Boston University
BU-Today

The safety of fuzzy secrets

NSF awards $400,000 to take cryptography to next level

March 17, 2006
  • Chris Berdik
Leo Reyzin was rewarded for thinking outside of the cryptographic box.

Every day, millions of Americans log into “secure” Web pages and computer databases — from personal e-mail to bank accounts to corporate files — using passwords that are amalgamations of initials, birthdays, and the names of pets or children. If it’s a particularly important or complex password, they may write it down, as 64 percent of respondents in a 2003 survey by SearchSecurity.Com said they did.

All this makes for a very insecure world of computer-stored data, according to Leonid Reyzin, a College of Arts and Sciences assistant professor of computer science and a cryptographer. “The problem with passwords is that there’s an inherent conflict between a secure password and an easy-to-remember password, and you want both,” says Reyzin.

He argues that attaining real computer security requires a new approach to cryptography, and the National Science Foundation (NSF) agrees. It has awarded Reyzin a 2006 CAREER Award, $400,000 over the next five years, to pursue a collection of research initiatives titled Cryptography Outside the Box. Some of Cryptography Outside the Box will attempt to improve “cryptographic models,” the mathematical approximations of real-world computer-user and hacker habits and capabilities, which are used to prove, mathematically, that a particular computer security program works.

Traditionally, says Reyzin, these models make certain assumptions that just don’t hold up to reality. For instance, the models often falsely assume that computers themselves are “black boxes,” where, as Reyzin puts it, “whatever is computed inside doesn’t leak information until it’s sent out somewhere [such as the Internet].”

Unfortunately, research has shown that a hacker can discover secret, multidigit security keys just by measuring the electromagnetic radiation, power usage, and computation time of a computer running an encryption program. Another unrealistic assumption of cryptographic models is that computer users have access to perfectly random security keys that they can carry with them and recall at will and that are never stolen.

“That is, of course, very difficult to implement in real life,” says Reyzin. “We all know that we don’t actually carry around 60-digit secret keys. At best, we carry around some tiny little passwords in our heads that are not much good for security.”

“Passwords are so easily guessed because we’re forcing [computer] users to remember them and remember them precisely,” he adds. He thinks a better solution might be so-called “fuzzy secrets,” such as answers to questionnaires, keystroke timing, or mouse-drawn sketches, which are not so easily guessed but allow for a certain degree of inexactness.

Consequently, turning fuzzy secrets into workable cryptographic tools is another focus of Cryptography Outside the Box. “There are many things that we as humans can remember very well, but not precisely,” Reyzin says. Fuzzy secrets can also include biometric measurements such as fingerprints and iris scans, which are very close but never exactly the same from measurement to measurement. While the secrets may be fuzzy, the potential payoff of better computer security is crystal clear.

According to the 2005 Computer Crime and Security Survey, conducted by the FBI and the San Francisco–based Computer Security Institute, 56 percent of surveyed companies, nonprofits, and government offices experienced a computer security breach in the past year, up from 53 percent in 2004, equaling an average loss of $204,000 per respondent. And the need for more security will only increase with the growing number of portable, and networked, computing devices, which are easily lost or stolen.

It was Edgar Allan Poe, with his keen interest in ciphers and enigmas, who predicted that “human ingenuity cannot concoct a cipher which human ingenuity cannot resolve.” Reyzin is optimistic that modern cryptography may eventually break that cycle.

“We’re starting to chip away at that idea that cryptography is sort of a cat-and-mouse game that continues forever,” he says, by proving the mettle of security tools with mathematical precision. Still, he admits, “[While a mathematical] proof is comforting, it’s only as good as how well the real world matches your model.”

 
