized incidents involving the theft of sensitive data, has resulted in a significant degree of interest in handwriting as a biometric [4]. It is useful to note that there are two fundamentally different ways of using handwriting for security purposes. Authentication, sometimes referred to as verification, is the problem of using a biometric sample as proof of claimed identity. Generally, this is accomplished by storing a representation of the user’s biometric, along with the user’s ID, in a protected database. When a user wishes to authenticate, she provides her ID and a biometric sample to a trusted, tamper-proof interface (a reference monitor) that controls access to the system. The reference monitor searches the database and retrieves the sample that should correspond to the identifier. If this sample matches the one provided by the user sufficiently closely, then the reference monitor authenticates the user. The other approach to using handwriting is as a basis for cryptographic key generation. Here the user provides a sample of her biometric to a system that by itself is not assumed to be secure. Rather, feature extraction and mapping to the key space are constructed in a way that preserves as much entropy as possible in the input without revealing anything useful about the biometric to an attacker who may capture and reverse-engineer the host system.

There are some important differences between the two uses of handwriting in a biometric setting. An authentication system can protect itself from a sustained attack by limiting each user to a small number of attempts to log in successfully before shutting her out for a period of time. Schemes that use handwriting for biometric key generation do not have this option, since it is assumed that a potential adversary can obtain complete control over the system and recover the key at her leisure, without any time constraints. From a security perspective, this means that to be rigorous an evaluation must test not only the ability of talented human forgers to defeat the system; it must also consider whether algorithmic techniques place it at risk. Our earlier research on handwriting biometrics addresses precisely this question, showing that attacks based on generative models for handwriting or that exploit general population statistics can be a serious threat [1, 2, 3].

In this paper, we propose an approach for overcoming the vulnerabilities we previously identified through the use of idiosyncratic “pseudo-signatures.” We summarize the past work that led us to this notion as a possible solution, and describe a novel graphical user interface we have developed to test this theory; our tool is designed to help make it easier for users to create good graphical hand-drawn passwords. We conclude with preliminary results from experiments now in progress and a discussion of ongoing research.

2. Handwriting and Key Generation

Techniques for cryptographic key generation have been proposed for numerous biometric modalities, including iris codes, keystroke latencies, speech, and, of course, handwritten signatures [6, 8, 15, 16]. Kuan et al., for example, describe a method for generating cryptographic keys from online signatures [8]. They evaluated their approach on the SVC dataset [17] and achieved an Equal Error Rate (EER) of between 6% and 14% given access to a stolen token.

Generating keys from signatures has several obvious benefits. First, compared with other biometric modalities, the capture of signatures is minimally intrusive. Second, the daily use of signatures results in a biometric modality that is highly repeatable. Third, users often embellish their signatures with decorative flourishes, which increases variation across the population. We note, however, that signatures have one property that makes them unappealing for key generation: each user only has one true signature. Since cryptographic keys can become compromised for any number of reasons, we seek a biometric modality that allows a user to create completely new keys whenever they are needed.

Another approach, which shares many of the benefits of signatures, is based on generating cryptographic keys from handwritten passphrases. Handwriting addresses the one-signature/one-key limitation: if a user wishes to generate a new key, she can write a new passphrase. There have been studies that show that handwriting varies across the population [12], and researchers have proposed generating keys from this modality [15, 16]. Vielhauer et al. present a biometric hash based on 24 features extracted from an online handwriting signal [16]. They report achieving a False Accept Rate (FAR) of 0% at a False Reject Rate (FRR) of 7%, but included only 10 subjects in their studies. In a later paper they discuss feature correlation and stability for a larger set of features; however, the same number of test subjects was employed [15]. Zöbisch and Vielhauer developed a tool for training forgers to explore the limits of their abilities [14]. In a test involving four users, they found that the FAR increases when the forger is shown a static image of the target signature, and doubles for a dynamic replay.

Our own extensive studies demonstrate the dramatic impact that human and algorithmic forgers can have on handwriting biometrics. A significant concern is that since people use handwriting in their daily activities, they may inadvertently leave behind samples of writing that could be exploited by an attacker in guessing their keys. Indeed, we have demonstrated a number of generative approaches for using captured online [2, 9] and even offline [1] samples to forge written passphrases. This raises serious issues with the use of such passphrase-based techniques.

3. Pseudo-Signatures

In this work, we propose a novel approach to generating keys from handwriting. We wish to combine the benefits of signatures (i.e., ease of collection, repeatability, and distinguishability) with the variety afforded by passphrases. Naturally, we require a kind of input that a user does not write in the normal course of daily life, to help ward off generative attacks. We base our approach on pseudo-signatures, which are a sequence of simple sketches that a user writes only for security purposes and hence help thwart generative attacks. Additionally, we build pseudo-signatures as the composition of common shapes (e.g., circles, squares, and triangles), so that they will be familiar and repeatable for users.

Our idea of pseudo-signatures is outwardly similar to the “Draw-a-Secret” (DAS) graphical passwords proposed by Jermyn et al. [7]. In that work, the authors present users with a 5 × 5 grid of blocks, and ask the users to draw a password. The authors derive a password from the squares that the user’s stylus visits, as well as the order in which the squares are visited. The authors argue that the theoretical password space for DAS is much larger than the password space for standard text-based passwords. However, van Oorschot and Thorpe later showed that while the theoretical password space is large, users tended to create highly symmetric passwords, and so the size of the password space in practice might be smaller than first thought [13]. In an experiment involving 16 test subjects [10], Nali and Thorpe found that approximately 45% of the users chose symmetric passwords, two-thirds of which were mirror-symmetric. Moreover, approximately 80% of the users chose passwords composed of 1-3 strokes, 10% used 4-6 strokes, and 10% employed six or more strokes. Finally, 56% of the passwords were centered, and an additional 30% were nearly centered. Clearly, when left to their own devices, users do not choose particularly good graphical passwords.

Our approach to pseudo-signatures attempts to rectify the shortcomings of DAS in order to find an input that simultaneously has higher entropy and is less likely to succumb to generative attacks. We make two extensions to the original DAS scheme to accomplish our goals:

1. We add online features, such as the velocity of the pen tip and the length of dwells, in addition to the coarse offline features that were employed in the original construction. We hope that this extra information will increase the entropy of the pseudo-signature space.

2. We provide users with randomly generated visual cues to help them draw passwords that cover more of the theoretical DAS space.

This second point deserves more explanation. In order to encourage users to draw (potentially) non-symmetric graphical passwords, we propose to show each user a different set of visual cues generated using a random process. The user can use these templates as hints for creating more distinctive passwords. The entropy of the keying material will not be computed from the templates, but rather from how the user chooses to combine the templates and then draw her password based on these cues. These templates include, but are not limited to, different shapes to trace, colors to indicate pen velocity, arrows to indicate directions of strokes, and locations and lengths of suggested pen-tip dwells. For example, a user might be presented with the prompt in Figure 1. She might then draw the four edges of a square in the indicated order, with the red stroke (1) drawn slowly, the yellow stroke (2) somewhat faster and dashed, and the green strokes (3, 4) drawn quickly. She would also dwell the pen tip for a short time period in the lower left corner of the square, and for a longer time in the upper left corner. After finishing this, she could draw a circle at moderate speed, pausing to dwell for a short period just after the three o’clock position on the circle.

Figure 1. An example of a pseudo-signature prompt.

Of course, the user is free to ignore the hints provided by the system, draw different symbols, or overlap the visual cues. We also leave it to the user’s interpretation as to what constitutes “medium” velocity, or a “long” dwell. We hope that by vaguely specifying the meanings of the visual cues, we will allow the personal interpretations of each user to naturally enhance the entropy of the biometric. At the same time, the minimal directions that we provide should reduce the tendency to create symmetric passwords. Moreover, another important goal for the visual cues is to increase repeatability by providing the user a way to remember what she had previously written. These are important open questions that we seek to begin answering in a series of experiments now underway. We present some preliminary observations in a later section of the paper.

4. Creating Visual Prompts

For our approach to be viable, the user must be able to recreate her key reliably at a later time. Thus, we seek a technique to show randomly generated visual prompts to the user when her pseudo-signature is first enrolled, and also to display the same set of prompts to the user when she later returns to recreate her key. At the same time, to guarantee that the user can create different keys if she so chooses, we must allow her to specify when she would like to be presented with a new set of visual prompts. We accomplish this by having the user select a traditional password for each key that she wishes to derive, and use this password to build a different set of randomly generated visual cues. We do not assume that the passwords have high entropy (otherwise, we would not need to generate keys from biometrics), but the entropy that they do provide will supplement the entropy of the biometric in the key derivation process.

Each visual cue is composed of a basic shape with a set of modifying characteristics, such as pen-tip dwell locations, stroke direction indicators, and speed indicators. The key generator stores each of these descriptors in tables; there is a different table for shapes, and one for each type of modifier. During enrollment, a user supplies her ID $u$ and password $\pi_{txt}$ to the system, which computes a cryptographic hash function $H$ (e.g., SHA-1 [11]) over the two strings to create an index $i = H(u \| \pi_{txt})$. The bits of $i$ serve as indexes into each of the visual cue tables. The system processes $i$ by repeatedly indexing into each table using the appropriate bits, and outputting the correct shapes and modifiers. Since $H$ is a cryptographic hash function, each of the bits in $i$ is independent of the others, and so each table is indexed independently. Note that the only source of entropy from an attacker’s point of view is $\pi_{txt}$.
Since $u$ is public, including it in the computation of $i$ offers no theoretical security, although in a practical setting it acts as a “salt” [5]. That is, an attacker who attempts to guess the graphical password for a specific user must rebuild a dictionary of graphical passwords based on that user’s identifier.

For an example of a randomized palette from which the user is free to pick any number of templates to serve as cues, see the upper half of the display in Figure 2. After being presented with a palette, the user then selects and arranges the templates needed to form a graphical password, as shown in the lower half of the display in Figure 2. Note that the user will be presented with this same palette each time she attempts to generate her key, so she must be able to recall the proper set of cues from the palette and their locations. This task is likely to be easier than trying to draw a complex graphical password without any cues, working only from memory. The system can be designed to enforce choosing a specific minimum number of templates to guarantee against trivial passwords that would be easy to attack. The password shown in the figure was created by overlaying four templates chosen from the palette: a quick glance makes it clear which ones were used. To increase memorability, the system could be designed to show fewer visual prompts to the user. The proper number to employ is a parameter that we are evaluating in our experiments.
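As an added illustration of the palette construction just described (this is not the authors' Tcl/Tk tool), the following Python derives a cue palette from $i = H(u \| \pi_{txt})$ by slicing the SHA-1 output into fixed-width indexes into the cue tables; the table contents, the bit widths, and the "||" separator are assumptions, since the paper does not list them. The distinct_palettes helper makes the attacker's view concrete: with the one-digit passwords some pilot users chose, a guesser has at most ten palettes to enumerate for a given user.

```python
"""Deterministic cue palette from i = H(u || pi_txt), as described in Section 4.

Added illustration, not the authors' tool.  Assumptions: SHA-1 as H (the paper's
example), "||" as the concatenation separator, and the table contents and bit
widths below (the paper does not list its tables).
"""
import hashlib

# Constructed cue tables (assumption).  Every table has a power-of-two size so
# that a fixed-width slice of hash bits indexes it uniformly, without modulo bias.
SHAPES = ["circle", "square", "triangle", "line", "arc", "zigzag", "spiral", "cross"]
SPEEDS = ["slow", "medium", "fast", "dashed"]
DIRECTIONS = ["clockwise", "counter-clockwise"]
DWELL_LOCATIONS = ["none", "start", "middle", "end"]
DWELL_LENGTHS = ["short", "long"]
TABLES = (("shape", SHAPES), ("speed", SPEEDS), ("direction", DIRECTIONS),
          ("dwell_at", DWELL_LOCATIONS), ("dwell_len", DWELL_LENGTHS))
for _, _table in TABLES:
    assert len(_table) & (len(_table) - 1) == 0, "table size must be a power of two"


def cue_index(user_id: str, password: str) -> bytes:
    """i = H(u || pi_txt).  u only acts as a salt: all entropy comes from pi_txt."""
    return hashlib.sha1(user_id.encode() + b"||" + password.encode()).digest()


class BitReader:
    """Consumes the bits of i from the most significant end, one slice per table."""

    def __init__(self, data: bytes):
        self.value = int.from_bytes(data, "big")
        self.remaining = len(data) * 8

    def take(self, nbits: int) -> int:
        if nbits > self.remaining:
            raise ValueError("hash output exhausted; use a longer H or fewer cues")
        self.remaining -= nbits
        return (self.value >> self.remaining) & ((1 << nbits) - 1)


def generate_palette(user_id: str, password: str, n_cues: int = 6) -> list:
    """Return n_cues cue descriptors; the same (u, pi_txt) always yields the same palette."""
    reader = BitReader(cue_index(user_id, password))
    palette = []
    for _ in range(n_cues):
        cue = {}
        for name, table in TABLES:
            # log2(len(table)) bits select one entry of this table
            cue[name] = table[reader.take(len(table).bit_length() - 1)]
        palette.append(cue)
    return palette


def distinct_palettes(user_id: str, candidate_passwords) -> int:
    """How many different palettes a guesser reaches from a password dictionary.
    For the single-digit passwords Section 6 reports, the answer is at most ten."""
    seen = set()
    for pw in candidate_passwords:
        seen.add(tuple(tuple(sorted(c.items())) for c in generate_palette(user_id, pw)))
    return len(seen)


if __name__ == "__main__":
    for cue in generate_palette("alice", "7"):
        print(cue)
    print("palettes reachable with one-digit passwords:",
          distinct_palettes("alice", [str(d) for d in range(10)]))
```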

Once the templates are placed, the user can then draw her password. While one strategy here is to trace over the cues, it is important to note that the user is not limited to tracing – she can create a completely new drawing that bears little resemblance to the cues, making use of the space between the templates in creative ways. We can also anticipate that over time, the user may be able to memorize her pseudo-signatures, just as we do with our one true signature, and hence no longer need the cues.

Figure 2. Cues selected by a user in preparation for creating a graphical password.

5. Computing Cryptographic Keys

After the system shows $\pi_{gr}$ to the user, it is up to her to create a pseudo-signature. She could try to replicate $\pi_{gr}$ precisely, use it for inspiration, augment it, or ignore it completely. No matter what her choice is, the user inputs her writing using a stylus, and the system extracts the digital signals $\beta$ that compose the handwriting signal. Let $\phi_1, \dots, \phi_m$ be $m$ error-corrected features (e.g., these could be the indexes of bins over the range of each feature that contain the user’s samples). The final key is computed as $K = H_0(u \| \pi_{txt} \| \phi_1(\beta) \| \dots \| \phi_m(\beta))$. Here, $H_0$ is also a cryptographic hash function that outputs $\lambda$ bits, but is independent of $H$. Note that it is not necessarily the case that the entropy of the key is $\lambda$ (in all likelihood, it will be much less). The security afforded by the key must be argued empirically based on the variability of the biometric reading. We believe that since each user will be shown a different set of graphical cues, and since these cues can be combined into arbitrary asymmetric shapes, the maximum theoretical entropy available from pseudo-signatures is likely to be much greater than what was offered in the original DAS scheme, or other passphrase-based handwriting key generators. Additionally, we aim to further increase this entropy by incorporating online features in addition to the static features used in DAS, such as the length of pen-tip dwells, velocity, and acceleration.
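The feature binning and key derivation of this section, written out as an added example (not the authors' implementation): $\beta$ is assumed to be one stroke of (x, y, t) samples, the five features and their bin widths are constructed, $H_0$ is SHA-256 (independent of the SHA-1 used for the palette), and the fields are length-prefixed before hashing so that the concatenation cannot be ambiguous. The constructed samples show a noisy redraw landing in the same bins as enrollment, and the comment in quantize records the bin-edge failure mode that any error-corrected feature has to manage.

```python
"""Key derivation K = H0(u || pi_txt || phi_1(beta) || ... || phi_m(beta)), Section 5.

Added illustration, not the authors' implementation.  Assumptions: beta is one
stroke sampled as (x, y, t_ms) tuples; the five features and their bin widths are
constructed; H0 is SHA-256 (independent of the SHA-1 used for the palette); fields
are length-prefixed before hashing so that "||" cannot be ambiguous.
"""
import hashlib
import math

DWELL_EPS = 3.0  # pen-tip movement (px) below which consecutive samples count as a dwell


def path_length(pts):
    return sum(math.hypot(x1 - x0, y1 - y0) for (x0, y0, _), (x1, y1, _) in zip(pts, pts[1:]))


def mean_speed(pts):
    duration = pts[-1][2] - pts[0][2]
    return path_length(pts) / duration if duration > 0 else 0.0


def longest_dwell(pts):
    """Longest run (ms) during which the pen tip barely moves."""
    longest, run_start = 0, None
    for (x0, y0, t0), (x1, y1, t1) in zip(pts, pts[1:]):
        if math.hypot(x1 - x0, y1 - y0) < DWELL_EPS:
            run_start = t0 if run_start is None else run_start
            longest = max(longest, t1 - run_start)
        else:
            run_start = None
    return longest


def bbox_width(pts):
    return max(p[0] for p in pts) - min(p[0] for p in pts)


def bbox_height(pts):
    return max(p[1] for p in pts) - min(p[1] for p in pts)


# (feature function, bin width): phi_i(beta) is the bin index of the feature value.
FEATURES = [(path_length, 100.0), (mean_speed, 0.25), (longest_dwell, 100.0),
            (bbox_width, 50.0), (bbox_height, 50.0)]


def quantize(pts):
    """Error-corrected features: values inside one bin map to the same index, so
    small reproduction noise is absorbed.  A value near a bin edge is the classic
    failure mode: a small wobble flips the index and therefore the whole key."""
    return [int(fn(pts) // width) for fn, width in FEATURES]


def derive_key(user_id, password, pts):
    fields = [user_id.encode(), password.encode()] + [str(b).encode() for b in quantize(pts)]
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hashlib.sha256(msg).hexdigest()   # lambda = 256 bits; real entropy is far lower


# Constructed samples: a 120-px square with a pause at the end, a noisy redraw of
# it, and an unrelated fast straight line.
ENROLL = [(0, 0, 0), (120, 0, 200), (120, 120, 400), (0, 120, 600),
          (0, 0, 800), (0, 1, 900), (1, 0, 1000), (1, 1, 1050)]
RETRY = [(2, 1, 0), (121, 1, 210), (119, 121, 405), (1, 119, 598),
         (1, 2, 805), (0, 2, 910), (1, 1, 1005), (2, 2, 1060)]
LINE = [(0, 0, 0), (300, 0, 300)]

if __name__ == "__main__":
    print(quantize(ENROLL), quantize(RETRY), quantize(LINE))
    print(derive_key("alice", "7", ENROLL) == derive_key("alice", "7", RETRY))
```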

6. Experimental Evaluation

We have developed a graphical tool written in the Tcl/Tk scripting language to support our work on pseudo-signatures. The tool is platform-independent and runs under both Linux and MS Windows. Screen snapshots earlier in the paper show the tool in action. Our data collection activities are taking place using NEC Versa LitePad tablet computers; this is the same system we used in our previous studies on handwriting biometrics. Ultimately, we expect to gather data from 30-40 test subjects, students recruited from our respective institutions through various reward policies that encourage serious attempts at using and stressing the system.

One of our first goals will be to evaluate the traditional FRR / FAR tradeoff, making use of so-called “blind” (or naïve) forgeries. We will also analyze this data for measures of password complexity (e.g., symmetry, the number of templates the user has chosen and how they are arrayed on the page, etc.) so that we can begin to characterize user preferences. We will conduct additional data collections at later dates to determine how performance degrades over time, and in particular whether the graphical passwords users create are indeed memorable and reproducible. We also plan to examine several types of forgery attempts, of course, using the same paradigms we developed for our earlier studies ([1, 2, 3]). For example, prospective forgers will be allowed access to the same palette of cues as the targeted user to see whether that raises their success rates. In addition, we will also study simulated “shoulder surfing” attacks to see whether these are a risk to pseudo-signature systems. Finally, we plan to attempt algorithmic attacks based on our generative handwriting models.

A key set of questions to be answered concerns the composition of visual cues and its impact on both the usability of our approach and on the entropy of the pseudo-signatures. For instance, the templates that we have presented in this paper are composed of a small set of shapes. Each shape has indicators specifying location of pen-tip dwells, dwell lengths, direction of strokes, and speed. It is unclear whether applying each of the indicators to each shape will improve usability by providing users with precise directions, or whether the many different indicators will simply confuse users. Our experiments will address this question. Additionally, we might further increase the entropy of our approach by not specifying the length of pen-tip dwells (which is currently suggested by the diameter of the dwell-tip circles). By simply specifying the location of the dwells instead of the length, we might extract additional entropy by drawing on each user’s natural interpretation of what constitutes a dwell. It is also important to explore whether simple symmetric shapes such as circles and squares are useful, or whether more abstract shapes might improve entropy.

For now, we report preliminary observations based on five test subjects, each of whom created a pseudo-signature and drew it a total of 100 times over a period of five sessions. In this “beta-test” of the system, users were presented with visual cues in a 2 × 3 grid. We begin by noting that three of the five users chose to generate their palette of visual cues using only a single digit password, further emphasizing the need both for good strategies for selecting cues and for extracting significant entropy from the user’s writing. Four of the five test subjects chose three cues to create their pseudo-signatures, while the fifth subject chose seven cues. One question concerns how quickly users will adapt to the system. As a way of measuring this, we plot in Figure 3 how much time a particular individual – Subject #3 in our experiments – took to place the visual cues and then to write his pseudo-signature. Note that after an initial acclimation phase, the user appears to settle down to more consistent timings. Another important measure of security is the inherent symmetry present in the pseudo-signatures that users design. As noted earlier in the discussion of Draw-a-Secret, symmetric drawings provide less entropy. On the other hand, it may be natural for users to select more symmetric arrangements to help them remember where to place their cues. A relatively simple measure of symmetry is first to determine the bounding box for the handwriting comprising the pseudo-signature and then to subdivide the box into four quadrants. By plotting the number of pen tip samples that fall within a given quadrant, we can create quick displays indicative of whether a pseudo-signature is asymmetric (Figure 4) or symmetric (Figure 5).

Figure 3. Time to place cues (lower curve) and to write pseudo-signature (upper curve) for Subject #3.

Figure 4. Sampled point distribution for asymmetric pseudo-signature created by Subject #2.

Figure 5. Sampled point distribution for symmetric pseudo-signature created by Subject #4.
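The quadrant-count measure described above, written out as an added example (not the authors' plotting code); the scalar symmetry score is an assumption layered on top of the paper's four per-quadrant counts, and the two point sets are constructed.

```python
"""Quadrant-count symmetry measure from Section 6: bounding box split into four
quadrants, pen-tip samples counted per quadrant.  Added illustration, not the
authors' code.  The scalar score is an assumption on top of the paper's counts:
1.0 when the left/right and top/bottom halves hold equal numbers of samples,
falling towards 0.0 as the samples crowd into one side.
"""


def quadrant_counts(points):
    """Return [lower_left, lower_right, upper_left, upper_right] sample counts,
    splitting at the centre of the bounding box of the pen-tip samples."""
    xs = [p[0] for p in points]
    ys = [p[1] for p in points]
    cx = (min(xs) + max(xs)) / 2.0
    cy = (min(ys) + max(ys)) / 2.0
    counts = [0, 0, 0, 0]
    for x, y in points:
        counts[(0 if x < cx else 1) + (0 if y < cy else 2)] += 1
    return counts


def symmetry_score(points):
    """Assumed score: 1 minus the mean normalised left/right and top/bottom imbalance.
    Note that it measures where the ink sits, not the mirror symmetry of the strokes."""
    ll, lr, ul, ur = quadrant_counts(points)
    n = float(len(points))
    left_right = abs((ll + ul) - (lr + ur)) / n
    top_bottom = abs((ll + lr) - (ul + ur)) / n
    return 1.0 - (left_right + top_bottom) / 2.0


# Constructed pen-tip samples: a mirror-symmetric layout, and a drawing crowded
# into one corner with a single stray sample in the opposite corner.
SYMMETRIC = [(0, 0), (10, 0), (0, 10), (10, 10), (2, 2), (8, 2), (2, 8), (8, 8)]
ASYMMETRIC = [(0, 0), (1, 1), (2, 0), (1, 2), (10, 10), (3, 1), (0, 3), (2, 2)]

if __name__ == "__main__":
    for name, pts in (("symmetric", SYMMETRIC), ("asymmetric", ASYMMETRIC)):
        print(name, quadrant_counts(pts), round(symmetry_score(pts), 3))
```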

In addition to studying the ease with which users can reliably recreate their pseudo-signatures, we are also now collecting data to support analysis of FRR / FAR under various forgery models.

7. Conclusions

In this paper we have introduced the notion of pseudo-signatures as a way of overcoming the serious limitations of using an individual’s one true signature or her normal handwriting for biometric key generation. This concept builds on past work on graphical passwords, in particular Draw-a-Secret, posing a number of interesting questions. Preliminary observations suggest that the scheme is feasible, although we have not yet collected sufficient data to understand its vulnerabilities, which hinge on a user’s ability to design and then draw a strong pseudo-signature.

8. Acknowledgments

This work is supported by the National Science Foundation under grants CNS-0430338 (Johns Hopkins) and CNS-0430178 (Lehigh).

References

[1] L. Ballard, D. Lopresti, and F. Monrose. Evaluating the security of handwriting biometrics. In Proceedings of the 10th International Workshop on the Foundations of Handwriting Recognition, pages 461–466, La Baule, France, October 2006.

[2] L. Ballard, D. Lopresti, and F. Monrose. Forgery quality and its implications for biometric security. IEEE Transactions on Systems, Man, and Cybernetics, Part B (Special Issue), 37(5):1107–1118, October 2007.

[3] L. Ballard, F. Monrose, and D. Lopresti. Biometric authentication revisited: Understanding the impact of wolves in sheep’s clothing. In Proceedings of the 15th Annual USENIX Security Symposium, pages 29–41, Vancouver, BC, Canada, August 2006.

[4] M. C. Fairhurst. Signature verification revisited: promoting practical exploitation of biometric technology. Electronics & Communication Engineering Journal, pages 273–280, December 1997.

[5] D. Feldmeier and P. Karn. UNIX password security – ten years later. In Advances in Cryptology – CRYPTO ’89 Proceedings, volume 435 of Lecture Notes in Computer Science, pages 44–63, Berlin, Germany, 1990. Springer-Verlag.

[6] F. Hao and C. Wah. Private key generation from online handwritten signatures. Information Management and Computer Security, 10(4):159–164, 2002.

[7] I. Jermyn, A. Mayer, F. Monrose, M. Reiter, and A. Rubin. The design and analysis of graphical passwords. In Proceedings of the Eighth USENIX Security Symposium, August 1999.

[8] Y. Wai Kuan, A. Goh, D. Ngo, and A. Teoh. Cryptographic keys from dynamic hand-signatures with biometric security preservation and replaceability. In Proceedings of the Fourth IEEE Workshop on Automatic Identification Advanced Technologies, pages 27–32, Los Alamitos, CA, 2005. IEEE Computer Society.

[9] D. P. Lopresti and J. D. Raim. The effectiveness of generative attacks on an online handwriting biometric. In Proceedings of the International Conference on Audio- and Video-based Biometric Person Authentication, pages 1090–1099, Hilton Rye Town, NY, USA, 2005.

[10] D. Nali and J. Thorpe. Analyzing user choice in graphical passwords. Technical report, School of Information Technology and Engineering, University of Ottawa, May 27 2004.

[11] NIST. Secure Hash Standard. FIPS PUB 180-1, May 1993.

[12] S. N. Srihari, S-H. Cha, H. Arora, and S. Lee. Individuality of handwriting: A validation study. In ICDAR ’01: Proceedings of the Sixth International Conference on Document Analysis and Recognition, page 106, Washington, DC, USA, 2001. IEEE Computer Society.

[13] P. C. van Oorschot and J. Thorpe. On predictive models and user-drawn graphical passwords. ACM Transactions on Information and System Security, June 2007.

[14] C. Vielhauer and F. Zöbisch. A test tool to support brute-force online and offline signature forgery tests on mobile devices. In Proceedings of the International Conference on Multimedia and Expo, volume 3, pages 225–228, 2003.

[15] C. Vielhauer and R. Steinmetz. Handwriting: Feature correlation analysis for biometric hashes. EURASIP Journal on Applied Signal Processing, 4:542–558, 2004.

[16] C. Vielhauer, R. Steinmetz, and A. Mayerhofer. Biometric hash based on statistical features of online signatures. In Proceedings of the Sixteenth International Conference on Pattern Recognition, volume 1, pages 123–126, 2002.

[17] D. Y. Yeung, H. Chang, Y. Xiong, S. George, R. Kashi, T. Matsumoto, and G. Rigoll. SVC2004: First International Signature Verification Competition. In Proceedings of the International Conference on Biometric Authentication, Hong Kong, July 2004.