Tumblelog by Soup.io
Newer posts are loading.
You are at the newest post.
Click here to check if anything new just came in.

protecting password input with acoustic one-time-pads

think of a situation where you sit in the tram next to someone and you want to unlock your portable device. it’s pretty stupid that anyone (including surveillance cameras) who watches you typed can basically see your password. the same problem occurs on stationary computers when you are (*gasp*) not alone in the room.
this is a proposal of a fairly simple way of encrypting a password on it’s way from your brain to the computer.
here is my solution:
  1. for easy in-brain encryption we recommend a hexadecimal numeric password. let’s take “5A491C6E” as an example. of course, important passwords should be longer. a hexadecimal keypads offer decent data rate on a small area and it’s regularity helps visualizing the encryption.
  2. when being prompted to enter the password (for example tapping on the “enter password” field) you are given a random digit over the headphone. that is the key for encrypting the first digit.
  3.  you remember the first digit of you password (5) and add it to the digit you just got over your headphone (let’s say it’s 2) and add them (7). don’t carry anything, if you get “13″ just enter the “3″.
  4. you type in your result on the keypad. you recieve the next random digit to encrypt the next digit of the password and so on. with some practice, this should go pretty quickly.
  5. as you type it in, the device can decrypt each digit with the key it gave you. you hit enter and you’re finished.
the key you recieve acts as a one-time-pad, which is, in itself, resistant to cryptoanalysis. much more importantly, it is easily performed in the head.
the key might be spoken by voice synthesis or might be encoded with tones in some way.
obviously everyone who hears what you’re hearing and sees what you type can still decypher your password.
it should be transmitted as quietly as possible. sound-insulating headphones are very advantageous.
other possible attack vectors would be the head phone cable’s electromagnetic emmissions or involuntary gestures or eye movements that may perhaps reveal the key or password (training should help with that). but any of these measures are much harder than watching a person type.
and, of course, insecure hardware and software (in particular proprietary operating systems) can offer volunerabilities or back doors on their own.
this image may help illustrate the process:
Reposted byeigenvaluemondkroete

Don't be the product, buy the product!