Error-TolerantPassword Recovery

Niklas Frykholm and Ari JuelsRSA Laboratories

Password recovery: The problem

Users classifiable into two types

1. Those who don’t forget or lose passwords, e.g.,

2. Those who forget or lose passwords

Ron Rivest Elephant

Current method of password recovery:

use of “private” information SSN

– Not terribly private anymore Amount of last deposited cheque

– All Americans deposited $300 or $600 from IRS

Mother’s maiden name– For those of, e.g., Chinese origin, a handful

of surnames cover much of population

Date of birth

Special Report:October 5th is America's

most popular birthday.

Worst of all, “private” information must be stored on a server or available to customer service representatives

Aim #1:Use truly private questions

Examples:

“Fabio”– “What was the name of your first pet?

”

“Uma”

– “What was the name of the first girl/boy you kissed?”

Answers are never revealed in explicit form to server or customer service representative, etc.

Answers open “vault” for user,

enabling recovery on client

How this might work

H H H H

answer 1 answer 2 answer 3 answer 15

...H(a2) H(a3) H(a15)H(a1)

How this might work

...H(a2) H(a3) H(a15)H(a1)X =

EX[ ] =

Aim #2: Tolerate user errors

Question: “What was the name of the first girl/boy you kissed?”

Hugh Grant

“Liz”?

“Bridget”?

“Dolly?”

“Peter?”

Now, during recovery...

...H(a2) H(a3) H(a15)H(a1)

Original key X =

User tries X’ =

...H(a3)H(a1)

Thus, we need to be able to open the vault if X’ X

Fuzzy commitment (JW ‘99)

Produce ciphertext = CX[K] of secret K under key X

We can decrypt K using any X’ such that X ’ X

We learn only a little information about X

Idea: Use error-correcting code -- in unorthodox way– Throw away the message space!

Error-correcting code

c1 c2 c3

c5 c6 c7

c9 c10 c11

c4

c8

c12

fX

f(X) = c6

Error-correcting code

c1 c2 c3

c5 c6 c7

c9 c10 c11

c4

c8

c12

X

f(X) = ?????

Fuzzy commitment

c1 c2 c3

c5 c6 c7

c9 c10 c11

c4

c8

c12

K

X

= CX(K)

Given and X’X ...

Fuzzy commitment

c1 c2 c3

c6 c7

c9 c10 c11

c4

c8

c12

X

f(X’ - ) = K

X ’f

K

Given alone...

Why is this secure?

c1 c2 c3

c6 c7

c9 c10 c11

c4

c8

c12

X

c5

K

Given alone...

Why is this secure?

c1 c2 c3

c6 c7

c9 c10 c11

c4

c8

c12

Xc5

K

Given alone...

Why is this secure?

c1 c2 c3

c6 c7

c9 c10 c11

c4

c8

c12

Xc5

K

Why is this secure?

c1 c2 c3

c6 c7

c9 c10 c11

c4

c8

c12

X

Given alone... I.e., says nothing about which codeword

c5

K

Fuzzy commitment

Cryptographically-strong (info. theoretic) security if code is large enough, i.e, if there are enough codewords

Very efficient encryption/decryption Tradeoff between leakage of X and

error-tolerance

Our password recovery scheme

X = H(a1) | H(a2) | … | H(a15) Select random codeword K Compute = CX[K] = X - K

Store vault = ( = CX[K]); EK[passwords] Given enough right answers, I.e., X’ X, we

can recover passwords Typical (secure) parameterization:

15 questions Any 11 will open vault

User answers questions, creates vault = CX[K]

Alice

Bob

Charlie

-- (fuzzy comm. to KA)

-- (fuzzy comm. to KB)

-- (fuzzy comm. to KC)

; (EKA[SKA],PKA )

; (EKB[SKB],PKB )

; (EKC[SKC],PKC )

User generates public/private key pair (SK, PK)

PKA

Alice (or admin) can add to vault without opening it

Alice

Bob

Charlie

-- (fuzzy comm. to KA)

-- (fuzzy comm. to KB)

-- (fuzzy comm. to KC)

; (EKA[SKA],PKA )

; (EKB[SKB],PKB )

; (EKC[SKC],PKC )

PKA

$$

Pass-words

By answering, e.g., 11 out of 15 questions, Alice can, e.g., recover SKA, and thus passwords securely using any Web-enabled device

Alice

Bob

Charlie

-- (fuzzy comm. to KA)

-- (fuzzy comm. to KB)

-- (fuzzy comm. to KC)

; (EKA[SKA],PKA )

; (EKB[SKB],PKB )

(EKC[SKC],PKC )

PKA

$$

Passwords

Can be a universal service: E.g., Amazon, Citibank, etc. can all store keys in Alice ’s vault

Alice

Bob

Charlie

-- (fuzzy comm. to KA)

-- (fuzzy comm. to KB)

-- (fuzzy comm. to KC)

;(EKA[SKA],PKA )

;(EKB[SKB],PKB )

;(EKC[SKC],PKC )

PKA

$$

Passwords

With external “hardening” server, can use fewer than 15 questions

Proving Security

This is the hardest part...– Random (or cryptographic) hash H does

not yield good results E.g., UOWHFs do not help (as hash is

published)

– We must customize hash as best we can to distribution over individual answers

– I.e., we craft H1,H2,…,H15 based on what form answers are likely to take

Refining the user experience (prototype)

For recovery only What questions should we ask? In what form do we pose the questions? How can we best “normalize” answers? How can we best jog the user’s memory? How many questions can we ask?

– Can use, e.g., 3 out of 5, with hardening server

What is the name of your doctor?

What did you give your mother for her 50th birthday?

What is your favorite piece of music?

What is the name of your father’s best friend?

What was the profession of your maternal grandfather?Where did you celebrate the millenium?

Questions?