u Palm pros: –Cheap –Convenient –Someday ubiquitous –Smartcard alternative? u Palm cons: –Easily stolen –No tamper resistance –Often used for sensitive data –New (sometimes clumsy) style of data entry
Despite this, we want: u To prevent unauthorized access u Get good security from low entropy keys u Alert/disable in case of unauthorized access u Achieve functionality like backup in hostile environments
Attackers may u Steal devices and copy them surreptitiously u Emulate copied devices completely u See all old transcripts u Do fairly serious computing (2 50 or so…) u Mount some on-line attack
Problem with passwords on palm devices u Passwords geared toward keyboards –Palm devices use other data entry u Some studies suggest superiority of visual memory (e.g., Sheperd) u The visual approach... –Jermyn et al., Xerox PARC, Blonder, Perrig, Passfaces –Only Jermyn et al. suitable for palm devices
Visual Passwords Your PIN consists of a point on an image (or multiple such) Icons help stimulate the user s memory
Visual Passwords Error-tolerance techniques allow user to come only close to point, but security remains maximal Training routine helps fix PIN in user s memory Prototype available
Some more problems with passwords Users and passwords don t mix well: –Either too long to be easily memorized (high entropy) –Or too short to be used effectively in naïve manner u For example, AES encryption of credit cards
Credit-Card Vault Special non-redundant encryption protects card and bank account numbers with just a PIN -- Protection even against a determined hacker Prototype available
Encryption using low-entropy keys u To encrypt a list of PINS: –Select master PIN -- call it M –E[PIN 1 ] = PIN 1 M –E[PIN 2 ] = PIN 2 M, etc. u But a credit card is not so simple: –Has redundancy: Check digit –Unprotected parts may give clues to attacker
Accommodate credit-card structure u Idea: Isolate essential digits –Strip away check digit –Strip away bank numbers u Encrypt remaining digits under stream cipher mod 10 –RC4(key) 10 (cc digits) u Note: Decryption with any key yields a valid- looking credit card number
Credit-card vault Can we do Social Security Numbers? Names? Addresses?
Infrared Palm Lock Small key locks and unlocks PalmPilot Strong key would be inexpensive ($2) to manufacture in quantity
Current prototype is conceptual –Static key –20-bit entropy u Evolution: –Static key, 80-bit entropy encryption key –Rolling key, rolling encryption –Bluetooth -- interactive variant Infrared Palm Lock
Digital Signing on the Palm Online approaches may suffer from spotty connectivity Palm is convenient platform for signing An offline digital signing key protected with a PIN is vulnerable to attack if palm device is stolen I agree to buy 1000 shares of Enron at $100/share from Ken.
Our aim Distinguish attacker–generated signatures from real signatures u Alert authorities of any attacks But make alarm silent –attacker should be unable to distinguish a good signature from a bad one u All with a low-entropy PIN!
Funkspiel schematic h s1s1 s2s2 s3s3 s4s4 hh hh h r1r1 r2r2 r3r3 s i = h(s i, i) r i = h(s i, PIN) Incorporate r i into message to be signed Verifier can check correctness of r i
Why does this yield silent alarm? h s1s1 s2s2 s3s3 s4s4 hh hh h r1r1 r2r2 r3r3 r2r2 s2s2 ? ? Attacker cant learn s 2 because of one-wayness of h Attacker cant learn PIN because she cant learn s 2 Attacker cant tell whether shes tripping alarm if she signs using s 3
Inserting r i into standard scheme u We use RSA-PSS (Bellare-Rogaway) u RSA-PSS supplies random padding of messages to be signed using RSA – to avoid existential forgery u Padding has some random component, some redundancy u We let r i be the random portion
The Big Picture u Everybody can verify signatures using standard RSA-PSS Alarm center can check PIN, too, for silent alarm ! Alarm center can, e.g., inform bank if theft suspected
LABORATORIES Prototypes available for visual passwords, credit-card vault, and IR key Patents pending on visual passwords