Neuroscience joins cryptography

July 19, 2012 by Nancy Owano, report

Screenshot of the e Serial Interception Sequence Learning task in progress. Credit: Hristo Bojinov, Neuroscience Meets Cryptography: Designing Crypto Primitives Secure Against Rubber Hose Attacks, 21st USENIX Security Symposium.
( -- Security experts are turning to cognitive psychology for fresh ideas on authentication. Hristo Bojinov of Stanford University and others on his team have a new authentication design based on the concept of implicit learning. Implicit learning refers to learning patterns without any conscious knowledge of the learned pattern. An example of this is riding a bicycle. One knows how to ride a bicycle, but cannot explain how. The technique involves, through a crafted computer game, delivering a secret password in the user’s brain without the user consciously knowing what the password is.

This, as the authors point out, represents a turning point in how might treat authentication. Traditionally, it has been about either who you are (biometrics), what you know (passwords) or what you have (tokens).

The newly added twist, as the research takes on further development, will also work at authentication based on what you really know but do not know. The research team suggests its authentication category as “a subclass of behavioral biometric measurement.”

Bojinov sees the application in high-risk scenarios when the code-holder needs to be physically present, such as to gain access to a nuclear or military facility. “Now, suppose a clever attacker captures an authenticated user. The attacker can steal the user’s hardware token, fake the user’s biometrics, and coerce the victim into revealing his or her secret key. At this point the attacker can impersonate the victim and defeat the expensive system deployed at the facility,” the authors said.

The paper, which they intend to present next month at the 21st USENIX Security Symposium in Bellevue, Washington, is called “Designing Crypto Primitives Secure Against Rubber Hose Attacks.” The authors are Hristo Bojinov, Daniel Sanchez, Paul Reber, Dan Boneh, and Patrick Lincoln. The team further explained what they mean by rubber hose attacks: “Cryptographic systems often rely on the secrecy of cryptographic keys given to users. Many schemes, however, cannot resist coercion attacks where the user is forcibly asked by an attacker to reveal the key. These attacks, known as rubber hose cryptanalysis, are often the easiest way to defeat cryptography. We present a defense against coercion attacks using the concept of implicit learning from .”

Bojinov and colleagues designed a game lasting 30 to 45 minutes in which players intercept falling objects by pressing a key. The objects appear in one of six positions, each corresponding to a different key. Positions of objects were not always random. a hidden sequence of 30 successive positions was repeated over 100 times. Players made fewer errors when they encountered this sequence on successive rounds. This learning persisted when the players were tested two weeks later.

“We performed a number of user studies using Amazon’s Mechanical Turk to verify that participants can successfully re-authenticate over time and that they are unable to reconstruct or even recognize short fragments of the planted secret.”

If another person were to try to discover the sequence by forcing the password holder to play a similar game and watching to see when they make fewer errors, chances would be slim. The sequence consists of 30 key presses in six different positions. Testing 100 users nonstop for a year would result in less than a 1 in 60,000 chance of extracting the sequence.

So far, results of their research indicate the game could form the basis of a security system of this nature. Users would learn a sequence unique to them in an initial session and later prove that they know it by playing the same game. Nonetheless, the authors acknowledge that much work remains before the system can be deployed in a user-friendly state. The team hopes to further analyze the rate at which implicitly learned passwords are forgotten, and the required frequency of refresher sessions.

Explore further: Hotmail in hot water over password flaw, rushes fix

More information:
via Newscientist

Related Stories

Hotmail in hot water over password flaw, rushes fix

April 28, 2012

Hackers tried to get the best of Hotmail by figuring out how to reset Hotmail user passwords for e-mail accounts this month. Locking hotmail users out of their own accounts when trying to key in their passwords was something ...

Team Prosecco dismantles security tokens

June 27, 2012

( -- As password systems alone prove inadequate to protect information on computers against hackers, security customers have taken the advice of vendors to step up to tokens, those online security credentials that ...

Individual typing style gives key to user authentication

May 16, 2012

Your typing style is as individual as your fingerprints. Being able to use typing style to identify a change in users could be a vital security and forensic support for organisations such as banks, the military and universities, ...

Recommended for you

Permanent, wireless self-charging system using NIR band

October 8, 2018

As wearable devices are emerging, there are numerous studies on wireless charging systems. Here, a KAIST research team has developed a permanent, wireless self-charging platform for low-power wearable electronics by converting ...

Facebook launches AI video-calling device 'Portal'

October 8, 2018

Facebook on Monday launched a range of AI-powered video-calling devices, a strategic revolution for the social network giant which is aiming for a slice of the smart speaker market that is currently dominated by Amazon and ...

Artificial enzymes convert solar energy into hydrogen gas

October 4, 2018

In a new scientific article, researchers at Uppsala University describe how, using a completely new method, they have synthesised an artificial enzyme that functions in the metabolism of living cells. These enzymes can utilize ...


Adjust slider to filter visible comments by rank

Display comments: newest first

not rated yet Jul 20, 2012
Clever. As with any other crypotography system it requires that the key (in this case the game) remain secret or it could easily be analyzed for the salient sequence.
I imagine if one were to use a 'combined rubber hose attack' (using several people who learned the same sequence) the speedup in cracking the code could be vastly faster than a mere halving of the stated 60000 years.
Using sequences that are 'orthogonal' to one another for each victim one might be able to extract snippets of the correct sequence through multivariate analysis and reconstruct the entire sequence eventually.

The disadvantage for the victim is that he probably can't foil such an attack since - not knowing the sequence consciously - he can't intentionally press wrong buttons.

not rated yet Jul 20, 2012
So long as users aren't required to learn umteen different sequences to provide authentication to umteen disparate authenticators. Sounds like it will be harder to write these down
not rated yet Jul 22, 2012
Ehh, nothing new for me. For years I use a password that contains random sequence of small and big letters and only my fingers know it. I can't reproduce it in my mind even if my life depends on it. If I lose a finger the password will be lost forever. I didn't know that this is so ingenious that deserves so much attention.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.