Neuroscience Meets Cryptography:

phoebe-click
Uploaded On 2015-09-27

Designing Crypto Primitives Secure Against Rubber Hose Attacks. A Paper by Hristo Bojinov, Daniel Sanchez, Paul Reber, Dan Boneh, Patrick Lincoln.

Presentation Transcript

Slide1

Neuroscience Meets Cryptography: Designing Crypto Primitives Secure Against Rubber Hose Attacks

A Paper by Hristo Bojinov, Daniel Sanchez, Paul Reber, Dan Boneh, Patrick Lincoln.

Presented By: Jwala N Rao. M, Deepika M.

Course Advisor: Dr. Huzur Saran

SIL-765

Slide2

Cryptographic systems often rely on the secrecy of cryptographic keys given to users.

Many schemes cannot resist coercion attacks. These attacks are known as rubber hose cryptanalysis.

In this paper, we present a defense against these attacks using implicit learning from cognitive psychology.

Slide3

Implicit Learning

Implicit learning involves the part of the brain called the basal ganglia, which learns tasks such as riding a bicycle or playing golf by repeatedly performing those tasks.

Knowledge learned in this way is not consciously accessible to the person being trained.

Slide4

Benefits over biometric authentication

Unlike biometrics, the authenticating information cannot be duplicated, and participants cannot reveal it even if they want to.

In addition, if the trained sequence is compromised, a new identifying sequence can be trained as a replacement, resulting in a change of password.

Slide5

We use a computer game to plant a secret password in the participant’s brain - without conscious knowledge.

To use this system, participants would be initially trained to do a specific task called Serial Interception Sequence Learning (SISL).

Slide6

The SISL Task and Applet

The execution of the Serial Interception Sequence Learning (SISL) task is central to the authentication system that we have developed.

SISL is a task in which human participants develop sensitivity to structured information without being aware of what they have learned.

The task requires participants to intercept moving objects (circles) delivered in a pre-determined sequence, much as is done in the popular game “Guitar Hero”.

Slide7

Slide8

Initially each object appears at the top of one of six different columns, and falls vertically at a constant speed until it reaches the “sink” at the bottom, at which point it disappears.

The goal is to intercept every object as it nears the sink. Interception is performed by pressing the key that corresponds to the object’s column when the object is in the correct vertical position.

Slide9

The sequences are designed to prevent easy-to-remember patterns from emerging.

The result is that while the trained sequence is performed better than an untrained sequence, the participant usually does not consciously recognize the trained sequence. To confirm this, SISL participants are typically asked to complete tests of explicit recognition in which they specify how familiar various sequences look to them.

Slide10

The Basic Authentication System Using Implicit Learning

The identification system operates in two steps: Training and Authentication.

Slide11

Training

In the training phase, users learn a secret key by playing the SISL game in a trusted environment. The secret key is similar to a sequence of 30 characters over the set S = {s, d, f, j, k, l}. We only use 30-character sequences that correspond to an Euler cycle in the graph shown in the following figure.

These sequences have the property that every non-repeating bigram over S (such as ‘sd’, ‘dj’, ‘fk’) appears exactly once.

Slide12

Slide13

The trainee is presented with the 30-item secret key sequence repeated three times, followed by 18 items selected from a random other sequence, for a total of 108 items.

This sequence is repeated five times, so that the trainee is presented with a total of 540 items. At the end of this sequence there is a short pause in the SISL game and then the entire sequence of 540 items is repeated six more times.

This takes 30-45 minutes.
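The key construction and training schedule from the Training slides, as an added example that is not code from the paper or the presenters. It assumes the graph in the missing figure is the complete directed graph on the six keys without self-loops (which is what the 30-bigram property implies) and that the 18 filler items are a contiguous cyclic window of the other sequence; all function names are hypothetical.

```python
import secrets
from itertools import permutations

SYMBOLS = "sdfjkl"              # key alphabet S from the slide
_rng = secrets.SystemRandom()   # CSPRNG, because the sequence is a secret key

def random_euler_key(symbols=SYMBOLS):
    """Return a cyclic key that uses every ordered pair of distinct symbols once.

    Hierholzer's algorithm on the complete directed graph without self-loops.
    Shuffling the edge lists varies the cycle but is not uniform over all cycles.
    """
    out = {a: [b for b in symbols if b != a] for a in symbols}
    for edges in out.values():
        _rng.shuffle(edges)
    stack, cycle = [_rng.choice(symbols)], []
    while stack:
        v = stack[-1]
        if out[v]:
            stack.append(out[v].pop())   # follow an unused outgoing edge
        else:
            cycle.append(stack.pop())    # no edges left: vertex joins the cycle
    cycle.reverse()                      # 31 vertices, first == last
    return "".join(cycle[:-1])           # 30 symbols, read cyclically

def is_valid_key(key, symbols=SYMBOLS):
    """Check the bigram property, including the wrap-around pair."""
    bigrams = [key[i] + key[(i + 1) % len(key)] for i in range(len(key))]
    expected = {a + b for a, b in permutations(symbols, 2)}
    return len(bigrams) == len(expected) and set(bigrams) == expected

def training_block(key, other):
    """108 items: the key three times, then 18 items of another sequence."""
    start = _rng.randrange(len(other))   # assumption: contiguous cyclic window
    filler = "".join(other[(start + i) % len(other)] for i in range(18))
    return key * 3 + filler

def training_session(key, other):
    """540 items: the 108-item block repeated five times."""
    return training_block(key, other) * 5

def full_training(key, other):
    """The 540-item session once, then six more times (3780 items)."""
    return training_session(key, other) * 7
```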

Slide14

Authentication

To authenticate, a trained user is presented with the SISL game where elements from the trained authentication sequence and untrained elements will be present.

By exhibiting reliably better performance on the trained elements compared to untrained, the participant validates his or her identity. Let k0 be the trained 30-item sequence and let k1, k2 be two additional 30-item sequences chosen at random from S. The same sequences (k0, k1, k2) are used for all authentication sessions.

Let p_i be the fraction of correct keys the user entered during all plays of the sequence k_i.

The system declares that authentication succeeded if

p0 > average(p1, p2) + λ

Slide15

Two Precautions:

First, verifying that the authenticator is a live human.

Second, the final training speed is known to the authentication server, and the attacker is unlikely to match that performance difference between the trained and untrained blocks. A performance gap that is substantially different from the one obtained after training indicates an attack.
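The decision rule from the Authentication slide combined with the second precaution, as an added example that is not code from the paper or the presenters. The log format, the function names, the tolerance band used to decide "substantially different", and all numeric values are assumptions constructed for illustration.

```python
from statistics import mean

def hit_rates(trials, n_sequences=3):
    """Compute p_i from (sequence_index, hit) pairs logged during the game."""
    hits = [0] * n_sequences
    total = [0] * n_sequences
    for idx, hit in trials:
        total[idx] += 1
        hits[idx] += bool(hit)
    if 0 in total:
        raise ValueError("every sequence k0..k2 must be played at least once")
    return [h / t for h, t in zip(hits, total)]

def authenticate(trials, lam, trained_gap, tolerance):
    """Apply p0 > average(p1, p2) + lam, then check the gap is plausible.

    trained_gap is the gap the server recorded at the end of training;
    tolerance is a hypothetical band around it (not a value from the slides).
    """
    p0, p1, p2 = hit_rates(trials)
    gap = p0 - mean([p1, p2])
    if gap <= lam:
        return "reject"     # no reliable advantage on the trained sequence
    if abs(gap - trained_gap) > tolerance:
        return "suspect"    # advantage present but unlike the trained one
    return "accept"

def constructed_trials(hits_per_sequence, plays=300):
    """Constructed log: `plays` items per sequence, the first `hits` correct."""
    return [(i, n < hits)
            for i, hits in enumerate(hits_per_sequence)
            for n in range(plays)]

# Constructed sessions: hits out of 300 items for k0, k1, k2.
TRAINED_USER = constructed_trials([240, 210, 216])    # gap about 0.09
UNTRAINED_USER = constructed_trials([210, 210, 216])  # gap about -0.01
OUTLIER = constructed_trials([300, 150, 150])         # gap 0.5, implausible
```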

Slide16

Usability Experiments

Experiment 1: Implicit and Explicit Learning

Our first experiment confirmed that implicit learning can be clearly detected while explicit conscious sequence knowledge was minimal.

Slide17

On the test block following training, participants performed the SISL task at an average rate of 79.2% correct for the trained sequence and 70.6% correct for the untrained sequence. The difference of 8.6% indicated better performance for the trained sequence.

Explicit recognition test: Experiments showed that the participants would not be able to recall the 30-item sequence.

Slide18

Experiment 2: Recall Over Time

After training, a group returned to the online applet after 1 week for a retention test and recognition assessment for the trained sequence. A separate group returned after 2 weeks for the retention and recognition tests.

Slide19

Slide20

Security Analysis

Basic coercion threat model:

Extraction Phase: The adversary intercepts one or more users and gets them to reveal as much as they can using coercion.

Test Phase: The adversary, on his own, submits to the authentication test, and his goal is to pass the test.

Slide21

If the attacker intercepts ‘u’ users and subjects each to ‘q’ queries, his chance of finding a valid sequence is at most qu/|Σ|.

Tests show that even if the attacker captures 100 users and asks 10^5 queries per user, the probability is only 2^-16.

Slide22

Conclusion

Rubber hose attacks have long been the bane of cryptography. We have presented a solution for that.

Future Work: To reduce authentication time.

Slide23

Thank You!
