Transcript PPT
Non-Text Passwords
Cryptography Applications Bistro
Jessica Greer
February 12, 2004
Outline
Speech-Generated Cryptographic Keys
Password Hardening Based on Keystroke
Dynamics
Other new ideas for non-text passwords
based on behavioral biometric features
Key Generation
Based on repeatable behavioral biometric
characteristics
timing
force of keystrokes
voice frequencies
Aims to achieve two goals
Breaking passwords will be no easier
For some or most, breaking them will be harder
Speech-Generated Keys –
Monrose & Reiter
System initialization
Generate key K
Generate 2m shares of K using
generalized secret sharing scheme,
with m a system param
Shares arranged within an m x 2 table
such that K can be reconstructed from
any set of m shares consisting of one
share from each row
[Figure: the m x 2 table of shares of K]
Twist on traditional secret sharing
Traditional defense: attacker will not possess
enough shares to reconstruct the secret
In this case, an attacker would have all shares if
he had access to the physical device
Requirement change: that the attacker will not
be able to find a sufficient set of valid shares in
the table (make an exhaustive search
computationally difficult)
Speech-Generated Keys –
Monrose & Reiter
Gathering behavioral
measurements
User utters passphrase
System performs front-end signal
processing and records
measurements about voice
features
[Slide image: "My voice is my passport. Verify me?" (photo from www.imdb.com)]
Signal processing
User utterance sampled at predefined
sampling rate
Minimum sampling rate on Compaq IPAQ:
32 kHz
Reduce computational and storage cost by
down sampling to 8 kHz (sufficient to
accurately capture signal) – throw 3 of 4
samples away
Signal processing
Signal then broken down and cleaned up
Sample must be clean so as to be an accurate
representation of user’s voice
Arranged into frames – 12-dimensional vectors
of reals
Background noise removed by calculating avg.
noise in white space in the sample and
subtracting it from entire length of sample
Sample data converted to bit sequence called a
feature descriptor; used to regenerate key
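The front end described on the two signal-processing slides, as an added example that is not code from the slides or from Monrose & Reiter's implementation: decimate 32 kHz audio to 8 kHz by keeping one sample in four, estimate the noise level from the leading "white space" and subtract it from the whole sample, then cut the cleaned signal into frames and map each frame to a 12-dimensional vector of reals. The slides do not say which 12 features make up a frame vector, so the band-energy feature below (log energy in 12 equal-width DFT bands) is a constructed choice, as is the synthetic test tone.

```python
import cmath
import math


def downsample(samples, factor=4):
    """32 kHz -> 8 kHz: keep every 4th sample, i.e. throw 3 of 4 samples away
    (plain decimation, as the slide describes; no anti-alias filter)."""
    return samples[::factor]


def remove_background_noise(samples, silence_samples):
    """Average the leading 'white space' of the utterance and subtract that
    level from the entire length of the sample."""
    noise = sum(samples[:silence_samples]) / silence_samples
    return [s - noise for s in samples]


def frames(samples, frame_len, dims=12):
    """Cut the cleaned signal into non-overlapping frames and turn each into a
    12-dimensional vector of reals. Constructed feature (not from the slides):
    log energy in `dims` equal-width frequency bands of the frame's DFT."""
    vectors = []
    for start in range(0, len(samples) - frame_len + 1, frame_len):
        frame = samples[start:start + frame_len]
        n = len(frame)
        # magnitude spectrum, positive frequencies only (naive DFT, fine for short frames)
        spectrum = [abs(sum(frame[t] * cmath.exp(-2j * math.pi * k * t / n)
                            for t in range(n))) for k in range(n // 2)]
        width = len(spectrum) // dims
        vectors.append([math.log(1e-9 + sum(x * x for x in spectrum[b * width:(b + 1) * width]))
                        for b in range(dims)])
    return vectors


def synth_tone(bin_index, frame_len, length):
    """Constructed test input: a pure tone that lands on DFT bin `bin_index`
    of a `frame_len`-sample frame, stretched to `length` samples."""
    return [math.cos(2 * math.pi * bin_index * t / frame_len) for t in range(length)]


if __name__ == "__main__":
    # constructed utterance: 20 samples of silence at DC offset 0.5, then a tone
    raw = [0.5] * 80 + [0.5 + s for s in synth_tone(4, 64, 512)]
    cleaned = remove_background_noise(downsample(raw), silence_samples=20)
    for i, vec in enumerate(frames(cleaned[20:], 64)):
        print(i, [round(v, 1) for v in vec])
```

The 12-dimensional frame vectors are what the later slides feed into the feature measurements; the descriptor bits themselves are derived by comparing measurements against thresholds, which the secret-sharing example further down covers.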
Gathering behavioral statistics
System measures m behavioral features
of a user’s utterance
Array of measurements concatenated into
a bit string for each login attempt
Gathering behavioral statistics
For each successful login attempt, the
system updates the history of feature
descriptors (consistent behavioral
features)
Distinguishing features
Security depends upon number of
distinguishing features of voice
A feature bai (a the account, i the feature)
is a distinguishing feature if the threshold
Ti lies more than k standard deviations
from the user's mean, i.e.
Ti > avg(bai) + k stddev(bai)
or
Ti < avg(bai) - k stddev(bai)
Going back to the 2 x m table…
Elements of table not consistently
accessed are randomly perturbed
Correct user should not encounter
perturbed (invalid) elements in table
The more often the user logs in, the
stronger the system becomes
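The m x 2 share table from the initialization slide and the distinguishing-feature/perturbation step from the last three slides, worked through as one added example (not code from the slides or from Monrose & Reiter's system): shares are Shamir points on a random degree-(m-1) polynomial with f(0) = K, row i holds f(2i+1) and f(2i+2), a login's m-bit feature descriptor picks one cell per row, and Lagrange interpolation recovers K. Once the login history shows a feature is distinguishing, the cell the user never selects is overwritten with a random value, so the genuine user still recovers K while any guess that is wrong on a distinguishing bit does not. The prime P, the SHA-256 check value used to recognise a correct K, the thresholds and the measurement history are constructed assumptions; the same table works unchanged for keystroke timings.

```python
import hashlib
import secrets
import statistics

# Prime field for the Shamir shares (constructed choice; any prime larger than K works).
P = 2**61 - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... + coeffs[m-1]*x^(m-1) mod P (Horner)."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y


def init_table(K, m):
    """System initialization: random degree-(m-1) polynomial f with f(0) = K; the 2m
    shares f(1..2m) fill an m x 2 table, row i = (f(2i+1), f(2i+2)). Any m shares
    taken one per row reconstruct K, and every cell is valid at first."""
    coeffs = [K % P] + [secrets.randbelow(P) for _ in range(m - 1)]
    return [[(x, _eval_poly(coeffs, x)) for x in (2 * i + 1, 2 * i + 2)] for i in range(m)]


def reconstruct(table, descriptor):
    """Bit i of the descriptor selects column b_i of row i; recover f(0) by Lagrange
    interpolation over the m selected points. A perturbed cell yields garbage."""
    points = [table[i][b] for i, b in enumerate(descriptor)]
    total = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for k, (xk, _) in enumerate(points):
            if k != j:
                num = num * (-xk) % P
                den = den * (xj - xk) % P
        total = (total + yj * num * pow(den, P - 2, P)) % P
    return total


def descriptor(measurements, thresholds):
    """m behavioral measurements of one login -> m-bit feature descriptor:
    bit i = 1 if measurement i exceeds the system threshold t_i, else 0."""
    return [1 if v > t else 0 for v, t in zip(measurements, thresholds)]


def is_distinguishing(history, i, t_i, k):
    """Feature i distinguishes this user if t_i lies more than k standard deviations
    from the mean of the user's recorded values: t_i > mu + k*sd or t_i < mu - k*sd."""
    vals = [h[i] for h in history]
    mu, sd = statistics.mean(vals), statistics.stdev(vals)
    return t_i > mu + k * sd or t_i < mu - k * sd


def perturb(table, history, thresholds, k):
    """For each distinguishing feature, overwrite the cell the user consistently does
    not select with a random value. Cells of non-distinguishing features stay valid,
    so the user's natural variation on those features is tolerated."""
    for i, t_i in enumerate(thresholds):
        if is_distinguishing(history, i, t_i, k):
            used = 1 if statistics.mean(h[i] for h in history) > t_i else 0
            x, _ = table[i][1 - used]
            table[i][1 - used] = (x, secrets.randbelow(P))
    return table


def key_check(K):
    """Stored at enrolment so a login can tell a correct K from garbage (constructed)."""
    return hashlib.sha256(K.to_bytes(8, "big")).hexdigest()


def login(table, measurements, thresholds, check):
    """One login attempt: derive the descriptor, reconstruct, compare with the check."""
    K = reconstruct(table, descriptor(measurements, thresholds))
    return K if key_check(K) == check else None


if __name__ == "__main__":
    K, thresholds = 0x5ABD2F61C0FFEE, [10, 10, 10, 10]
    table, check = init_table(K, 4), key_check(K)
    # constructed history of five successful logins: features 0 and 1 are stable
    # and far from their thresholds, features 2 and 3 straddle theirs
    history = [[2, 18, 8, 5], [3, 19, 12, 15], [2, 18, 9, 6], [3, 19, 11, 14], [2, 18, 10, 5]]
    perturb(table, history, thresholds, k=2)
    print("genuine:", login(table, [2, 18, 11, 6], thresholds, check) == K)
    print("wrong on feature 0:", login(table, [12, 18, 11, 6], thresholds, check))
```

Before perturbation every one of the 2^m descriptors recovers K, which is why the scheme starts out no weaker than a plain password system; each feature that becomes distinguishing removes one valid cell and so doubles the search an attacker holding the device must make, up to the 2^15 factor reported on the next slide.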
Empirical results
For an implementation in which the table
was also encrypted with a password –
makes a dictionary attack against the
password up to 2^15 times more difficult
Password hardening based on keystroke
dynamics
Very similar concept – system begins as
secure as a traditional password system
and begins perturbing values in the
secret-sharing table that are not repeated
consistently
Potential problems
Painful to change password, if security greater
than traditional systems is essential – cost
associated with retraining the system
In keystroke system, some degree of inference
can be made about keystroke dynamics if
password is known, and vice versa
Not ideal for users who use different keyboards
Security determined by degree of uniqueness of
user’s voice or typing style
Is it accurate enough?
Bergadano, Gunetti, and Picardi think not
Inherent variability in most behavioral biometric
identifiers is too great
Propose using much longer samples and generating
key based on duration of digraphs and trigraphs (sets of
two and three consecutive letters)
Not an appropriate substitute for traditional password
systems
Greater inherent variability with longer samples?
For more information
www.biopassword.com
Free demo
www.mytec.com