Home > Research > Publications & Outputs > Towards new security primitives based on hard a...

Links

Text available via DOI:

View graph of relations

Towards new security primitives based on hard ai problems (Transcript of discussion)

Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSNConference contribution/Paperpeer-review

Published
Publication date2013
Host publicationSecurity Protocols XXI: 21st International Workshop, Cambridge, UK, March 19-20, 2013, Revised Selected Papers
EditorsBruce Christianson, James Malcolm, Frank Stajano, Jonathan Anderson, Joseph Bonneau
Place of PublicationBerlin
PublisherSpringer Verlag
Pages11-18
Number of pages8
ISBN (Electronic)9783642417177
ISBN (Print)9783642417160
<mark>Original language</mark>English
Event21st International Workshop on Security Protocols XXI - Cambridge, United Kingdom
Duration: 19/03/201320/03/2013

Conference

Conference21st International Workshop on Security Protocols XXI
Country/TerritoryUnited Kingdom
CityCambridge
Period19/03/1320/03/13

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume8263
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Conference

Conference21st International Workshop on Security Protocols XXI
Country/TerritoryUnited Kingdom
CityCambridge
Period19/03/1320/03/13

Abstract

OK, today I talk about ‘Towards new security primitives based on hard AI problems’. We all know that actually most security primitives are based on hard math problems, such as integer factorisation and discrete logarithm, but in 2003, using hard AI problems for security purposes was proposed at CMU. Everyone knows that Captcha is the most successful example. The research question we have asked is very simple: what else can we invent along this line? Can we do anything else in security primitives based on hard AI problems?
My next slide, which some people in this audience have seen before, is taken from a talk I gave at a Cambridge Security Seminar in 2007. At the time I was busy designing a new graphical password scheme, which is now known as Background Draw A Secret. I had a look at a popular graphical password scheme, which is called PassPoints. In this scheme basically each user has an image, you click five points on this image, and derive your password. Apparently you can apply image processing techniques to automatically grab all those salient points, those eye-catching points. Therefore, if you do a random combination of those salient points you effectively do a brute-force attack on the passwords. And in this system, because multiple users will use the same image to create and enter their passwords, some salient points are more popular than others, therefore they lead to ‘hotspots’. If the hotspots are detected then you effectively can launch a very successful dictionary attack to break PassPoints. The attack was demonstrated in two papers, one at USENIX Security’07 and the other at SOUPS’07.