PowerPoint Presentation

Mnemonic Guard
personal verification technology based on old memory
overcoming the security paradox without risking privacy
Mnemonic Security, Inc.
http://www.mneme.co.jp
so easy to lose
15% of businessmen lost some mobile devices in 2001 in Japan, according to Gartner Japan.
→ Whether ubiquitous computing will come true as a dream or a nightmare hinges on whether or not there is a valid personal verification technology.
human factor
• Assume that terminals talk to each other.
→ It is the terminal devices that matter.
→ Users are viewed as protein-made operation robots.
→ Vulnerability of human beings is often out of sight.
• Assume that people talk to each other via terminals.
→ It is people in real life that matter.
→ Terminal devices are just tools held in people's hands.
→ Vulnerability of human beings is always in focus.
significance of personal verification
Encrypted data must be made human-readable when presented to the authorized individuals.
Even the perfectly unbreakable encryption is invalid in front of a successful impersonator.
Personal verification is the key to rejecting impersonators and protecting data from theft.
security of personal verification
Easy-to-remember passwords commonly used are too vulnerable.
It is widely believed that the solutions should be:
• Place the passwords under stricter control
• Use the unique human body as the passwords
• Reject those who do not have the specified tokens
• Combine the above
Taken for granted. Who proved it, and how?
Paradox of Password
Intent: Make it longer, more inorganic, and change it more often. Then, security should improve!
→ cannot remember
→ write it down and carry it around or paste it
→ towards collapse of security
Fatal collapse under mobile environment: with accounts increasing, even the brightest start to see collapse.
Intent: Reject those who fail, say, three times. Then, security should improve!
→ Rejection = Loss of business.
→ Solution is to write down or use unforgettable personal data.
→ Unforgettable data are the easiest for impersonators to find out.
→ towards collapse of security
Paradox of Biometrics
Intent: Use the unique features of the human body as verification data. Then, security should improve!
→ By nature, false rejection cannot be eliminated. Rejection = Loss of business.
→ Furthermore, passwords have to be registered just in case: rely on backup/recovery passwords provided in OR style.
→ Obliged to use the easiest-to-break data unless a memo is allowed to be carried around or pasted.
→ Forget biometrics! Break passwords!
→ towards worst collapse of security
Valid where we do not have to rely on passwords, say, in our own place.
The human body cannot be replicated, but features of the body can be easily replicated despite their nature of privacy.
That identification (who is this person?) is different from verification (is this person who they claim to be?) is too often overlooked.
Paradox of Tokens
Intent: Reject those who fail to produce the necessary tokens. Then, security should improve!
→ Tokens left behind = Loss of business.
→ Endeavor not to leave it behind → increase the chances of simultaneous loss or theft of devices & tokens.
→ Endeavor not to lose both devices & tokens at a time → back to "Tokens left behind".
→ Try to escape from this loop: use just-in-case passwords in OR style.
→ towards worst collapse of security
Valid where we do not have to rely on passwords, say, in our own place.
Paradox of Combination
Intent: Each solution may have its weakness. Combine them. Then, security should improve!
Combination in AND style: the problem of "Rejection = Loss of business" will only get worse.
Combination in OR style: security of the whole system will be determined by that of the weakest component, that is, the just-in-case passwords in most cases.
There is no third combination style other than AND and OR.
↓
Combination will not help security improve, but will help spread a false sense of security.
Security Paradox
An ironical phenomenon: a good intention to improve security ends up with a paradoxical result, collapse.
• Paradox of Password
• Paradox of Biometrics
• Paradox of Tokens
• Paradox of Combination
what identity
Identity of Token, Body and Personality: what matters for business and information security?
Identity of Token: tokens tell nothing about in whose hands they are now.
Identity of Body: cases of multiple personality with disintegrated memory.
Identity of Personality: sustained and integral memory.
It is the personality, not token or body, that matters for business.
Verification of identity of personality cannot be replaced by body or token identification.
establish identity of personality
Identity of the personality can be established only by verifying the memory shared by the individual and the system.
Objective personal data unique to an individual, which can be written down in letters and numbers, can be easily gathered by impersonators.
Subjective emotion-influenced visual images memorized by an individual cannot, particularly when they have survived decades.
→ Research the methods to verify the visual images.
→ Develop solutions to make good use of long-term memory.
→ Also, make every effort to mitigate the stress that people feel.
first step to overcome the security paradox
merits and limitations of picture-based passwords
Merits of image-based verification
• easier to retain, since it is visually concrete
• easier to revive, because of re-cognition of what is in sight, not re-call of what is out of sight
Limitations of simple image-based passwords
• still subject to oblivion, not freed of the security paradox
• not strong enough on a small screen
Mnemonic Guard
overcome the security paradox
Photos of pet dogs we used to love decades ago are mixed with decoy dogs. For those who loved those memorable dogs, there could be no failure in verification.
An impersonator, who has to try random choice, will be rejected as soon as they make the sort of mistakes that the legitimate user can hardly make. The device will be made not to work, or the alarm system will be triggered.
The user should only select the registered symbols to complete the verification. The sort of mistakes that the legitimate user can make will be tolerated, and retrials will be encouraged.
In case of a forced access, the user can select the emergency symbol as well as the verification symbols, so that the system will know of the emergency without the intimidator noticing the silent communication.
Mnemonic Guard
overcome the security paradox
An example of the verification screen prepared for an 80-year-old lady, who uses, as the verification data or the passsymbols, 3 or 4 old photos taken 20 years ago of her granddaughters.
On a small screen, each symbol, when pointed at, could be enlarged to show details.
Mnemonic Guard: simple operation for reliable identity verification
For the legitimate user: easy and simple operation of selecting a few or several symbols registered as verification data. The sort of mistakes that the legitimate user can make will be tolerated, and the user can keep retrying without feeling stress.
For an impersonator: Mnemonic Guard software provides not just user verification but also impersonator verification. The impersonator will be rejected at a very early stage of the trial.
The user can build, or have built, their own verification pictures from old photos or similarly emotion-influenced objects. There cannot be failure in verification by oblivion.
Also provided are functions of emergency signaling, child-lock/fail-proof, enlarge/shrink, optional input, etc., for the best possible usability.
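As an added illustration (not code from Mnemonic Security or its products), here is a toy Python model of the selection rules described on the Mnemonic Guard slides above: registered symbols shown among decoys, tolerance for a legitimate user's omissions, immediate rejection on a decoy pick, the silent emergency symbol, and the single-trial odds of a random chooser. Symbol names, the retry budget and the exact tolerance rule are assumptions.

```python
"""Toy model of the Mnemonic Guard selection rules described on the slides.
Assumptions (not from the page): string symbol ids, one emergency symbol, omitting
a registered symbol is tolerated, picking a decoy locks at once, 5 retries allowed."""
from dataclasses import dataclass
from math import comb
import random

ACCEPT, RETRY, LOCK = "accept", "retry", "lock"

@dataclass
class MnemonicGuard:
    registered: frozenset   # the user's own old photos (the pass-symbols)
    decoys: frozenset       # look-alike photos the user never owned
    emergency: str          # symbol for silent "forced access" signalling
    max_retries: int = 5    # assumed retry budget for tolerated mistakes
    retries: int = 0
    alarm: bool = False     # set when the emergency symbol is used

    def screen(self, rng=random):
        """All symbols shown together, shuffled so position tells nothing."""
        shown = list(self.registered | self.decoys | {self.emergency})
        rng.shuffle(shown)
        return shown

    def verify(self, selection):
        """Judge one trial: ACCEPT, RETRY (tolerated mistake) or LOCK."""
        chosen = set(selection)
        if self.emergency in chosen:
            self.alarm = True          # silent alarm; flow looks normal
            chosen.discard(self.emergency)
        if chosen & self.decoys:
            return LOCK                # a mistake the real user hardly makes
        if chosen == self.registered:
            self.retries = 0
            return ACCEPT
        self.retries += 1              # forgot a symbol: tolerate, retry
        return RETRY if self.retries < self.max_retries else LOCK

def random_guess_success(n_shown, n_registered):
    """Single-trial chance that a random chooser who knows how many symbols
    to pick selects exactly the registered ones (no decoy touched)."""
    return 1 / comb(n_shown, n_registered)

if __name__ == "__main__":
    # Constructed sample: 3 real dogs among 12 decoys plus the emergency symbol.
    guard = MnemonicGuard(frozenset({"dog_1", "dog_2", "dog_3"}),
                          frozenset(f"decoy_{i}" for i in range(12)), "em")
    print(guard.verify(["dog_1", "dog_2"]))                 # retry
    print(guard.verify(["dog_1", "dog_2", "dog_3", "em"]))  # accept, alarm set
    print(random_guess_success(len(guard.screen()), 3))     # 1/560
```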
products
• data leakage from mobile devices (on the market for Windows 2000 and PocketPC)
• illegal access to domain controllers and web servers (on the way to the market)
• illegal login into specific application software (under development)
• illegal physical access to data centers (under planning, with monitor invisibility technology)
projects
• assured P2P communications platform to protect privacy with minimum risks on law and order (alliance: Fujitsu PST, Prof. Hideki Imai of Tokyo University; government project with IPA)
• picture production business for the busy and elderly (alliance: VIO, Tokyo University, NILS; government project with TAO)
• user/system mutual verification system (alliance: Tokyo University, Fujitsu PST, VIO; to be a government project with TAO)
Mnemonic Security, Inc.