TY - GEN

T1 - Towards new security primitives based on hard ai problems (Transcript of discussion)

AU - Yan, Jeff

PY - 2013

Y1 - 2013

N2 - OK, today I talk about ‘Towards new security primitives based on hard AI problems’. We all know that actually most security primitives are based on hard math problems, such as integer factorisation and discrete logarithm, but in 2003, using hard AI problems for security purposes was proposed at CMU. Everyone knows that Captcha is the most successful example. The research question we have asked is very simple: what else can we invent along this line? Can we do anything else in security primitives based on hard AI problems?My next slide, which some people in this audience have seen before, is taken from a talk I gave at a Cambridge Security Seminar in 2007. At the time I was busy designing a new graphical password scheme, which is now known as Background Draw A Secret. I had a look at a popular graphical password scheme, which is called PassPoints. In this scheme basically each user has an image, you click five points on this image, and derive your password. Apparently you can apply image processing techniques to automatically grab all those salient points, those eye-catching points. Therefore, if you do a random combination of those salient points you effectively do a brute-force attack on the passwords. And in this system, because multiple users will use the same image to create and enter their passwords, some salient points are more popular than others, therefore they lead to ‘hotspots’. If the hotspots are detected then you effectively can launch a very successful dictionary attack to break PassPoints. The attack was demonstrated in two papers, one at USENIX Security’07 and the other at SOUPS’07.

AB - OK, today I talk about ‘Towards new security primitives based on hard AI problems’. We all know that actually most security primitives are based on hard math problems, such as integer factorisation and discrete logarithm, but in 2003, using hard AI problems for security purposes was proposed at CMU. Everyone knows that Captcha is the most successful example. The research question we have asked is very simple: what else can we invent along this line? Can we do anything else in security primitives based on hard AI problems?My next slide, which some people in this audience have seen before, is taken from a talk I gave at a Cambridge Security Seminar in 2007. At the time I was busy designing a new graphical password scheme, which is now known as Background Draw A Secret. I had a look at a popular graphical password scheme, which is called PassPoints. In this scheme basically each user has an image, you click five points on this image, and derive your password. Apparently you can apply image processing techniques to automatically grab all those salient points, those eye-catching points. Therefore, if you do a random combination of those salient points you effectively do a brute-force attack on the passwords. And in this system, because multiple users will use the same image to create and enter their passwords, some salient points are more popular than others, therefore they lead to ‘hotspots’. If the hotspots are detected then you effectively can launch a very successful dictionary attack to break PassPoints. The attack was demonstrated in two papers, one at USENIX Security’07 and the other at SOUPS’07.

U2 - 10.1007/978-3-642-41717-7_3

DO - 10.1007/978-3-642-41717-7_3

M3 - Conference contribution/Paper

AN - SCOPUS:84893355957

SN - 9783642417160

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 11

EP - 18

BT - Security Protocols XXI

A2 - Christianson, Bruce

A2 - Malcolm, James

A2 - Stajano, Frank

A2 - Anderson, Jonathan

A2 - Bonneau, Joseph

PB - Springer Verlag

CY - Berlin

T2 - 21st International Workshop on Security Protocols XXI

Y2 - 19 March 2013 through 20 March 2013

ER -