Error-Tolerant Password Recovery

1. Error-TolerantPassword Recovery To err is human, to forgive divine... Niklas Frykholm and Ari Juels RSA Laboratories

2. Password recovery: The problem

3. Elephant Ron Rivest Users classifiable into two types 1. Those who don’t forget or lose passwords, e.g., 2. Those who forget or lose passwords

4. Current method of password recovery:use of “private” information • SSN • Not terribly private anymore • Amount of last deposited cheque • All Americans deposited $300 or $600 from IRS • Mother’s maiden name • For those of, e.g., Chinese origin, a handful of surnames cover much of population

5. Special Report:October 5th is America's most popular birthday. • Date of birth • Worst of all, “private” information must be stored on a server or available to customer service representatives

6. “What was the name of your first pet?” “Fabio” • “What was the name of the first girl/boy you kissed?” “Uma” Aim #1:Use truly private questions • Examples: • Answers are never revealed in explicit form to server or customer service representative, etc.

7. My passwords My private keys Answers open “vault” for user,enabling recovery on client

8. answer 1 answer 2 answer 3 answer 15 H H H H H(a1) H(a2) H(a3) H(a15) How this might work ...

9. EX[ ] = My private keys How this might work X = H(a1) H(a2) H(a3) ... H(a15)

10. “Dolly?” “Liz”? “Peter?” “Bridget”? Hugh Grant Aim #2: Tolerate user errors Question: “What was the name of the first girl/boy you kissed?”

11. H(a1) H(a2) H(a3) H(a15) H(a1) H(a3) ... Now, during recovery... Original key X = ... User tries X’ = Thus, we need to be able to open the vault if X’ X

12. Fuzzy commitment (JW ‘99) • Produce ciphertext  = CX[K] of secret K under key X • We can decrypt K using any X’ such that X’  X • We learn only a little information about X • Idea: Use error-correcting code -- in unorthodox way • Throw away the message space!

13. X f Error-correcting code c1 c2 c3 c4 c5 c6 c7 c8 c9 c10 c11 c12 f(X) = c6

14. X Error-correcting code c1 c2 c3 c4 c5 c6 c7 c8 c9 c10 c11 c12 f(X) = ?????

15.  X K  = CX(K) Fuzzy commitment c1 c2 c3 c4 c5 c6 c7 c8 c9 c10 c11 c12

16.  X’ X K f Given  and X’X ... f(X’ - ) = K Fuzzy commitment c1 c2 c3 c4 c6 c7 c8 c9 c10 c11 c12

17.  X K Given  alone... Why is this secure? c1 c2 c3 c4 c5 c6 c7 c8 c9 c10 c11 c12

18.  X Given  alone... Why is this secure? c1 c2 c3 c4 c5 c6 c7 c8 K c9 c10 c11 c12

19.  X Given  alone... Why is this secure? c1 c2 c3 c4 c5 c6 c7 c8 K c9 c10 c11 c12

20.  X Given  alone... I.e.,  says nothing about which codeword Why is this secure? K c1 c2 c3 c4 c5 c6 c7 c8 c9 c10 c11 c12

21. Fuzzy commitment • Cryptographically-strong (info. theoretic) security if code is large enough, i.e, if there are enough codewords • Very efficient encryption/decryption • Tradeoff between leakage of X and error-tolerance

22. Our password recovery scheme • X = H(a1) | H(a2) | … | H(a15) • Select random codeword K • Compute  = CX[K] = X - K • Store vault = ( = CX[K]); EK[passwords] • Given enough right answers, I.e., X’  X, we can recover passwords • Typical (secure) parameterization: • 15 questions • Any 11 will open vault

23. MyVault.com ; (EKA[SKA],PKA ) -- (fuzzy comm. to KA) PKA ; (EKB[SKB],PKB ) -- (fuzzy comm. to KB) ; (EKC[SKC],PKC ) -- (fuzzy comm. to KC) • User answers questions, creates vault  = CX[K] Alice Bob Charlie • User generates public/private key pair (SK, PK)

24. $$ MyVault.com -- (fuzzy comm. to KA) ; (EKA[SKA],PKA ) Pass- words PKA -- (fuzzy comm. to KB) ; (EKB[SKB],PKB ) -- (fuzzy comm. to KC) ; (EKC[SKC],PKC ) • Alice (or admin) can add to vault without opening it Alice Bob Charlie

25. $$ MyVault.com -- (fuzzy comm. to KA) ; (EKA[SKA],PKA ) Pass words PKA -- (fuzzy comm. to KB) ; (EKB[SKB],PKB ) -- (fuzzy comm. to KC) (EKC[SKC],PKC ) • By answering, e.g., 11 out of 15 questions, Alice can, e.g., recover SKA, and thus passwords securely using any Web-enabled device Alice Bob Charlie

26. $$ MyVault.com -- (fuzzy comm. to KA) ;(EKA[SKA],PKA ) Pass words PKA -- (fuzzy comm. to KB) ;(EKB[SKB],PKB ) -- (fuzzy comm. to KC) ;(EKC[SKC],PKC ) • Can be a universal service: E.g., Amazon, Citibank, etc. can all store keys in Alice’s vault Alice Bob Charlie • With external “hardening” server, can use fewer than 15 questions

27. Proving Security This is the hardest part... • Random (or cryptographic) hash H does not yield good results • E.g., UOWHFs do not help (as hash is published) • We must customize hash as best we can to distribution over individual answers • I.e., we craft H1,H2,…,H15 based on what form answers are likely to take

28. Refining the user experience (prototype) • For recovery only • What questions should we ask? • In what form do we pose the questions? • How can we best “normalize” answers? • How can we best jog the user’s memory? • How many questions can we ask? • Can use, e.g., 3 out of 5, with hardening server

29. Questions? What was the profession of your maternal grandfather? Where did you celebrate the millenium? What is the name of your doctor? What did you give your mother for her 50th birthday? What is your favorite piece of music? What is the name of your father’s best friend?