[ISN] Computer game secures crypto systems from rubber hose attacks

From: InfoSec News <alerts_at_private>
Date: Mon, 23 Jul 2012 11:03:07 -0500 (CDT)
http://arstechnica.com/security/2012/07/guitar-hero-crypto-blunts-rubber-hose-attacks/

By Dan Goodin
Ars Technica
July 20, 2012

A team of cryptographers and neuroscientists said they've devised an 
alternative password mechanism that allows users to authenticate 
themselves to a system using secret credentials that can't be revealed 
to adversaries.

The user interface, proposed in a research paper scheduled to be 
presented at next month's Usenix Security Symposium, is intended to 
blunt so-called rubber-hose attacks, in which an adversary extracts a 
cryptographic key out of the owner using the threat of bodily harm or 
similar coercion. Rather than requiring a user to memorize a password or 
another pattern that can be described to an attacker, it relies on a 
long sequence of keystrokes that are remembered through a cognitive 
psychology concept known as implicit learning. Like the steps for riding 
a bicycle or playing a piano sonata, the precise sequence is impossible 
for a human to articulate.

"In this paper we focus on user authentication where implicit learning 
is used to plant a password in the human brain that can be detected 
during authentication, but cannot be explicitly described by the user," 
the authors wrote. "Such a system avoids the problem that people can be 
persuaded to reveal their password."

In addition to making the keystrokes impossible to reveal, the 
system—which uses an interface that closely resembles the video game 
Guitar Hero—requires a sequence of key taps that has about "38 bits of 
entropy," since there are almost 248 billion combinations that can be 
used. User-chosen passwords, by contrast, provide only about 10 bits of 
security, according to a research paper published earlier this year by 
Joseph Bonneau, who recently obtained a PhD on passwords and personal 
identification numbers from the University of Cambridge. Entropy and 
security in this context are roughly equivalent.

[...]

Received on Mon Jul 23 2012 - 09:03:07 PDT