Date: Sun, 25 Jan 2009 03:33:10 -0500
From: Steven J Klein
Subject: England's NHS loses patient data: bad news, good news, bad news

Bad news: A National Health Service employee lost a flash drive containing personal information of up to 6,360 patients.

Good news: The data on the flash drive was encrypted.

Bad news: The password was written on a sticky-note attached to the drive.

Paraphrased from the *Lancashire Evening Post*

Upload: dora-mccoy

Post on 21-Jan-2016



Neo: I suppose the most obvious question is: how can I trust you?

The Oracle: Bingo! It is a pickle. The bad news is that there’s no way you can really know whether I’m here to help you or not, so it’s really up to you. You just have to make up your own mind to either accept what I’m going to tell you, or reject it.


“Have I reached the party to whom I am speaking?” -- Lily Tomlin as Ernestine


FIPS-181* Password Gen Standard

Password             Score (Mac OS X)
Chester              WEAK
blibdonbiz           FAIR
gothignuhoiv         FAIR
gothignuhoiv$        GOOD
Gothignuhoiv         GOOD
Gothignuhoiv$        EXCELLENT
tapes8(Lynne         EXCELLENT
cusmannyukjagomm     GOOD

* http://www.itl.nist.gov/fipspubs/fip181.htm


Leaky Authentication #1 *

Welcome to XYU Computing Services

Enter Username: foople

*** Unknown Username – Retry

Enter Username: _

* Adapted from Pfleeger & Pfleeger

Leaky Authentication #2*

Welcome to XYU Computing Services

Enter Username: foople

Enter Password: *******

*** Authentication Failed

*** Attempt 1 of 3

Enter Username: _

* Adapted from Pfleeger & Pfleeger

Leaky Authentication #3*

Enter Username: fopple

Enter Password: *******

*** Authentication Failed

*** Attempt 1 of 3

Enter Username: foople

Enter Password: *******

*** Authentication Succeeded

Welcome to XYU Computing Services

->

* Adapted from Pfleeger & Pfleeger

Schneier on Passwords

Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.


There’s always paper


Schneier on Passwords

Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.

NO !!! Passwords aren’t the answer for all system authentication needs

CAPTCHAS

• “Completely Automated Public Turing test to tell Computers and Humans Apart.” – Luis von Ahn, Manuel Blum, Nicholas J. Hopper (all of Carnegie Mellon University), and John Langford (then of IBM) in 2000

What you have: Security Tokens


One-time password w/ clock


One-time password using an iterated Hash function


Iterated password allows a simple attack if Alice fails to authenticate the server


ISO SC27 Example


ISO SC27 Attack 1


ISO SC27 Attack 2


Protocol Design Gotcha’s

• Replay attacks
• Reflection attacks
• Oracle / Dictionary attacks
• Extra participants

Best advice: Don’t design your own if you can avoid it! Use a standard, well-vetted protocol instead!

What you are: Biometrics


Identity is always driven by our senses, each with variable levels of accuracy


Of course, choosing which sense to use in any given identification situation is subject to
– Environment
– Etiquette
– Local laws

Sight and Sound

• With speech, we believe we know who we’re talking to because
  – We may recognize their voice (fairly strong authentication, but subject to colds, etc.)
  – We called them on the telephone and we assume that we reached the right person (uhm, well maybe ... )
  – They called us on the telephone and we assume they are who they say they are (uhm, well ...)

Sight Only

• We may be able to see the person (strong authentication, but subject to haircuts or hair coloring, tans, aging, weight loss, etc.)
• With the written word, we believe we know who is “talking” to us because
  – the publishers must have checked …
  – that’s their logo on the webpage …
  – the label on that watch really says Rolex™, but it’s just printed small … right?
  – surely not all of those Nigerian emails are fraudulent

Touch

• Embossed seals on paper
• Highly-developed tactile senses of sight-impaired folks

... But awkward to do quickly or with the general public

Smell

Humans aren’t particularly good at this one
– “I know that perfume”
– “Gee, your hair smells terrific!”
– “Uhm, could you stand over there?”

Again, tough to do with the general public, but there is ongoing research ...

Taste

Beyond identifying basalt samples in the “lick lab” of Geology 101, humans just aren’t gifted here.

Credibility of Identity Varies

• Depends upon context and environment
• May be influenced by others
• May change from day to day
• May be misled by disguises

Old ways of establishing identity

Before the digital age, these were based upon physical things/actions or sensory inputs.


Is digital identity an improvement?


Are strong biometrics the answer?

The ones that work best scare people the most

Plus, they are hard to obtain without getting up close

And they’re really personal!


Why are biometrics scary?

Biometrics cannot be replaced
– most biometrics are not a secret
– once compromised, compromised forever

What if a biometric is used for cross matching?
– Biometrics collected for one application can be shared to retrieve other private information (health care, law-enforcement, financial background)

Biometrics Challenge

Can we find a technique which permits us to safely replace biometrics as easily as a stolen credit card?

One solution is to use Cancelable Biometrics

• Intentional repeatable distortion
  – alters signal but still in correct format
  – generates a similar signal each time
• Compromised scenario:
  – a new distortion creates a new biometrics
• Comparison scenario:
  – different distortions for different accounts

© New Yorker Magazine (Charles Addams)

Hash Functions: Ideal for passwords and text

Inputs (1 character difference): FIRE ALL LINUX PROGRAMMERS and HIRE ALL LINUX PROGRAMMERS

SHA outputs (65 bits difference !!): 33B21856A91D2FBB5BC4144C69B23F85 and 43C08679B2FD54C65467DDCC9C00AD49

Can we simply hash a fingerprint?!

Hashing: Doesn’t work for biometrics

[Figure: fingerprint comparison. 26 points match, 15 points don’t match: OK]

SHA outputs: F313C86188DDE96bD48AD58CDECDB9E8 and 80BC979099C2FA643E4C5432A03E01B8. Don’t match at ALL !!

Encryption vs. Distortion

Encryption                                    | Intentional Distortion
Encrypted signal does not resemble original.  | Transformed signal looks like a normal signal.*
Original is recovered after decryption.       | Original signal is generally not recoverable.

What we need is a way of moving around in the space of a class of biometric data in an irreversible manner

ONE WAY MAPPING

Open issues

Practical:
• Will this solve fake input (fake finger, fake face)?
  – No, if we have access to the transform database
• Where do we store the transform?
  – server
  – smartcard/card

Theoretical:
• How many distortion transforms are possible for a given biometrics?
• Is the original signal reconstructible from a set of distorted versions?

Technical:
• Which distortion transform model is better: signal or feature?
  – possibly a combination of both
• How will the error rates change?

XY Permutation (feature domain)

block scramble

>> point positions are distorted rather than whole image <<

Radial Permutation Transform

sector scramble

Direction Field Transform

surface warp

Impact on Performance

[Figure: selection of possible error tradeoffs, ranging from BEST to WORST; the two error directions are “more imposters get in” and “genuine person more often rejected”]

25 October 2006

Fingerprint example: two impressions

Registration based on “core” and “delta”

Original 1 Original 2


Distorted versions still appear similar

Distorted 1 Distorted 2


Fingerprints mostly matched by “Minutiae”

Finding minutiae

Livescan Input Enhancement

Match ridge endings and bifurcations between prints and evaluate

Minutiae of distortions match, but not to original

Original 1 vs. Distorted 1: no match; Distorted 1 vs. Distorted 2: match
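The block scramble from the XY permutation slide, together with the point of the hashing slide, as an added Python example that is not part of the original deck: minutiae from two impressions of one finger are moved block by block under a keyed permutation. The grid size, tolerance, threshold, key strings and all coordinates are constructed for illustration, and `random.Random` stands in for a proper keyed generator.

```python
import hashlib
import math
import random

SIZE, GRID = 256, 4          # registered 256x256 print split into 4x4 blocks
BLOCK = SIZE // GRID
TOLERANCE = 6.0              # max distance (px) for two minutiae to pair up
MATCH_THRESHOLD = 8          # paired minutiae required to accept

def block_permutation(key):
    """Keyed block permutation. Sattolo's shuffle yields one 16-cycle, so
    every block moves (a plain shuffle could leave blocks in place)."""
    rng = random.Random(key)             # demo only: not a cryptographic PRNG
    perm = list(range(GRID * GRID))
    for i in range(len(perm) - 1, 0, -1):
        j = rng.randrange(i)             # j < i strictly
        perm[i], perm[j] = perm[j], perm[i]
    return perm

def distort(points, key):
    """Move each minutia with its block; the offset inside the block is kept."""
    perm = block_permutation(key)
    moved = []
    for x, y in points:
        dst = perm[(y // BLOCK) * GRID + x // BLOCK]
        moved.append(((dst % GRID) * BLOCK + x % BLOCK,
                      (dst // GRID) * BLOCK + y % BLOCK))
    return moved

def count_matches(template, probe):
    """Greedy one-to-one pairing of minutiae that lie within TOLERANCE."""
    free, hits = list(template), 0
    for p in probe:
        near = [t for t in free if math.dist(p, t) <= TOLERANCE]
        if near:
            free.remove(min(near, key=lambda t: math.dist(p, t)))
            hits += 1
    return hits

def is_match(template, probe):
    return count_matches(template, probe) >= MATCH_THRESHOLD

def digest(points):
    """What a server would store if it 'simply hashed' the minutiae."""
    return hashlib.sha256(repr(sorted(points)).encode()).hexdigest()

# Constructed sample data. IMPRESSION_2 is the same finger again: 1-2 px of
# noise per minutia, two minutiae missed, one spurious minutia added.
IMPRESSION_1 = [(10, 10), (88, 38), (166, 24), (244, 52), (24, 74), (116, 88),
                (138, 102), (230, 116), (38, 138), (74, 152), (180, 166), (216, 180)]
NOISE = [(1, -2), (-2, 1), (2, 2), (0, -1), (-1, 0),
         (2, -1), (-2, -2), (1, 1), (0, 2), (-1, 2)]
IMPRESSION_2 = [(x + dx, y + dy)
                for (x, y), (dx, dy) in zip(IMPRESSION_1, NOISE)] + [(30, 222)]

if __name__ == "__main__":
    enrolled = distort(IMPRESSION_1, "account-A")      # stored template
    probe = distort(IMPRESSION_2, "account-A")         # fresh scan, same key
    print("hashes equal:          ", digest(IMPRESSION_1) == digest(IMPRESSION_2))
    print("raw 1 vs raw 2:        ", count_matches(IMPRESSION_1, IMPRESSION_2))
    print("distorted vs distorted:", count_matches(enrolled, probe))
    print("original vs distorted: ", count_matches(IMPRESSION_1, probe))
    reissued = distort(IMPRESSION_1, "account-A-v2")   # after a compromise
    print("old probe vs reissued: ", is_match(reissued, probe))
```

Reissuing a template is just a matter of choosing a new key, which is the "replace it like a stolen credit card" property the deck asks for.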


Real example: two images of the same face


Registration and Distortion


Cancelable Biometrics: Example

Two images of the same face

[Figure: repeatable distortion applied to the images; comparison labels: DON’T MATCH, DON’T MATCH, MATCH, MATCH]

Distortions have limits


Cancelable Biometrics in the Marketplace?

The company genkey has a product called BioHash® SDK.

http://www.genkey.com/en/technology/biohashr-sdk


Coin Flipping Protocol*

1. Alice & Bob generate public-key/private-key pairs
2. Alice creates 2 messages, one for heads and one for tails. Alice encrypts them both with her public key and sends them to Bob in random order: $E_A(M_1)$, $E_A(M_2)$
3. Bob chooses one at random, encrypts it with his public key and returns it to Alice: $E_B(E_A(M_n))$, where $n$ is 1 or 2
4. Alice can’t read it, but decrypts it with her private key and returns it to Bob: $D_A(E_B(E_A(M))) \Rightarrow E_B(M_1)$ or $E_B(M_2)$
5. Bob decrypts the message to reveal the result (heads or tails) and sends to Alice
6. Alice reads the result and verifies the string is correct
7. Alice and Bob reveal their key-pairs so that both can verify the other didn’t cheat

Works only if PK algorithm is commutative: $D_A(D_B(E_A(E_B(M)))) = D_B(D_A(E_A(E_B(M))))$

* Adapted from Schneier, pp. 90-91
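The seven steps above as an added, runnable Python example (not from the original slides or from Schneier's text). The slide names no cipher, so this sketch assumes exponentiation modulo a shared prime as the commutative algorithm; the helper names, the prime and the nonce format are illustrative choices.

```python
import math
import secrets

P = 2**521 - 1        # public prime shared by both parties (Mersenne prime)

def keygen():
    """Exponent pair (e, d) with e*d = 1 mod (P-1). In this cipher e must be
    kept secret as well, since d follows from e; both are revealed in step 7."""
    while True:
        e = secrets.randbelow(P - 3) + 2
        if math.gcd(e, P - 1) == 1:
            return e, pow(e, -1, P - 1)

def crypt(exponent, value):
    """E and D are the same operation; exponentiations commute mod P."""
    return pow(value, exponent, P)

def encode(label):
    """Label plus a random nonce, so Bob cannot recognise a ciphertext."""
    return int.from_bytes(f"{label}:{secrets.token_hex(16)}".encode(), "big")

def decode(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return raw.decode("ascii", "replace").split(":")[0]

def flip(alice_cheats=False):
    """Run steps 1-7 of the slide; return (outcome, audit_passed)."""
    (ea, da), (eb, db) = keygen(), keygen()                       # step 1
    labels = ["heads", "heads"] if alice_cheats else ["heads", "tails"]
    messages = [encode(label) for label in labels]                # step 2
    sent = [crypt(ea, m) for m in messages]
    secrets.SystemRandom().shuffle(sent)
    to_alice = crypt(eb, secrets.choice(sent))                    # step 3
    to_bob = crypt(da, to_alice)                                  # step 4: E_B(M_n)
    result = crypt(db, to_bob)                                    # step 5
    alice_accepts = result in messages                            # step 6
    # Step 7: keys are revealed. Bob checks that Alice's pair is consistent
    # and opens both of her original ciphertexts with it.
    keys_ok = (ea * da) % (P - 1) == 1
    opened = sorted(decode(crypt(da, c)) for c in sent)
    audit_passed = alice_accepts and keys_ok and opened == ["heads", "tails"]
    return decode(result), audit_passed

if __name__ == "__main__":
    print(flip())                      # outcome is random, audit passes
    print(flip(alice_cheats=True))     # ('heads', False)
```

The cheating run shows why step 7 matters: if Alice sends two "heads" messages, Bob only finds out once her key is revealed and he can open both ciphertexts.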


Zero Knowledge Example 1

How can I prove to you that I know where Waldo is in the picture, without giving away his specific position?

Start with a sheet of paper much larger than the picture, cut a small hole in it, and place the hole over Waldo.

The viewer can see Waldo, but cannot be sure how the picture is positioned under the cover.


Zero Knowledge Example 2

• Alice says she can count the # of leaves on a tree.
• Bob selects a tree, and tells Alice to look away.
• Bob says he will pick between 1 and 100 leaves from the tree.
• Bob tells Alice to turn around.
• Alice correctly tells him how many leaves he picked. The probability of Alice guessing correctly is 1/100.
• They repeat the cycle, and Alice is correct again, while the probability of guessing correctly twice (independently) is 1/10000 !
• The more times they repeat the cycle with Alice answering correctly, the less likely it is that she is guessing.
• THEREFORE, Alice must be able to count the leaves on the tree!

ZK Example 2: Proving knowledge of a private key*

1. Alice says she knows Carol’s private key and wants to prove it to Bob without revealing it OR decrypting anything encrypted with Carol’s keys. Carol’s public key is $e$, private key is $d$, and RSA modulus is $n$.
2. Alice and Bob agree on a random $k$ and $m$ such that $km \equiv e \pmod{n}$
3. Alice and Bob generate a random ciphertext, $C$.
4. Alice computes, using Carol’s private key: $M = C^d \bmod n$ and then $X = M^k \bmod n$ and sends $X$ to Bob.
5. Bob confirms that $X^m \bmod n = C$, and if it does, he believes Alice.

* - simplified, from Schneier pp.548-549