Challenge-response (CR) is an effective way to authenticate users even if the communication channel is insecure. Traditionally CR authentication relies on one-way hashes and shared secrets to verify the identities of users. Such a method cannot cope with an insider attack, where a user can obtained the secret (i.e., the response) from a legitimate user. To cope with it, we design a biometric-based CR authentication scheme (hereafter MoCRA), which is derived from the motions as a user operates emerging depth-sensor- based input devices, such as a Leap Motion controller. We envision that to authenticate a user, MoCRA randomly chooses a string (e.g., a few words), and the user has to write the string in the air. Using Leap Motion, MoCRA captures the user's writing movements and then extracts his / her handwriting style. After verifying that what the user writes matches what is asked for, MoCRA leverages a Support Vecter Machine (SVM) with co-occurrence matrices to model the handwriting styles and can reliably authenticate users, even if what they write is completely different every time. Evaluated on data from 24 subjects over 7 months, MoCRA managed to verify a user with an average of $1.18\%$1.18% (Equal Error Rate) EER and to reject impostors with $2.45\%$2.45% EER.

中文翻译：

---

使用空中手写样式验证的质询-响应身份验证

即使通信通道不安全，质询响应 (CR) 也是验证用户的有效方式。传统上，CR 身份验证依赖于单向哈希和共享机密来验证用户的身份。这种方法无法应对内部攻击，用户可以从合法用户那里获得秘密（即响应）。为了解决这个问题，我们设计了一个基于生物特征的 CR 认证方案（以下简称民政部)，这是从用户操作新兴的基于深度传感器的输入设备（例如 Leap Motion 控制器）时的动作中得出的。我们设想要对用户进行身份验证，民政部随机选择一个字符串（例如，几个单词），用户必须将字符串写在空中。使用 Leap Motion，民政部捕捉用户的书写动作，然后提取他/她的笔迹风格。在验证用户写入的内容与要求的内容匹配后，民政部利用具有共现矩阵的支持向量机 (SVM) 对手写样式进行建模，并且可以可靠地验证用户身份，即使他们每次书写的内容都完全不同。对 7 个月内 24 名受试者的数据进行评估，民政部 设法验证用户平均 $1.18\%$1.18% （同等错误率）EER 并拒绝冒名顶替者 $2.45\%$2.45% 能效比。