Discussion on Pass-Algorithms
July 14, 2006 by jgross
William Cheswick, Lumeta Corporation
Passwords can be sniffed
• One-time passwords defeat this
• Traditionally done with hardware (e.g. securecard keys)
• Works for high-security areas
o Doesn’t work for banks
• Can we do this without hardware
o Human-computed response to challenge
o It would be nice if Joe Sixpack could do this
o Don’t allow dictionary attacks
• Even 4-digit PINs
• Text-based challenge-response
o Obfuscation in challenges
o User can type in junk – only a portion matters
o If you don’t enter enough junk
• Banks want replacement for online passwords/PINs
o Other applications – “emergency holographic” passwords
o Perhaps user-selectable alternative to regular password
• Lit review goes back to 1968
o Geeky account logins
o Or earlier – 1950’s-1960’s Harry Harrison story in War With the Robots
o Ad hoc algorithms since 1968
o Information theoretic approaches (memorize 9 random letters)
• Related signs
o Baseball signs
• Base coach signaling batter/runner
• 100 years of lore on using them and cracking them
• Examples
Activator – proceed with the play
Cancellation signal – forget everything I’ve told you up to date
Automatic switch
Combination signal
Dead zone – nullify next command
Live sign
Indicator – sign that a live signal
Key – sign that unlocks the indicator
Pump system – number of signals given is the signals themselves
o Magicians mind-reading tricks?
o Espionage fieldcraft
• Example
o Use keyboard to map 2-digit numbers to symbols
• For 42 – move two keys down from the four – so f
• Modular arithmetic seems to be easy
• User may have to remember a small number of an indicator character
o Modular arithmetic
o Are all of these mathematical?
• What about counting vowels
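The notes above sketch two human-computable pass-algorithms (a keyboard-walk mapping of two-digit pairs, and modular arithmetic) plus the verification rule that a user may type junk around the real answer. The following is an added example written for these notes, not code from the talk or from Lumeta: it assumes a standard QWERTY layout, wraps past the bottom keyboard row (the notes do not say what happens there), and treats "only a portion matters" as "the expected symbols must appear in order somewhere in what was typed". The modular variant adds a short secret digit-wise mod 10; the verifier refuses replays and locks after three failures, the server-side half of "don't allow dictionary attacks".

```python
import secrets

# Constructed QWERTY layout, assumed for illustration; the notes only say
# "use keyboard to map 2-digit numbers to symbols".
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]


def keyboard_symbol(pair: str) -> str:
    """Map a two-digit pair to one key: start on the first digit in the number
    row and move down as many rows as the second digit says. "42" -> two rows
    below '4' -> 'f'. Wrapping past the bottom row is an assumption here."""
    if len(pair) != 2 or not pair.isdigit():
        raise ValueError("expected exactly two digits")
    column = QWERTY_ROWS[0].index(pair[0])
    row = int(pair[1]) % len(QWERTY_ROWS)
    return QWERTY_ROWS[row][column]


def keyboard_response(challenge: str) -> str:
    """Apply keyboard_symbol to each consecutive digit pair of the challenge."""
    pairs = [challenge[i:i + 2] for i in range(0, len(challenge) - 1, 2)]
    return "".join(keyboard_symbol(p) for p in pairs)


def modular_response(challenge: str, secret: str) -> str:
    """Digit-wise (challenge + secret) mod 10; the secret repeats as needed.
    A short memorised secret is the only thing the user has to carry."""
    return "".join(str((int(c) + int(secret[i % len(secret)])) % 10)
                   for i, c in enumerate(challenge))


def new_challenge(digits: int = 6) -> str:
    """Fresh random digit challenge; a sniffed response is useless next time."""
    return "".join(str(secrets.randbelow(10)) for _ in range(digits))


def is_subsequence(needle: str, haystack: str) -> bool:
    """True if every character of needle appears in haystack, in order,
    possibly separated by junk. This is the 'only a portion matters' rule."""
    it = iter(haystack)
    return all(ch in it for ch in needle)


class PassAlgorithmVerifier:
    """Server side: issue a challenge, check one response against it, and lock
    the account after MAX_FAILURES wrong answers so guessing is not free."""

    MAX_FAILURES = 3

    def __init__(self, algorithm):
        self.algorithm = algorithm      # callable: challenge -> expected response
        self.failures = 0
        self.pending = None             # challenge awaiting an answer, if any

    def locked(self) -> bool:
        return self.failures >= self.MAX_FAILURES

    def challenge(self) -> str:
        self.pending = new_challenge()
        return self.pending

    def verify(self, typed: str) -> bool:
        if self.pending is None or self.locked():
            return False
        expected = self.algorithm(self.pending)
        self.pending = None             # one answer per challenge: no replay
        ok = is_subsequence(expected, typed)
        if not ok:
            self.failures += 1
        return ok


if __name__ == "__main__":
    verifier = PassAlgorithmVerifier(keyboard_response)
    c = verifier.challenge()
    print("challenge:", c, "expected symbols:", keyboard_response(c))
    print("modular variant with secret 7:", modular_response(c, "7"))
```

Swapping `keyboard_response` for a closure over `modular_response` (or any other callable from challenge to expected string) changes the user's algorithm without touching the verifier, which is the point of the notes' question about whether all such schemes are really just arithmetic.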
• Cog psych concerns
o Declarative vs. procedural knowledge
• Entropy concerns
o How do you compute entropy?
o Forcing users to include enough random information