OK, today I talk about ‘Towards new security primitives based on hard AI problems’. We all know that actually most security primitives are based on hard math problems, such as integer factorisation and discrete logarithm, but in 2003, using hard AI problems for security purposes was proposed at CMU. Everyone knows that Captcha is the most successful example. The research question we have asked is very simple: what else can we invent along this line? Can we do anything else in security primitives based on hard AI problems?
My next slide, which some people in this audience have seen before, is taken from a talk I gave at a Cambridge Security Seminar in 2007. At the time I was busy designing a new graphical password scheme, which is now known as Background Draw A Secret. I had a look at a popular graphical password scheme, which is called PassPoints. In this scheme basically each user has an image, you click five points on this image, and derive your password. Apparently you can apply image processing techniques to automatically grab all those salient points, those eye-catching points. Therefore, if you do a random combination of those salient points you effectively do a brute-force attack on the passwords. And in this system, because multiple users will use the same image to create and enter their passwords, some salient points are more popular than others, therefore they lead to ‘hotspots’. If the hotspots are detected then you effectively can launch a very successful dictionary attack to break PassPoints. The attack was demonstrated in two papers, one at USENIX Security’07 and the other at SOUPS’07.