TY - JOUR
T1 - Neuroscience meets cryptography
T2 - Crypto primitives secure against rubber hose attacks
AU - Bojinov, Hristo
AU - Sanchez, Daniel
AU - Reber, Paul
AU - Boneh, Dan
AU - Lincoln, Patrick
PY - 2014/5
Y1 - 2014/5
N2 - Cryptographic systems often rely on the secrecy of cryptographic keys given to users. Many schemes, however, cannot resist coercion attacks where the user is forcibly asked by an attacker to reveal the key. These attacks, known as rubber hose cryptanalysis, are often the easiest way to defeat cryptography. We present a defense against coercion attacks using the concept of implicit learning from cognitive psychology. Implicit learning refers to learning of patterns without any conscious knowledge of the learned pattern. We use a carefully crafted computer game to allow a user to implicitly learn a secret password without them having any explicit or conscious knowledge of the trained password. While the trained secret can be used for authentication, participants cannot be coerced into revealing it since they have no conscious knowledge of it. We performed a number of user studies using Amazon's Mechanical Turk to verify that participants can successfully re-authenticate over time and that they are unable to reconstruct or even robustly recognize the trained secret.
AB - Cryptographic systems often rely on the secrecy of cryptographic keys given to users. Many schemes, however, cannot resist coercion attacks where the user is forcibly asked by an attacker to reveal the key. These attacks, known as rubber hose cryptanalysis, are often the easiest way to defeat cryptography. We present a defense against coercion attacks using the concept of implicit learning from cognitive psychology. Implicit learning refers to learning of patterns without any conscious knowledge of the learned pattern. We use a carefully crafted computer game to allow a user to implicitly learn a secret password without them having any explicit or conscious knowledge of the trained password. While the trained secret can be used for authentication, participants cannot be coerced into revealing it since they have no conscious knowledge of it. We performed a number of user studies using Amazon's Mechanical Turk to verify that participants can successfully re-authenticate over time and that they are unable to reconstruct or even robustly recognize the trained secret.
UR - http://www.scopus.com/inward/record.url?scp=84899651018&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84899651018&partnerID=8YFLogxK
U2 - 10.1145/2594445
DO - 10.1145/2594445
M3 - Article
AN - SCOPUS:84899651018
SN - 0001-0782
VL - 57
SP - 110
EP - 118
JO - Communications of the ACM
JF - Communications of the ACM
IS - 5
ER -