Non-Text Passwords – Cryptography Applications Bistro – Jessica Greer, February 12, 2004
Outline • Speech-Generated Cryptographic Keys • Password Hardening Based on Keystroke Dynamics • Other new ideas for non-text passwords based on behavioral biometric features
Key Generation • Based on repeatable behavioral biometric characteristics • timing • force of keystrokes • voice frequencies • Aims to achieve two goals • Breaking passwords will be no easier • For some or most, breaking them will be harder
Speech-Generated Keys – Monrose & Reiter • System initialization • Generate key K • Generate 2m shares of K using a generalized secret sharing scheme, with m a system parameter • Shares arranged within an m x 2 table such that K can be reconstructed from any set of m shares consisting of one share from each row
Twist on traditional secret sharing • Traditional defense: attacker will not possess enough shares to reconstruct the secret • In this case, an attacker would have all shares if he had access to the physical device • Requirement change: that the attacker will not be able to find a sufficient set of valid shares in the table (make an exhaustive search computationally difficult)
Speech-Generated Keys – Monrose & Reiter • Gathering behavioral measurements • User utters passphrase • System performs front-end signal processing and records measurements about voice features My voice is my passport. Verify me? (photo from www.imdb.com)
Signal processing • User utterance sampled at a predefined sampling rate • Minimum sampling rate on Compaq iPAQ: 32 kHz • Reduce computational and storage cost by downsampling to 8 kHz (sufficient to accurately capture the signal) – throw 3 of 4 samples away
Signal processing • Signal then broken down and cleaned up • Sample must be clean so as to be an accurate representation of user’s voice • Arranged into frames – 12-dimensional vectors of reals • Background noise removed by calculating avg. noise in white space in the sample and subtracting it from entire length of sample • Sample data converted to bit sequence called a feature descriptor; used to regenerate key
Gathering behavioral statistics • System measures m behavioral features of a user’s utterance • Array of measurements concatenated into a bit string for each login attempt
Gathering behavioral statistics • For each successful login attempt, the system updates the history of feature descriptors (consistent behavioral features)
Distinguishing features • Security depends upon the number of distinguishing features of the voice • A feature bai (a the account, i the feature, Ti the threshold for feature i) is a distinguishing feature if the user’s measurements consistently fall on one side of the threshold: • Ti > avg(bai) + k stddev(bai) or • Ti < avg(bai) - k stddev(bai)
Going back to the m x 2 table… • Elements of the table not consistently accessed are randomly perturbed • The correct user should not encounter perturbed (invalid) elements in the table • The more often the user logs in, the stronger the system becomes
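The table, distinguishing-feature test and perturbation step from the preceding slides, worked through in Python as an added example (not code from the talk or from Monrose and Reiter's implementation). A toy Shamir scheme over a prime field stands in for the generalized secret sharing, the thresholds T_i are assumed to be fixed per-feature values, the column choice (0 below T_i, 1 at or above it) and the login history are constructed for the example, and the password encryption of the table mentioned later is omitted.

```python
import secrets
import statistics

P = 2**127 - 1  # field modulus for the toy Shamir scheme (assumption, not from the paper)

def make_table(key, m):
    """2m Shamir shares of key; row i holds the points x=2i+1 and x=2i+2.
    Any m points, one per row, reconstruct key, so both columns start valid."""
    coeffs = [key] + [secrets.randbelow(P) for _ in range(m - 1)]
    f = lambda x: sum(c * pow(x, j, P) for j, c in enumerate(coeffs)) % P
    return [[(2*i + 1, f(2*i + 1)), (2*i + 2, f(2*i + 2))] for i in range(m)]

def reconstruct(points):
    """Lagrange interpolation at x=0 over GF(P); a perturbed point yields garbage."""
    k = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num, den = num * -xj % P, den * (xi - xj) % P
        k = (k + yi * num * pow(den, -1, P)) % P
    return k

def distinguishing(history, thresholds, k):
    """Feature i is distinguishing if the user's mean lies more than
    k standard deviations from T_i (the two conditions on the slide)."""
    flags = []
    for i, t in enumerate(thresholds):
        vals = [h[i] for h in history]
        mu, sd = statistics.mean(vals), statistics.pstdev(vals)
        flags.append(t > mu + k * sd or t < mu - k * sd)
    return flags

def harden(table, history, thresholds, k):
    """Overwrite the share in the column a distinguishing feature never selects."""
    for i, flag in enumerate(distinguishing(history, thresholds, k)):
        if flag:
            used = int(statistics.mean(h[i] for h in history) >= thresholds[i])
            x, _ = table[i][1 - used]
            table[i][1 - used] = (x, secrets.randbelow(P))  # random, invalid share
    return table

def login(table, measurements, thresholds):
    """Column per row is 0 if the feature falls below T_i, else 1; follow that path."""
    bits = [int(v >= t) for v, t in zip(measurements, thresholds)]
    return reconstruct([table[i][b] for i, b in enumerate(bits)])

# constructed sample: 4 features, a global threshold of 10.0, three past logins
THRESHOLDS = [10.0] * 4
HISTORY = [[6.0, 14.1, 9.8, 12.0], [6.2, 13.9, 10.2, 8.5], [5.9, 14.0, 9.7, 11.5]]
```

Before `harden` every path through the table yields K, which is why the system starts out no stronger than a plain password; afterwards only the path a consistent speaker follows does, while a variable feature (both columns still valid) never locks the legitimate user out.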
Empirical results • For an implementation in which the table was also encrypted with a password – makes a dictionary attack against the password up to 2^15 times more difficult
Password hardening based on keystroke dynamics • Very similar concept – system begins as secure as a traditional password system and begins perturbing values in secret-sharing table that are not repeated consistently
Potential problems • Painful to change password, if security greater than traditional systems is essential – cost associated with retraining the system • In keystroke system, some degree of inference can be made about keystroke dynamics if password is known, and vice versa • Not ideal for users who use different keyboards • Security determined by degree of uniqueness of user’s voice or typing style
Is it accurate enough? • Bergadano, Gunetti, and Picardi think not • Inherent variability in most behavioral biometric identifiers is too great • Propose using much longer samples and generating key based on duration of digraphs and trigraphs (sets of two and three consecutive letters) • Not an appropriate substitute for traditional password systems • Greater inherent variability with longer samples?
For more information • www.biopassword.com • Free demo • www.mytec.com