protecting password input with acoustic one-time-pads

2014-01-04
think of a situation where you sit in the tram next to someone and you want to unlock your portable device. it’s pretty stupid that anyone (including surveillance cameras) who watches you type can basically see your password. the same problem occurs on stationary computers when you are (*gasp*) not alone in the room.
this is a proposal of a fairly simple way of encrypting a password on its way from your brain to the computer.
 
here is my solution:
  1. for easy in-brain encryption we recommend a hexadecimal numeric password. let’s take „5A491C6E“ as an example. of course, important passwords should be longer. a hexadecimal keypad offers a decent data rate on a small area and its regularity helps visualizing the encryption.
  2. when being prompted to enter the password (for example tapping on the „enter password“ field) you are given a random digit over the headphone. that is the key for encrypting the first digit.
  3. you remember the first digit of your password (5) and add it to the digit you just got over your headphone (let’s say it’s 2), which gives 7. don’t carry anything, if you get „13“ just enter the „3“.
  4. you type in your result on the keypad. you receive the next random digit to encrypt the next digit of the password and so on. with some practice, this should go pretty quickly.
  5. as you type it in, the device can decrypt each digit with the key it gave you. you hit enter and you’re finished.
the key you receive acts as a one-time-pad, which is, in itself, resistant to cryptanalysis. much more importantly, it is easily performed in the head.
the key might be spoken by voice synthesis or might be encoded with tones in some way.
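
the steps above, simulated end to end as an added example (not code from the original post). the function names are made up for illustration, „don’t carry“ is assumed to mean addition modulo 16 on hex digits, and the xor mode is the variant mentioned in the edit at the end of the post.

```python
import secrets

HEX = "0123456789ABCDEF"

def new_pad(length):
    """device side: one fresh random hex digit per password digit,
    played over the headphone. never reused for a second login."""
    return "".join(secrets.choice(HEX) for _ in range(length))

def _combine(a, b, mode, sign):
    # "add" = digit-wise addition mod 16 (no carry); anything else = xor
    return (a + sign * b) % 16 if mode == "add" else a ^ b

def encrypt(password, pad, mode="add"):
    """user side (done in the head): what actually gets typed on the keypad."""
    if len(password) != len(pad):
        raise ValueError("pad must have one digit per password digit")
    return "".join(HEX[_combine(int(p, 16), int(k, 16), mode, +1)]
                   for p, k in zip(password, pad))

def decrypt(typed, pad, mode="add"):
    """device side: undo each digit with the pad digit it handed out."""
    if len(typed) != len(pad):
        raise ValueError("pad must have one digit per typed digit")
    return "".join(HEX[_combine(int(c, 16), int(k, 16), mode, -1)]
                   for c, k in zip(typed, pad))

def verify_entry(typed, pad, stored_password, mode="add"):
    """device side: accept only if the decrypted entry matches.
    (a real device would compare against a password hash instead.)"""
    if len(typed) != len(pad):
        return False
    return secrets.compare_digest(decrypt(typed, pad, mode),
                                  stored_password.upper())

if __name__ == "__main__":
    password = "5A491C6E"              # example password from the post
    for attempt in range(2):           # two logins, two different pads
        pad = new_pad(len(password))
        typed = encrypt(password, pad)
        # an onlooker only sees `typed`, which changes on every login
        print(pad, typed, verify_entry(typed, pad, password))
```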
 
obviously everyone who hears what you’re hearing and sees what you type can still decipher your password.
it should be transmitted as quietly as possible. sound-insulating headphones are very advantageous.
other possible attack vectors would be the headphone cable’s electromagnetic emissions or involuntary gestures or eye movements that may perhaps reveal the key or password (training should help with that). but any of these attacks is much harder than watching a person type.
and, of course, insecure hardware and software (in particular proprietary operating systems) can offer vulnerabilities or back doors on their own.
this image may help illustrate the process:
Image

edit 2014-02-15:
i have to admit, i thought the adding was easier to visualize. XOR isn’t quite intuitive either. but both are perfectly learnable. after trying it, i think i prefer XOR.
