Saturday, June 05, 2004

SEC: Recognition keys access

Recognition keys access TRN 060204: "Passwords are a problem. To be secure, a password must be non-obvious and changed often. Given the number of passwords the average person uses, and given the difficulty of keeping"

By Kimberly Patch, Technology Research News

Passwords are a problem. To be secure, a password must be non-obvious and changed often. Given the number of passwords the average person uses, and given the difficulty of keeping non-obvious and constantly changing passwords straight, it's not surprising that many people don't like them.

Researchers from Hebrew University in Israel are addressing the problem with a scheme that allows people to use a type of password that they don't have to consciously remember.

The scheme taps the way people learn through the instinctive imprinting process. When a person learns information via imprinting, he can recognize the information later but can't recall it in a way he can describe to someone else.

The scheme is fairly secure because it is truly random and cannot be stolen or shared voluntarily, said Scott Kirkpatrick, a professor of engineering and computer science at Hebrew University. "We don't know what we know."

The idea came from thinking about human memory as an inherent one-way function, said Kirkpatrick. A one-way function is a mathematical formula that is easy to solve in one direction but difficult to solve in the other. Factoring, for instance, is a common mathematical one-way function. It is easy to multiply the factors of a number together to get the number, but difficult to derive the factors from the number, especially with very large numbers.

The way the human brain deals with complexity can be thought of as a one-way function, according to Kirkpatrick. It stores images with little conscious awareness of what was learned, and the images are easily recognized but difficult to describe, especially in detail.

The researchers' prototype system involves training a user on a series of images. To be authenticated a user must recognize a few of the images. Pictures, pseudo words and artificial grammar can all be used as items to be recognized. These three types of imprinting data have been thoroughly explored in perception and cognitive psychology literature, Kirkpatrick said.

The researchers tested users on prototype systems that used each of the three types of input.

In tests of the picture version, users went through a two-step process to get a set of user certificates, or unconscious passwords. Users were first shown a set of 100 to 200 pictures randomly selected from a database of 20,000 pictures. Pictures were organized in groups of 2 to 9 pictures with a common theme, and each user was certified on one picture from a given theme group. The user then practiced choosing certificate images from entire theme groups.

Later, in lieu of passwords, users identified most of a short series of certificate images. To guard against eavesdropping, each certificate picture is only used once, and the user retrains when they run low.
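A minimal model of the picture protocol described above, added here as an illustration and not the researchers' code: one certificate picture per theme group, every group retired after a single showing, and a retraining check when unused certificates run low. The class and function names, the pass threshold and the sample data are assumptions, and the blind-guess figure it computes is a simple guessing bound, not the researchers' calculation.

```python
import secrets
from math import comb

_rng = secrets.SystemRandom()  # certificate choice must be unpredictable

def enroll(theme_groups):
    """Pick one certificate picture per theme group; the user then trains on it."""
    return {theme: _rng.choice(pics) for theme, pics in theme_groups.items()}

class Verifier:
    def __init__(self, theme_groups, certificates):
        self.groups = theme_groups
        self.unused = dict(certificates)  # theme -> certificate, single use
        self.pending = []                 # themes in the outstanding challenge

    def needs_retraining(self, n):
        return len(self.unused) < n

    def challenge(self, n):
        """Choose n unused themes and return each full group in random order."""
        if self.needs_retraining(n):
            raise RuntimeError("too few unused certificates: retrain the user")
        self.pending = _rng.sample(sorted(self.unused), n)
        return {t: _rng.sample(self.groups[t], len(self.groups[t]))
                for t in self.pending}

    def verify(self, answers, min_correct):
        """Score the outstanding challenge, retiring every theme shown, pass or fail."""
        if not self.pending:
            return False  # no challenge outstanding, e.g. a replayed answer set
        correct = 0
        for theme in self.pending:
            expected = self.unused.pop(theme)
            correct += answers.get(theme) == expected
        self.pending = []
        return correct >= min_correct

def blind_guess_acceptance(group_size, n, min_correct):
    """Probability that uniform guessing gets at least min_correct of n right."""
    p = 1 / group_size
    return sum(comb(n, k) * p**k * (1 - p)**(n - k)
               for k in range(min_correct, n + 1))

# Constructed sample data: 6 theme groups of 9 made-up picture ids each.
GROUPS = {f"theme{t}": [f"t{t}-p{i}" for i in range(9)] for t in range(6)}
```

Retiring a theme group even after a failed attempt keeps an observer from learning anything reusable from a session, at the cost of more frequent retraining.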

Subjects were able to recognize previously seen pictures with better than 90 percent accuracy for up to three months. According to the researchers' calculations, the chance that a user who guesses correctly four times in a row is an imposter is less than 1,000th of one percent.

Picture groups whose individual differences were more distinct were easier to retain over time, and recognition was just as good when picture groups contained six to nine pictures as when they contained just two pictures, according to Kirkpatrick.

In similar tests using pseudo words that are pronounceable in English but do not exist as valid words, accuracy rates varied from 70 to 90 percent over a three-month period. In similar tests using artificial grammar patterns accuracy rates varied more widely, with the best subject achieving a rate of 75 percent.

It is not difficult to make the basic scheme work, but there are challenges in making it practical, said Kirkpatrick. "We're finding many challenges in making the scheme compact, making it possible to use a smaller set of learned images repeatedly without giving the secret away to an eavesdropper, in making training easy and pleasant," he said.

The researchers are working on improving training, on identifying what learned information is most widely accessible, and on identifying variants of the scheme that meet the needs of different security levels, said Kirkpatrick.

Eventually, the method could be used as a part of more elaborate security systems, according to Kirkpatrick.

"I like the idea of developing computer-human interfaces in which the computer is a skeptic [and so] doesn't perform the actions of which it is capable until the human has convinced it that the need is genuine and the human is an appropriate person for whom to perform this action," he said. "This might lead to greater safety for all of us."

The method could be used practically within two years, according to Kirkpatrick. Kirkpatrick's research colleague was Daphna Weinshall. The researchers presented the work at the Computer Human Interaction (CHI) 2004 conference in Vienna, Austria, on April 24 to 29.

