Index
Overview
Advantages
Disadvantages
The Big Picture
A Look at Numbers
Item Sets
Entry Screens (Compare Variant)
Entry Screens (Match Variant)
Locks
Summary

Overview
This is a closer look at the CerebraLock Method. First we look at the advantages and disadvantages and how to get started. Then follows a detailed explanation of the underlying principles.


Advantages
CerebraLock offers many advantages compared to current authentication methods. (Authentication is the process of proving that you are authorized to access a given resource.)

•  there is no need to memorize anything. CerebraLock draws on knowledge you already have in your brain. Passwords are built from your unique memory and life experience.

•  passwords cannot be written down or told to someone else. Password entry is visual and requires you to be there (and to be conscious). There is no: 'We took your device, now give us your password so we can rifle through your stuff at our leisure.'

•  no need to periodically change passwords. CerebraLock creates a list of passwords and picks a different one unpredictably for every access.

•  no need to hide your password entry. An observer can stand right next to you and won't be able to discern your password. Also, the very next access will require a different password. Keylogging and phishing become futile.

•  the security (length) of your passwords can be easily adjusted, depending on your requirements. It is also adjusted automatically: if a wrong password is entered twice, the next access will require a much longer password. For you, access will take longer; for an attacker it will be impossible or, at least, become much, much harder! After successful entry you will go back to shorter passwords.

•  all passwords use the same principle, whether they fall in the 'easy' or 'paranoid' part of the security range.

•  each password has a built-in coercion function - it is really two passwords in one. You can decide at the time of entry whether you want to access your data normally or pretend to access your data and instead display a different set of data.

•  CerebraLock does not require any special hardware and therefore no extra expense. There is no gadget which can be lost, stolen, damaged or tampered with during shipping.

•  CerebraLock is culture independent. It uses images and text which you provide and does not depend on any language or region.

•  there is no magic or black box involved (other than encryption). If you can follow the explanation below, you will know what makes CerebraLock secure and how you can keep it secure.


Disadvantages
Disadvantages? What do you mean disadvantages?

•  the main disadvantage of CerebraLock is the effort to set up your passwords. You will have to make at least one list of 20 to a hundred items of images or text. Text items are easier to enter, but will be harder to use. Images are easier to use, but harder to prepare. Luckily this will have to be done only very rarely!

You will have to decide for yourself if the advantages outweigh the disadvantages.

•  entering a password in CerebraLock is more time consuming than simply entering a string of text (especially if that string is '12345')! Depending on how you set it up, it may take 15 to 45 seconds to go through an access sequence. To lessen the pain, CerebraLock requires only one or two access sequences while (and until) you are logged in.

•  passwords need a lot more storage space. But this is a disadvantage only compared to storing conventional passwords. Compared to the available storage space, a few megabytes are insignificant.

•  if you should somehow suffer memory loss through injury or age or become otherwise incapacitated, you may not be able to remember your passwords or go through an access sequence. This will make your data inaccessible.

This aspect certainly requires some further consideration. It is something you should keep in mind as well.

Further consideration has been given, and the solution is described in Identities: Managed Group or Group. Groups allow different persons (e.g. your significant other) to access the same information with their own passwords.


The Big Picture
Here is the minimal preparation to use CerebraLock:

One-time Setup:
•  read at least some of the documentation. CerebraLock is a new concept. Understanding the inner workings will greatly enhance its usefulness.

•  create an identity (user account).

•  create at least one item set. An item set is a collection of text items or images.

•  categorize the item set. This means looking at each item and assigning one of three categories to it (known, unknown, coercion).

•  create locks from the item set. Locks contain encryption keys and lists of 'passwords'. You will have to go through authentication (an access sequence) to gain access to your data.

•  import or create documents you wish to carry with you. They will be securely locked.

And that was it. Tedious as it is, this needs to be done only once (or, let's say, very rarely).

From Then On:
•  import, create, open, view, delete documents or exchange data securely with others.

•  secure and exclusive access is only an authentication (or two) away.


A Look at Numbers
The numbers we use are so-called decimal numbers because they are part of the decimal number system whose base (or radix R) is the number 10. This means there are ten different values V (0...9) for each digit in a number.

Numbers can have an arbitrary number of digits. The position P of a digit determines its contribution to a number. The position is counted from right to left, starting with 0. For example, 1,234 has 4 digits. '4' is at position 0, '3' is at position 1 and so on.

The radix raised to the power of the position is the weight of the digit. This is expressed as R^P:
10^0 = 1 (a number raised to the power of 0 equals 1),
10^1 = 10 (a number raised to the power of 1 equals that number),
10^2 = 10 x 10 = 100,
10^3 = 10 x 10 x 10 = 1,000 and so on - to raise a number to a given power you multiply the number by itself that many times.

This way of writing numbers is called scientific notation and is especially convenient for very large or very small numbers.

To get the value of a number represented by a sequence of digits you add up the various V x R^P. In our example that would be 4 x 10^0 + 3 x 10^1 + 2 x 10^2 + 1 x 10^3 = 4 + 30 + 200 + 1,000 = 1,234. Very nice, very regular and easily extensible to extremely large numbers!

Different number systems use different radices, but you construct numbers in the exact same way. Any number in any number system can be expressed as a sum of various V x R^P.

Another number system has radix 2: the binary system. There, only two values are used, 0 and 1.

Joke: there are 10 kinds of people in the world - those who know binary numbers and those who don't! (If you don't get it, then please read this section again.)

How does this relate to security? Well, you may be aware that good passwords are long and contain upper and lower case letters and symbols - what this really means is that there should be a large enough number of different values which could be your password so it cannot be easily guessed, looked up in a dictionary or tried one by one.

Let's do away with the letters and the symbols and use only passwords made up of digits. If we use enough of them, our passwords will be just as secure.

For instance, the number 543,634,652,626,102,524 looks like a pretty good password. There certainly are a lot of different possible values, namely 10^18 (18 digits, each with ten possible values). A computer trying a brisk ten billion passwords per second would, on average, find the right one after going through half of all possible values - which would take about one and a half years - and leap years at that.

A rough measure of the security of a password is the number of possible values it can be. The higher that number, the longer it will take to find the password by trying all possibilities, and the less likely it is to get the correct password by guessing. Let's call this the security level of the password.

What if the computer gets ten times faster? Then we just increase the length of our password by one digit - which is a lot easier than making a computer ten times as fast. The math is definitely on our side.

Now let's make a list of 20, 50 or 100 of these long numeric passwords and make it so that when we want to access our information we will be asked for say, password 7 or password 23 in an unpredictable way. Each access will require one of the passwords on the list, but we (and more importantly: any attacker trying to gain access) won't know in advance which one on our list will be required. Even if we were observed entering password 7, it won't do any good since we next have to enter password 23! And we already established that trying every single possibility could be, uh, tedious.

I would like to point out that even this system - everyone carrying a list of pre-fabricated numbers - would be more secure than our current way of using passwords!

However, our list of passwords can be copied, lost or stolen, and memorizing it is not an option. But we're not done yet, and we're on a roll!

Imagine entering one of the above passwords digit by digit. Think of it as an access sequence made up of a series of entry screens. Each entry screen would display a numeric keypad and you would tap the required digit. The length of the sequence would be the length of the password. The keypad would display the values allowed by the radix of the number - 0..9 for radix 10, 0 and 1 for radix 2 and so on.

We would like to do three more things:
•  make the entry screen tell us which password we're working with so we can pick the digit which is the correct solution for this particular entry screen.
•  make it so that an observer won't be able to tell which solution we are entering.
•  make it so we don't need to consult a list of passwords at all!

CerebraLock is a method to do that.


Item Sets
An item set is a collection of tens to a couple of hundred items. An item can either be an image or a short line of text. Entry screens will be made up of groups of items and each entry screen will be similar to a letter in a conventional password. Items fall into three categories:

Known items (represented by symbol ) are items you are intimately familiar with. When you see one of them, you will be immediately reminded of something: a person, a place, an event - anything in your past which evokes a strong recognition. Known items are things you will never forget.

Unknown items (symbol ) are items which have no special meaning to you. You may or may not recognize them, but you don't care much about them. For example, you may strongly and fondly remember your math teacher. His or her name or picture will make you immediately and primarily think of him or her. This would be a good candidate for a known item. Your history teacher on the other hand... you may remember him or her, but there is a distinctly different 'feel' to the memory.

Strong recognition and familiarity is for known items, weak or no recognition is for unknown items.

Coercion items (symbol ) are known items, but something makes them even more special. A good candidate would be someone or something you recognize strongly but have negative feelings about. Again, it's about the 'feel' of the memory.

This is the core concept of CerebraLock. Three categories of items. When presented with an item you have one of three distinct reactions to it:
•  known: strong recognition, a fond memory or association, a positive reaction.
•  unknown: weak or no recognition, indifference, a neutral or 'don't care' reaction.
•  coercion: strong recognition but unpleasant or negative (or extremely positive - it doesn't matter, as long as the reaction is different from the other two).

And, most importantly, since this is what makes your passwords secure:
only you - based on your individual circumstances, memories and life experience - can make this categorization.

CerebraLock comes with some practice files. Since I cannot come up with items with special meaning to you and only you, I have to simulate the categories.

The 'Patches' image set (an item set comprising images) consists of red, green and orange color patches. Green patches are the known items, meaning 'good', 'go ahead', 'OK'. Red items are the unknown items, meaning 'no', 'stop', 'wrong'. Orange items are the extra-special coercion items meaning 'attention', 'warning'.

The 'OddEven' text set (an item set comprising text) consists of odd and even numbers. Odd numbers are the known items, even numbers are the unknown items and 911 (the emergency number), is the special coercion item.

You may have noticed that the items in the example item sets don't quite follow all the rules laid down above; for example, a red patch seems more 'negative' than an orange one. But this does not matter! You will be the one creating item sets for your own use.

As long as you can reliably sort your items into three categories they can be anything at all.


Entry Screens (Compare Variant)
Let's construct an entry screen (CerebraLock will do this for you; you only supply the raw material - the categorized item sets).

A compare variant entry screen is an image made up of at least two groups of known and unknown items. The solution of the screen is equivalent to a digit in our password. The number of groups is the radix for our password. We pick the group which is most familiar, that is, we pick the group which has the highest number of known items:

Each of the vertical strips is a group. The left (1) has two known items, the right (2) has only one and so is 'less familiar'. The solution of this screen is therefore 1.
 
The left group has none, the right group has one known item. This screen represents the digit 2.
 
This is the coercion screen. Each access sequence has one. The orange item is the coercion item. Depending on the circumstances, you can treat this as a known item or an unknown item. So the solution to the screen is 1 or 2. This screen acts as a fork in the road. An observer will be unaware which path you choose!

The three screens are an example of an access sequence representing a 3 digit 'password'. The radix (number of groups) is 2, so there are 2 possible values for each screen. The solution to the access sequence (the password it represents) is 122. The coercion solution is 121.

This scheme is extremely flexible. To increase the security we can increase the number of groups and we can make the sequence as long as we wish. Once we have created an item set, it can be used to generate many different kinds of passwords.

And there is nothing to memorize, write down or look up - all these passwords are already stored in your brain.

Here is another example, this one from the included 'FemaleMale' image set. Female images are the known items, male images are unknown, grayscale images are coercion items. This image set is a bit more realistic, although the categories are still quite obvious. Remember, in your own image sets, you and only you should be able to tell which category an item belongs to. This time the groups are horizontal and there are three of them. Going (and counting) from top left to bottom right, can you determine the solution for each screen and hence the passwords?

 
 
 

The password is 1213, the coercion password is 1233. Please make sure you understand why.


Entry Screens (Match Variant)
There is an alternate way to construct entry screens - the match variant. Whereas previously you compared groups of items, in this variant you match a pattern formed by known items against a list of symbols. The pattern is hidden in a grid of items and may start in any of several columns.

The match variant can be used only with image sets and is more difficult to use. Its great benefit is that you can choose a higher radix - up to 32 - which reduces the number of entry screens needed to achieve a desired security level. For example, to achieve a security level greater than 1 in a million with radix 4 you need 10 screens (since 4^10 = 1,048,576). With radix 32 you need only 4 screens: 32^4 = 1,048,576.

Use the variant you feel most comfortable with. The trade-off is - again - performing a simple task many times or a more complicated task fewer times.
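
The screen counts quoted above, and the search-time estimate from 'A Look at Numbers', worked through as an added example (not part of CerebraLock or its documentation). The function names are illustrative, and the figures assume every solution is equally likely:

```python
# Added example: names are illustrative, not CerebraLock's own code.
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def security_level(radix, screens):
    """Number of possible solutions: `radix` choices on each entry screen."""
    if radix < 2 or screens < 1:
        raise ValueError("need radix >= 2 and at least one screen")
    return radix ** screens


def screens_needed(radix, target_level):
    """Fewest screens whose security level reaches target_level.

    Integer multiplication is used on purpose: a floating-point logarithm
    is not guaranteed exact when target_level is an exact power of radix.
    """
    if radix < 2 or target_level < 1:
        raise ValueError("need radix >= 2 and target_level >= 1")
    screens, level = 1, radix
    while level < target_level:
        level *= radix
        screens += 1
    return screens


def solution_to_index(solution, radix):
    """Position of a solution among all radix**n values (sum of V x R^P).

    `solution` lists the chosen group per screen, numbered 1..radix as on
    the page, so each digit value V is the group number minus one.
    """
    digits = [group - 1 for group in solution]
    if any(not 0 <= v < radix for v in digits):
        raise ValueError("group numbers must lie in 1..radix")
    return sum(v * radix ** p for p, v in enumerate(reversed(digits)))


def expected_search_years(level, guesses_per_second):
    """Average exhaustive-search time: half of all values get tried."""
    return (level / 2) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for radix in (2, 4, 32):
        n = screens_needed(radix, 1_000_000)
        print(f"radix {radix:2}: {n} screens, level {security_level(radix, n):,}")
    print("'122' is value", solution_to_index([1, 2, 2], 2), "of", security_level(2, 3))
    years = expected_search_years(10 ** 18, 10e9)
    print(f"18 decimal digits at ten billion guesses/s: {years:.2f} years")
```
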


The symbol formed by the known items (green patches) is
.


The symbol formed by the known items is
.
The orange patch is the coercion item. If you choose to include it, the solution becomes
.

The solutions become considerably less obvious with a more realistic item set, such as the 'FemaleMale' image set. Female images are the known items, male images are unknown, grayscale images are coercion items.

Can you identify the solutions to the next two screens?

 

Yup, the solutions are the same as in the 'Patches' example.

The screens may appear daunting, but your brain is quite good at identifying patterns. If you think this is difficult then consider how difficult it is for someone who doesn't know which items to look for!


Locks
Encryption is the art and science of taking a piece of information - the plaintext - and converting it into indecipherable gibberish - the ciphertext. (And, of course, the opposite - but only if we are authorized to do so.) To get back the plaintext one needs an encryption key; in other words, the key is the password protecting the access to the data.

CerebraLock creates so-called locks. Locks contain the encryption keys to encrypt (lock) or decrypt (unlock) data. You can think of a lock as a physical padlock where only the person who created it has the key.

If you want to keep your own data secure, put it in a box and lock it with one of your locks.

If you want to securely send data to someone else, put it in a box, lock it with one of their locks, and then send it to them.

The locks also contain the access sequences representing your passwords. Each access sequence - only when solved correctly - produces the encryption key which you need to gain access to your data.


Summary
We produced an item set with three different categories of items. Only we know which category an item belongs to.

We categorize the items and then CerebraLock generates a list of access sequences from the categorized item set. Each access sequence (password) of entry screens (digits) reveals the encryption key only when solved correctly.

We can now delete the item set (or at least the categories).

The secret - the item categories - remains only in our brains. Even the locks do not contain this information since it is used indirectly by comparing groups of items or identifying a pattern, not by identifying the items themselves.


Copyright ©2014 bitSplit™ Enterprises. All rights reserved.

Sunday, April 13, 2014