AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


Data Encryption Software: Guitar Hero Password Entry Prevents Rubber Hose Password Cracks

The psychological concept of "implicit learning" is being touted as a way of "memorizing" very complicated passwords so that they cannot be revealed via blunt-force threats, aka "rubber hose attacks."  The password mechanism could mean enhanced security, I admit.  After all, the weakest part of any mobile security software, including disk encryption software like AlertBoot, is, pragmatically speaking, the password.

But, one thing has been bothering me since first reading of the benefits of this new password protection scheme: you must never underestimate the power of the rubber hose.

What is a Rubber Hose Attack? Hit Him with This $5 Wrench

A rubber hose attack is, namely, the use of violence:

  1. You have a password.
  2. I want the password.
  3. I torture you.
  4. You give me the password.
  5. I record it and use it.

It's as simple as that.  The techno-centric webcomic site has an excellent summary of the concept: hit him with this $5 wrench until he tells us the password.

Comics aside, this is actually a perfectly valid (and I assume actually employed) way of getting the password to encrypted data (N.B. - valid as in "it works" and not as in "it is acceptable").  And, unlike confessions, it's always verifiable: you type the password.  If it doesn't work, back to the rubber hose it is.

So, a password that is based on implicit learning -- riding a bicycle or playing a long piano piece are quoted in the arstechnica.com article as instances of implicit learning, where "precise sequences are impossible for a human to articulate" -- appears to be a reasonable way of safeguarding passwords.

Except that if you give me a bicycle, I can ride it.  And while I don't play musical instruments, my observation is that piano players that can play a piece on one piano can play it on another.  In other words, the above five steps can be modified to look like this:

  1. You have a password.
  2. I want the password.
  3. I torture you.
  4. I make you ride a bike or play a piano sonata or whatever, i.e., you give me the password.
  5. I record it and use it.

The only major difficulty would be finding a stand-in device for whatever the implicitly learned password happens to be.  The arstechnica.com article mentions the use of a "Guitar Hero"-like interface.  Assuming commercial products (I use the term loosely to mean "available if you have a decent amount of money") are released based on this latest password technology, I don't see how rubber hosing passwords can be prevented.


Related Articles and Sites:
http://arstechnica.com/security/2012/07/guitar-hero-crypto-blunts-rubber-hose-attacks/
http://www.extremetech.com/extreme/133067-unbreakable-crypto-store-a-30-character-password-in-your-brains-subconscious-memory

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.