Access Online SecHCI System

What does SecHCI Mean?

SecHCI means Secure Human-Computer Identification (or Interface) System against Peeping Attacks. Generally speaking, SecHCI is an alternative name of so-called "HumanAut" (or HUMANOIDs), which is an ongoing project funded by Aladdin Center of CMU.

Peeping attacks are such attacks, in which adversaries can observe all interactions between humans (provers) and computers (verifiers). Peeping attacks can be divided into two classes: 1) avtive peeping attacks - adversaries even can impersonate the verifiers to cheat humans; 2) passive peeping attacks - adversaries can only passively observe computers' challenges and humans' responses. In literatures, passive peeping attacks are also be called as "observer attacks" [2-4], and "shoulder-surfing attacks" [5]. A "popular" kind of device for peeping attack is hidden camera [6], and TEMPEST is another much more complex technique [7-9]. Computer virus (worms, Trojan horses) and malicious codes are increasing sources to carry out peeping attacks. Extremely speaking, you are under surveillance everywhere and whenever.

Theoretically speaking, SecHCI is about the following problem: how can humans prove their identities with untrustworthy devices to computers via insecure communication channels? All available devices are essentially untrustworthy, including monitors, keyboards, mouses, your disks, even your smart cards (which may be stolen or lost), programs, web services, etc. The communication channels are insecure since adversaries can eavesdrop them. Only what you think in your own brains are available to prove yourselves: human-intelligence-only!! Even your feelings and expressions (such as eye-focus on ROI - Ragion-of-Interest) are not secure!!

What is the Goal of the SecHCI Project?

The goal of the SecHCI project is to find practical and cryptographical secure solutions to SecHCI problem. Here, "practical" is really important since it is hard for users to accept a system with poor usability. It is much more difficult to design a practical and secure system than to degsign a secure system. There are some points about a practical SecHCI system: - almost humans can use without special technical training; - the login time should be small enough; - the passwords should be easily set, changed and recalled; - the idea of CAPTCHA can be easily incorporated to frustrate attacks from malicious robots; - the system can be easily configurated in ATM machines; etc.

When and How was the SecHCI Project Launched?

From April 2002, when I was a visiting student in Microsoft Research Asia (supervised by Dr. Harry Shum), the SecHCI project was launched as my research project. Initially, this project is our efforts to find a new direction lying between computer security and computer vision & computer graphics. After I left MSRA in Sep. 2002, the project is continued in Institute of Image Processing, Xi'an Jiaotong University. Now it is a free project without any financial support from neither MSRA nor IPC-xjtu.

Selected References on SecHCI/HumanAut

This site is maintained by Shujun Li, last updated on 13 August, 2011.