Mnemonic Guard
personal verification technology
based on old memory, overcoming the security paradox
without risking privacy
Mnemonic Security, Inc.
http://www.mneme.co.jp
so easy to lose
15% of businessmen lost some mobile devices in 2001 in Japan according to Gartner Japan.
→ Whether ubiquitous computing will come true as a dream or a nightmare hinges on whether or not there is a valid personal verification technology.
human factor
• Assume that terminals talk to each other. → It is the terminal devices that matter. → Users are viewed as protein-made operation robots. → The vulnerability of human beings is often out of sight.
• Assume that people talk to each other via terminals. → It is people in real life that matter. → Terminal devices are just tools held in people's hands. → The vulnerability of human beings is always in focus.
significance of personal verification
Encrypted data must be made human-readable when presented to the authorized individuals.
Personal verification is the key to rejecting impersonators and protecting data from theft.
Even perfectly unbreakable encryption is invalid in front of a successful impersonator.
security of personal verification
Easy-to-remember passwords, as commonly used, are too vulnerable. It is widely believed that the solutions should be:
• Place the passwords under stricter control
• Use the unique human body as the password
• Reject those who do not have the specified tokens
• Combine the above
Taken for granted. But who proved it, and how?
Paradox of Password
Intent: Make it longer, more inorganic, and change it more often. Then, security should improve!
→ cannot remember → write it down and carry it around or paste it → towards collapse of security
Fatal collapse under a mobile environment. With accounts increasing, even the brightest start to see collapse.
Intent: Reject those who fail, say, three times. Then, security should improve!
→ Rejection = Loss of business. The solution is to write it down or use unforgettable personal data → Unforgettable data are the easiest for impersonators to find out → towards collapse of security
Paradox of Biometrics
Intent: Use the unique features of the human body as verification data. Then, security should improve!
→ By nature, false rejection cannot be eliminated → Rejection = Loss of business. Rely on backup/recovery passwords provided in OR style → Forget biometrics! Break passwords! → towards the worst collapse of security
Furthermore, one is obliged to use the easiest-to-break data unless a memo is allowed to be carried around or pasted.
Passwords to be registered just in case.
Valid where we do not have to rely on passwords, say, in our own place.
The human body cannot be replicated, but features of the body can be easily replicated despite their nature of privacy.
That identification (who is this person?) is different from verification (is this person who they claim to be?) is too often overlooked.
Paradox of Tokens
Intent: Reject those who fail to produce the necessary tokens. Then, security should improve!
→ Tokens left behind = Loss of business → Endeavor not to leave them behind → Increase the chances of simultaneous loss or theft of devices & tokens → Endeavor not to lose both devices & tokens at a time → Back to "Token left behind" → Try to escape from this loop → Use just-in-case passwords in OR style → towards the worst collapse of security
Valid where we do not have to rely on passwords, say, in our own place.
Paradox of Combination
Intent: Each solution may have its weakness. Combine them. Then, security should improve!
Combination in AND style: the problem of "Rejection = Loss of business" will only get worse.
Combination in OR style: the security of the whole system will be determined by that of the weakest component, that is, the just-in-case passwords in most cases. There is no third combination style other than AND and OR.
Combination will not help security improve, but will help spread a false sense of security.
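The AND/OR argument above, worked through numerically as an added illustration (not part of the original slides): independent components combined in AND style can only raise the false-rejection rate, while OR style can only raise the impersonator-acceptance rate above that of the weakest component. The component rates used are constructed assumptions.

```python
from math import prod


def combine(factors, style):
    """System-level error rates for independent verification components.

    factors: list of (false_reject_rate, impersonator_accept_rate), one per
    component. style "AND": every component must accept the user.
    style "OR": any one component accepting is enough (for example a
    just-in-case password as fallback for biometrics or a token).
    Returns (system_false_reject_rate, system_impersonator_accept_rate).
    """
    frr = [f for f, _ in factors]
    iar = [a for _, a in factors]
    if style == "AND":
        # the legitimate user is rejected as soon as any one component rejects;
        # an impersonator must defeat all of them
        return 1 - prod(1 - f for f in frr), prod(iar)
    if style == "OR":
        # the legitimate user is rejected only if every component rejects;
        # an impersonator needs to defeat just one
        return prod(frr), 1 - prod(1 - a for a in iar)
    raise ValueError("only AND and OR combinations exist")


def weakest_component(factors):
    """Highest impersonator-acceptance rate among the components."""
    return max(a for _, a in factors)


# Constructed, assumed rates: a biometric that falsely rejects 2% of the time
# and accepts an impersonator 0.1% of the time, backed by a just-in-case
# password that is seldom forgotten but guessed in 5% of attempts.
BIOMETRIC = (0.02, 0.001)
JUST_IN_CASE_PASSWORD = (0.001, 0.05)
```

With these rates the OR combination admits impersonators 5.095% of the time (worse than the password alone) and the AND combination falsely rejects 2.098% of legitimate users (worse than the biometric alone).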
Security Paradox
An ironic phenomenon in which a good intention to improve security ends up with the paradoxical result of collapse:
Paradox of Password
Paradox of Biometrics
Paradox of Tokens
Paradox of Combination
what identity
Identity of Token, Body and Personality: what matters for business and information security?
Identity of Token: tokens tell nothing about whose hands they are in now.
Identity of Body: cases of multiple personality with disintegrated memory.
Identity of Personality: sustained and integral memory.
It is the personality, not the token or body, that matters for business. Verification of the identity of personality cannot be replaced by body or token identification.
establish identity of personality
The identity of the personality can be established only by verifying the memory shared by the individual and the system.
Objective personal data unique to an individual, which can be written down in letters and numbers, can be easily gathered by impersonators.
Subjective, emotion-influenced visual images memorized by an individual cannot, particularly when they have survived decades.
→ Research methods to verify the visual images. → Develop solutions that make good use of long-term memory. → Also, make every effort to mitigate the stress that people feel.
first step to overcome security paradox
merits and limitations of picture-based passwords
Merits of image-based verification:
• easier to retain, since it is visually concrete
• easier to revive, because it relies on re-cognition of what is in sight, not re-call of what is out of sight
Limitations of simple image-based passwords:
• still subject to oblivion, not freed of the security paradox
• not strong enough on a small screen
Mnemonic Guard: overcome security paradox
The user only has to select the registered symbols to complete the verification.
The sort of mistakes that the legitimate user can make will be tolerated and retrials will be encouraged. In case of forced access, the user can select the emergency symbol as well as the verification symbols, so that the system will know of the emergency without the intimidator noticing the silent communication.
Photos of pet dogs we used to love decades ago are mixed with decoy dogs. For those who loved those memorable dogs, there could be no failure in verification.
An impersonator, who has to try random choices, will be rejected as soon as they make the sort of mistakes that the legitimate user can hardly make. The device will be made not to work, or the alarm system will be triggered.
Mnemonic Guard: overcome security paradox
An example of the verification screen prepared for an 80-year-old lady, who uses as the verification data, or pass-symbols, 3 or 4 old photos of her granddaughters taken 20 years ago.
On a small screen, each symbol, when pointed at, could be enlarged to show details.
Mnemonic Guard: simple operation for reliable identity verification
For the legitimate user: easy and simple operation of selecting a few or several symbols registered as verification data. The sort of mistakes that the legitimate user can make will be tolerated, and the user can keep retrying without feeling stress.
For an impersonator: Mnemonic Guard software provides not just user verification but also impersonator verification. The impersonator will be rejected at a very early stage of the trial.
Also provided are functions for emergency signaling, child-lock/fail-proof, enlarge/shrink, optional input, etc., for the best possible usability.
The user can build, or have built, their own verification pictures from old photos or similarly emotion-influenced objects. There cannot be failure in verification by oblivion.
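A model of the verification round described in the Mnemonic Guard slides above, added here as an illustration and not Mnemonic Security's own code: pass-symbols are mixed with decoys, omissions (the legitimate user's kind of mistake) are tolerated and retried, picking a decoy (the impersonator's kind of mistake) locks the device, and an emergency symbol raises a silent alarm. The tolerance of one omission, the separate emergency photo and all sample photo names are assumptions.

```python
from dataclasses import dataclass
from math import comb
import random

@dataclass(frozen=True)
class Outcome:
    granted: bool  # access granted
    alarm: bool    # silent emergency signal raised for the operator
    locked: bool   # impersonator-type mistake seen: device stops working
    reason: str

@dataclass(frozen=True)
class PictureVerifier:
    pass_symbols: frozenset       # photos the user registered as pass-symbols
    decoys: frozenset             # look-alike photos the user never saw
    emergency_symbol: str         # assumed: one extra registered "duress" photo
    tolerated_omissions: int = 1  # assumed: a legitimate user may miss one photo

    def screen(self):
        """The grid shown to the user: pass-symbols, decoys and the emergency
        symbol mixed in random order."""
        grid = list(self.pass_symbols | self.decoys | {self.emergency_symbol})
        random.shuffle(grid)
        return grid

    def verify(self, chosen) -> Outcome:
        chosen = set(chosen)
        alarm = self.emergency_symbol in chosen  # noted silently; flow unchanged
        chosen.discard(self.emergency_symbol)
        wrong = chosen - self.pass_symbols
        if wrong:  # a decoy was picked: the owner of the memory hardly does this
            return Outcome(False, alarm, True, "decoy selected: " + ", ".join(sorted(wrong)))
        missed = self.pass_symbols - chosen
        if len(missed) > self.tolerated_omissions:  # the owner's kind of mistake
            return Outcome(False, alarm, False, f"{len(missed)} omitted; retry encouraged")
        return Outcome(True, alarm, False, "verified")

def random_guess_success(grid_size, n_pass, tolerated_omissions):
    """Best single-try odds for an impersonator choosing at random: pick the
    fewest symbols that can still pass and hope every one is a pass-symbol."""
    k = n_pass - tolerated_omissions
    return comb(n_pass, k) / comb(grid_size, k)

# Constructed sample data: four photos of long-gone pet dogs among eleven decoys.
PASS = frozenset({"dog_01", "dog_02", "dog_03", "dog_04"})
DECOYS = frozenset(f"decoy_{i:02d}" for i in range(11))
GUARD = PictureVerifier(PASS, DECOYS, "dog_emergency")
```

Selecting three of the four dogs is granted as a tolerated omission, adding "decoy_05" locks the device, and adding "dog_emergency" to a correct selection grants access while raising the silent alarm. On this 16-symbol grid a random three-symbol guess succeeds with probability 4/560, about 0.7%.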
products
• data leakage from mobile devices: on the market for Windows 2000 and PocketPC
• illegal access to domain controllers and web servers: on the way to the market
• illegal login into specific application software: under development
• illegal physical access to data centers: under planning, with monitor-invisibility technology
projects
Mnemonic Security, Inc.
• picture production business for the busy and elderly; alliance: VIO, Tokyo University, NILS; government project with TAO
• assured P2P communications platform to protect privacy with minimum risks to law and order; alliance: Fujitsu PST, Prof. Hideki Imai of Tokyo University; government project with IPA
• user/system mutual verification system; alliance: Tokyo University, Fujitsu PST, VIO; to be a government project with TAO