8/6/2019 Chaos, Criticality And Encrypted P-CAPTCHAs -The Weak Password Problem

1/5

The weak password problem:

chaos, criticality, and encrypted p-CAPTCHAs

T.V. Laptyeva1, S. Flach1 (a) and K. Kladko2

1 Max-Planck-Institut fur Physik komplexer Systeme - Nothnitzer Strae 38, D-01187 Dresden, Germany2 Axioma Research - 555 Bryant Street, Palo Alto, CA 94303, USA

PACS 05.45.-a Nonlinear dynamics and ChaosPACS 89.20.Ff Computer science and technologyPACS 89.75.Fb Structures and organization in complex systems

Abstract. - Vulnerabilities related to weak passwords are a pressing global economic and securityissue. We report a novel, simple, and effective approach to address the weak password problem.

Building upon chaotic dynamics, criticality at phase transitions, CAPTCHA recognition, andcomputational round-off errors we design an algorithm that strengthens security of passwords.The core idea of our method is to split a long and secure password into two components. The firstcomponent is memorized by the user. The second component is transformed into a CAPTCHAimage and then protected using evolution of a two-dimensional dynamical system close to a phasetransition, in such a way that standard brute-force attacks become ineffective. We expect ourapproach to have wide applications for authentication and encryption technologies.

Introduction. Computer and information securityhas been subject to intensive research for over 50 years.

This included investigation of cryptographic methods, aswell generic security of computing devices, operating sys-tems and networks. However, it is only relatively recentlythe importance of the human factor has been given properattention. Passwords are the common method for authen-tication and encryption used to secure digital life. Humanshave limited capacity to remember passwords and tend toselect passwords that are too simple and predictable. Se-curity breaches related to weak passwords are widespreadevents. Consumers and enterprises around the world arelooking for ways to address the weak password problem[1, 2]. In this paper we propose a method to addressthe problem by combining chaotic dynamics, phase tran-

sitions, and pattern recognition advantages of the humanbrain. A major building block of the proposed algorithm isthe dynamic behavior of complex extended non-linear sys-tems, in particular, Hamiltonian lattices close to a phasetransition [3,4]. These systems display non-ergodicity, de-terministic chaos [5], and spontaneous formation of coher-ent space-time structures. Building upon dynamical chaosand computational round-off errors and utilizing superior-ity of the human brain over computers with respect to

(a)E-mail: flach@pks.mpg.de

pattern recognition, our method protects a secret token,which can be used, in combination with a regular pass-

word, to derive a secret key for data encryption.It was estimated in 2009 that 86% of US companies

use password authentication and encryption [6]. A weakpassword used with a strong encryption or authentica-tion algorithm potentially makes a computer system vul-nerable to brute-force password search attacks. Studieshave shown that users will generally address the passwordcomplexity problem by using simple predictable pass-words [7, 8]. Schneier examined 34,000 MySpace onlinepasswords and concluded that 65% of them contained 8characters, with most frequently used passwords beingpassword1, abc123, myspace1, and password [8].Other user strategies include using the same password forevery account, writing down passwords, storing passwordsin files, and reusing or recycling old passwords. Horowitzreported that 15-20% of the users on a regular basis wrotedown their password on a Post-it note attached to thecomputer monitor [8]. Another study found that 66% ofusers keep password paper records at work and 58% keeppasswords in files [8].

Vulnerabilities related to weak passwords have signifi-cant economic effect globally. Results of a recent study[8,9] revealed that identity fraud affects nearly 5% of con-sumers, or nearly 10 million people in the USA per year.

p-1

arXiv:1103.6

219v1[cs.CR]31

Mar2011

8/6/2019 Chaos, Criticality And Encrypted P-CAPTCHAs -The Weak Password Problem

2/5

T.V. Laptyeva et al.

The total annual cost of identity fraud in the United Stateswas more than $55 billion in 2006 [9]. Vulnerabilities re-lated to weak passwords have significant economic effectglobally. Results of a recent study [8,9] revealed that iden-tity fraud affects nearly 5% of consumers, or nearly 10million people in the USA per year. The total annual costof identity fraud in the United States was more than $55

billion in 2006 [9].Cryptographic science utilizes discrete reversible func-

tions that operate on bit strings and take a secret keyas a parameter. As an example, Advanced EncryptionStandard (AES) [10] specifies an encryption function ap-proved for use by the US government. AES encrypts datain input/output blocks of 128 bits. The secret key lengthssupported by AES are 128, 192, and 256 bits. These longkey lengths were selected to make brute-force attacks in-feasible.

Over the years, a number of more sophisticated crypt-analysis attacks were described for various cryptographicalgorithms. Such attacks are usually very technical and

algorithm-specific and rely on finding statistical correla-tions in the cryptographic function to extract informationon the cryptographic key. However, an ideal cryptographicfunction depends on its inputs in a completely random waywith no correlations present. Therefore, a brute searchattack remains the essential attack used in real world tocompromise cryptographic algorithms.

For a completely random secret key used with the AESalgorithm, a brute-force attack is infeasible both presentlyand, probably, in the future. The situation changes dra-matically, when the key is limited to a smaller subspaceof keys. A common situation is that the key is either apassword, memorized by a human, or is derived from apassword using a function known to the attacker. A brutesearch over a small subspace can be done efficiently.

A typical brute-force search attack requires that the at-tacker is in possession of the encrypted text (Ciphertext)C, and that the true key belongs to a subspace of keys S.The attacker can mount a Ciphertext-Only Attack by iter-ating through the space S and attempting to decrypt C ineach case into a Candidate Plain Text. Now the attackerneeds to determine whether it is the True Plain Text.This Recognition Problem is, therefore, a necessary part ofCiphertext-Only Attack, and amounts to designing an ef-ficient algorithm denoted as the Recognition Oracle (RO).

Implementations of ROs make use of the block-encryptionstructure, standard file formats, and correlations in TruePlain Text.

Scheme. We assume that confidential data is en-crypted by a symmetric encryption algorithm, such asAES. The encryption key used is a combination of areasonable-strength password component (such as 105

combinations), which we denote as Short Password SP andan additional Strong Key SK. The difference between ourmethod and existing cryptographic technologies is that theuser is not asked to memorize SK. Instead, the graphical

representation of SK is embedded into a two-dimensionalimage ISK of a momentary state of a nonlinear Hamil-tonian two-dimensional lattice system. This embeddingis similar to embeddings used for Completely AutomatedPublic Turing test to tell Computers and Humans Apart(CAPTCHAs) [1113], therefore, we also coin it passwordCAPTCHA or p-CAPTCHA. A time evolution of the two-

dimensional lattice is then performed. The chaotic evolu-tion transforms the p-CAPTCHA into a chaotic latticestate. Since our Hamiltonian system is close to a phasetransition, this chaotic state will contain regularities atvarious space scales, such as a domain structures. If oneencodes lattice site positions and velocities using float-ing point numbers, such regularities will be manifested inmore-significant bits of such encoding, the less-significantbits will have pseudo-random nature due to the dynamicalchaos in the system.

atD a D c r p t one y iFa i dle

n ry eE c pt d

a aD t

ENCRYPTION

Initial Strong Key

Integration Forward

Masked ISK

Short Password

DECRYPTION

Short Password

Masked ISK

Integration Backward

Restored ISK

ATTACK

Incorrect Image

Integration Backward

No ISK

ISK Restoring Failed

Fig. 1: Schematic flow of the encryption, decryption and attackprocesses.

This provides us an opportunity to split the stateinformation for each lattice site into somewhat-regularand pseudo-random components by splitting each float-ing point number into, e.g., the most significant half andthe least significant half. The most significant halves thenform the somewhat-regular component of the state infor-mation that we store in plain text. The least significanthalves form the pseudo-random component of the stateinformation. We store this pseudo-random component inencrypted form, where encryption is performed using aregular password, memorized by a user. To restore thefull state, one decrypts the pseudo-random component,and then combines it with the somewhat-regular compo-nent.

Let us now assume that both the somewhat-regularcomponent (stored in plain text) and the pseudo-randomcomponent (stored encrypted) are available to the at-tacker. To mount a brute-force attack the attacker willscan through the password space. For each passwordthe attacker will decrypt the pseudo-random component.Since the component is pseudo-random, the results of de-cryption will look the same to the attacker independent ofwhether the correct password was selected. Therefore, no

p-2

8/6/2019 Chaos, Criticality And Encrypted P-CAPTCHAs -The Weak Password Problem

3/5

The weak password problem: chaos, criticality, and encrypted p-CAPTCHAs

effective Recognition Oracle recognizing the correct pass-word from an incorrect one can be built at this stage.On the next stage the attacker will combine the pseudo-random component with the somewhat-regular componentto obtain the state of the system and integrate equationsof motions in the reverse time direction to obtain a candi-date p-CAPTCHA image. Only the correct password will

lead to the p-CAPTCHA image. However images gener-ated by the attacker for incorrect passwords will show thelevel of intra-image regularities similar to the correct p-CAPTCHA. Therefore, computer-based Recognition Ora-cles will not be efficient.

A legitimate user in possession of the SP can decryptthe pseudo-random component and combine it with theplain text somewhat-regular component. Using the timereversibility of Hamiltonian systems, the system is evolvedin the reverse time direction to regain the p-CAPTCHAand recognize the strong key SK from the image. Thecombined SP and SP are then used to decrypt the actualconfidential data (see Fig.1).

Implementation. In order to implement the strat-egy described above, we consider a two-dimensional squarelattice ofNN coupled double-well oscillators depicted inFig.2, which is described by the Hamiltonian

H =

Ni,j=1

1

2p2ij

1

2u2ij +

1

4u4ij + Fij

,

Fij =k=1

1

2

(ui+k,j uij)

2 + (ui,j+k uij)2. (1)

Fig. 2: The two-dimensional square lattice of coupled double-

well oscillators described by Eq.(1). The springs indicate thenearest neighbour interactions. The double-well onsite po-tential for each oscillator includes two equilibrium positionsuij = 1.

The lattice indices i, j correspond to the two directionsfor the square lattice. The equations of motion read uij =H/pij , pij = H/uij and are invariant under timereversal. We use N = 69 and perform time evolutionof the system using the symplectic Verlet algorithm [14].The time step for the numeric integration is h = 0.01, anddouble precision is used.

The system (1) served as a simple model for structuralphase transitions e.g. in ferroelectric materials as BaTiO3and also SrTiO3 [15]. The phase transition is of the secondorder [16] at a certain critical value of the energy densitywhich can be set roughly equal to the average tempera-ture T. At high temperatures the oscillators traverse thepotential barrier easily, therefore, the average polarization

order parameter M = 1N2ij sign(uij) is zero for large

N. For low temperatures the energy of each oscillator is

0.1 1.0 10.0

M

0

1.0

0.5

T

Fig. 3: Dependence of the order parameter M on the temper-ature T for Eq.(1). The red circle at the bottom indicates theoperational point of the algorithm.

not sufficient to overcome the potential barrier, and theinteraction between oscillators enforces an ordered phasewith M= 0. The temperature dependence ofM is shown

in Fig. 3. The phase transition point is Tc 1.The evolution of system (1) in the vicinity of the transi-

tion point is characterized by a spatial correlation lengthwhich diverges exactly at the phase transition point. Closeto the phase transition large clusters of the low tempera-ture phase emerge and disappear spontaneously. To ini-tialize the system, we assign random values to the mo-menta pij such that the kinetic energies p

2ij/2 satisfy

a Boltzmann distribution ep2/2 with a temperature

T 1 = 0.9 (red circle in Fig.3) and coordinatesuij = 1. We then integrate the equations of motion upto a time of the order of 200 time units (t.u.) at which alltemporal correlations decay. The image of the thermal-ized local order parameter density distribution (the signsof the oscillator coordinates) is shown in Fig. 4.

After that we imprint the SK (here the word CHAOS)into the system and obtain the ISK or p-CAPTCHA (seeFig. 5 and left top image ISK/RESTORED ISK inFig.6).

In order to protect SK, we integrate the equations of mo-tion further to some time (bottom-left image MASKEDISK in Fig.6).

Since the equations of motion are time reversible, we caninvert the integration, and expect to regain the original

p-3

8/6/2019 Chaos, Criticality And Encrypted P-CAPTCHAs -The Weak Password Problem

4/5

T.V. Laptyeva et al.

10 20 30 40 50 60

+

10

20

30

40

50

60

Fig. 4: The thermalized state of Eq.(1) with parameters T =0.9, N = 69 in the color coding of coordinates after forwardintegration up to = 200 t.u.

state ISK after back integration over the same time . This

is particularly true for the Verlet discretization, which isalso completely time reversible. However, the underlyingdynamical system is non-integrable and, therefore, chaotic[17]. Small perturbations will grow exponentially fast aset where is the largest Lyapunov exponent [17]. We alsonote that the numerical integration algorithm, while beingperfectly invertible in time, generates round-off errors (fordouble precision, at the 15th digit after the point). Thesesmall errors will accumulate exponentially fast in time.Therefore, there exists the maximum loopback time which still allows return to ISK. For larger loopback timesthe image ISK is lost in the high dimensional phase spaceof the system after the loopback evolution is performed.

We find that 400 t.u.Our strategy is then to choose to be close to . With

= 350 t.u. we can still integrate backwards and regainthe image ISK. The restored image is practically identicalto the original p-CAPTCHA we started with in Fig.5.

Slightest errors in the velocities and positions of theoscillators will be amplified when integrating back, andinhibit return to ISK. Indeed, we show this by slightly de-tuning the coordinate of an oscillator in the final statefar from the original image location (right bottom im-age MASKED ISK WITH DETUNED SITE in Fig.6):u20,20 u20,20 + 0.00001. Backward integration of thecorrupted state leads to a loss of the ISK (right top imageNO ISK/RESTORING FAILED in Fig.6). The stateof the system integrated forward in time (left bottom im-age MASKED ISK in Fig.6) can be now be split intosomewhat-regular and pseudo-random components. Thepseudo-random component is then encrypted using SP.The somewhat-regular component is stored in plain text.

Knowledge of the password SP allows the legitimate userto decrypt the pseudo-random component and regain thecorrect state, which is then integrated in the reverse timedirection, leading to ISK. The strong key SK together withthe short password SP is now used in a combination as a

10 20 30 40 50 60

+

10

20

30

40

50

60

Fig. 5: Initial ISK (p-CAPTCHA) of Eq.(1) with parametersT = 0.9, N = 69 in color coding of coordinates. Note that therestored image (after forward integration to = 350 t.u. andbackward integration to the origin) yields practically the sameimage.

secure secret token to decrypt protected data.

KSIDEKSAM

KSIDEKSAM

KSION

Fig. 6: The evolution of the image p-CAPTCHA into a chaoticstate and its reobtaining by integrating backwards (two leftimages). A slight detuning of one oscillator coordinate u20,20u20,20+0.00001 (shown by the arrow in the bottom right image)

of the chaotic state, followed by a backward integration, missesthe image completely, leading to another random image of achaotic state.

The attacker attempting a brute-force attack has to vi-sually analyze each image obtained by time-evolution ofeach incorrect state corresponding to each incorrect pass-word tried. For 105 SP combinations a good time estimatefor this human-intensive activity will be days. Simply in-creasing the space of SP to 106 severely limits the attacker,while still maintaining a reasonably short SP.

p-4

8/6/2019 Chaos, Criticality And Encrypted P-CAPTCHAs -The Weak Password Problem

5/5

The weak password problem: chaos, criticality, and encrypted p-CAPTCHAs

Outlook. To conclude, we present an approach thatrelates the fields of dynamical chaos, criticality, and pat-tern recognition to cryptography. This approach allows usto use the evolution of a chaotic Hamiltonian system neara phase transition to embed and protect a secret tokenthat can subsequently be used for cryptographic purposes,such as encryption of confidential data. Our method can

be readily and straightforwardly implemented on a widevariety of existing computer systems and devices and, toour view, provides a significant step forward in protectionof confidential data as compared to the currently availablemethods of password-based encryption. We hope that ourfindings can open a promising topic for future research.Potential future directions include searching for optimalHamiltonian and non-Hamiltonian systems to be used as afoundation for our method, optimizing the performance ofthe method so that it can be executed on devices with lowcomputational power, as well as designing better imageembedding and evolution algorithms to provide strongerprotections against computer-based image recognition.

We thank P. Fulde and R. Khomeriki for useful discus-sions and a careful reading of the manuscript.

REFERENCES

[1] Sikorski R. and Peters R., Science, 278 (1997) 2144.[2] Stross R., The New York Times, Sept.5 (2010) .[3] Cataliotti F. S., Burger S., Fort C., Maddaloni

P., Minardi F., Trombettoni A., Smerzi A. and In-guscio M., Science, 293 (2001) 843.

[4] Donner T., Ritter S., Bourdel T., Oettl A., KoehlM. and Esslinger T., Science, 315 (2007) 1556.

[5] Stark J. and Hardy K., Science, 301 (2003) 1192.[6] Zhang J., Luo X., Akkaladevi S. and Ziegelmayer

J., Eur. J. Inf. Syst., 18 (2009) 165.[7] Adams A. and Sasse M. A., Comm. ACM, 42 (1999) 41.[8] Hoonakker P., Bornoe N. and Carayon P., in Proc.

of the Human Factors and Ergonomics Society, 53rd An-

nual Meeting 2009, p. 459.[9] Monahan M. T., Identity Fraud Survey Report: Iden-

tity Fraud Is Dropping, Continued Vigilance Necessary

(Pleasanton, CA: Javelin Strategy and Research) 2007.[10] Advanced Encryption Standard, FIPS, 197 (2001)

(available at http://csrc.nist.gov/publications/fips/).[11] von Ahn L., Blum M. and Langford J., in Advances

in Cryptology, EUROCRYPT-2003, Vol. 2656 2003,p. 646.

[12] von Ahn L., Maurer B., McMillen C., Abraham D.and Blum M., Science, 321 (2008) 1465.

[13] Canetti R., Halevi S. and Steiner M., Cryp-tology ePrint Archive, 276 (2006) (available athttp://eprint.iacr.org).

[14] Verlet L., Phys. Rev., 159 (1967) 98.[15] Schneider T. and Stoll S., Phys. Rev. Lett., 31 (1973)

1254.

[16] Stanley H. E., Introduction to Phase Transitions andCritical Phenomena (Clarendon Press, Oxford) 1971.

[17] Lichtenberg A. J. and Liebermann M. A., Regularand Stochastic Motion (Springer, Berlin) 1982.

p-5

http://csrc.nist.gov/publications/fips/http://eprint.iacr.org/http://eprint.iacr.org/http://csrc.nist.gov/publications/fips/