In lieu of an abstract, here is a brief excerpt of the content:

The Cryptographic Imagination 169

and understood by cryptographic engineers,” with the hope of trading “some theoretical generality for more applicability to various applications and designs.”33 Such proposals are symptoms of a healthy scientific process: given that theory and practice are both constantly evolving, the fitness of models is a question that must necessarily remain open and subject to permanent negotiation.

In the remainder of this chapter, I want to explore some of the possibilities suggested by the ROM controversy and the emergence of the physical security model. If cryptographic practice already integrates a broad diversity of modes of persuasion, and if the “standard model” can be extended to incorporate the unruly materiality of the computer, what research avenues might this open up? Here, I explore some strands of research that draw on other materialities as design resources: those of human bodies, for example, and their capacity for memory, perception, cognition, and those of the material world—for example, paper and sealed envelopes. Just like that of the computer, these materialities have largely remained outside the purview of the “standard model,” as their formalization results in proofs which perhaps no longer feel as clean and rigorous as those obtained within purely abstract models.

Memory

Memory constitutes one of the most widespread elements of security technology design, as exemplified by the challenge-and-response protocols (login, password) that today secure access to most electronic services and devices. In theory, access control based on textual passwords should offer adequate security, because, for eight-character passwords of digits and mixed-case letters, the total number of choices, the password space, is about 2 × 10^14, or about 2 hundred trillion possible passwords.
However, users understandably choose easy-to-remember passwords, combinations of letters and numbers that have some meaning attached to them.34 Thus, given the constraints of human memory, a password scheme’s security is more appropriately defined by the size of its memorable password space than that of its full password space.35 Instead of undertaking an exhaustive key search, attackers can draw guesses from dictionaries with just a few million words to effectively capture a significant portion of that much-reduced memorable password space. To help thwart such dictionary attacks, systems typically implement rules that coerce users into selecting passwords more evenly spread across the total password space of the scheme—for example, mixing letters and typographical characters, using passphrases, or enforcing frequent replacement.36 However, users often respond to such measures with even worse security strategies, for example, writing down their passwords under their mouse pads. As Smith quips, classical password selection rules imply that the best passwords “must be impossible to remember and never written down.”37 One interesting response to this seemingly intractable conundrum has been to take advantage of the dual linguistic and graphical dimensions of textual passwords.38 That is, passwords are memorized, but also input into computers as written signs. This approach leads to possible strategies for enhancing the memorability of passwords by coupling together visual and linguistic mnemonic techniques. Such approaches are interesting on two levels: on the one hand, they might effectively increase the memorable password space without additionally burdening the user’s memory; on the other hand, to measure this effectiveness, researchers must somehow integrate into their mathematical models the empirical insights provided by experimental psychologists working in the field of memory and cognition.

Input Orderings

A first strategy stems from the realization that computer software and input devices impose a specific temporal order on the way users enter their passwords: first letter first, second letter second . . . last letter last. Yet using a graphical input device, it is possible to decouple the elements of the input from their temporal order. That is, the various characters of a password can be entered according to different ordering strategies—for example, by starting with the last character, from the outside in, or any other input strategy (see figure 7.2). This decoupling immediately leads to a sizable increase of the password space: for a password of k characters where k = 8, the new password space exceeds the conventional one by a factor of k! = 40320. Obviously, not all ordering strategies are equally memorable, and it is not clear how one might quantify the increase in the memory password space other than by empirical trials. Nevertheless, the scheme provides a first entry point into
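
The k! factor and its caveat about memorability, worked through as an added example that is not part of the book: an entry is modelled as a sequence of (position, character) events, the factor is checked by enumeration on a tiny alphabet, and the full and memorable spaces are compared in bits. The function names, the sample password, the dictionary size of 2 million words and the count of three orderings that users can recall are assumptions made for illustration.

```python
import math
from itertools import permutations, product

ALPHABET_SIZE = 62  # digits plus mixed-case letters, as in the text
K = 8               # password length used in the text

def backward(k):
    """Ordering strategy: start with the last character."""
    return list(range(k - 1, -1, -1))

def outside_in(k):
    """Ordering strategy: first, last, second, second-to-last, ..."""
    order, lo, hi = [], 0, k - 1
    while lo <= hi:
        order.append(lo)
        if hi != lo:
            order.append(hi)
        lo, hi = lo + 1, hi - 1
    return order

def enter(password, order):
    """An entry is the sequence of (position, character) events in input order."""
    return tuple((pos, password[pos]) for pos in order)

def count_entries(alphabet, k):
    """Enumerate every distinct entry for a tiny alphabet to check the k! factor."""
    return len({enter(pw, order)
                for order in permutations(range(k))
                for pw in product(alphabet, repeat=k)})

def space_bits(dictionary_words, memorable_orders):
    """Size in bits of the full and the memorable spaces, with and without ordering."""
    full_text = ALPHABET_SIZE ** K
    return {
        "full_text": math.log2(full_text),
        "full_text_and_order": math.log2(full_text * math.factorial(K)),
        "memorable_text": math.log2(dictionary_words),
        "memorable_text_and_order": math.log2(dictionary_words * memorable_orders),
    }

if __name__ == "__main__":
    print(enter("Tr0ub4d0", outside_in(K)))  # constructed sample password
    print(count_entries("ab", 3), 2 ** 3 * math.factorial(3))
    # Constructed assumptions: 2 million dictionary words, 3 orderings users recall.
    for name, b in space_bits(2_000_000, 3).items():
        print(f"{name:26s} {b:5.1f} bits")
```

Under these assumptions the full space grows by about 15.3 bits, while the memorable space grows by only about 1.6 bits, which is why the gain has to be measured over the orderings users actually choose.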
