Oracle model to validate shoulder-surfing resistance of virtual keyboards

摘要

In the era of digital world, online services like net banking, e-wallet, bill payment portals, e-mail and many other Cloud services became inevitable part of life. These service providers possess private and valuable data of their users. This makes online service portals a target to steal e-assets. Shoulder-surfing provides an easy way to loot e-assets by stealing user credentials. Plenty of counter mechanisms are available in the literature to overcome shoulder-surfing attack. Most of those proposals lack formal security proof. Hence it is difficult to compare them or validate their claim. Another setback is that some of the shoulder-surfing resistant keyboards are designed to resist human observer and validated by making a group of humans to observe the interaction between user and virtual keyboard and then guess the password correctly. Since human cognition varies, systems evaluated using a group of humans cannot be considered as a standard method to compare and evaluate the shoulder-surfing resistance of virtual keyboards. This paper proposes traditional oracle model based framework to evaluate shoulder-surfing resistant keyboards. Three shoulder-surfing resistant virtual keyboards from literature are chosen and their resistance to shoulder-surfing is computed in terms of minimum advantage of an adversary using the proposed oracle framework. This paper also presents basic password recovery algorithms to recover the password that are entered using the virtual keyboards selected for this study.