Error-Tolerant Password Recovery Niklas Frykholm and Ari Juels RSA Laboratories.


Password recovery: The problem

Users classifiable into two types
1. Those who don't forget or lose passwords, e.g.,
2. Those who forget or lose passwords
[Image labels: Ron Rivest, Elephant]

Current method of password recovery: use of private information
- SSN
  – Not terribly private anymore
- Amount of last deposited cheque
  – All Americans deposited $300 or $600 from IRS
- Mother's maiden name
  – For those of, e.g., Chinese origin, a handful of surnames cover much of population

- Date of birth
  Special Report: October 5th is America's most popular birthday.
Worst of all, private information must be stored on a server or available to customer service representatives

Aim #1: Use truly private questions
- Examples:
  Fabio – What was the name of your first pet?
  Uma – What was the name of the first girl/boy you kissed?
- Answers are never revealed in explicit form to server or customer service representative, etc.

Answers open vault for user, enabling recovery on client

How this might work
[Diagram: answer 1, answer 2, answer 3, ..., answer 15 are each passed through H, giving H(a_1), H(a_2), H(a_3), ..., H(a_15)]

How this might work
[Diagram: X = H(a_1) H(a_2) H(a_3) ... H(a_15); E_X[ ] = ]

Aim #2: Tolerate user errors
Question: What was the name of the first girl/boy you kissed?
Hugh Grant
Liz? Bridget? Dolly? Peter?

Now, during recovery...
[Diagram: Original key X = H(a_1) H(a_2) H(a_3) ... H(a_15); User tries X = H(a_1) H(a_3) ...]
Thus, we need to be able to open the vault if X X

Fuzzy commitment (JW 99)
- Produce ciphertext = C_X[K] of secret K under key X
- We can decrypt K using any X such that X X
- We learn only a little information about X
- Idea: Use error-correcting code -- in unorthodox way
  – Throw away the message space!

Error-correcting code
[Diagram: codewords c_1 through c_12, with X and f; f(X) = c_6]

Error-correcting code
[Diagram: codewords c_1 through c_12, with X; f(X) = ?????]

Fuzzy commitment
[Diagram: codewords c_1 through c_12, with K and X; = C_X(K)]

Fuzzy commitment
Given and X X...
[Diagram: codewords c_1 to c_4 and c_6 to c_12, with K, X and f; f(X - ) = K]

Why is this secure?
Given alone...
[Diagram: codewords c_1 through c_12, with K and X]

Why is this secure?
Given alone...
I.e., says nothing about which codeword
[Diagram: codewords c_1 through c_12, with K and X]

Fuzzy commitment
- Cryptographically-strong (info. theoretic) security if code is large enough, i.e., if there are enough codewords
- Very efficient encryption/decryption
- Tradeoff between leakage of X and error-tolerance

Our password recovery scheme
- X = H(a_1) | H(a_2) | … | H(a_15)
- Select random codeword K
- Compute = C_X[K] = X - K
- Store vault = ( = C_X[K]); E_K[passwords]
Given enough right answers, i.e., X X, we can recover passwords
- Typical (secure) parameterization:
  – 15 questions
  – Any 11 will open vault
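
The scheme on this slide, written out as an added Python example (not code from the presentation): the code used is a Reed-Solomon-style polynomial code over a prime field, so any 11 of 15 answers recover K, and decoding tries 7-answer subsets instead of using an efficient decoder. The field size, SHA-256 as a stand-in for the per-question hashes, the name `delta` for the stored value X - K, and the sample answers are all assumptions.

```python
import hashlib, secrets
from itertools import combinations

P = 2**31 - 1                  # prime field for code symbols (assumed size)
N, DIM, NEED = 15, 7, 11       # 15 answers, polynomials of degree < 7, any 11 open
XS = range(1, N + 1)           # evaluation point for each question

def h(answer):
    """Stand-in for H: normalise the answer, SHA-256 it, reduce into the field."""
    digest = hashlib.sha256(answer.strip().lower().encode()).digest()
    return int.from_bytes(digest, "big") % P

def interpolate(points, x):
    """Evaluate at x the polynomial through `points` (Lagrange form, mod P)."""
    total = 0
    for xj, yj in points:
        num = den = 1
        for xm, _ in points:
            if xm != xj:
                num = num * (x - xm) % P
                den = den * (xj - xm) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total

def key_of(codeword):
    """Derive the vault key from codeword K."""
    return hashlib.sha256(repr(codeword).encode()).hexdigest()

def commit(answers):
    """Pick a random codeword K; return (delta, key) with delta = X - K."""
    coeffs = [secrets.randbelow(P) for _ in range(DIM)]
    K = [sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P for x in XS]
    return [(h(a) - k) % P for a, k in zip(answers, K)], key_of(K)

def open_vault(delta, answers):
    """Decode X' - delta to the codeword within 4 errors; None if too many."""
    y = [(h(a) - d) % P for a, d in zip(answers, delta)]
    for subset in combinations(range(N), DIM):
        pts = [(XS[i], y[i]) for i in subset]
        cand = [interpolate(pts, x) for x in XS]
        if sum(c == v for c, v in zip(cand, y)) >= NEED:
            return key_of(cand)
    return None

# Constructed sample: enrolment answers, then a retry with 4 of 15 wrong.
ENROLLED = [f"answer {i}" for i in range(1, N + 1)]
RETRY = ["forgot" if i in (2, 7, 9, 13) else a for i, a in enumerate(ENROLLED)]
```

The recovered key plays the role of K in E_K[passwords]; only `delta` and the ciphertext would be stored, and the answer hashing would still need the tuning to likely answers that the Proving Security slide calls for.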

- User answers questions, creates vault = C_X[K]
- User generates public/private key pair (SK, PK)
[Diagram: vault entries, with label PK_A
  Alice -- (fuzzy comm. to K_A); (E_{K_A}[SK_A], PK_A)
  Bob -- (fuzzy comm. to K_B); (E_{K_B}[SK_B], PK_B)
  Charlie -- (fuzzy comm. to K_C); (E_{K_C}[SK_C], PK_C)]

- Alice (or admin) can add to vault without opening it
[Diagram: vault entries for Alice, Bob and Charlie, each a fuzzy commitment to K_A, K_B, K_C with (E_{K_A}[SK_A], PK_A), (E_{K_B}[SK_B], PK_B), (E_{K_C}[SK_C], PK_C); labels PK_A, $$, Passwords]

- By answering, e.g., 11 out of 15 questions, Alice can, e.g., recover SK_A, and thus passwords, securely using any Web-enabled device
[Diagram: vault entries for Alice, Bob and Charlie, each a fuzzy commitment to K_A, K_B, K_C with (E_{K_A}[SK_A], PK_A), (E_{K_B}[SK_B], PK_B), (E_{K_C}[SK_C], PK_C); labels PK_A, $$, Passwords]

Can be a universal service: E.g., Amazon, Citibank, etc. can all store keys in Alice's vault
[Diagram: vault entries for Alice, Bob and Charlie, each a fuzzy commitment to K_A, K_B, K_C with (E_{K_A}[SK_A], PK_A), (E_{K_B}[SK_B], PK_B), (E_{K_C}[SK_C], PK_C); labels PK_A, $$, Passwords]
With external hardening server, can use fewer than 15 questions

Proving Security
This is the hardest part...
- Random (or cryptographic) hash H does not yield good results
  – E.g., UOWHFs do not help (as hash is published)
- We must customize hash as best we can to distribution over individual answers
- I.e., we craft H_1, H_2, …, H_15 based on what form answers are likely to take

Refining the user experience (prototype)
- For recovery only
- What questions should we ask?
- In what form do we pose the questions?
- How can we best normalize answers?
- How can we best jog the user's memory?
- How many questions can we ask?
  – Can use, e.g., 3 out of 5, with hardening server

- What is the name of your doctor?
- What did you give your mother for her 50th birthday?
- What is your favorite piece of music?
- What is the name of your father's best friend?
- What was the profession of your maternal grandfather?
- Where did you celebrate the millennium?

Questions?