Presentation is loading. Please wait.

Presentation is loading. Please wait.

HumanAUT Secure Human Identification Protocols Adam Bender Avrim Blum Manuel Blum Nick Hopper The ALADDIN Center Carnegie Mellon University.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "HumanAUT Secure Human Identification Protocols Adam Bender Avrim Blum Manuel Blum Nick Hopper The ALADDIN Center Carnegie Mellon University."— Presentation transcript:

1 HumanAUT Secure Human Identification Protocols Adam Bender Avrim Blum Manuel Blum Nick Hopper The ALADDIN Center Carnegie Mellon University

2 Background Concerned with designing secure human-executable authentication protocols Authentication protocol: process for a human to prove his unique identity to a computer Examples: typing password at prompt, keying in PIN at ATM

3 Background Need for such schemes comes from fact that all current authentication schemes have flaws Protocols need to withstand observation by adversaries, loss or compromise of any hardware (smart cards, biometrics, etc. vulnerable)

4 Challenge-response Computer asks a series of questions If answered correctly, user is authenticated, otherwise they are locked out Very common in practice as aids to recall forgotten passwords To be used for authentication, challenges cannot be repeated

5 HumanAUT HumanAUT is a challenge-response scheme with a shared secret between the human, who answers challenges using the secret, and the computer, which generates a unique random challenge on demand, such that the correct response depends on the shared secret

6 Previous scheme – Hopper Presented in ASIACRYPT ’01 Challenge is a large grid with n digits, shared secret is subset of size k Response is sum of these k digits mod 10

7 Previous scheme – Hopper Respond to 7 challenges, with exactly one response incorrect Makes learning by observation NP- hard Takes work to break; for n = 1000, k = 19, work is  2 78

8 Previous scheme – A. Blum Challenge is set of n bits, secret is two subsets of size log(n) (log(1000) = 10) Response is mode (more common bit) of first subset  parity (cumulative  ) of second subset Based on a difficult machine learning problem; hard to determine both sets Predicting response  knowing both sets, if the mode bit is “noisy”

9 Producing potential protocols Tried to create protocol that combines security guarantee of Hopper with simple calculations of Blum Schemes had at best marginal improvement over Hopper No real efficient way to generalize bits to digits, other than to use something similar to Hopper

10 A more practical problem Proposed by M. Blum Want a protocol that is secure after three authentications are observed Instead of any number Allows much simpler protocols, and would still be much more secure in practice than PINs

11 Letter mappings Each person has their own private mapping from letters to single digits 10 26 possible random mappings,  86 bits of secret Possible to learn a random mapping in 5 minutes Rue, “Eighty-six bits of memory magic”, 2002 Taught mapping to truly random digits

12 A A maps to 1 It is the 1 st letter of the alphabet

13 B B maps to 0

14 C C maps to 0

15 D D maps to 9 Dressed to the 9’s (there’s no D-9’ing it)

16 E E maps to 7 E s v n

17 F F maps to 3 F is made of 3 lines - reeFth

18 G G maps to 2 Goody goody 2 shoes

19 Let’s review A – 1 (1st letter of alphabet) B – 0 (B00) C – 0 (C  0) D – 9 (dressed to the 9’s, no D-9’ing) E – 7 (sEvEn) F – 3 (free  three) G – 2 (goody goody 2 shoes)

20 The protocol Challenge is a random 3-letter “word” Each letter can only appear once in a challenge (or else information is leaked) Thus there are = 2600 challenges Response is sum of the digits that those 3 letters map to, taken mod 10 Repeat 6 times, 1/10 6 chance of guessing

21 Example Challenge:FBA 301301 Challenge:GED 279279 ++ ++ = 4 = 8

22 Security analysis Each challenge-response represents an equation in 3 of 26 variables Every authentication is a set of 6 linear equations, which can be treated as vectors These vectors then form a binary matrix, where each row has 3 1’s and 23 0’s

23 Security analysis Assume an attacker has observed some challenge-response pairs, and thus has formed such a matrix from the equations When could he predict the answer to a new challenge?

24 Independence He can determine the solution to a new challenge c if that challenge can be expressed in terms of the vectors of M That is, if c is not independent of M Goal: given a matrix M with n equations (rows), find how likely is it that a new challenge c is independent

25 Rank The rank of a matrix is the number of linearly independent rows in that matrix If rank(M) < rank([M c]), then c is independent of M

26 Calculations Use Mathematica to calculate Pr[rank(M) < rank([M c])] vs. n, given random M with n rows and random c Get a nice graph For n = 18 (6 equations * 3 authentications), Pr[independence]  98%, so very likely that adversary cannot predict correct response

27 Probability of dependence

28 What I did on my summer vacation Did independent study (same topic) last spring Enjoyed the experience and learned a lot about research methods and such Convinced me that I should go to grad school

29

30 Previous scheme – A. Blum Challenge is set of n bits, secret is two subsets of size log(n) Response is mode (more common bit) of first subset  parity (cumulative  ) of second subset Based on a difficult machine learning problem; hard to determine both sets Predicting answer is equivalent to knowing both sets

31 Proposed scheme Based on both of these previous schemes, as well as ideas from Charlie Garrod Started as a way to generalize Avrim’s scheme from bits to digits Improvement is that it is easier and faster to execute

32 Proposed scheme Challenge is set of n digits Secret is two subsets, A and B, of size log(n) m A is mode of the parities (even or odd) of the digits in A (0 or 1), m B is mode of the parities the digits in B If m A  m B = 0, response is sum of digits in A mod 10, else response is sum of digits in B mod 10

33 Security analysis Each digit could affect the mode of parities (and thus the choice of which subset to add), and does affect the sum Thus learning membership in the secret subset has the same work complexity – For n = 1024, work  2 78

34 Executability analysis Hopper’s scheme: 18 additions / response 7 responses / authentication 126 total additions Guessing succeeds 1 out of 1.1*10 6 trials Proposed scheme: 2 counts to 5, 9 additions / response 6 responses / authentication 54 total additions Guessing succeeds 1 out of 10 6 trials

35 A consideration Subsets must have an odd number of elements or else there is a possibility of having a set where both parities occur the same number of times Could use 11 digit subsets (work factor increases to 2 85 ), or 9-digit and 11-digit subsets to have a secret of the same size

36 Presentation 2674 8943 0614 2352 Can be presented as a grid of digits on a map – Easier for people to recall Locations on a map Secret subsets ( and ) are randomly distributed AB

37 Presentation 2674 8943 0614 2352 Modes of parities are even (0) and odd (1) 0  1 = 1, so use B Response is 7+3+1+2=3

38 Modeling with equations

Download ppt "HumanAUT Secure Human Identification Protocols Adam Bender Avrim Blum Manuel Blum Nick Hopper The ALADDIN Center Carnegie Mellon University."

Similar presentations

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Michael Alves, Patrick Dugan, Robert Daniels, Carlos Vicuna

Michael Alves, Patrick Dugan, Robert Daniels, Carlos Vicuna
Physical Unclonable Functions and Applications

Physical Unclonable Functions and Applications
Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.

Cryptology Passwords and Authentication Prof. David Singer Dept. of Mathematics Case Western Reserve University.
Bounds on Code Length Theorem: Let l ∗ 1, l ∗ 2,..., l ∗ m be optimal codeword lengths for a source distribution p and a D-ary alphabet, and let L ∗ be.

Bounds on Code Length Theorem: Let l ∗ 1, l ∗ 2,..., l ∗ m be optimal codeword lengths for a source distribution p and a D-ary alphabet, and let L ∗ be.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
Theoretical Program Checking Greg Bronevetsky. Background The field of Program Checking is about 13 years old. Pioneered by Manuel Blum, Hal Wasserman,

Theoretical Program Checking Greg Bronevetsky. Background The field of Program Checking is about 13 years old. Pioneered by Manuel Blum, Hal Wasserman,
Computability and Complexity 20-1 Computability and Complexity Andrei Bulatov Random Sources.

Computability and Complexity 20-1 Computability and Complexity Andrei Bulatov Random Sources.
Reliability of Disk Systems. Reliability So far, we looked at ways to improve the performance of disk systems. Next, we will look at ways to improve the.

Reliability of Disk Systems. Reliability So far, we looked at ways to improve the performance of disk systems. Next, we will look at ways to improve the.
Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science ©2002-2004 Matt.

Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science © Matt.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.

1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
Authentication. Terminology  Authentication التثبت من الهوية  Access Control (authorization) التحكم في الوصول  Note the difference between the two.

Authentication. Terminology  Authentication التثبت من الهوية  Access Control (authorization) التحكم في الوصول  Note the difference between the two.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.

Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.
On The Cryptographic Applications of Random Functions Oded Goldreich Shafi Goldwasser Silvio Micali Advances in Cryptology-CRYPTO ‘ 84 報告人 : 陳昱升.

On The Cryptographic Applications of Random Functions Oded Goldreich Shafi Goldwasser Silvio Micali Advances in Cryptology-CRYPTO ‘ 84 報告人 : 陳昱升.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
HumanAUT Secure Human Identification Protocols Adam Bender Manuel Blum Nick Hopper The ALADDIN Center Carnegie Mellon University.

HumanAUT Secure Human Identification Protocols Adam Bender Manuel Blum Nick Hopper The ALADDIN Center Carnegie Mellon University.
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

Similar presentations

Ads by Google