Transcript PPT

Non-Text Passwords
Cryptography Applications Bistro
Jessica Greer
February 12, 2004
Outline
- Speech-generated cryptographic keys
- Password hardening based on keystroke dynamics
- Other new ideas for non-text passwords based on behavioral biometric features
Key Generation
Based on repeatable behavioral biometric characteristics:
- timing
- force of keystrokes
- voice frequencies
Aims to achieve two goals:
- Breaking passwords will be no easier than in a traditional password system
- For some or most users, breaking them will be harder
Speech-Generated Keys – Monrose & Reiter
System initialization
- Generate key K
- Generate 2m shares of K using a generalized secret sharing scheme, with m a system parameter
- Shares arranged within an m x 2 table such that K can be reconstructed from any set of m shares consisting of one share from each row
(figure: the m x 2 share table, m rows of two shares each, from which K is reconstructed)
Twist on traditional secret sharing
- Traditional defense: the attacker will not possess enough shares to reconstruct the secret
- In this case, an attacker with access to the physical device would have all 2m shares
- Requirement change: the attacker must not be able to find a sufficient set of valid shares in the table (an exhaustive search over the table must be computationally difficult)
Speech-Generated Keys – Monrose & Reiter
Gathering behavioral measurements
- User utters passphrase
- System performs front-end signal processing and records measurements about voice features
(photo from www.imdb.com, captioned "My voice is my passport. Verify me.")
Signal processing
User utterance sampled at a predefined sampling rate
Minimum sampling rate on the Compaq iPAQ: 32 kHz
Reduce computational and storage cost by downsampling to 8 kHz (sufficient to accurately capture speech) – keep 1 of every 4 samples. Decimation should follow a low-pass filter: any content above the new 4 kHz Nyquist limit would otherwise alias into the retained signal.
Signal processing
The signal is then broken down and cleaned up; the sample must be clean so as to be an accurate representation of the user's voice
Arranged into frames – 12-dimensional vectors of reals
Background noise removed by calculating the average noise in the silent portions of the sample and subtracting it from the entire length of the sample
Sample data converted to a bit sequence called a feature descriptor; used to regenerate the key
Gathering behavioral statistics
System measures m behavioral features of a user's utterance
The array of measurements is concatenated into a bit string (one bit per feature) for each login attempt
For each successful login attempt, the system updates the history of feature descriptors, from which the consistent behavioral features are identified
Distinguishing features
Security depends upon the number of distinguishing features of the voice
Let b_ai be the history of measurements of feature i for account a, t_i the threshold for feature i, and k a system parameter. Feature i is a distinguishing feature for account a if
  t_i < avg(b_ai) - k stddev(b_ai)
or
  t_i > avg(b_ai) + k stddev(b_ai)
i.e. the user's measurements fall consistently on one side of the threshold, so the same descriptor bit is produced on every login
Going back to the m x 2 table…
Elements of the table not consistently accessed (the cell in a distinguishing feature's row that the user never selects) are randomly perturbed
The correct user should not encounter perturbed (invalid) elements in the table
The more often the user logs in, the more features are identified as distinguishing and the stronger the system becomes
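The whole procedure from the initialization slide through the distinguishing-feature test and the perturbation step, as an added Python example (not the Monrose/Reiter/Wetzel implementation and not code from these slides): Shamir shares over a prime field fill an m x 2 table, the feature descriptor picks one cell per row, the history decides which features are distinguishing, and the cell such a feature never selects is overwritten with garbage. The prime P, the per-feature thresholds, the k value, the constructed login history and the SHA-256 check on the reconstructed key are all assumptions made for the example (the real scheme verifies K against an encrypted history file instead).

```python
"""Perturbed secret-sharing table for password hardening (added example).

Not the Monrose/Reiter/Wetzel code.  P, THRESHOLDS, K, HISTORY and the
SHA-256 key check are assumptions chosen to make the example runnable.
"""
import hashlib
import secrets
import statistics

P = (1 << 127) - 1                       # field for Shamir shares (assumed)
THRESHOLDS = [120.0, 95.0, 300.0, 60.0]  # t_i per feature, constructed values
M = len(THRESHOLDS)                      # m: number of behavioural features
K = 1.0                                  # k: std-dev margin (assumed value)


def _poly(coeffs, x):
    """Horner evaluation of sum(c_j * x^j) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def make_table(key):
    """m x 2 table: row i holds shares f(2i+1), f(2i+2) of a degree m-1 polynomial.

    f(0) = key, so any m shares with distinct x (one per row) reconstruct key.
    """
    coeffs = [key % P] + [secrets.randbelow(P) for _ in range(M - 1)]
    return [[(x, _poly(coeffs, x)) for x in (2 * i + 1, 2 * i + 2)] for i in range(M)]


def reconstruct(shares):
    """Lagrange interpolation of f(0) over GF(P) from (x, y) pairs."""
    total = 0
    for xj, yj in shares:
        num = den = 1
        for xl, _ in shares:
            if xl != xj:
                num = num * (-xl) % P
                den = den * (xj - xl) % P
        total = (total + yj * num * pow(den, P - 2, P)) % P
    return total


def descriptor(measurements):
    """Feature descriptor: bit i = 0 if measurement_i < t_i, else 1."""
    return [0 if v < t else 1 for v, t in zip(measurements, THRESHOLDS)]


def distinguishing(history):
    """Side (0/1) the user consistently lands on per feature, None if neither.

    Feature i is distinguishing when t_i lies more than k std devs from the
    mean of the user's past measurements b_ai (the test on the slide).
    """
    sides = []
    for i, t in enumerate(THRESHOLDS):
        col = [h[i] for h in history]
        mu, sd = statistics.mean(col), statistics.pstdev(col)
        if t < mu - K * sd:
            sides.append(1)      # user is always above t_i
        elif t > mu + K * sd:
            sides.append(0)      # user is always below t_i
        else:
            sides.append(None)   # measurements straddle t_i
    return sides


def harden(table, history):
    """Overwrite the cell a distinguishing feature never selects with garbage."""
    for i, side in enumerate(distinguishing(history)):
        if side is not None:
            x, _ = table[i][1 - side]
            table[i][1 - side] = (x, secrets.randbelow(P))
    return table


def search_space(history):
    """Guesses left to an attacker holding the device: 2^(#distinguishing)."""
    return 2 ** sum(s is not None for s in distinguishing(history))


def key_check(key):
    return hashlib.sha256(str(key).encode()).hexdigest()


def login(table, measurements, check):
    """Select one share per row by the descriptor; return K if it verifies."""
    bits = descriptor(measurements)
    key = reconstruct([table[i][b] for i, b in enumerate(bits)])
    return key if key_check(key) == check else None


# Constructed login history: features 0 and 2 sit on one side of their
# threshold every time, features 1 and 3 straddle it.
HISTORY = [[140, 90, 250, 55], [150, 100, 240, 65],
           [145, 92, 260, 58], [155, 99, 245, 63]]


def demo():
    key = secrets.randbelow(P)
    check = key_check(key)
    table = harden(make_table(key), HISTORY)
    good = login(table, [148, 96, 255, 60], check) == key  # legitimate user
    bad = login(table, [100, 96, 255, 60], check)           # wrong side of feature 0
    return good, bad, distinguishing(HISTORY), search_space(HISTORY)


if __name__ == "__main__":
    print(demo())
```

With this history only features 0 and 2 are distinguishing, so an attacker who has the device (and therefore every cell) still has to guess the right cell in those two rows: 2^2 candidate share sets instead of one, and the legitimate user, whose measurements keep landing on the same side, never touches a perturbed cell. Each additional distinguishing feature doubles the search, which is where the 2^15 figure on the next slide comes from.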
Empirical results
For an implementation in which the table
was also encrypted with a password –
makes a dictionary attack against the
password up to 2^15 times more difficult
Password hardening based on keystroke dynamics
Very similar concept – the system begins as secure as a traditional password system and then perturbs values in the secret-sharing table that are not accessed consistently
Potential problems
- Painful to change the password if security greater than traditional systems is essential – cost associated with retraining the system
- In the keystroke system, some degree of inference can be made about keystroke dynamics if the password is known, and vice versa
- Not ideal for users who use different keyboards
- Security is determined by the degree of uniqueness of the user's voice or typing style
Is it accurate enough?
- Bergadano, Gunetti, and Picardi think not
- Inherent variability in most behavioral biometric identifiers is too great
- They propose using much longer samples and generating the key based on the duration of digraphs and trigraphs (sets of two and three consecutive letters)
- Not an appropriate substitute for traditional password systems
- Greater inherent variability with longer samples?
For more information
www.biopassword.com
Free demo
www.mytec.com