Are human beings compatible with cryptography?

Jim Reavis
Network World on Security, 08/25/99

The technology of cryptography continues to move forward. Just last week NIST announced the five finalists for the Advanced Encryption Standard, all of which look to be virtually unbreakable encryption algorithms that can last well into the next century.

But are we going to be able to leverage these powerful encryption engines in a way that provides real security? While this is an important question for developers that incorporate encryption into solutions such as electronic commerce, what about the nontechnical end user? In particular, how do users secure their private keys and authentication methods?

Cryptography experts point out that the strength of an encryption algorithm and large key sizes can be undermined in many applications by the weak pass phrases that are used to protect private keys and network logon schemes. The very thing that makes passwords tough to crack - long, random, meaningless strings of data - makes them equally difficult to remember.

There are several negative outcomes to this dilemma: users select easy-to-remember passwords that are easy to crack; they use an insecure method of remembering the password, such as writing it down and storing it in an obvious place; or they forget the meaningless password and risk losing data.

Users are not stupid, but we are asking people to remember meaningless strings of data for everything from withdrawing money from cash machines to logging on to the LAN to encrypting files. The capabilities of the human brain are astounding, from vividly remembering an event that happened 50 years ago to creating great works of art. But we are asking people to think like computers instead of adapting our technology to people.

One company that has done some serious thinking about this dilemma is Counterpane Systems, headed by renowned cryptanalyst Bruce Schneier. In a whitepaper called Protecting Secret Keys with Personal Entropy, Counterpane proposes replacing a single, long passphrase with multiple small ones, tied to life experiences (First car I owned), free association, etc.

The scheme works without the user having to be perfect: they just need to remember enough of the right answers to reconstruct the secret key. While Schneier's mathematical theory is solid, he admits in the paper that much more research must be done in the area of human interface design to understand the best types of questions to construct for users.
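A simplified sketch of the threshold idea described above, added here as an illustration and not code from the Counterpane paper: the secret key is split into Shamir shares, one per question, each masked with a hash of its answer, so any three of four correct answers rebuild the key while a wrong answer only drops its share. The per-answer check hash, the constructed SAMPLE_QA questions and the function names are my own assumptions, not the paper's design.

```python
import hashlib
import secrets
P = 2**127 - 1  # prime field for Shamir shares; the secret and every share are integers below P
SAMPLE_QA = [("First car I owned", "Honda Civic"), ("Childhood pet", "Rex"),
             ("Street I grew up on", "Maple Ave"), ("Favorite teacher", "Mrs Smith")]  # constructed

def _normalize(answer):
    # Tolerate case and spacing differences so a slightly mistyped answer still matches.
    return " ".join(answer.lower().split())

def _answer_key(question, answer):
    # Derive a per-question mask from the question text and the normalized answer.
    data = (question + "\0" + _normalize(answer)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P

def _check(k):
    # Hypothetical per-answer verifier so recovery can tell right answers from wrong ones.
    return hashlib.sha256(k.to_bytes(16, "big")).hexdigest()[:16]

def protect_key(secret, qa_pairs, threshold):
    """Split secret into one Shamir share per question and mask each share with its answer."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    record = []
    for x, (q, a) in enumerate(qa_pairs, start=1):
        share = sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
        k = _answer_key(q, a)
        record.append({"x": x, "question": q, "masked": (share + k) % P, "check": _check(k)})
    return record

def _lagrange_at_zero(points):
    # Interpolate the polynomial at x=0 to get its constant term, which is the secret.
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def recover_key(record, answers, threshold):
    """Unmask shares whose answers verify; rebuild the key if at least threshold are right."""
    points = []
    for e in record:
        k = _answer_key(e["question"], answers.get(e["question"], ""))
        if _check(k) == e["check"]:
            points.append((e["x"], (e["masked"] - k) % P))
    return _lagrange_at_zero(points[:threshold]) if len(points) >= threshold else None
```

Storing a verifier per answer lets anyone holding the record test each answer on its own, so the protection is bounded by the entropy of the individual answers; a design that verifies only the reconstructed key forces guesses at whole combinations of answers instead.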

A company that has done more research in the area of psychology and its place in user authentication is id~arts, out of the U.K. They are promoting a simple technology they call "passfaces". Instead of remembering passwords, you remember human faces. On their Web site demo, you are presented with four successive screens containing nine faces. By selecting your four faces correctly, you are authenticated. There is no doubt that this type of technology is better adapted to the human brain than traditional passwords, but who knows how long it will take to make this type of authentication technology mainstream.

What about biometrics? It may well be that biometrics ultimately is the technology used to replace private keys and password authentication - it is very difficult to repudiate and you don't have to remember anything (Dang, I left my retinas at home again!). The current lack of standards and the high cost of hardware seem to be issues that can be resolved. The major problem I have with biometrics is that it is not simply authentication, it also identifies you. I want simple and secure authentication, but I also want anonymity.

The next time you see a password on a sticky note affixed to a user's screen, remember that the human brain is not going to change, and we need to research ways to adapt our powerful encryption technologies to the people using them.

RELATED LINKS

Jim Reavis, the founder of SecurityPortal.com, is an analyst with over 10 years' experience consulting with Fortune 500 organizations on networking and security-related technology projects. SecurityPortal.com is a Web site dedicated to providing IT professionals with comprehensive information about network security issues. Jim can be reached at jreavis@securityportal.com.

Counterpane's Web site

Id~arts' Web site

More information on the Advanced Encryption Standard

Bill reopens encryption access debate
Network World, 08/16/99

Congress targets exported encryption tech
Network World, 07/23/99

U.S. committees approve encryption, other bills
Network World, 06/24/99

DES code cracked in record time
Network World, 01/20/99
