Neuroscience Meets Cryptography: Designing Crypto Primitives Secure Against Rubber Hose Attacks
Authors: H. Bojinov, D. Sanchez, P. Reber, D. Boneh, and P. Lincoln
Abstract:
Cryptographic systems often rely on the secrecy of cryptographic keys
given to users. Many schemes, however, cannot resist coercion attacks
where the user is forcibly asked by an attacker to reveal the key.
These attacks, known as rubber hose cryptanalysis, are often the
easiest way to defeat cryptography. We present a defense
against coercion attacks using the concept of implicit learning from
cognitive psychology. Implicit learning refers to
learning of patterns without any conscious knowledge of the learned
pattern. We use a carefully crafted computer game to plant a secret
password in the participant's brain without the participant having any
conscious knowledge of the trained password. While the planted secret
can be used for authentication, the participant cannot be coerced into
revealing it since he or she has no conscious knowledge of it. We
performed a number of user studies using Amazon's Mechanical Turk to
verify that participants can successfully re-authenticate over time and
that they are unable to reconstruct or even recognize short fragments of the
planted secret.
Reference:
In Proceedings of USENIX Security 2012.
Related papers: See our survey paper at CACM: Commun. ACM 57(5): 110-118 (2014)