Information Security News mailing list archives

Computer game secures crypto systems from rubber hose attacks


From: InfoSec News <alerts () infosecnews org>
Date: Mon, 23 Jul 2012 11:03:07 -0500 (CDT)

http://arstechnica.com/security/2012/07/guitar-hero-crypto-blunts-rubber-hose-attacks/

By Dan Goodin
Ars Technica
July 20, 2012

A team of cryptographers and neuroscientists said they've devised an alternative password mechanism that allows users to authenticate themselves to a system using secret credentials that can't be revealed to adversaries.

The user interface, proposed in a research paper scheduled to be presented at next month's Usenix Security Symposium, is intended to blunt so-called rubber-hose attacks, in which an adversary extracts a cryptographic key out of the owner using the threat of bodily harm or similar coercion. Rather than requiring a user to memorize a password or another pattern that can be described to an attacker, it relies on a long sequence of keystrokes that are remembered through a cognitive psychology concept known as implicit learning. Like the steps for riding a bicycle or playing a piano sonata, the precise sequence is impossible for a human to articulate.

"In this paper we focus on user authentication where implicit learning is used to plant a password in the human brain that can be detected during authentication, but cannot be explicitly described by the user," the authors wrote. "Such a system avoids the problem that people can be persuaded to reveal their password."

In addition to making the keystrokes impossible to reveal, the system—which uses an interface that closely resembles the video game Guitar Hero—requires a sequence of key taps that has about "38 bits of entropy," since there are almost 248 billion combinations that can be used. User-chosen passwords, by contrast, provide only about 10 bits of security, according to a research paper published earlier this year by Joseph Bonneau, who recently obtained a PhD on passwords and personal identification numbers from the University of Cambridge. Entropy and security in this context are roughly equivalent.

[...]
