Research On Shoulder-surfing Resistant Password Entry Method For Mobile Devices

Password is one of the most widely used authentication methods.However,the input process of password is vulnerable to shoulder-surfing attacks.In a shoulder-surfing attack,the attacker peeps or records with a device over someone's shoulder to obtain privacy information.The user often needs to input passwords in unsafe environments such as public places,but the traditional password entry method is not leakage resistant.It makes the shoulder-surfing attack become one of the most serious information security problems in daily life.Aiming at this security problem,this thesis deeply studied the password entry method resistant to shoulder-surfing attacks on mobile devices,and put forward two efficient schemes.The main work of this thesis is summarized as follows:(1)We investigated the existing shoulder-surfing resistant PIN-entry schemes,and proposed a new PIN-entry scheme for constructing auxiliary channel.This scheme adopts the idea of cognitive trapdoor game and transmits secret information through the vibration channel of the mobile device to hide the real information input by the user.Compared with the existing schemes,this scheme can achieve the security against multiple recording attacks while maintaining the original password space size of the PIN.We analyzed the security of the scheme in theory,and further analyzed the security and availability of the scheme through experiments.(2)We proposed an auxiliary channel-based textual password entry method for mobile devices,which supports the input of textual passwords containing upper and lower case letters and numbers.The method adopts the mode of mapping input.The method uses pattern as temporary session key to map the character grid position and uses the character position to map the character.In order to resist multiple recording attacks,the method transmits the secret through the vibration channel of the mobile device to protect the real answer.Besides,we introduced a new security notion of attack alert,which is embodied in our method to improve the security.This function enables the system to detect failed shoulder-surfing attacks and alert the legitimate user to prevent further attacks by the attacker.We analyzed the security of the scheme in theory,and further analyzed the security and availability of the scheme through experiments.