Although research in security has made tremendous progress over the past years, most security
systems still suffer from the fact that they neglect human limitations in the real world. In this
paper, we analyze two human limitations: the difficulty people have with remembering secure
passwords and personal identification numbers (PIN)
, and second, with comparing meaningless
strings. These human factors negatively affect many security systems, including the
security of root key validation and user authentication. The problem in root key validation is that
people need to compare meaningless key fingerprints, which are strings of 32 hexadecimal digits. It
is a known fact in psychology that people are slow and unreliable at processing or memorizing
meaningless strings [11, 8]. Also, Anderson et al. show that strings can be
memorized better if people can associate meaning with them, or if they look familiar
[2]. Similarly, the problem in user authentication is that people have difficulties
with choosing and memorizing secure passwords. If a password is simple, or has a meaning, it is easy
to remember but vulnerable to a password cracker attack. If the password is complex and random, it
is difficult to remember and hence the user writes it down. In both cases, the system security is
low.
Problems due to human factors are considered a fundamental weakness of real-world security systems. In this paper we propose to use images to alleviate human limitations. In the case of root key validation we use hash visualization to generate an image from the key fingerprint, and the user simply compares the images instead of the fingerprints. This scheme is based on the fact that humans are very good at identifying geometrical shapes, patterns, and colors, and they can compare images efficiently [7, 15, 13]. In the case of user authentication, we replace the precise recall of a password or PIN with a recognition of a previously seen image. It has been shown that people are extremely efficient at the recognition of previously seen images [1, 6].
Anderson shows that human factors have a (frequently underestimated) impact on the security of a real-world system [3]. The contribution of this paper is to propose the new security primitive hash visualization along with the necessary requirements, and to propose Random Artas a prototypical solution, and finally, to show how to apply hash visualization to improve the security of root key validation and user authentication. Since Random Artis a prototype solution, we hope that this paper may direct the interest of researchers in image processing, security, and psychology, and cooperation between them to find better solutions.
The paper is organized as follows. First we examine the requirements of the ideal hash visualization scheme in Section 2. In Section 3 we propose a possible solution to satisfy the requirements of the hash visualization. Section 4 gives two example applications about how to apply the hash visualization scheme to improve the security of systems. We discuss shortcomings and limitations of this approach in Section 5. Our conclusion and future work are in Section 6.