Error tolerant password recovery
This presentation is the property of its rightful owner.
Sponsored Links
1 / 29

Error-Tolerant Password Recovery PowerPoint PPT Presentation


  • 65 Views
  • Uploaded on
  • Presentation posted in: General

Error-Tolerant Password Recovery. To err is human, to forgive divine. Niklas Frykholm and Ari Juels RSA Laboratories. Password recovery: The problem. Elephant. Ron Rivest. Users classifiable into two types. 1. Those who don’t forget or lose passwords, e.g.,.

Download Presentation

Error-Tolerant Password Recovery

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Error tolerant password recovery

Error-TolerantPassword Recovery

To err is human, to forgive divine...

Niklas Frykholm and Ari Juels

RSA Laboratories


Password recovery the problem

Password recovery: The problem


Users classifiable into two types

Elephant

Ron Rivest

Users classifiable into two types

1. Those who don’t forget or lose passwords, e.g.,

2. Those who forget or lose passwords


Current method of password recovery use of private information

Current method of password recovery:use of “private” information

  • SSN

    • Not terribly private anymore

  • Amount of last deposited cheque

    • All Americans deposited $300 or $600 from IRS

  • Mother’s maiden name

    • For those of, e.g., Chinese origin, a handful of surnames cover much of population


Error tolerant password recovery

Special Report:October 5th is America's

most popular birthday.

  • Date of birth

  • Worst of all, “private” information must be stored on a server or available to customer service representatives


Aim 1 use truly private questions

  • “What was the name of your first pet?”

“Fabio”

  • “What was the name of the first girl/boy you kissed?”

“Uma”

Aim #1:Use truly private questions

  • Examples:

  • Answers are never revealed in explicit form to server or customer service representative, etc.


Answers open vault for user enabling recovery on client

My passwords

My private keys

Answers open “vault” for user,enabling recovery on client


How this might work

answer 1

answer 2

answer 3

answer 15

H

H

H

H

H(a1)

H(a2)

H(a3)

H(a15)

How this might work

...


How this might work1

EX[

]

=

My private keys

How this might work

X =

H(a1)

H(a2)

H(a3)

...

H(a15)


Aim 2 tolerate user errors

“Dolly?”

“Liz”?

“Peter?”

“Bridget”?

Hugh Grant

Aim #2: Tolerate user errors

Question: “What was the name of the first girl/boy you kissed?”


Now during recovery

H(a1)

H(a2)

H(a3)

H(a15)

H(a1)

H(a3)

...

Now, during recovery...

Original key X =

...

User tries X’ =

Thus, we need to be able to open the vault if X’ X


Fuzzy commitment jw 99

Fuzzy commitment (JW ‘99)

  • Produce ciphertext  = CX[K] of secret K under key X

  • We can decrypt K using any X’ such that X’  X

  • We learn only a little information about X

  • Idea: Use error-correcting code -- in unorthodox way

    • Throw away the message space!


Error correcting code

X

f

Error-correcting code

c1

c2

c3

c4

c5

c6

c7

c8

c9

c10

c11

c12

f(X) = c6


Error correcting code1

X

Error-correcting code

c1

c2

c3

c4

c5

c6

c7

c8

c9

c10

c11

c12

f(X) = ?????


Fuzzy commitment

X

K

= CX(K)

Fuzzy commitment

c1

c2

c3

c4

c5

c6

c7

c8

c9

c10

c11

c12


Fuzzy commitment1

X’

X

K

f

Given  and X’X ...

f(X’ - ) = K

Fuzzy commitment

c1

c2

c3

c4

c6

c7

c8

c9

c10

c11

c12


Why is this secure

X

K

Given  alone...

Why is this secure?

c1

c2

c3

c4

c5

c6

c7

c8

c9

c10

c11

c12


Why is this secure1

X

Given  alone...

Why is this secure?

c1

c2

c3

c4

c5

c6

c7

c8

K

c9

c10

c11

c12


Why is this secure2

X

Given  alone...

Why is this secure?

c1

c2

c3

c4

c5

c6

c7

c8

K

c9

c10

c11

c12


Why is this secure3

X

Given  alone...

I.e.,  says nothing about which codeword

Why is this secure?

K

c1

c2

c3

c4

c5

c6

c7

c8

c9

c10

c11

c12


Fuzzy commitment2

Fuzzy commitment

  • Cryptographically-strong (info. theoretic) security if code is large enough, i.e, if there are enough codewords

  • Very efficient encryption/decryption

  • Tradeoff between leakage of X and error-tolerance


Our password recovery scheme

Our password recovery scheme

  • X = H(a1) | H(a2) | … | H(a15)

  • Select random codeword K

  • Compute  = CX[K] = X - K

  • Store vault = ( = CX[K]); EK[passwords]

  • Given enough right answers, I.e., X’  X, we can recover passwords

  • Typical (secure) parameterization:

    • 15 questions

    • Any 11 will open vault


Error tolerant password recovery

MyVault.com

; (EKA[SKA],PKA )

-- (fuzzy comm. to KA)

PKA

; (EKB[SKB],PKB )

-- (fuzzy comm. to KB)

; (EKC[SKC],PKC )

-- (fuzzy comm. to KC)

  • User answers questions, creates vault  = CX[K]

Alice

Bob

Charlie

  • User generates public/private key pair (SK, PK)


Error tolerant password recovery

$$

MyVault.com

-- (fuzzy comm. to KA)

; (EKA[SKA],PKA )

Pass-

words

PKA

-- (fuzzy comm. to KB)

; (EKB[SKB],PKB )

-- (fuzzy comm. to KC)

; (EKC[SKC],PKC )

  • Alice (or admin) can add to vault without opening it

Alice

Bob

Charlie


Error tolerant password recovery

$$

MyVault.com

-- (fuzzy comm. to KA)

; (EKA[SKA],PKA )

Pass

words

PKA

-- (fuzzy comm. to KB)

; (EKB[SKB],PKB )

-- (fuzzy comm. to KC)

(EKC[SKC],PKC )

  • By answering, e.g., 11 out of 15 questions, Alice can, e.g., recover SKA, and thus passwords securely using any Web-enabled device

Alice

Bob

Charlie


Error tolerant password recovery

$$

MyVault.com

-- (fuzzy comm. to KA)

;(EKA[SKA],PKA )

Pass

words

PKA

-- (fuzzy comm. to KB)

;(EKB[SKB],PKB )

-- (fuzzy comm. to KC)

;(EKC[SKC],PKC )

  • Can be a universal service: E.g., Amazon, Citibank, etc. can all store keys in Alice’s vault

Alice

Bob

Charlie

  • With external “hardening” server, can use fewer than 15 questions


Proving security

Proving Security

This is the hardest part...

  • Random (or cryptographic) hash H does not yield good results

    • E.g., UOWHFs do not help (as hash is published)

  • We must customize hash as best we can to distribution over individual answers

  • I.e., we craft H1,H2,…,H15 based on what form answers are likely to take


Refining the user experience prototype

Refining the user experience (prototype)

  • For recovery only

  • What questions should we ask?

  • In what form do we pose the questions?

  • How can we best “normalize” answers?

  • How can we best jog the user’s memory?

  • How many questions can we ask?

    • Can use, e.g., 3 out of 5, with hardening server


Questions

Questions?

What was the profession of your maternal grandfather?

Where did you celebrate the millenium?

What is the name of your doctor?

What did you give your mother for her 50th birthday?

What is your favorite piece of music?

What is the name of your father’s best friend?


  • Login