Presentation is loading. Please wait.

Presentation is loading. Please wait.

Humanity versus Entropy: Problems with Keeping a Secret Eamon Johnson CWRU Math 408, Spring 2012 Project Presentation.

Published byDoreen Riley Modified over 9 years ago

Similar presentations

Presentation on theme: "Humanity versus Entropy: Problems with Keeping a Secret Eamon Johnson CWRU Math 408, Spring 2012 Project Presentation."— Presentation transcript:

1 Humanity versus Entropy: Problems with Keeping a Secret Eamon Johnson CWRU Math 408, Spring 2012 Project Presentation

2 Problem Statement Password: a secret used for authentication An ideal secret has a few qualities: – Hard to guess (high entropy) – Easy to remember – Easy to communicate – Easy to change Question: can entropy be increased without increasing difficulty of remembering, communicating, and changing the secret? 2

3 Background Real-time password complexity feedback increases entropy while making passwords harder to remember Other sources of personal entropy: – Things you know – Things you have – Things you are 3

4 Problems with Keeping a Secret Two underlying problems affect all practical sources of entropy: Limited Entropy – Misestimated entropy – Unchangeable secrets Single Point of Failure 4

5 Sources of Limited Entropy Imagination and Memory Personal Information – Personal Knowledge Questions – Shared History Biometrics – Information security versus authentication accuracy – Physical properties and behavioral properties 5

6 Delegation to a Single Point of Failure Secret Algorithms – Violations of Kerckhoffs's principle Off-line / Out-of-band Storage – Paper in your wallet External Technology – Physical Devices: Fobs, tokens, cards – Networked Services: single sign-on, OpenID 6

7 Combining Sources of Entropy All practical sources of entropy have well- known weaknesses, so they are often used in combination: multi-factor authentication Combination of schemes incurs a cost – Technology cost – Communication difficulty Question: how valuable is the secret? 7

8 Quantifying the Value of a Secret A secret has value by proxy when it is used to protect assets of value What is an asset worth? – Cost to return to a pre-compromise state – Time to return to a pre-compromise state – Asset value may fluctuate over time A secret-keeping mechanism has costs: – One time – Recurring 8

9 Proposal: Tiered Security 9

10 Example: Tiered Security 10 TierAsset ClassAsset ExamplePolicy 1Private informationMedical records, financial records Password in wallet, never cached 2Semi-private informationEmail access, Facebook access Password in wallet or device cache 3Useless / incorruptible information Rewards card login (only used to add points) Reused password Example tiers for personal information assets

11 Conclusion All practical sources of entropy are flawed: – Limited Entropy – Single Point of Failure Entropy must be bought Assuming acceptable risk is constant, the cost of applying the right security is the only manageable component 11

12 12 R. Munroe 2011, http://xkcd.com/936

Download ppt "Humanity versus Entropy: Problems with Keeping a Secret Eamon Johnson CWRU Math 408, Spring 2012 Project Presentation."

Similar presentations

CS5038 The Electronic Society

CS5038 The Electronic Society
1 Design of Key-Sharing System Based on a Unique Device Kenji Imamoto (Kyushu Univ.) Hiromi Fukaya (Pastel) Kouichi Sakurai (Kyushu Univ.)

1 Design of Key-Sharing System Based on a Unique Device Kenji Imamoto (Kyushu Univ.) Hiromi Fukaya (Pastel) Kouichi Sakurai (Kyushu Univ.)
An Analysis of the Alternatives to Traditional Static Alphanumeric Passwords Mahmoud Abaza and Brent Hunter School of Computing and Information Systems,

An Analysis of the Alternatives to Traditional Static Alphanumeric Passwords Mahmoud Abaza and Brent Hunter School of Computing and Information Systems,
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.

CSC 386 – Computer Security Scott Heggen. Agenda Authentication Passwords Reducing the probability of a password being guessed Reducing the probability.
Introduction CSCI 444/544 Operating Systems Fall 2008.

Introduction CSCI 444/544 Operating Systems Fall 2008.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
3d ..

3d ..
3D-password A more secured authentication G.Suresh babu Roll no:08H71A05C2 Computer science & engineering Mic college of technology Guide:Mrs A.Jaya Lakshmi.

3D-password A more secured authentication G.Suresh babu Roll no:08H71A05C2 Computer science & engineering Mic college of technology Guide:Mrs A.Jaya Lakshmi.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.

1 Chapter 11: Authentication Basics Passwords. 2 Establishing Identity Authentication: binding of identity to subject One or more of the following –What.
Users Are Not The Enemy A. Adams and M. A. Sasse Presenter: Jonathan McCune Security Reading Group February 6, 2004.

Users Are Not The Enemy A. Adams and M. A. Sasse Presenter: Jonathan McCune Security Reading Group February 6, 2004.
Polytechnic University of Tirana Faculty of Information Technology Computer Engineering Department Identification of on-line users and Digital Signature.

Polytechnic University of Tirana Faculty of Information Technology Computer Engineering Department Identification of on-line users and Digital Signature.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
05-899/17-500 Usable Privacy and Security Colleen Koranda February 7, 2006 Usable Privacy and Security I.

05-899/ Usable Privacy and Security Colleen Koranda February 7, 2006 Usable Privacy and Security I.
A more efficient and secure dynamic ID- based remote user authentication scheme Yan-yan Wang, Jia-yong Liu, Feng-xia Xiao, Jing Dan in Computer Communications.

A more efficient and secure dynamic ID- based remote user authentication scheme Yan-yan Wang, Jia-yong Liu, Feng-xia Xiao, Jing Dan in Computer Communications.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
User Authentication Recommendations Transport & Security Standards Workgroup December 10, 2014.

User Authentication Recommendations Transport & Security Standards Workgroup December 10, 2014.
Authentication for Humans Rachna Dhamija SIMS, UC Berkeley DIMACS Workshop on Usable Privacy and Security Software July 7, 2004.

Authentication for Humans Rachna Dhamija SIMS, UC Berkeley DIMACS Workshop on Usable Privacy and Security Software July 7, 2004.

Similar presentations

Ads by Google