
Game & Performance Authentication (GPA)

Play a game and gain authenticated access
  (-2)

The security of any password-based authentication scheme cannot protect you beyond WHAT your hacker can enter. Even when public key and encryption are implemented, your password can still be known through torture, key logger, social engineering, bedside eavesdropping and so on. In a country like the UK, you are already guilty by not divulging a password under authority subpoena. No matter how strong your encryption scheme is, the problem of having a unique password (long string) is that it is still not unique enough and that it can be written down on paper. When you are placed in a life-threatening situation, this uniqueness can only be protected by how much you can withstand physical and emotional force of pain. Brute force isn't likely to be the government's cup of tea if they want you to crack in 24 hours. The magic question of hacker and authority is still "WHAT is your password?" Once WHAT is known, whatever is related to WHAT is history.

Game & Performance based authentication (GPA) solves this problem because password uniqueness is no longer on one dimension. Besides WHAT, under the GPA scheme, a hacker has to know HOW is your password, WHEN is your password, WHY is your password, WHERE is your password.

The best way to capture these 5 dimensions of information is through the implementation of a game. No 2 persons play a game the same way. Be it chess, DOOM, Space Invaders or Pac-Man, an individual's strategy (performance) is different from another's. Even when I have a hacker watching over my shoulder when I play, there is no way this person can replicate my performance and strategy. Let's say I am shooting a DOOM monster in the leg: I can shoot it at the knee (WHERE), 3 inches below the knee (WHERE), twice within 1 second but 2 seconds after 15:00 hour (WHEN), by unnecessarily re-loading my pistol between the 2 triggers (HOW), and still keep the monster alive because the monster should get up and scratch me (WHY). The hacker standing behind me is unlikely to emulate my strategy because I have spent hours perfecting my technique so that I can do it blindfolded.

Performance is so unique that it is unlikely that the performer will be subject to torture, because it takes time to heal from an injury in order to bring performance back to the previous level of competency. If you know a particular sport or exercise that takes years of hard work to build up your motion-sensor-captured SIGNATURE MOVE, such as tennis, running, yoga, karate or golf, it will be even harder for a hacker to take up yoga classes and copy that move. This will be good news for sport celebrities, Guinness record and sport world record holders, because performance is only one of a kind. If you run into a problem with authority, you simply safeguard your password by blaming it on your being too old or too tired to perform. At least there is no law against being old.

I don't mean that everyone must have a motion capture lab and race track installed in every house; this scheme can be implemented by playing a simple Java game of Space Invaders. Imagine that your password is composed of upper case and lower case letters and the 9 numeric keys. On the game screen, there are as many as 61 invaders waiting to attack you (26 uppercase + 26 lowercase + 9 numeric keys = 61). Each invader represents one of these keys; all you have to do to gain access is to shoot them in a special sequence while avoiding getting hit. Since the invaders attack you randomly, brute force will become unattractive because it is made too slow. Let's say the password is HhiJHOIjoiOIpU7: a hacker has to try shooting HhiJHOIjoiOIpU7 more than twice to find a performed sequence. There is no use in knowing the hit list sequence HhiJHOIjoiOIpU7 because the strategy is still the missing link.

If this idea is widely implemented in retail checkout, I am envisioning people armed with bluetooth-equipped gun or joystick, just like the old west cowboy, and then play a little shooting game and complete their purchases.

cocobk, Jul 05 2004
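
The matching step the idea above leaves implicit, as an added example that is not part of the original post: a verifier that checks the hit sequence (WHAT) exactly and the gaps between hits (WHEN) against a template built from several recordings. The 4-key sequence, all timings, the 0.05 s spread floor and the `max_z` threshold are constructed assumptions.

```python
from statistics import mean, stdev

# Constructed enrollment data: three recordings of the same (shortened) hit
# sequence, each a list of (invader_key, seconds_since_first_hit).
ENROLL = [
    [("H", 0.00), ("h", 0.40), ("i", 1.60), ("J", 1.90)],
    [("H", 0.00), ("h", 0.45), ("i", 1.70), ("J", 2.02)],
    [("H", 0.00), ("h", 0.38), ("i", 1.55), ("J", 1.83)],
]

def keys(perf):
    return [k for k, _ in perf]

def gaps(perf):
    """Intervals between consecutive hits: the WHEN part of a performance."""
    times = [t for _, t in perf]
    return [b - a for a, b in zip(times, times[1:])]

def enroll(performances, min_std=0.05):
    """Build a timing template from several recordings of one sequence."""
    if len(performances) < 2:
        raise ValueError("need at least two recordings to estimate spread")
    if any(keys(p) != keys(performances[0]) for p in performances):
        raise ValueError("recordings must hit the same sequence")
    per_gap = list(zip(*(gaps(p) for p in performances)))
    return {
        "keys": keys(performances[0]),
        "mean": [mean(g) for g in per_gap],
        # Floor the spread so a very steady enrollment does not lock the owner out.
        "std": [max(stdev(g), min_std) for g in per_gap],
    }

def verify(template, perf, max_z=3.0):
    """Return (accepted, reason): WHAT must match exactly, WHEN within max_z."""
    if keys(perf) != template["keys"]:
        return False, "wrong sequence"
    for g, m, s in zip(gaps(perf), template["mean"], template["std"]):
        if abs(g - m) / s > max_z:
            return False, "timing outside tolerance"
    return True, "ok"

TEMPLATE = enroll(ENROLL)
OWNER = [("H", 0.0), ("h", 0.42), ("i", 1.65), ("J", 1.95)]
OBSERVER = [("H", 0.0), ("h", 0.50), ("i", 1.00), ("J", 1.50)]  # right keys, own pace
OFF_DAY = [("H", 0.0), ("h", 0.42), ("i", 1.92), ("J", 2.22)]   # owner, one slow hit

if __name__ == "__main__":
    for name, perf in [("owner", OWNER), ("observer", OBSERVER), ("off day", OFF_DAY)]:
        print(name, verify(TEMPLATE, perf))
```

With these constructed numbers the owner's `OFF_DAY` attempt is rejected at the default threshold, which is the failure mode Jinbish's annotation below raises. Loosening `max_z` admits it, and loosening it far enough also admits an observer who knows only the keys.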

Monolith http://monolith.sourceforge.net/
"Muddying the waters of the digital copyright debate." [Detly, Oct 04 2004]

Original Monolith File Processor http://goroadachi.c...i/2001-monolith.gif
Primitive 'bakers were known to bone ideas [thumbwax, Oct 04 2004]

Version 2 http://aftergrog.dr...om/archives/Who.jpg
[angel, Oct 04 2004]







       My brain hurts...
MikeOliver, Jul 05 2004
  

       My eyes hurt...
skinflaps, Jul 05 2004
  

       Would you believe it? They already do that at my 1337 local grocery store!!1!   

       The objective of the game is to maneuver a pointing device from one side to the other side of a surface while keeping its tip touched to the surface. Given how dull this is, it's amazing how much people will give you if you can produce the right "signature".
jutta, Jul 05 2004
  

       what's the frequency kenneth?
xclamp, Jul 05 2004
  

       [jutta], you crack me up.   

       As for the idea, I think it takes some people long enough to get through a checkout as it is...
Lacus Trasumenus, Jul 05 2004
  

       Center of mass if I'm in a hurry, and head shots if the occasion calls for it
normzone, Jul 06 2004
  

       //I am envisioning people armed with bluetooth-equipped gun//

And I'm imagining them armed with a bullet equipped gun. It'll be the only way to get through the checkout before you grow old and die.
DrBob, Jul 06 2004
  

       I think I'd rather just go with the dna security...   

       or better yet, why not use your Aura as a unique signature.   

       them things are harder to copy. :P   

       a shooting sequence really isn't that hard to copy. it requires skill in that specific action. it would only mean that it doesn't take hackerskills to hack anymore.
Keeper of the Blue Flame, Jul 06 2004
  

       Thanks to a mis-spent youth I was a dab hand at a number of old coin-op arcade games: Defender, Gauntlet, Golden Axe & Streetfighter II to name a few. I doubt if I would be as good at them today. My point is linked to [jutta]'s; the users themselves have to be able to recreate their 'signature', whether this is a scribble on a receipt or a high score in a game is irrelevant. If the system is based on a skill - how easy is it to replicate? I've had off days while playing table tennis and, damn it, I'm sure that I am doing the strokes right but I keep losing points! It's bad enough losing a game, but to be charged with fraud for not recreating my password, that'd be mental!
Jinbish, Jul 07 2004
  

       Sorry, but I don't like your original idea very much. But it did get me thinking about how to make it hard for someone to force you to reveal a key to decrypt a file, and I had some ideas.   

       I was surprised that the UK could legally make you reveal a password. I wonder how the following method would hold up in court.   

       What if you have a directory on your disk named "private and or potentially incriminating data". Now this directory has many files with filenames that don't directly correspond to their contents. Some of these files are encrypted using one key and other files are encrypted using a different key. You may use as many keys as you can remember. In addition, there are files with similar file names that appear to be encrypted, but contain random data so that there is no known key that will generate a valid decrypted file. There is a program in that directory for creating such dummy files.   

       Therefore, when you get the subpoena to reveal the keys to decrypt these files, you can give the keys for some of the files and make a plausible claim that the rest of the files have no known valid key. You can demonstrate the program in that directory to support your claim. The government could theoretically try to say that it is illegal to store a file for which you don't have the key to prevent such a thing, but then wouldn't that apply to any email provider storing an encrypted email message?   

       A more realistic implementation would probably not be designed to so blatantly game the system by at least making it look like the other files may belong to somebody else so you have a real reason for not knowing the passwords, but logically it's the same thing.
scad mientist, Jul 07 2004
  

       [sm] - have you read about the monolith file processor?
Detly, Jul 07 2004
  

       //I was surprised that the UK could legally make you reveal a password//   

       i can't remember my passwords for most things. guess they'd lock me up. ignorance is the ultimate security.
xclamp, Jul 07 2004
  

       [Detly] No, and googling for "monolith file processor" gets zero results. What is it?
scad mientist, Jul 08 2004
  

       [sm] - added link :)
Detly, Jul 08 2004
  

       So, what you're saying is, that I need to shoot the staff of a Grocery Store in an alphanumeric sequence that not only matches my password, but has that certain "je ne sais quoi" that ne'er-do-well hackers can try all they want to *recognize* as being uniquely mine, yet not *duplicate.*
thumbwax, Jul 09 2004
  

       [Detly] Thanks. That's an interesting approach to rationalize free distribution of copyrighted material.   

       I guess my idea is also a way to rationalize breaking a law, but since it isn't a law where I live, I don't feel too bad.
scad mientist, Jul 09 2004
  

       I'm not saying that their argument is perfect - and neither are they - but I found it interesting. It could be thought of as a more general type of encryption. One question is, if I copyright my private GPG key and use it to encrypt a copyright work, who has the copyright on the final file?   

       But this is getting off topic.
Detly, Jul 10 2004
  
      