A ton of energy gets put into advising and insisting that users create long, complex passwords to thwart guessing attacks. For many people (possibly as many as 1/3 of all users) this becomes such a pain in the a$$ that their ultra-secure passwords get written on yellow sticky notes attached to their laptop screen.
If the system under attack can’t monitor itself for hacking attempts, a strong complicated password makes sense, as the only defense between your data and a cracked system is compute time, which will only continue to get cheaper and more accessible.
But for mobile-aware encryption systems, intelligent monitoring and a more thought-out crypto architecture can make long complicated passwords (and the yellow stickies that go with them) unnecessary.
IceLock protects its crypto system with a multi-factor ephemeral key and a local autonomous monitoring system. When these are combined, the crypto system is protected by other defenses, beyond the brute force compute-time required to guess an unlikely password.
Some background on how we got here: in early-generation data security systems, crypto keys are stored in hash tables on a key server. The password is mathematically altered, and the result is stored in this table and used to encrypt and decrypt data. To crack this, an attacker keeps trying different passwords until the data decrypts to clear text. In the hope that a password is a human-language word, guessing strategies often start by trying permutations of dictionary words in sequence (a dictionary attack), which is why policies often require that passwords contain symbols.
Another way unmonitored systems defend against brute force attacks is to slow down the authentication process, to reduce the number of guesses the software can perform in any given time frame. (No, we’re not kidding about this.)
IceLock works differently. It doesn’t mathematically alter a password to create the crypto key (the randomly generated key used to encrypt and decrypt data, unique to each computer). In fact, the password is just one of 8 factors that make up the ephemeral key, all of which have to be present to unlock the crypto key. So guessing the password doesn’t get you access to the system by itself; a number of other conditions must also come together as you authenticate before you can access encrypted data.
In addition, IceLock continuously monitors user activity. If a thief tries to guess the password, the system breaks down the ephemeral key after a pre-defined number of tries, a threshold set by a policy you maintain in the IceLock service center. Once the ephemeral key has been decomposed, it cannot be recomposed until the machine obtains an “all clear” signal from the service center. Another policy setting controls what authorizes an “all clear” signal: it can be granted automatically on reconnection, or policy can require a technician to manually re-enable access for machines that may have been hacked.
Also, when a system’s ephemeral key has been broken down because the number of guessing attempts was exceeded, a service technician is notified as soon as the system reconnects to the Internet, so support personnel learn that someone tried to break into the machine.
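To make the two mechanisms above concrete, here is an added example written for this page; it is not IceLock’s code and not a description of IceLock’s actual design. It models the general pattern the post describes: a randomly generated data key is never derived from the password, but is wrapped under a key-encryption key stretched from several factors (all must be present, and a missing one is an error, not a weaker key); a local lockout counter zeroizes the wrapped copy after a policy-defined number of failures and records an alert; and only a re-arm from the service center restores it. The eight factor names, the PBKDF2 and HMAC-based wrap construction, and the assumption that the service center holds an escrow copy of the wrapped key are all choices made for this illustration, not facts from the page.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical factor names: the post says eight factors exist but does not list them.
FACTOR_NAMES = ("password", "device_id", "hardware_attestation", "user_id",
                "os_fingerprint", "install_token", "network_tag", "time_slot")
PBKDF2_ROUNDS = 20_000  # kept low so the example runs quickly; production would use far more

# Constructed sample factors for the demonstration below.
SAMPLE_FACTORS = {name: f"sample-{name}" for name in FACTOR_NAMES}
SAMPLE_FACTORS["password"] = "pass1234"


def canonical_factors(factors: Dict[str, str]) -> bytes:
    """Length-prefix every name and value so concatenation is unambiguous.
    A missing factor raises KeyError: every factor has to be present."""
    out = bytearray()
    for name in FACTOR_NAMES:
        value = factors[name].encode()
        out += len(name).to_bytes(2, "big") + name.encode()
        out += len(value).to_bytes(2, "big") + value
    return bytes(out)


def derive_unlock_key(factors: Dict[str, str], salt: bytes) -> bytes:
    """Stretch the combined factors into a 32-byte key-encryption key (KEK)."""
    return hashlib.pbkdf2_hmac("sha256", canonical_factors(factors), salt, PBKDF2_ROUNDS, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib-only PRF keystream (AES-GCM would be the real choice)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(kek: bytes):
    # Separate encryption and MAC keys derived from the KEK by label.
    return (hmac.new(kek, b"enc", hashlib.sha256).digest(),
            hmac.new(kek, b"mac", hashlib.sha256).digest())


def wrap(data_key: bytes, kek: bytes) -> bytes:
    """Encrypt-then-MAC the data key: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(kek)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data_key, _keystream(enc_key, nonce, len(data_key))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(blob: bytes, kek: bytes) -> Optional[bytes]:
    """Return the data key, or None if the KEK (i.e. some factor) is wrong."""
    enc_key, mac_key = _subkeys(kek)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class Vault:
    """Local state: wrapped data key plus the lockout policy and its counters."""
    salt: bytes
    wrapped: Optional[bytes]
    max_attempts: int
    failures: int = 0
    decomposed: bool = False
    alerts: List[str] = field(default_factory=list)  # surfaced to support on reconnect

    def unlock(self, factors: Dict[str, str]) -> Optional[bytes]:
        if self.decomposed:
            return None  # nothing local can be recomposed until the service center re-arms
        data_key = unwrap(self.wrapped, derive_unlock_key(factors, self.salt))
        if data_key is not None:
            self.failures = 0
            return data_key
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.wrapped = None  # zeroize the local wrapped copy
            self.decomposed = True
            self.alerts.append(f"lockout after {self.failures} failed unlock attempts")
        return None

    def all_clear(self, escrow_copy: bytes) -> None:
        """Re-arm on the service center's signal (assumption: it holds an escrow of the wrapped key)."""
        self.wrapped, self.failures, self.decomposed = escrow_copy, 0, False


def provision(factors: Dict[str, str], max_attempts: int = 5):
    """Create a fresh random data key and return (vault, data_key, escrow_copy)."""
    salt = secrets.token_bytes(16)
    data_key = secrets.token_bytes(32)
    blob = wrap(data_key, derive_unlock_key(factors, salt))
    return Vault(salt, blob, max_attempts), data_key, blob


if __name__ == "__main__":
    vault, key, escrow = provision(SAMPLE_FACTORS, max_attempts=3)
    bad = dict(SAMPLE_FACTORS, password="wrong")
    print("correct factors unlock:", vault.unlock(SAMPLE_FACTORS) == key)
    for _ in range(3):
        vault.unlock(bad)
    print("decomposed after 3 failures:", vault.decomposed, vault.alerts)
    vault.all_clear(escrow)
    print("re-armed:", vault.unlock(SAMPLE_FACTORS) == key)
```

The point to notice is that the password alone never reaches the key derivation; the KEK depends on every factor, and a guess that is correct on the password but wrong on any other factor fails identically, so an attacker learns nothing about which factor was wrong. The lockout is enforced locally, which is what makes it effective when the machine is offline, and the alert list is what the service center would read back on reconnection.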
Long, complicated passwords are a requirement for unmonitored systems. IceLock leverages web connectivity and other technology to provide more sophisticated and user-friendly defenses. Making passwords harder to guess is not a terrible idea, but more than the brute-force mathematics of probability should be working to defend the security of your confidential data.
And making yellow stickies unnecessary would go a long way to making encryption more secure.