Identity assurance & expanded password system

At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. Textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional text.


Identity Assurance & Expanded Password System

Summary: Security of the real/cyber-fused society hinges on “Assured Identity”, which in turn hinges on “shared secrets” in cyberspace. The text password has been the shared secret for many decades. We now need a successor to the text password. There exists a promising candidate, an Expanded Password System which accepts images as well as characters and which generates a high-entropy password from a hard-to-forget password.

Multi-factor authentications and ID federations (single-sign-on services and password management tools) are operated with the password. The password is indispensable for the biometric products operated in cyberspace. As such we are unable to live without the password, and yet it is obvious that the conventional character password no longer suffices. An Expanded Password System that accepts images on top of characters is expected to play a very significant role.

The problem to be addressed by our solution is huge, with billions of people suffering the same big headache. Substantial revenues can be expected for the business of providing the most practicable solutions. We already have several products developed for the Japanese market. Therefore we will not have to start development from scratch, but will only have to rewrite the software in English with the latest cryptography and anti-hacking measures for the global market, with a relatively small budget.

(1) Introduction

It is well known that digital currencies would not exist without cryptography, but not many people are aware that digital identity assurance, i.e. the issue of passwords, is also crucial. Assume that a digital currency is protected by an encryption key of 256-bit entropy and that the program managing the digital currency system is protected by a manager’s password such as P@$$WoRd1234 or a PIN like 3485; the chances are that the currency management system will be taken over by criminals who broke the password/PIN rather than by those who tried to attack the 256-bit encryption key.

Without reliable digital identity assurance, emerging industries and critical infrastructures such as the following would also be infeasible:
- Electronic Healthcare
- Pandemic-resistant Teleworking
- ICT-assisted Disaster Prevention, Rescue & Recovery
- Hands-Free Operation of Wearable Computing
- Hands-Free Payment & Empty-Handed Shopping
- Humanoid Robots
- Internet of Things
and, needless to say, Cyber Defence & Law Enforcement.

The passwords to be registered have to satisfy the following requirements:
- The password should be strong enough.
- The same password should not be reused across multiple accounts.
- A memo on which passwords are written could be used indoors but should not be taken outdoors.
It is possible to satisfy one of them, but it is not possible to satisfy all of them. It is not what average humans can do. It is known that humans can firmly remember and correctly recall only 5 text passwords on average, whilst the number of services requiring password protection is now thought to be over 20 and ever increasing for most of us, with urges to change them more frequently in the aftermath of recurring password leakage incidents.

(2) Alternative password systems?

In response to this perplexing situation, biometrics, multi-factor solutions and ID federations (single-sign-on services & password management tools) are often advocated as an alternative to the password. Some people even shout that the password is dead or should be killed. However, the password could be killed only when there is an alternative to the password. Something belonging to the password (PIN, passphrase, etc.) and something dependent on the password (ID federations, 2/multi-factor, etc.) cannot be the alternative to the password. Neither can something that has to be used together with the password (biometrics, auto-login, etc.).

If wisely operated, all those solutions could certainly help alleviate the pains of difficult-to-manage passwords, either by the better convenience obtained by sacrificing confidentiality (biometrics & ID federations) or by the enhanced confidentiality obtained by sacrificing convenience (2/multi-factors). But it would be inappropriate to call them an alternative to the password: biometric solutions are generally operated together with a password for self-rescue in case of false rejection, one of the multi-factors is a password, and ID federations require the password called a master password. The password cannot be killed until there is a true alternative to it. (To be more closely discussed in the appendix.)

It is too obvious, anyway, that the conventional text password alone can no longer sustain the needs of the age, and we urgently require a successor to it, which should be found from among the broader family of passwords and the like. Textual passwords, PINs (numbers-only passwords) included, could suffice two decades ago when computing power was still limited, but ever-accelerating computing power has now made textual passwords too vulnerable for many cyber activities. The same computing power is, however, now enabling us to handle images and pictures, providing us with an alternative to vulnerable textual passwords. Its successor is wanted beyond text.

We can remember and recall only 5 text passwords on average, not due to our silliness or laziness, but due to the cognitive phenomenon called “Interference of Memory”. Memories of numbers and letters, which contain very limited information, are subject to severe interference of memory, which causes terrible confusion in what we remember, whereas memories of images and pictures, particularly episodic/autobiographical memories that contain a great deal of information with emotional feeling, are not. This indicates that we can easily manage passwords well beyond 5 or 10 when we make good use of episodic image memories. It could thus make the optimal alternative to textual passwords when we make sure that confidentiality is not lost. Most humans are thousands of times better at dealing with image memories than text memories. The former has a history of hundreds of millions of years while the latter is still very new to us. I wonder what merits we have in confining ourselves to the narrow corridor of text memories when CPUs are fast enough, bandwidth broad enough, memory storage cheap enough, and cameras built into mobile devices.

(3) Expanded Password System

The Expanded Password System “Mnemonic Guard” that we advocate, which makes use of episodic image memory in addition to textual memory, can be viewed as an enhanced successor to text-only password systems on its own. Furthermore, the Expanded Password System will enable us to see truly powerful multi-factor authentications, with a strong unique password being used as one of the factors for all different accounts, whether indoors or outdoors. With the Expanded Password System used as a rescue password in case of false rejection, biometric solutions will offer good convenience without much sacrificing confidentiality. We would also be able to see truly reliable decentralized ID federations, with a strong unique password being used as the master password for each single-sign-on service and password management tool. The outcome will be the most highly assured identity, achieved through the most reliable “shared secrets”.

Identity verification, which has been represented by seals and handwritten signatures, is not just one of the many factors for cyber security but is the very foundation of the social infrastructure without which no social life can exist. This relation between society and identity verification will not change so long as humans live social lives. Mnemonic Guard, pioneer of the Expanded Password System, can well be a legitimate successor to seals and handwritten signatures so long as humans need cyberspace. As the successor to seals, handwritten signatures and text passwords, the Expanded Password System is expected to help support the cyber society so long as humans need it.
Remark 1: “Assured Identity”, “shared secrets” and “IPV” are defined in “Good Practice Guide No. 45: Identity Proofing and Verification of an Individual”, issued by the UK Cabinet Office.

Remark 2: The idea of using pictures for passwords is not new. It has been around for more than two decades, but the simple forms of pictorial passwords were not as useful as had been expected, for the UNKNOWN pictures that we manage to remember afresh are still easy to forget or confuse, if not as badly as random alphanumeric characters. Mnemonic Guard is new in that we make good use of KNOWN images that are associated with our episodic/autobiographical memory. Since these pictures are the least subject to interference of memory, it enables us to manage dozens of unique strong passwords without reusing the same password across many accounts or carrying around a memo with passwords on it. Furthermore, we no longer need to remember the relations between accounts and passwords, because each account shows its own unique picture matrix.

The Expanded Password System is inclusive of textual as well as non-textual passwords. Users can retain their textual passwords as before while they expand their password memory to include non-textual passwords, without being impeded by the cognitive effect of “interference of memory”. It is extremely difficult to imagine users who would suffer disadvantage or inconvenience by taking up the Expanded Password System.

Remark 3: High-entropy passwords generated from low-entropy passwords
Generally speaking, hard-to-break passwords are hard to remember. But that is not fate. It would be easily possible to safely manage many high-entropy passwords with the Expanded Password System that handles images as well as characters. Each image/character is identified by image identifier data, which can be of any length. Assume that your password is “CBA123” and that those characters are identified as X4s&, eI0w, and so on. When you input CBA123, the authentication data that the server receives is not the easy-to-break “CBA123” but something like “X4s&eIwdoex7RVb%9Ub3mJvk”, which might be automatically altered periodically or at each access if required. When such high-entropy data are hashed, it would be next to impossible to quickly crack the hashed data back to the original password. Give different sets of identifier data to “CBA123” and the different servers will receive all different high-entropy authentication data.

Brute-force attacking of “CBA123” and other similarly silly passwords would perhaps take less than a few seconds with dictionary and automatic attack programs, but it could be an exhausting job when criminals have to manually touch/click on the display with their fingers. This function of managing strong passwords by weak text passwords is one of the secondary merits of the Expanded Password System.

Remark 4: Passwords & Corresponding Accounts

Being able to recall strong passwords is one thing. Being able to recall the relations between accounts and the corresponding passwords is another. When unique matrices of images are allocated to different accounts with the Expanded Password System, those unique matrices of images will tell you which images you could pick as your passwords. The Expanded Password System thus frees us from the burden of managing the relations between accounts and the corresponding passwords.
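The mechanism sketched in Remarks 3 and 4, as an added example that is not code from the original slides or from the Mnemonic Guard product: each account owns a matrix that maps every selectable image or character to a random identifier, the user's memorable picks are replaced by those identifiers on the client, and the server keeps only a salted hash of the resulting high-entropy credential. The identifier size (6 random bytes), the PBKDF2 work factor, the item labels and the account names are assumptions of the example.

```python
import hashlib
import math
import secrets

# Constructed example, not the Mnemonic Guard implementation: every account
# owns a matrix that maps each selectable item (a known image or a plain
# character) to a random "image identifier". The user's memorable picks are
# swapped for those identifiers on the client, so the server only ever sees
# the concatenated identifiers, never the weak text the user typed.

IDENT_BYTES = 6          # assumed identifier size: 48 random bits per item
PBKDF2_ROUNDS = 100_000  # assumed work factor for the server-side hash


def build_matrix(labels, ident_bytes=IDENT_BYTES):
    """Allocate a fresh, account-specific identifier to every item in the matrix."""
    return {label: secrets.token_urlsafe(ident_bytes) for label in labels}


def derive_credential(matrix, picks):
    """Replace the user's picks ("CBA123" or a sequence of images) by identifiers."""
    unknown = [p for p in picks if p not in matrix]
    if unknown:
        raise KeyError(f"picks not present in this account's matrix: {unknown}")
    return "".join(matrix[p] for p in picks)


def register(matrix, picks, salt=None):
    """Server-side record: a salted PBKDF2 hash of the high-entropy credential."""
    if salt is None:
        salt = secrets.token_bytes(16)
    cred = derive_credential(matrix, picks).encode()
    digest = hashlib.pbkdf2_hmac("sha256", cred, salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify(record, matrix, picks):
    """Recompute the credential from the presented picks and compare in constant time."""
    cred = derive_credential(matrix, picks).encode()
    digest = hashlib.pbkdf2_hmac("sha256", cred, record["salt"], PBKDF2_ROUNDS)
    return secrets.compare_digest(digest, record["hash"])


def guess_space_bits(matrix_size, picks):
    """Work factor for an attacker who can only try picks through the matrix itself."""
    return picks * math.log2(matrix_size)


def credential_bits(picks, ident_bytes=IDENT_BYTES):
    """Work factor for an attacker who must guess the raw credential without the matrix."""
    return picks * 8 * ident_bytes


# Constructed demo data: a few characters plus a few known images in one matrix.
ITEMS = list("CBA123") + ["photo:first_bike", "photo:grandma_1987", "photo:beach_trip"]
PICKS = list("CBA123")  # the weak but memorable text password from Remark 3


def demo():
    """Same picks, three accounts: three unrelated credentials, each verifying
    only against its own account's matrix."""
    accounts = {name: build_matrix(ITEMS) for name in ("Account A", "Account B", "Account C")}
    records = {name: register(m, PICKS) for name, m in accounts.items()}
    creds = {name: derive_credential(m, PICKS) for name, m in accounts.items()}
    cross = verify(records["Account A"], accounts["Account B"], PICKS)
    return {
        "credentials": creds,
        "all_distinct": len(set(creds.values())) == len(creds),
        "own_matrix_ok": all(verify(records[n], accounts[n], PICKS) for n in accounts),
        "other_matrix_ok": cross,
    }


if __name__ == "__main__":
    result = demo()
    for name, cred in result["credentials"].items():
        print(f"{name}: CBA123 -> {cred}")
    print("distinct across accounts:", result["all_distinct"])
    print("verifies with own matrix:", result["own_matrix_ok"])
    print("verifies with another account's matrix:", result["other_matrix_ok"])
    print(f"through the matrix: {guess_space_bits(len(ITEMS), len(PICKS)):.1f} bits; "
          f"raw credential: {credential_bits(len(PICKS))} bits")
```

The two work-factor helpers make the practitioner's caveat explicit: the extra entropy exists only against an attacker who does not hold the account's identifier table. Whoever can try picks through the matrix itself faces just matrix_size^picks combinations (about 19 bits for 6 picks from 9 items here), so the matrix data must be stored and transmitted as carefully as any other secret, and the periodic re-issue of identifiers that Remark 3 mentions is what limits the damage if a table does leak.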
The merits of the Expanded Password System are closely discussed at http://mneme.blog.eonet.jp/default/files/proposition_of_expanded_password_system.pdf

The outline of Mnemonic Guard is available at http://mneme.blog.eonet.jp/default/files/outline_of_mnemonic_security.pdf

<Appendix> More discussions on related themes

(I) Volitional Participation

We naturally wish to retain volitional participation in all the critical aspects of our life, whether in the real world or in cyberspace.

[Figure: per-account picture matrices, labelled Account A, Account B, Account C, Account D, Account E, F, G, H, I, J, K, L ...]
The likes of passwords, which cannot be practised without users’ volition, must stay with us for good in cyberspace, because volitional participation in proofing and verification of users’ identity cannot be ensured otherwise.

What are desirable from this viewpoint are:
(a) a firmly remembered password on its own,
(b) password management tools and single-sign-on services that are managed by a firmly remembered master password,
(c) multi-factor authentications with a firmly remembered password as one of the factors, and
(d) biometric products that are operated together with a firmly remembered password by AND/conjunction (we need to go through both the password and biometrics).

What are NOT desirable from the viewpoint of volitional participation are:
(e) so-called auto-login solutions, which allow us to sleep peacefully or drink much only when we are on our own in a securely locked room, and
(f) biometric products operated without a password altogether, or operated together with a password by OR/disjunction (we need only to go through either the password or biometrics), as in the cases of Touch ID and most of the products now on the market, which could bring about such awkward situations as http://mashable.com/2013/09/11/girl-fingerprint-scanner/

(II) Identity Assurance FOR mobile devices as against Identity Assurance BY mobile devices

Should we apply the operation models of “Identity Assurance BY mobile devices” to “Identity Assurance FOR mobile devices”, we would need to carry around two mobile devices all the time. It may be recommended for the types of cyber activities that require the best possible security practices. For most cyber activities, for which carrying around 2 mobile devices all the time is too heavy a burden, however, the best security practice may well be using just a high-entropy password, which can possibly withstand dictionary attacks and brute-force attacks, possibly with some Q&A based on MNO-held real-time information where desirable.

(III) Convenience versus Security

The themes discussed here are (1) ID federations, (2) PKI, (3) Two/multi-factor authentication, (4) Biometrics, (5) Auto-login and (6) PIN.

(1) ID federations

ID federations (single-sign-on services and password managers) create a single point of failure, not unlike putting all the eggs in one basket. It remembers all my passwords when unhacked and loses all my passwords to criminals when hacked. It should be operated in a decentralized formation or should be considered mainly for low-security accounts, not for high-security business. It would also be desirable to require multiple security levels for different levels of services. The most important accounts should desirably be protected by the strongest possible passwords unique to each account. Needless to say, the strength of the master password for ID federations is crucially important.

(2) PKI

The PKI software and the private key stored on a token or phone can effectively prove the identity of the token or phone, but not the identity of the person who is holding the token or phone. Tokens and phones are easily left behind, lost, stolen and abused. Then the password would be the last resort.
(3) Two/Multi-factor authentications

Two is larger than one on paper, but two weak boys in the real world may well be far weaker than one toughened guy. Physical tokens and phones are easily left behind, lost, stolen and abused. Then the password would be the last resort. A truly reliable 2-factor solution required for important accounts needs the use of the most reliable password.

(4) Biometrics

Biometrics can theoretically be operated together with passwords in two ways: (1) by AND/conjunction or (2) by OR/disjunction. Biometric products operated by (1) are not known. The users of such products must have been notified that, when falsely rejected by the biometric sensor with the device finally locked, they would have to see the device reset. Biometric products like Apple’s Touch ID are generally operated by (2), so that users can unlock the devices by password when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x) and that of a password (y). The sum (x + y - xy) is necessarily larger than the vulnerability of a password (y); that is, devices with Touch ID and other biometric sensors are less secure than devices protected only by a password. It is very worrying to see so many ICT people being indifferent to the difference between AND/conjunction and OR/disjunction when talking about “using two factors together”.

Incidentally, it is not possible to compare the strength of biometrics operated on its own with that of a password operated on its own. There are no objective data about the overall vulnerability of biometric solutions (not just the false acceptance rate when false rejection is near zero, but also the risk of forgery of body features and the risk of use while the user is unconscious) or that of passwords (not only that entropy may be as low as 10 bits or as high as 100 bits, but also that they can be stolen and leaked).
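The comparison stated above, carried through as an added derivation that is not part of the original slides. It assumes x and y are the probabilities that an attacker defeats the biometric sensor and the password respectively, and that the two events are independent. Under OR/disjunction the attacker succeeds unless both factors hold, so

$$P_{\lor} = 1 - (1-x)(1-y) = x + y - xy, \qquad P_{\lor} - y = x(1-y) \ge 0,$$

while under AND/conjunction both must be defeated, so

$$P_{\land} = xy, \qquad y - P_{\land} = y(1-x) \ge 0.$$

Hence $P_{\land} \le \min(x,y) \le \max(x,y) \le P_{\lor}$ for any $0 \le x, y \le 1$: the OR fallback can never be more secure than the password alone, and the AND combination can never be less secure than it. With constructed figures $x = 0.02$ and $y = 0.01$, $P_{\lor} = 0.0298$ and $P_{\land} = 0.0002$.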
(5) Auto-login

Auto-login is what we cannot achieve with passwords but can so easily achieve with the likes of electronic tattoos and swallowed chips. We know that the function of having someone else log in to our phone/tablet/PC on our behalf while we are unconscious is already realized by biometrics, as shown again in http://mashable.com/2013/09/11/girl-fingerprint-scanner/ But with the likes of electronic tattoos and hypodermic or swallowed microchips, we can expect third persons to log in to our accounts on our behalf a bit more gently and silently. The third persons would not have to behave very carefully so as not to wake us up. All that they have to do is place our PC/tablet/phone in the vicinity of our unconscious bodies. Then they would have a free hand over our accounts on our behalf. Some people, for whom convenience is the top priority, might regard this as proof that passwords have fatal drawbacks. We are, however, of the view that this tells us how critical it is to involve confirmation of the user’s volition in the login for identity authentication.

(6) PIN

Many people take it for granted that a PIN is easier to remember than an alphanumeric password because it is simpler. The fact is, however, that a PIN, a numbers-only short password, is even more subject to interference of memory exactly because it is simpler, i.e. it contains less information, which gets the user confused more easily and more badly than a longer alphanumeric password. It is, therefore, more difficult for us to eliminate reuse across many accounts. You could listen to yourself for your own experience.

(IV) Statistics on a Rampant False Sense of Security

Two university researchers in Japan carried out a brief survey in November 2014 about how the security of (1) PKI, (2) fingerprint scan and (3) one-time password is perceived by 49 university students in science and technology sectors. Below are the results. (In brackets are the numbers of students who are learning information security.)

(1) Do you know PKI?
    Yes 34 (31), No 15 (0)
    (To those who answered Yes) Do you think that a PKI-loaded IC card provides higher security than a password?
    Yes 12 (12), No 1 (1), No change 4 (4), Do not know 12 (9), Depends 4 (4), No answer 1 (1)

(2) Do you know of the fingerprint scanners loaded on smart devices?
    Yes 44 (28), No 5 (3)
    (To those who answered Yes) Do you think that a fingerprint scanner provides higher security than a password?
    Yes 16 (11), No 7 (5), No change 4 (2), Do not know 12 (8), Depends 5 (2)

(3) Do you know OTP (one-time password)?
    Yes 39 (30), No 10 (1)
    (To those who answered Yes) Do you think that a one-time password provides higher security than a remembered password?
    Yes 17 (5), No 1 (1), No change 3 (2), Do not know 10 (8), Depends 7 (6), No answer 1 (1)

The answers we expected were either “Do not know” or “Depends” for all 3 questions, preferably followed by “because there are no objective data that enable us to directly compare the security of PKI/OTP/finger-scan operated on its own with that of the password operated on its own. And PKI/OTP/finger-scan operated with a password by AND/conjunction (we need to go through both the former and the latter) is more secure than the same password only, but PKI/OTP/finger-scan operated together with a password by OR/disjunction (we need only to go through either the former or the latter) is less secure than the same password only.”

That many students gave “Yes” to (1) and (3) is somehow understandable, because PKI and OTP are generally operated with a password by AND/conjunction. But it is very worrying that so many students learning information security (11 out of 28) gave “Yes” to (2), for Apple’s Touch ID and most other finger-scanners on the market are operated together with a backup/fallback password by OR/disjunction in case of false rejection. A false sense of security about a threat could be even worse than the threat itself. This survey is not large enough to draw a decisive conclusion, but we could well imagine that this chilling false sense of security is even more rampant among people who have not learnt or are not learning information security as a major subject.

<End>
Massimo1434, Jul. 26, 2015
