1. 1 Carnegie Mellon Mike Reiter Professor of ECE and CS Carnegie Mellon University Title Goes Here Toward Fixing the Compliance Defects of Public Key Cryptography

2. 2 Carnegie Mellon Compliance Defects in PKI [Davis 1996] Compliance defect: “a rule of operation that is difficult to follow and that cannot be enforced” Local Registration Authority (LRA) Public key + attributes Certification Authority (CA) Certificate Directory Compliance defect Inability to verify the CA’s public key. “tomato” Compliance defect Inability to adequately protect the private key.

3. 3 Carnegie Mellon Compliance Defects as a User Interface Issue Users have neither  The patience to verify a large string of hex digits 0x4CA682F9D910BF7343B29C502A15F5D8 versus 0x4CA682F9D910BF7843B28C502A15F5D8  The capacity to remember strong cryptographic keys 0x4CA682F9D910BF7343B29C502A15F5D8 Problem gets worse with longer keys and hashes

4. 4 Carnegie Mellon Keeping it in Perspective Compliance defects are not unique to PKI  Surety’s digital notary service relies on users to compare a hash published in the New York Times to a computed one  File encryption poses similar challenges as protecting a private key does These compliance defects are not the only user interface problem for cryptographic (or security) systems [Kent 1997; Whitten & Tygar 1999; …]

5. 5 Carnegie Mellon How to Fix Compliance Defects Remember, a compliance defect is: “A rule of operation that is difficult to follow  cannot be enforced” To fix a compliance defect, one conjunct must be negated That is, either  Improve the user interface  Impose an enforcement mechanism

6. 6 Carnegie Mellon Imposing an Enforcement Mechanism Protecting the private key  Give the user her private key on a PIN-activated smartcard  Choose the password for the user  Force the user to choose a stronger password (e.g., proactive password checking) Verifying the root’s public key  Somehow do it for the user (a la Firefox and IE) Changes the user interface for the worse, e.g., [Bishop 1991] Difficult to do well at the scale of the Internet

7. 7 Carnegie Mellon Improving the User Interface Make the user interface more pleasant … Pleasant  graphical Pictures are easier to remember than words Some cognitive theories:  Pictures share fewer common perceptual features and so must be discriminated from a smaller set of possible alternatives  Human brain has separate verbal and non-verbal memories  Recognizing a face but not the person’s name  Recognizing a melody but not its name … Or keep the same interface but make it more effective

8. 8 Carnegie Mellon Snowflakes [Levien 1996] A graphical approach to displaying hash outputs  Computed in < 200 lines of C

9. 9 Carnegie Mellon Random Art [Bauer 1998; Perrig & Song 1999] Another approach to visualizing hash outputs  Hash value used as seed to generate a function f: [  1,1] 2  [  1,1] 3  f(x, y) is the RGB triple for pixel at (x, y)

10. 10 Carnegie Mellon Random Art: How it Works Function f is generated from a grammar that permits coin flips  All coin flips generated pseudorandomly from seed Grammar can include other functions, e.g.,  sin  cos  exp  square root

11. 11 Carnegie Mellon Graphical Passwords [Blonder 1996; Jermyn et al. 1998] Suitable mainly for PDAs permitting stylus input Useful for encrypting private key, or seeding its generation Sequence = (2,2)(3,2),(3,3),(2,3),(2,2),(2,1),(5,5) Key = hash(Sequence) pen-up

12. 12 Carnegie Mellon Security of Graphical Passwords How might one argue that graphical passwords are more secure than text ones?  Show that number of memorable graphical passwords exceeds number of memorable text passwords How does one quantify the memorable graphical passwords? A memorable password is one for which there exists a short algorithm to generate it. Hypothesis

13. 13 Carnegie Mellon “Complexity” of a Graphical Password Program : Digit Digit Block Block: Stmt Block Stmt: Instr | Repeat Digit Block End Instr: Up | Down | Right | Left | Penup | Pendown Digit: 1 | 2 | 3 | 4 | 5 Grammar Complexity = 26 Complexity = length of shortest program that generates the password

14. 14 Carnegie Mellon Memorable Password Space Comp = 24 Comp = 39 Comp = 42 Surpasses size of the dictionary used in [Klein 1990].

15. 15 Carnegie Mellon Encryption Application for Palm Pilot Password inputInternal representation Plaintext Password inputInternal representation

16. 16 Carnegie Mellon The Challenge of Graphical Schemes How secure are they, really? Can an attacker generate a key for which the snowflake or art depiction fools someone with non-negligible probability?  Depends on lighting, size of representation, printer quality, … Is the entropy of a graphical password really better than a text password? Only user studies will tell …

17. 17 Carnegie Mellon Making the Old Interface More Effective Mainly applies to private key protection  Less so for root key validation “Old interface” = password “Making it more effective” = making dictionary attacks harder Two approaches we will discuss here  Use the network  Use the user

18. 18 Carnegie Mellon Using the Network [Lomas et al. 1989; Bellovin & Merritt 1992; …; Perlman & Kaufman 1999] Store private key in a protected server that authenticates user before sending the private key “tomato” Server User:Bob Pwd :tomato Key : Use “tomato” to set up strong encryption key Eavesdropper gains nothing to use in offline dictionary attack Forces dictionary attacks to occur online  Server can detect and stop them But … break-in at server leaks private key  Possibly after an offline dictionary attack

19. 19 Carnegie Mellon Reducing Trust in the Server [MacKenzie & Reiter 2001] Keep the key at the client, but in a disabled state Server Server confirms that current user = user who initialized device “tomato” Break-in at server leaks nothing Online dictionary attack possible only after device is captured  Server can again detect and stop the attack  Offline attack requires capture of both client device and server

20. 20 Carnegie Mellon Reducing Trust in the Client [MacKenzie & Reiter 2001; Boneh et al. 2001; c.f., Ganesan 1985] Can disable the device if stolen  Even if attacker knows the user’s password Server Server confirms that current user = user who initialized device “tomato” p  start(, m) p s  finish(, p, m) Same properties as before, plus disabling Known techniques depend on particular form of private key  All use function sharing primitives

21. 21 Carnegie Mellon Server Delegation Delegation enables use of local server  Or a smartcard for “offline” operation (1) (2) (3) (4) Device can unilaterally revoke delegated servers

22. 22 Carnegie Mellon Using the User [Soutar et al. 1996; Davida et al. 1998; Juels & Wattenberg 1999; Monrose et al. 1999; …] Use biometric features during entry of a password to construct a hardened password  Hardened password useful for key encryption Portables not equipped with hardware for most biometric techniques, but do typically have a keyboard a microphone or

23. 23 Carnegie Mellon (3) Arrange in a 2-column table Initialization (1) Choose hardened password (2) Break it into “shares” (4) Encrypt with text password

24. 24 Carnegie Mellon Reconstructing the Hardened Password Hardened password Table decrypted using entered password Biometric features induce “cut” through table  One element per row is selected  Selected elements used to reconstruct hardened password

25. 25 Carnegie Mellon Repeated logins Hardening the Hardened Password Imposter System “learns” user’s biometric features over repeated logins Pieces not used by correct user are destroyed Enhances protection even against imposter who knows the password

26. 26 Carnegie Mellon Dictionary Attacks For each incorrect password guess, decrypted table is random For the correct password guess, decrypted table is correct one attack slowdown factor  time to tell these apart

27. 27 Carnegie Mellon Guessing EntropyFalse Negative Rate 481 recorded logins from 20 users typing the same 8-character password. 15 features. Keystroke Experiments