1 / 29

Error-Tolerant Password Recovery

Error-Tolerant Password Recovery. To err is human, to forgive divine. Niklas Frykholm and Ari Juels RSA Laboratories. Password recovery: The problem. Elephant. Ron Rivest. Users classifiable into two types. 1. Those who don ’ t forget or lose passwords, e.g.,.

Download Presentation

Error-Tolerant Password Recovery

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Error-TolerantPassword Recovery To err is human, to forgive divine... Niklas Frykholm and Ari Juels RSA Laboratories

  2. Password recovery: The problem

  3. Elephant Ron Rivest Users classifiable into two types 1. Those who don’t forget or lose passwords, e.g., 2. Those who forget or lose passwords

  4. Current method of password recovery:use of “private” information • SSN • Not terribly private anymore • Amount of last deposited cheque • All Americans deposited $300 or $600 from IRS • Mother’s maiden name • For those of, e.g., Chinese origin, a handful of surnames cover much of population

  5. Special Report:October 5th is America's most popular birthday. • Date of birth • Worst of all, “private” information must be stored on a server or available to customer service representatives

  6. “What was the name of your first pet?” “Fabio” • “What was the name of the first girl/boy you kissed?” “Uma” Aim #1:Use truly private questions • Examples: • Answers are never revealed in explicit form to server or customer service representative, etc.

  7. My passwords My private keys Answers open “vault” for user,enabling recovery on client

  8. answer 1 answer 2 answer 3 answer 15 H H H H H(a1) H(a2) H(a3) H(a15) How this might work ...

  9. EX[ ] = My private keys How this might work X = H(a1) H(a2) H(a3) ... H(a15)

  10. “Dolly?” “Liz”? “Peter?” “Bridget”? Hugh Grant Aim #2: Tolerate user errors • Question: “What was the name of the first girl/boy you kissed?”

  11. H(a1) H(a2) H(a3) H(a15) H(a1) H(a3) ... Now, during recovery... Original key X = ... User tries X’ = Thus, we need to be able to open the vault if X’ X

  12. Fuzzy commitment (JW ‘99) • Produce ciphertext  = CX[K] of secret K under key X • We can decrypt K using any X’ such that X’ X • We learn only a little information about X • Idea: Use error-correcting code -- in unorthodox way • Throw away the message space!

  13. X f Error-correcting code c1 c2 c3 c4 c5 c6 c7 c8 c9 c10 c11 c12 f(X) = c6

  14. X Error-correcting code c1 c2 c3 c4 c5 c6 c7 c8 c9 c10 c11 c12 f(X) = ?????

  15. X K  = CX(K) Fuzzy commitment c1 c2 c3 c4 c5 c6 c7 c8 c9 c10 c11 c12

  16. X’ X K f Given  and X’X ... f(X’ - ) = K Fuzzy commitment c1 c2 c3 c4 c6 c7 c8 c9 c10 c11 c12

  17. X K Given  alone... Why is this secure? c1 c2 c3 c4 c5 c6 c7 c8 c9 c10 c11 c12

  18. X Given  alone... Why is this secure? c1 c2 c3 c4 c5 c6 c7 c8 K c9 c10 c11 c12

  19. X Given  alone... Why is this secure? c1 c2 c3 c4 c5 c6 c7 c8 K c9 c10 c11 c12

  20. X Given  alone... I.e.,  says nothing about which codeword Why is this secure? K c1 c2 c3 c4 c5 c6 c7 c8 c9 c10 c11 c12

  21. Fuzzy commitment • Cryptographically-strong (info. theoretic) security if code is large enough, i.e, if there are enough codewords • Very efficient encryption/decryption • Tradeoff between leakage of X and error-tolerance

  22. Our password recovery scheme • X = H(a1) | H(a2) | … | H(a15) • Select random codeword K • Compute  = CX[K] = X - K • Store vault = ( = CX[K]); EK[passwords] • Given enough right answers, I.e., X’ X, we can recover passwords • Typical (secure) parameterization: • 15 questions • Any 11 will open vault

  23. MyVault.com ; (EKA[SKA],PKA ) -- (fuzzy comm. to KA) PKA ; (EKB[SKB],PKB ) -- (fuzzy comm. to KB) ; (EKC[SKC],PKC ) -- (fuzzy comm. to KC) • User answers questions, creates vault  = CX[K] Alice Bob Charlie • User generates public/private key pair (SK, PK)

  24. $$ MyVault.com -- (fuzzy comm. to KA) ; (EKA[SKA],PKA ) Pass- words PKA -- (fuzzy comm. to KB) ; (EKB[SKB],PKB ) -- (fuzzy comm. to KC) ; (EKC[SKC],PKC ) • Alice (or admin) can add to vault without opening it Alice Bob Charlie

  25. $$ MyVault.com -- (fuzzy comm. to KA) ; (EKA[SKA],PKA ) Pass words PKA -- (fuzzy comm. to KB) ; (EKB[SKB],PKB ) -- (fuzzy comm. to KC) (EKC[SKC],PKC ) • By answering, e.g., 11 out of 15 questions, Alice can, e.g., recover SKA, and thus passwords securely using any Web-enabled device Alice Bob Charlie

  26. $$ MyVault.com -- (fuzzy comm. to KA) ;(EKA[SKA],PKA ) Pass words PKA -- (fuzzy comm. to KB) ;(EKB[SKB],PKB ) -- (fuzzy comm. to KC) ;(EKC[SKC],PKC ) • Can be a universal service: E.g., Amazon, Citibank, etc. can all store keys in Alice’s vault Alice Bob Charlie • With external “hardening” server, can use fewer than 15 questions

  27. Proving Security This is the hardest part... • Random (or cryptographic) hash H does not yield good results • E.g., UOWHFs do not help (as hash is published) • We must customize hash as best we can to distribution over individual answers • I.e., we craft H1,H2,…,H15 based on what form answers are likely to take

  28. Refining the user experience (prototype) • For recovery only • What questions should we ask? • In what form do we pose the questions? • How can we best “normalize” answers? • How can we best jog the user’s memory? • How many questions can we ask? • Can use, e.g., 3 out of 5, with hardening server

  29. Questions? What was the profession of your maternal grandfather? Where did you celebrate the millenium? What is the name of your doctor? What did you give your mother for her 50th birthday? What is your favorite piece of music? What is the name of your father’s best friend?

More Related