Neuroscience joins cryptography

Jul 19, 2012 by Nancy Owano report
Screenshot of the e Serial Interception Sequence Learning task in progress. Credit: Hristo Bojinov, Neuroscience Meets Cryptography: Designing Crypto Primitives Secure Against Rubber Hose Attacks, 21st USENIX Security Symposium.

(Phys.org) -- Security experts are turning to cognitive psychology for fresh ideas on authentication. Hristo Bojinov of Stanford University and others on his team have a new authentication design based on the concept of implicit learning. Implicit learning refers to learning patterns without any conscious knowledge of the learned pattern. An example of this is riding a bicycle. One knows how to ride a bicycle, but cannot explain how. The technique involves, through a crafted computer game, delivering a secret password in the user’s brain without the user consciously knowing what the password is.

This, as the authors point out, represents a turning point in how might treat authentication. Traditionally, it has been about either who you are (biometrics), what you know (passwords) or what you have (tokens).

The newly added twist, as the research takes on further development, will also work at authentication based on what you really know but do not know. The research team suggests its authentication category as “a subclass of behavioral biometric measurement.”

Bojinov sees the application in high-risk scenarios when the code-holder needs to be physically present, such as to gain access to a nuclear or military facility. “Now, suppose a clever attacker captures an authenticated user. The attacker can steal the user’s hardware token, fake the user’s biometrics, and coerce the victim into revealing his or her secret key. At this point the attacker can impersonate the victim and defeat the expensive system deployed at the facility,” the authors said.

The paper, which they intend to present next month at the 21st USENIX Security Symposium in Bellevue, Washington, is called “Designing Crypto Primitives Secure Against Rubber Hose Attacks.” The authors are Hristo Bojinov, Daniel Sanchez, Paul Reber, Dan Boneh, and Patrick Lincoln. The team further explained what they mean by rubber hose attacks: “Cryptographic systems often rely on the secrecy of cryptographic keys given to users. Many schemes, however, cannot resist coercion attacks where the user is forcibly asked by an attacker to reveal the key. These attacks, known as rubber hose cryptanalysis, are often the easiest way to defeat cryptography. We present a defense against coercion attacks using the concept of implicit learning from .”

Bojinov and colleagues designed a game lasting 30 to 45 minutes in which players intercept falling objects by pressing a key. The objects appear in one of six positions, each corresponding to a different key. Positions of objects were not always random. a hidden sequence of 30 successive positions was repeated over 100 times. Players made fewer errors when they encountered this sequence on successive rounds. This learning persisted when the players were tested two weeks later.

“We performed a number of user studies using Amazon’s Mechanical Turk to verify that participants can successfully re-authenticate over time and that they are unable to reconstruct or even recognize short fragments of the planted secret.”

If another person were to try to discover the sequence by forcing the password holder to play a similar game and watching to see when they make fewer errors, chances would be slim. The sequence consists of 30 key presses in six different positions. Testing 100 users nonstop for a year would result in less than a 1 in 60,000 chance of extracting the sequence.

So far, results of their research indicate the game could form the basis of a security system of this nature. Users would learn a sequence unique to them in an initial session and later prove that they know it by playing the same game. Nonetheless, the authors acknowledge that much work remains before the system can be deployed in a user-friendly state. The team hopes to further analyze the rate at which implicitly learned passwords are forgotten, and the required frequency of refresher sessions.

Explore further: Google DeepMind acquisition researchers working on a Neural Turing Machine

More information:
via Newscientist

Related Stories

Hotmail in hot water over password flaw, rushes fix

Apr 28, 2012

Hackers tried to get the best of Hotmail by figuring out how to reset Hotmail user passwords for e-mail accounts this month. Locking hotmail users out of their own accounts when trying to key in their passwords ...

Team Prosecco dismantles security tokens

Jun 27, 2012

(Phys.org) -- As password systems alone prove inadequate to protect information on computers against hackers, security customers have taken the advice of vendors to step up to tokens, those online security ...

Individual typing style gives key to user authentication

May 16, 2012

Your typing style is as individual as your fingerprints. Being able to use typing style to identify a change in users could be a vital security and forensic support for organisations such as banks, the military ...

Recommended for you

Saving lots of computing capacity with a new algorithm

Oct 29, 2014

The control of modern infrastructure such as intelligent power grids needs lots of computing capacity. Scientists of the Interdisciplinary Centre for Security, Reliability and Trust (SnT) at the University of Luxembourg have ...

User comments : 3

Adjust slider to filter visible comments by rank

Display comments: newest first

antialias_physorg
not rated yet Jul 20, 2012
Clever. As with any other crypotography system it requires that the key (in this case the game) remain secret or it could easily be analyzed for the salient sequence.
I imagine if one were to use a 'combined rubber hose attack' (using several people who learned the same sequence) the speedup in cracking the code could be vastly faster than a mere halving of the stated 60000 years.
Using sequences that are 'orthogonal' to one another for each victim one might be able to extract snippets of the correct sequence through multivariate analysis and reconstruct the entire sequence eventually.

The disadvantage for the victim is that he probably can't foil such an attack since - not knowing the sequence consciously - he can't intentionally press wrong buttons.

alfie_null
not rated yet Jul 20, 2012
So long as users aren't required to learn umteen different sequences to provide authentication to umteen disparate authenticators. Sounds like it will be harder to write these down
:-/
anonimen
not rated yet Jul 22, 2012
Ehh, nothing new for me. For years I use a password that contains random sequence of small and big letters and only my fingers know it. I can't reproduce it in my mind even if my life depends on it. If I lose a finger the password will be lost forever. I didn't know that this is so ingenious that deserves so much attention.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.