Lots of small stuff - PowerPoint PPT Presentation

Provided by: sit9
1
Lots of small stuff
  • How do passwords work?
  • What if you forget your password?
  • Hardware alternatives to passwords.
  • One biometric password alternative.

2
How do passwords work?
3
Standard passwords
  • Do not store the password on the server.
  • Instead, store a one-way function of the
    password. (Attacker has to invert or perform a
    dictionary attack).
  • Use salts, i.e., store (hash(password, salt), salt),
    to avoid amortized dictionary attacks.

4
There are distributed techniques
  • Technique by Kaliski-Ford protects against
    break-in of a server: store a portion of the
    salted password on one server, another portion on
    another.
  • Other techniques by Jablon, MacKenzie-Shrimpton-Jakobsson.

5
Error-Tolerant Password Recovery
Or: What do you do if you forgot your
password? (without having your admin reset it)
Adapted from material by Niklas Frykholm and Ari
Juels
6
Users classifiable into two types
1. Those who don't forget or lose passwords,
e.g.,
2. Those who forget or lose passwords

7
Current method of password recovery: use of
private information
  • Social security number
  • Not terribly private anymore (I know yours.)
  • Amount of last deposited cheque
  • All Americans deposited 300 or 600 from IRS
  • Mother's maiden name
  • For those of, e.g., Chinese origin, a handful of
    last names cover much of population

8
  • Date of birth
  • For all of these approaches, the private
    information must be stored on a server or
    available to customer service representatives

9
Aim 1: Use truly private questions
  • Examples
  • Answers are never revealed in
    explicit form to server or customer service
    representative, etc.

10
Answers open vault for user, enabling recovery
on client
11
How this might work
...
12
How this might work
[Figure: X, with H(a1), H(a2), H(a3), ..., H(a15)]
13
Aim 2: Tolerate user errors
  • Question: What was the name of the first
    girl/boy you kissed?

14
Now, during recovery...
Original key X
User tries X'
Thus, we need to be able to open the vault if X' ≈ X
15
Fuzzy commitment (JW 99)
  • Produce ciphertext C_X(K) of secret K under
    key X
  • We can decrypt K using any X' such that X' ≈ X
  • We learn only a little information about X
  • Idea: Use error-correcting code -- in unorthodox
    way
  • Throw away the message space!

16
Error-correcting code
[Figure: codewords c1 to c12; labels "f(X)" and "c6"]
17
Error-correcting code
[Figure: codewords c1 to c12; label "f(X) ?????"]
18
Fuzzy commitment
[Figure: codewords c1 to c12]
19
Fuzzy commitment
[Figure: codewords c1 to c4 and c6 to c12]
20
Why is this secure?
[Figure: codewords c1 to c12]
21
Why is this secure?
[Figure: codewords c1 to c12, and K]
22
Why is this secure?
[Figure: codewords c1 to c12, and K]
23
Why is this secure?
[Figure: codewords c1 to c12, and K]
24
Fuzzy commitment
  • Cryptographically strong security if code is
    large enough, i.e., if there are enough codewords
  • Very efficient encryption/decryption
  • Tradeoff between leakage of X and error-tolerance

25
The password recovery scheme
  • X = H(a1) H(a2) ... H(a15)
  • Select random codeword K
  • Compute C_X(K) = X - K
  • Store vault: C_X(K), E_K(passwords)
  • Given enough right answers, i.e., X' ≈ X, we can
    compute K, decrypt and recover passwords
  • Typical (secure) parameterization
  • 15 questions
  • Any 11 will open vault
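
The scheme on this slide with its 15-question, any-11 parameterization, as an added Python example that is not from the original slides. It assumes a Reed-Solomon-style polynomial code over a prime field with a brute-force decoder, a SHAKE-256 XOR stream standing in for E_K, and a stored hash of K (as in the published fuzzy commitment construction) to confirm decoding; all function names and the answer normalisation are assumptions.

```python
import hashlib, itertools, secrets

P = 2**127 - 1                  # prime field for code symbols (assumed parameter)
N, DIM, NEED = 15, 7, 11        # 15 questions; polynomial degree < 7; any 11 right answers open

def h(i, answer):               # H(a_i) as a field element; case and spacing are normalised
    d = hashlib.sha256(f"{i}:{answer.strip().lower()}".encode()).digest()
    return int.from_bytes(d, "big") % P

def lagrange(points, x):        # value at x of the polynomial through `points` (mod P)
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num, den = num * (x - xj) % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def key_of(codeword):           # symmetric key derived from the codeword K
    return hashlib.sha256(repr(codeword).encode()).digest()

def stream_xor(key, data):      # stand-in for E_K; use an authenticated cipher in practice
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key).digest(len(data))))

def create_vault(answers, passwords):
    coeffs = [secrets.randbelow(P) for _ in range(DIM)]     # random codeword K
    K = [sum(c * pow(x, e, P) for e, c in enumerate(coeffs)) % P for x in range(1, N + 1)]
    key = key_of(K)
    return {"offset": [(h(i, a) - k) % P for i, (a, k) in enumerate(zip(answers, K))],  # X - K
            "check": hashlib.sha256(key).hexdigest(),       # hash of K, confirms a decoding
            "ct": stream_xor(key, passwords)}

def open_vault(vault, answers):
    # X' - (X - K) = K + (X' - X): the codeword, with errors where answers were wrong
    w = [(i + 1, (h(i, a) - d) % P) for i, (a, d) in enumerate(zip(answers, vault["offset"]))]
    for subset in itertools.combinations(w, DIM):   # brute-force decoder, fine for n = 15
        cand, misses = [], 0
        for x, y in w:
            c = y if (x, y) in subset else lagrange(subset, x)
            cand.append(c)
            misses += c != y
            if misses > N - NEED:
                break
        else:
            key = key_of(cand)
            if hashlib.sha256(key).hexdigest() == vault["check"]:
                return stream_xor(key, vault["ct"])
    return None
```

Because this code has dimension 7, anyone who knows 7 of the answers for certain can interpolate K directly; that is the leakage versus error-tolerance tradeoff named on the previous slide.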

26
[Figure: Alice, Bob, Charlie]
  • User answers questions, creates vault C_X(K)
  • User generates public/private key pair (SK, PK)
  • User encrypts passwords, etc.

27
[Figure: Alice, Bob, Charlie]
  • Alice (or admin) can add to vault without opening
    it (just encrypt using PK_A)

28
[Figure: Alice, Bob, Charlie]
  • By answering, e.g., 11 out of 15 questions, Alice
    can, e.g., recover SK_A, and thus passwords
    securely using any Web-enabled device

29
[Figure: Alice, Bob, Charlie]
  • With external hardening server, can use fewer
    than 15 questions
  • A related product (using distribution) is RSA
    Nightingale

30
How does SecurID work?
[Figure: user holds secret S_user; server holds the same secret S_user]
31
but what if my token is stolen?
32
but what if my device clock is too fast / too
slow?
33
Cryptographic Key Generation using features in a
speaker's voice
Work by Fabian Monrose, Peter Li, Mike Reiter,
Susanne Wetzel
34
Goal
Key recovery should be difficult for adversary
even if the device is captured.
35
Why Voice?
  • A natural user interface for many devices
  • Known to differentiate between users
  • rich literature in speaker verification
  • Unlike static biometrics such as a
    fingerprint, changing the password changes
    vocalization of it, so a user can have many keys.

36
Illustration of the technique
37
Yeah, but isn't this similar to ...?
  • Voice encryption (e.g., STU-III, PGPFone, etc)
  • encrypts voice signal, but generates key via
    other input
  • Encryption with spoken password
  • password entropy is low
  • even lower for pronounceable passwords
  • Speaker verification
  • compares speech to speaker-dependent, plaintext
    model
  • if captured, model leaks keying material

38
The basic idea - dispersing the secret
39
The basic idea - reconstruction
40
The basic idea - how it works
Random value
41
The basic idea - how it works
42
Okay, so what is this good for?
  • Conceptually, can be used in any context where
    traditional passwords are used.
  • Encrypted email.
  • Used to generate keying material for
    private/public key generation, e.g., VPN access.
  • File encryption.

43

Frames 1 k
Analyze frames: windowing, endpoint detection,
silence removal. Frames are 30ms long,
overlapping by 10ms.
Extract features: 12-dimensional vectors of
cepstral coefficients. Intuitively, these
features model the vocal tract.
Capture signal: 8000 samples/sec.
44
Tradeoffs
Reliability ?
Security?
How many attempts does a legitimate user need in
order to successfully regenerate his key?
Evaluated with pre-existing telephone dataset of
90 users and over 2000 utterances; attained
false reject rates near 2 while not sacrificing
security.