error-tolerant password recovery
DESCRIPTION
Error-Tolerant Password Recovery. To err is human, to forgive divine. Niklas Frykholm and Ari Juels RSA Laboratories. Password recovery: The problem. Elephant. Ron Rivest. Users classifiable into two types. 1. Those who don’t forget or lose passwords, e.g.,. - PowerPoint PPT PresentationTRANSCRIPT
Error-TolerantPassword Recovery
Niklas Frykholm and Ari JuelsRSA Laboratories
Password recovery: The problem
Users classifiable into two types
1. Those who don’t forget or lose passwords, e.g.,
2. Those who forget or lose passwords
Ron Rivest Elephant
Current method of password recovery:
use of “private” information SSN
– Not terribly private anymore Amount of last deposited cheque
– All Americans deposited $300 or $600 from IRS
Mother’s maiden name– For those of, e.g., Chinese origin, a handful
of surnames cover much of population
Date of birth
Special Report:October 5th is America's
most popular birthday.
Worst of all, “private” information must be stored on a server or available to customer service representatives
Aim #1:Use truly private questions
Examples:
“Fabio”– “What was the name of your first pet?”
“Uma”
– “What was the name of the first girl/boy you kissed?”
Answers are never revealed in explicit form to server or customer service representative, etc.
Answers open “vault” for user,
enabling recovery on client
How this might work
H H H H
answer 1 answer 2 answer 3 answer 15
...H(a2) H(a3) H(a15)H(a1)
How this might work
...H(a2) H(a3) H(a15)H(a1)X =
EX[ ] =
Aim #2: Tolerate user errors
Question: “What was the name of the first girl/boy you kissed?”
Hugh Grant
“Liz”?
“Bridget”?
“Dolly?”
“Peter?”
Now, during recovery...
...H(a2) H(a3) H(a15)H(a1)
Original key X =
User tries X’ =
...H(a3)H(a1)
Thus, we need to be able to open the vault if X’ X
Fuzzy commitment (JW ‘99)
Produce ciphertext = CX[K] of secret K under key X
We can decrypt K using any X’ such that X’ X
We learn only a little information about X
Idea: Use error-correcting code -- in unorthodox way– Throw away the message space!
Error-correcting code
c1 c2 c3
c5 c6 c7
c9 c10 c11
c4
c8
c12
fX
f(X) = c6
Error-correcting code
c1 c2 c3
c5 c6 c7
c9 c10 c11
c4
c8
c12
X
f(X) = ?????
Fuzzy commitment
c1 c2 c3
c5 c6 c7
c9 c10 c11
c4
c8
c12
K
X
= CX(K)
Given and X’X ...
Fuzzy commitment
c1 c2 c3
c6 c7
c9 c10 c11
c4
c8
c12
X
f(X’ - ) = K
X’f
K
Given alone...
Why is this secure?
c1 c2 c3
c6 c7
c9 c10 c11
c4
c8
c12
X
c5
K
Given alone...
Why is this secure?
c1 c2 c3
c6 c7
c9 c10 c11
c4
c8
c12
Xc5
K
Given alone...
Why is this secure?
c1 c2 c3
c6 c7
c9 c10 c11
c4
c8
c12
Xc5
K
Why is this secure?
c1 c2 c3
c6 c7
c9 c10 c11
c4
c8
c12
X
Given alone... I.e., says nothing about which codeword
c5
K
Fuzzy commitment
Cryptographically-strong (info. theoretic) security if code is large enough, i.e, if there are enough codewords
Very efficient encryption/decryption Tradeoff between leakage of X and
error-tolerance
Our password recovery scheme
X = H(a1) | H(a2) | … | H(a15) Select random codeword K Compute = CX[K] = X - K
Store vault = ( = CX[K]); EK[passwords] Given enough right answers, I.e., X’ X, we
can recover passwords Typical (secure) parameterization:
15 questions Any 11 will open vault
User answers questions, creates vault = CX[K]
Alice
Bob
Charlie
-- (fuzzy comm. to KA)
-- (fuzzy comm. to KB)
-- (fuzzy comm. to KC)
; (EKA[SKA],PKA )
; (EKB[SKB],PKB )
; (EKC[SKC],PKC )
User generates public/private key pair (SK, PK)
PKA
Alice (or admin) can add to vault without opening it
Alice
Bob
Charlie
-- (fuzzy comm. to KA)
-- (fuzzy comm. to KB)
-- (fuzzy comm. to KC)
; (EKA[SKA],PKA )
; (EKB[SKB],PKB )
; (EKC[SKC],PKC )
PKA
$$
Pass-words
By answering, e.g., 11 out of 15 questions, Alice can, e.g., recover SKA, and thus passwords securely using any Web-enabled device
Alice
Bob
Charlie
-- (fuzzy comm. to KA)
-- (fuzzy comm. to KB)
-- (fuzzy comm. to KC)
; (EKA[SKA],PKA )
; (EKB[SKB],PKB )
(EKC[SKC],PKC )
PKA
$$
Passwords
Can be a universal service: E.g., Amazon, Citibank, etc. can all store keys in Alice’s vault
Alice
Bob
Charlie
-- (fuzzy comm. to KA)
-- (fuzzy comm. to KB)
-- (fuzzy comm. to KC)
;(EKA[SKA],PKA )
;(EKB[SKB],PKB )
;(EKC[SKC],PKC )
PKA
$$
Passwords
With external “hardening” server, can use fewer than 15 questions
Proving Security
This is the hardest part...– Random (or cryptographic) hash H does
not yield good results E.g., UOWHFs do not help (as hash is
published)
– We must customize hash as best we can to distribution over individual answers
– I.e., we craft H1,H2,…,H15 based on what form answers are likely to take
Refining the user experience (prototype)
For recovery only What questions should we ask? In what form do we pose the questions? How can we best “normalize” answers? How can we best jog the user’s memory? How many questions can we ask?
– Can use, e.g., 3 out of 5, with hardening server
What is the name of your doctor?
What did you give your mother for her 50th birthday?
What is your favorite piece of music?
What is the name of your father’s best friend?
What was the profession of your maternal grandfather?Where did you celebrate the millenium?
Questions?