Human Doable Challenge-Response System

A Human Doable Challenge-Response System is a theoretical approach to secure identification between two parties. Its implementation would be used as an alternative to passwords and biometric security measures.


Preface
Most identity verification methods on websites rely on passwords or on recognizing a pre-defined picture displayed by the site, e.g. the SiteKey image on Bank of America's website. These methods remain vulnerable to phishing attacks and other attacks of the same nature.


Basics
Each person has a unique secret function F that the system they are trying to log into also knows.
The function must satisfy two constraints:
# If somebody sees N pairs (Y, F(Y)), they still cannot compute F(X) for some X they have not seen.
# It must be computable in the person's head.

The system will issue the challenge x where the user must return the answer F(x) in order to log in.

Failed Example:

F(X) = 3X + 2X^2

After you see (X, F(X)) for two different values of X, you can learn the secret function.
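To make the failure concrete, here is an added example (not code from the original page) that simulates the challenge-response exchange with the page's F(X) = 3X + 2X^2 and shows that an observer who records two (X, F(X)) pairs can solve for the coefficients and answer any later challenge. The coefficients 3 and 2 come from the page; the challenge values are constructed.

```python
from fractions import Fraction


def secret_f(x, a=3, b=2):
    """The page's failed example: F(X) = aX + bX^2 with the user's secret a, b."""
    return a * x + b * x * x


def issue_challenge_and_verify(x, response):
    """Server side of the protocol: the login succeeds iff response == F(x)."""
    return response == secret_f(x)


def recover_coefficients(pairs):
    """Given two observed (X, F(X)) pairs, solve for (a, b).

    F(X) = aX + bX^2 is linear in the unknowns a and b, so two distinct
    non-zero challenges give two equations in two unknowns. This is exactly
    why the function violates constraint 1: N = 2 observations leak F.
    """
    (x1, y1), (x2, y2) = pairs
    # determinant of the system matrix [[x1, x1^2], [x2, x2^2]]
    det = x1 * x2 * x2 - x2 * x1 * x1
    if det == 0:
        raise ValueError("need two distinct non-zero challenges")
    a = Fraction(y1 * x2 * x2 - y2 * x1 * x1, det)
    b = Fraction(x1 * y2 - x2 * y1, det)
    return a, b


def forge_response(observed_pairs, fresh_challenge):
    """What an untrusted terminal can compute after watching two logins."""
    a, b = recover_coefficients(observed_pairs)
    return a * fresh_challenge + b * fresh_challenge ** 2


if __name__ == "__main__":
    # Constructed transcript: the user logs in twice on a compromised terminal.
    observed = [(1, secret_f(1)), (4, secret_f(4))]   # (1, 5) and (4, 44)
    print("recovered (a, b):", recover_coefficients(observed))   # (3, 2)
    forged = forge_response(observed, 5)
    print("forged answer accepted:", issue_challenge_and_verify(5, forged))
```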


Advantages
This system protects against phishing sites as well as untrusted-terminal attacks. Because the secret is a function rather than a passphrase, a malicious party that captures one response F(X) still cannot compromise the user's account: that value only answers the challenge X it was issued for.


Pitfalls
A function that fits the properties above is difficult to come by, especially if many users must be provided with unique secret functions.