The system, devised by Hristo Bojinov of Stanford University and friends from Northwestern and SRI, relies on implicit learning, a process by which you absorb new information — but you’re completely unaware that you’ve actually learnt anything; a bit like learning to ride a bike. In short, the system teaches the password to a part of your brain that you cannot physically access — but it is still there in your subconscious, just waiting to be tapped.
The process of learning the password (or cryptographic key) involves the use of a specially crafted computer game that, funnily enough, resembles Guitar Hero (pictured below). There are six buttons — S, D, F, J, K, L — and the user has to hit the corresponding key (note) when the circle reaches the bottom (fret). During a typical training session of around 45 minutes, a user will make about 4,000 keystrokes — and here’s the genius bit: Around 80% of those keystrokes are being used to subconsciously teach you a 30-character password.
Before running, the game creates a random sequence of 30 letters chosen from S, D, F, J, K, and L, with no letter hit twice in a row. This equates to around 38 bits of entropy, which is thousands/millions of times more secure than your average, memorable password. This 30-character sequence is played back to the user three times in a row, and then padded out with 18 random characters, for a total of 108 items. This sequence is repeated five times (540 items), and then there’s a short pause. This entire process is repeated six more times, for a total of 3,780 items.
By this point, their experimental results suggest that the 30-letter password is firmly implanted in your subconscious brain. Authentication requires that you play a round of the game — but this time, your 30-letter sequence is interspersed with other random 30-letter sequences. To pass authentication, you must reliably perform better on your sequence. Even after two weeks, it seems you are still able to recall this sequence.
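As an added illustration (not code from Bojinov’s paper or from this article), here is a Python sketch of the training schedule and the authentication check just described. It assumes the “no repeating characters” rule means no key is hit twice in a row, and the scoring rule (trained sequence must beat every foil) is a constructed simplification of the paper’s test.

```python
import random

KEYS = "SDFJKL"                      # the six game buttons
SEQ_LEN, PAD_LEN, REPS, BLOCKS = 30, 18, 5, 7

def random_sequence(length, rng=None):
    """Random key sequence with no key hit twice in a row (assumed reading of
    the article's 'no repeating characters'; the paper's exact rule may differ)."""
    rng = rng if rng is not None else random.Random()
    seq = [rng.choice(KEYS)]
    while len(seq) < length:
        seq.append(rng.choice([k for k in KEYS if k != seq[-1]]))
    return "".join(seq)

def training_session(secret, seed=None):
    """Training schedule from the article: secret x3 + 18 noise items (108),
    repeated five times (540) per block, seven blocks (3,780 items in total).
    Returns the seven blocks; the short pause between blocks is implicit."""
    rng = random.Random(seed)
    blocks = []
    for _ in range(BLOCKS):
        block = "".join(secret * 3 + random_sequence(PAD_LEN, rng) for _ in range(REPS))
        blocks.append(block)
    return blocks

def score_round(trace):
    """trace: one (sequence_label, hit) pair per note of the authentication round,
    in which the trained sequence is interleaved with random foil sequences.
    Returns the fraction of notes hit for each sequence label."""
    tallies = {}
    for label, hit in trace:
        shown, hits = tallies.get(label, (0, 0))
        tallies[label] = (shown + 1, hits + int(hit))
    return {label: hits / shown for label, (shown, hits) in tallies.items()}

def authenticate(secret, scores, margin=0.0):
    """Pass only if the trained sequence was played better than every foil
    (optionally by a margin, to reduce chance passes on a lucky round)."""
    best_foil = max(v for k, v in scores.items() if k != secret)
    return scores[secret] > best_foil + margin

if __name__ == "__main__":
    secret = random_sequence(SEQ_LEN, random.Random(1))
    blocks = training_session(secret, seed=1)
    print(secret, sum(map(len, blocks)))          # 30-item secret, 3780 items
    # Constructed round: 40 notes of the secret at 80% hit rate, 40 of a foil at 60%
    trace = [("secret", i % 5 != 0) for i in range(40)] + [("foil", i % 5 < 3) for i in range(40)]
    scores = score_round(trace)
    print(scores, authenticate("secret", scores))  # True
```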
The most important aspect of this work is that it (seemingly) establishes a new cryptographic primitive that completely removes the danger of rubber-hose cryptanalysis — i.e. obtaining passkeys via torture or coercion. It also gives you deniability: If a judge or policeman orders you to hand over your password, you can plausibly say that you don’t actually know it. For a lot more information on the strengths and weaknesses of this cryptographic approach, called Serial Interception Sequence Learning (SISL) incidentally, hit up Bojinov’s research paper. Bojinov will present his findings at the Usenix Security Symposium in August.
With Black Hat, DEF CON, and the Usenix Security Symposium all taking place in the next few weeks, Bojinov’s SISL system is likely just the first of many awesome hacks that will emerge in due course. Last year saw the inaugural hacking of 4G and CDMA, opening car doors via SMS, and hacking wireless insulin pumps — and hopefully this year will be even better.