Neuroscience joins cryptography

Jul 19, 2012 by Nancy Owano report
Screenshot of the e Serial Interception Sequence Learning task in progress. Credit: Hristo Bojinov, Neuroscience Meets Cryptography: Designing Crypto Primitives Secure Against Rubber Hose Attacks, 21st USENIX Security Symposium.

(Phys.org) -- Security experts are turning to cognitive psychology for fresh ideas on authentication. Hristo Bojinov of Stanford University and others on his team have a new authentication design based on the concept of implicit learning. Implicit learning refers to learning patterns without any conscious knowledge of the learned pattern. An example of this is riding a bicycle. One knows how to ride a bicycle, but cannot explain how. The technique involves, through a crafted computer game, delivering a secret password in the user’s brain without the user consciously knowing what the password is.

This, as the authors point out, represents a turning point in how might treat authentication. Traditionally, it has been about either who you are (biometrics), what you know (passwords) or what you have (tokens).

The newly added twist, as the research takes on further development, will also work at authentication based on what you really know but do not know. The research team suggests its authentication category as “a subclass of behavioral biometric measurement.”

Bojinov sees the application in high-risk scenarios when the code-holder needs to be physically present, such as to gain access to a nuclear or military facility. “Now, suppose a clever attacker captures an authenticated user. The attacker can steal the user’s hardware token, fake the user’s biometrics, and coerce the victim into revealing his or her secret key. At this point the attacker can impersonate the victim and defeat the expensive system deployed at the facility,” the authors said.

The paper, which they intend to present next month at the 21st USENIX Security Symposium in Bellevue, Washington, is called “Designing Crypto Primitives Secure Against Rubber Hose Attacks.” The authors are Hristo Bojinov, Daniel Sanchez, Paul Reber, Dan Boneh, and Patrick Lincoln. The team further explained what they mean by rubber hose attacks: “Cryptographic systems often rely on the secrecy of cryptographic keys given to users. Many schemes, however, cannot resist coercion attacks where the user is forcibly asked by an attacker to reveal the key. These attacks, known as rubber hose cryptanalysis, are often the easiest way to defeat cryptography. We present a defense against coercion attacks using the concept of implicit learning from .”

Bojinov and colleagues designed a game lasting 30 to 45 minutes in which players intercept falling objects by pressing a key. The objects appear in one of six positions, each corresponding to a different key. Positions of objects were not always random. a hidden sequence of 30 successive positions was repeated over 100 times. Players made fewer errors when they encountered this sequence on successive rounds. This learning persisted when the players were tested two weeks later.

“We performed a number of user studies using Amazon’s Mechanical Turk to verify that participants can successfully re-authenticate over time and that they are unable to reconstruct or even recognize short fragments of the planted secret.”

If another person were to try to discover the sequence by forcing the password holder to play a similar game and watching to see when they make fewer errors, chances would be slim. The sequence consists of 30 key presses in six different positions. Testing 100 users nonstop for a year would result in less than a 1 in 60,000 chance of extracting the sequence.

So far, results of their research indicate the game could form the basis of a security system of this nature. Users would learn a sequence unique to them in an initial session and later prove that they know it by playing the same game. Nonetheless, the authors acknowledge that much work remains before the system can be deployed in a user-friendly state. The team hopes to further analyze the rate at which implicitly learned passwords are forgotten, and the required frequency of refresher sessions.

Explore further: Oculus unveils new prototype VR headset

More information:
via Newscientist

Related Stories

Hotmail in hot water over password flaw, rushes fix

Apr 28, 2012

Hackers tried to get the best of Hotmail by figuring out how to reset Hotmail user passwords for e-mail accounts this month. Locking hotmail users out of their own accounts when trying to key in their passwords ...

Team Prosecco dismantles security tokens

Jun 27, 2012

(Phys.org) -- As password systems alone prove inadequate to protect information on computers against hackers, security customers have taken the advice of vendors to step up to tokens, those online security ...

Individual typing style gives key to user authentication

May 16, 2012

Your typing style is as individual as your fingerprints. Being able to use typing style to identify a change in users could be a vital security and forensic support for organisations such as banks, the military ...

Recommended for you

Oculus unveils new prototype VR headset

Sep 20, 2014

Oculus has unveiled a new prototype of its virtual reality headset. However, the VR company still isn't ready to release a consumer edition.

Who drives Alibaba's Taobao traffic—buyers or sellers?

Sep 18, 2014

As Chinese e-commerce firm Alibaba prepares for what could be the biggest IPO in history, University of Michigan professor Puneet Manchanda dug into its Taobao website data to help solve a lingering chicken-and-egg question.

Computerized emotion detector

Sep 16, 2014

Face recognition software measures various parameters in a mug shot, such as the distance between the person's eyes, the height from lip to top of their nose and various other metrics and then compares it with photos of people ...

User comments : 3

Adjust slider to filter visible comments by rank

Display comments: newest first

antialias_physorg
not rated yet Jul 20, 2012
Clever. As with any other crypotography system it requires that the key (in this case the game) remain secret or it could easily be analyzed for the salient sequence.
I imagine if one were to use a 'combined rubber hose attack' (using several people who learned the same sequence) the speedup in cracking the code could be vastly faster than a mere halving of the stated 60000 years.
Using sequences that are 'orthogonal' to one another for each victim one might be able to extract snippets of the correct sequence through multivariate analysis and reconstruct the entire sequence eventually.

The disadvantage for the victim is that he probably can't foil such an attack since - not knowing the sequence consciously - he can't intentionally press wrong buttons.

alfie_null
not rated yet Jul 20, 2012
So long as users aren't required to learn umteen different sequences to provide authentication to umteen disparate authenticators. Sounds like it will be harder to write these down
:-/
anonimen
not rated yet Jul 22, 2012
Ehh, nothing new for me. For years I use a password that contains random sequence of small and big letters and only my fingers know it. I can't reproduce it in my mind even if my life depends on it. If I lose a finger the password will be lost forever. I didn't know that this is so ingenious that deserves so much attention.