Presentation is loading. Please wait.

Presentation is loading. Please wait.

Error-Tolerant Password Recovery Niklas Frykholm and Ari Juels RSA Laboratories.

Published byDiana Heath Modified over 11 years ago

Similar presentations

Presentation on theme: "Error-Tolerant Password Recovery Niklas Frykholm and Ari Juels RSA Laboratories."— Presentation transcript:

1 Error-Tolerant Password Recovery Niklas Frykholm and Ari Juels RSA Laboratories

2 Password recovery: The problem

3 Users classifiable into two types 1. Those who don t forget or lose passwords, e.g., 2. Those who forget or lose passwords Ron Rivest Elephant

4 Current method of password recovery: use of private information u SSN –Not terribly private anymore u Amount of last deposited cheque –All Americans deposited $300 or $600 from IRS Mother s maiden name –For those of, e.g., Chinese origin, a handful of surnames cover much of population

5 u Date of birth Special Report: October 5th is America's October 5th is America's most popular birthday. Worst of all, private information must be stored on a server or available to customer service representatives

6 Aim #1:Use truly private questions u Examples: Fabio – What was the name of your first pet? Uma – What was the name of the first girl/boy you kissed? u Answers are never revealed in explicit form to server or customer service representative, etc.

7 Answers open vault for user, enabling recovery on client

8 How this might work HH H H answer 1answer 2answer 3answer 15...H(a 2 )H(a 3 )H(a 15 )H(a 1 )

9 How this might work...H(a 2 )H(a 3 )H(a 15 )H(a 1 ) X = EX[EX[ ] =

10 Aim #2: Tolerate user errors Question: What was the name of the first girl/boy you kissed? Hugh Grant Liz ? Bridget ? Dolly? Peter?

11 Now, during recovery......H(a 2 )H(a 3 )H(a 15 )H(a 1 ) Original key X = User tries X =...H(a 3 )H(a 1 ) Thus, we need to be able to open the vault if X X

12 Fuzzy commitment (JW 99) u Produce ciphertext = C X [K] of secret K under key X We can decrypt K using any X such that X X u We learn only a little information about X u Idea: Use error-correcting code -- in unorthodox way –Throw away the message space!

13 Error-correcting code c1c1 c2c2 c3c3 c5c5 c6c6 c7c7 c9c9 c 10 c 11 c4c4 c8c8 c 12 f X f(X) = c 6

14 Error-correcting code c1c1 c2c2 c3c3 c5c5 c6c6 c7c7 c9c9 c 10 c 11 c4c4 c8c8 c 12 X f(X) = ?????

15 Fuzzy commitment c1c1 c2c2 c3c3 c5c5 c6c6 c7c7 c9c9 c 10 c 11 c4c4 c8c8 c 12 K X = C X (K)

16 Given and X X... Fuzzy commitment c1c1 c2c2 c3c3 c6c6 c7c7 c9c9 c 10 c 11 c4c4 c8c8 c 12 X f(X - ) = K X f K

17 Given alone... Why is this secure? c1c1 c2c2 c3c3 c6c6 c7c7 c9c9 c 10 c 11 c4c4 c8c8 c 12 X c5c5 K

18 Given alone... Why is this secure? c1c1 c2c2 c3c3 c6c6 c7c7 c9c9 c 10 c 11 c4c4 c8c8 c 12 X c5c5 K

19 Given alone... Why is this secure? c1c1 c2c2 c3c3 c6c6 c7c7 c9c9 c 10 c 11 c4c4 c8c8 c 12 X c5c5 K

20 Why is this secure? c1c1 c2c2 c3c3 c6c6 c7c7 c9c9 c 10 c 11 c4c4 c8c8 c 12 X Given alone... I.e., says nothing about which codeword c5c5 K

21 Fuzzy commitment u Cryptographically-strong (info. theoretic) security if code is large enough, i.e, if there are enough codewords u Very efficient encryption/decryption u Tradeoff between leakage of X and error- tolerance

22 Our password recovery scheme u X = H(a 1 ) | H(a 2 ) | … | H(a 15 ) u Select random codeword K u Compute = C X [K] = X - K u Store vault = ( = C X [K]); E K [passwords] Given enough right answers, I.e., X X, we can recover passwords u Typical (secure) parameterization: v 15 questions v Any 11 will open vault

23 u User answers questions, creates vault = C X [K] Alice Bob Charlie -- (fuzzy comm. to K A ) -- (fuzzy comm. to K B ) -- (fuzzy comm. to K C ) ; (E K A [SK A ],PK A ) ; (E K B [SK B ],PK B ) ; (E K C [SK C ],PK C ) u User generates public/private key pair (SK, PK) PK A

24 u Alice (or admin) can add to vault without opening it Alice Bob Charlie -- (fuzzy comm. to K A ) -- (fuzzy comm. to K B ) -- (fuzzy comm. to K C ) ; (E K A [SK A ],PK A ) ; (E K B [SK B ],PK B ) ; (E K C [SK C ],PK C ) PK A $$ Pass- words

25 u By answering, e.g., 11 out of 15 questions, Alice can, e.g., recover SK A, and thus passwords securely using any Web-enabled device Alice Bob Charlie -- (fuzzy comm. to K A ) -- (fuzzy comm. to K B ) -- (fuzzy comm. to K C ) ; (E K A [SK A ],PK A ) ; (E K B [SK B ],PK B ) (E K C [SK C ],PK C ) PK A $$ Pass words

26 Can be a universal service: E.g., Amazon, Citibank, etc. can all store keys in Alice s vault Alice Bob Charlie -- (fuzzy comm. to K A ) -- (fuzzy comm. to K B ) -- (fuzzy comm. to K C ) ;(E K A [SK A ],PK A ) ;(E K B [SK B ],PK B ) ;(E K C [SK C ],PK C ) PK A $$ Pass words With external hardening server, can use fewer than 15 questions

27 Proving Security This is the hardest part... –Random (or cryptographic) hash H does not yield good results v E.g., UOWHFs do not help (as hash is published) –We must customize hash as best we can to distribution over individual answers –I.e., we craft H 1,H 2,…,H 15 based on what form answers are likely to take

28 Refining the user experience (prototype) u For recovery only u What questions should we ask? u In what form do we pose the questions? How can we best normalize answers? How can we best jog the user s memory? u How many questions can we ask? –Can use, e.g., 3 out of 5, with hardening server

29 What is the name of your doctor? What did you give your mother for her 50th birthday? What is your favorite piece of music? What is the name of your father s best friend? What was the profession of your maternal grandfather? Where did you celebrate the millenium? Questions?

Download ppt "Error-Tolerant Password Recovery Niklas Frykholm and Ari Juels RSA Laboratories."

Similar presentations

Handball: Simple Security Tools for Handheld Devices Niklas Frykholm, Markus Jakobsson, Ari Juels LABORATORIES.

Handball: Simple Security Tools for Handheld Devices Niklas Frykholm, Markus Jakobsson, Ari Juels LABORATORIES.
Ari Juels RSA Laboratories Marty Wattenberg 328 W. 19th Street, NYC A Fuzzy Commitment Scheme.

Ari Juels RSA Laboratories Marty Wattenberg 328 W. 19th Street, NYC A Fuzzy Commitment Scheme.
Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.

Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.
Cryptography encryption authentication digital signatures

Cryptography encryption authentication digital signatures
RSA.

RSA.
1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
1 Pretty Good Privacy (PGP) Security for Electronic Email.

1 Pretty Good Privacy (PGP) Security for Electronic .
1 Identification Who are you? How do I know you are who you say you are?

1 Identification Who are you? How do I know you are who you say you are?
Public Key Cryptosystem

Public Key Cryptosystem
Trusted Data Sharing over Untrusted Cloud Storage Provider Gansen Zhao, Chunming Rong, Jin Li, Feng Zhang, and Yong Tang Cloud Computing Technology and.

Trusted Data Sharing over Untrusted Cloud Storage Provider Gansen Zhao, Chunming Rong, Jin Li, Feng Zhang, and Yong Tang Cloud Computing Technology and.
1 Linked List Demo Node third = new Node(); third.item = Carol; third.next = null; Node second = new Node(); second.item = Bob; second.next = third;

1 Linked List Demo Node third = new Node(); third.item = "Carol"; third.next = null; Node second = new Node(); second.item = "Bob"; second.next = third;
Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
By Md Emran Mazumder Ottawa University Student no: 6282845.

By Md Emran Mazumder Ottawa University Student no:
Click on the Schedule 1 tab.

Click on the Schedule 1 tab.
Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
Computer Security Set of slides 5 Dr Alexei Vernitski.

Computer Security Set of slides 5 Dr Alexei Vernitski.
Fuzzy Vaults: Toward Secure Client-Side Matching Ari Juels RSA Laboratories 10th CACR Information Security Workshop 8 May 2002 LABORATORIES.

Fuzzy Vaults: Toward Secure Client-Side Matching Ari Juels RSA Laboratories 10th CACR Information Security Workshop 8 May 2002 LABORATORIES.

Similar presentations

Ads by Google