Hash Visualization: a New Technique to Improve Real-World Security
Current security systems suffer from the fact that they fail to account for human factors. This paper considers two human limitations: first, people are slow and unreliable when comparing meaningless strings; and second, people have difficulties in remembering strong passwords or PINs. We identify two applications where these human factors negatively affect security: validation of root keys in public-key infrastructures, and user authentication. Our approach to improve the security of these systems is to use hash visualization, a technique which replaces meaningless strings with structured images. We examine the requirements of such a system and propose the prototypical solution Random Art. We also show how to apply hash visualization to improve the real-world security of root key validation and user authentication.
Although research in security has made tremendous progress over the past years, most security systems still suffer from the fact that they neglect human limitations in the real world. In this paper, we analyze two human limitations: first, the difficulties people have with remembering strong passwords and personal identification numbers (PINs)¹, and second, the difficulties they have with comparing meaningless strings². These human factors negatively affect many security systems, including the security of root key validation and user authentication.

The problem in root key validation is that people need to compare meaningless key fingerprints, which are strings of 32 hexadecimal digits. It is a known fact in psychology that people are slow and unreliable at processing or memorizing meaningless strings [11, 8]. Also, Anderson et al. [ ] show that strings can be memorized better if people can associate meaning with them, or if they look familiar.

Similarly, the problem in user authentication is that people have difficulties with choosing and memorizing strong passwords. If the passwords are too simple and have meanings, they are easy to remember but vulnerable to attacks which use password cracker programs. If the passwords are more complex and random, they are difficult to remember and hence users have to write them down. In either case, the security of the system is degraded. These problems have long been considered some of the fundamental weaknesses of security systems in the real world; we propose to use images to alleviate them.

¹ By strong passwords or strong PINs we mean strings which have no immediate meaning or relationship with the person. Therefore an attacker will have difficulties in guessing them.

² We use "meaningless" from the point of view of the user. The hash value, or fingerprint, of a public-key certificate has a purpose for the program, but no understandable meaning for the user.
In the case of root key validation, we use hash visualization to generate images from the strings, and the user can simply compare the images instead of the strings. This scheme is based on the fact that humans are very good at identifying geometrical shapes, patterns, and colors, and they can compare two images efficiently, as shown in [ ]. In the case of user authentication, we replace the precise recall of a password or PIN with the recognition of a previously seen image. Again, it has been shown that people are extremely efficient at recognizing previously seen images
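To make the root-key-validation use concrete, the following is an added example (not code from the paper and not the Random Art algorithm it proposes) of the simplest kind of hash visualization: a deterministic function that turns a 32-hex-digit fingerprint into a small picture, so that a user checks "do the two pictures look alike?" instead of reading 32 meaningless characters. The picture here is an ASCII grid drawn by a walk whose steps are driven by the fingerprint bits; the fingerprints, grid size and symbol set are all constructed for the illustration. The point a practitioner should take from it is the property any visualization must have for validation to be sound: the same fingerprint always yields the same image, and a fingerprint that differs even in one digit yields a different one.

```python
"""Toy hash visualization for key fingerprints (added example, not Random Art)."""
from typing import List

# Constructed sample fingerprints: 32 hex digits, the length of the MD5-style
# key fingerprints the paper refers to.  FINGERPRINT_B differs from
# FINGERPRINT_A only in the last hex digit, the kind of difference a human
# reading the strings side by side is likely to miss.
FINGERPRINT_A = "a1b2c3d4e5f60718293a4b5c6d7e8f90"
FINGERPRINT_B = "a1b2c3d4e5f60718293a4b5c6d7e8f91"

WIDTH, HEIGHT = 17, 9            # picture size (assumption, chosen for terminals)
SYMBOLS = " .o+=*BOX@%&#/^"      # symbol for a cell visited 0, 1, 2, ... times


def _bit_pairs(fingerprint: str):
    """Yield the 64 two-bit chunks of a 32-hex-digit fingerprint, low bits first."""
    if len(fingerprint) != 32:
        raise ValueError("fingerprint must be 32 hexadecimal digits")
    for byte in bytes.fromhex(fingerprint):        # raises ValueError on non-hex
        for shift in (0, 2, 4, 6):
            yield (byte >> shift) & 0b11


def walk(fingerprint: str) -> List[List[int]]:
    """Return a HEIGHT x WIDTH grid of visit counts.

    The walker starts in the centre.  Each 2-bit chunk moves it one step
    diagonally (0: up-left, 1: up-right, 2: down-left, 3: down-right),
    clamped at the border, and the cell it lands on is counted.  Because the
    walk is a pure function of the bits, equal fingerprints give equal grids.
    """
    grid = [[0] * WIDTH for _ in range(HEIGHT)]
    x, y = WIDTH // 2, HEIGHT // 2
    for pair in _bit_pairs(fingerprint):
        dx = -1 if pair in (0, 2) else 1
        dy = -1 if pair in (0, 1) else 1
        x = min(max(x + dx, 0), WIDTH - 1)
        y = min(max(y + dy, 0), HEIGHT - 1)
        grid[y][x] += 1
    return grid


def visualize(fingerprint: str) -> List[str]:
    """Map the visit counts to symbols, one string per picture row."""
    return ["".join(SYMBOLS[min(v, len(SYMBOLS) - 1)] for v in row)
            for row in walk(fingerprint)]


def render(fingerprint: str) -> str:
    """Frame the picture so it can be printed or put on a trusted medium."""
    border = "+" + "-" * WIDTH + "+"
    return "\n".join([border] + ["|" + row + "|" for row in visualize(fingerprint)] + [border])


def pictures_match(fingerprint_a: str, fingerprint_b: str) -> bool:
    """The check a verifier performs: are the two visualizations identical?"""
    return walk(fingerprint_a) == walk(fingerprint_b)


if __name__ == "__main__":
    # Print the two constructed fingerprints' pictures side by side so the
    # reader can see that a one-digit change is visible at a glance.
    for left, right in zip(render(FINGERPRINT_A).splitlines(),
                           render(FINGERPRINT_B).splitlines()):
        print(left, "  ", right)
    print("match:", pictures_match(FINGERPRINT_A, FINGERPRINT_B))
```

The usage mirrors the validation scenario in the text: the picture for the genuine root key is published through a trusted channel, and at validation time the user compares the freshly generated picture against it. Note the limitation the walk makes visible: the picture carries far fewer bits than the fingerprint, so two different fingerprints can in principle draw the same image; a visualization therefore only narrows what the user must compare, it does not replace collision resistance of the underlying hash.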