Abstract
We would like to quantify the assurance contained in an authentication secret. For instance, how much assurance does a customer convey to a bank by revealing that his Personal Identification Number (PIN) is 1111? We review a number of previously proposed measures, such as Shannon Entropy and min-entropy. Although each is appropriate under some assumptions, none is robust regarding the attacker’s knowledge about a nonuniform distribution. We therefore offer new measures that are more robust and useful. Uniform distributions are easy to analyze, but are rare in human memory; we therefore investigate ways to ”groom” nonuniform distributions to be uniform. We describe experiments that apply the techniques to highly nonuniform distributions, such as English names.
This is a preview of subscription content, log in via an institution to check access.
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Becker, R.A., Chambers, J.M., Wilks, A.R.: The New S Language: A Programming Environment for Data Analysis and Graphics. Wadsworth & Brooks/Cole, Pacific Grove (1988)
Bentley, J.L., Mallows, C.L.: Problem submitted to American Mathematical Monthly (2005)
Bishop, M., Klein, D.V.: Improving system security via proactive password checking. Computers and Security 14(3), 233–249 (1995)
Cachin, C.: Entropy measures and unconditional security in cryptography, Ph.D. Thesis, ETH Zurich (1997)
Chew, M., Baird, H.S.: BaffleText: a Human Interactive Proof. In: Proceedings IS&T/SPI Document Recognition and Retrieval X Conference (ER&R 2003), Santa Clara, CA (January 2003)
Ellison, C., Hall, C., Milbert, R., Schneier, B.: Protecting secret keys with personal entropy. Future Generation Computer Systems 16(4), 311–318 (2000)
Feldmeier, D.C., Karn, P.R.: UNIX password security - ten years later. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 44–63. Springer, Heidelberg (1990)
Knuth, D.E.: The Art of Computer Programming. Sorting and Searching, vol. 3. Addison-Wesley, Reading (1973)
Mauer, U.M.: A unified and generalized treatment of authentication theory. In: Puech, C., Reischuk, R. (eds.) STACS 1996. LNCS, vol. 1046, pp. 387–398. Springer, Heidelberg (1996)
Morris, R., Thompson, K.: Password security: A case history. Comm. ACM 22(11), 594–597 (1979)
O’Gorman, L., Bagga, A., Bentley, J.: Call center customer verification by querydirected passwords. In: 8th Int. Financial Cryptography Conference, Florida, February 9-12 (2004)
Shannon, C.E.: A mathematical theory of communication. Bell System Tech. J. 27, 379–423, 623–656 (1948), http://cm.bell-labs.com/cm/ms/what/shannonday/paper.html
Shannon, C.E.: Communication theory of secrecy systems. Bell System Tech. J. 28, 656–715 (1949)
Smith, R.E.: Authentication – From Passwords to Public Keys, pp. 87–99. Addison-Wesley, Boston (2002)
Wischik, L.: The Paradox of the Surprise Examination (1996), http://www.wischik.com/lu/philosophy/surprise-exam.html
Yan, J., Blackwell, A., Anderson, R., Grant, A.: The memorability and security of passwords – some empirical results. TR 500, University of Cambridge, Computer Laboratory (September 2000), http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-500.pdf
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Bentley, J., Mallows, C. (2005). How Much Assurance Does a PIN Provide?. In: Baird, H.S., Lopresti, D.P. (eds) Human Interactive Proofs. HIP 2005. Lecture Notes in Computer Science, vol 3517. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11427896_8
Download citation
DOI: https://doi.org/10.1007/11427896_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-26001-1
Online ISBN: 978-3-540-32117-0
eBook Packages: Computer ScienceComputer Science (R0)