
Primer on Error Tolerance in Life Question Authentication

Security Usability Tradeoffs: Protocols involving life questions typically require the user to answer multiple questions when authenticating. Increasing the number of questions presented to the user will generally increase security but decrease ease-of-use. One way to achieve a favorable balance of usability and security is to design a system with error-tolerance. For example, a user might be allowed to successfully authenticate if four out of five selected questions are answered correctly.

A Simple Protocol: A naïve protocol might be designed in a way which simply stores the plaintext answers on a server. During authentication, the claimant is presented with the five questions and enters up to five answers. The server performs a simple comparison and allows the user access whenever at least four of the answers are correct. Of course, storing the plaintext answers on the server is poor security practice. Taking inspiration from password protocols, one might suggest that the answers be hashed with a one-way hash function. However, this will not be a sufficient deterrent since an attacker in possession of the hash value can apply a dictionary attack, enumerating all likely answers to a fixed question.

Deriving a Key from Answers: A better approach might be to derive a cryptographic key from a set of answers. Such a key can be used as part of an authentication protocol, or as a means of protecting locally-stored information, such as a credential store. For example, suppose that a1, a2, a3, a4, a5 are the answers to five questions. A key can then be created with a hash function H as follows: KEY = H(a1 || a2 || a3 || a4 || a5), where || denotes concatenation. SHA256, for example, may be used to realize the hash function H. The fact that all five answers are concatenated makes a dictionary attack much more difficult. A measure of bit-security can be estimated for the key by adding up the bit securities (technically the minimum entropy) of the individual answers. Care must be taken to assure that the level of security is adequate even if the attacker discovers one or two of the answers by alternate means, and good security practice also suggests applying iterated hashing and salt. However, the approach just described does not yield the desired error tolerance functionality.

Adding Error Tolerance: One approach to adding error tolerance is to use the Fuzzy Vault construction described in Fuzzy Vault. This protocol derives a key by first hashing each answer to a fixed length (say 10 bits), and applying a technique from error-correcting codes to create a vault which hides a key. The vault can be thought of as a small piece of data which serves as the encryption of the key. Whenever the threshold number of correct answers is provided, the key may be recovered. This technique is efficient, and the vault is compact, even when the number of questions is large.

However, a drawback to the fuzzy vault construction is that the resulting bit-security is less than one might expect. One reason for this is that the error-correcting code first hashes the answers to a few bits (e.g. 10), thus limiting the possible bit security of each question, and also provides the attacker with a question-independent search space. A second reason is the redundancy inherent in error-correcting codes, which further reduces the effective bit security.

Using Combinations of Answers: A more straightforward approach to achieving error tolerance involves enumerating the combinations of acceptable answers. This is best illustrated with a small example requiring that the user answer at least four out of five questions correctly. In this case there are 5 different subsets of acceptable answers: S1 = (a1, a2, a3, a4); S2 = (a1, a2, a3, a5); S3 = (a1, a2, a4, a5); S4 = (a1, a3, a4, a5); S5 = (a2, a3, a4, a5). For each such subset, a combination key is derived by hashing the concatenation of the answers in that subset. A master key, KEY, is encrypted under each combination key with an encryption function E. For example, the AES algorithm may be used to realize this encryption function. Thus, there are multiple encryptions of KEY:

Ek1(KEY) where k1 = H(a1 || a2 || a3 || a4)
Ek2(KEY) where k2 = H(a1 || a2 || a3 || a5)
Ek3(KEY) where k3 = H(a1 || a2 || a4 || a5)
Ek4(KEY) where k4 = H(a1 || a3 || a4 || a5)
Ek5(KEY) where k5 = H(a2 || a3 || a4 || a5)

These five encryption values are meaningless to an attacker not in possession of enough answers ai, and taken together, they also function as a vault. Whenever the user provides at least four out of five correct answers, one of the combination keys will be correctly obtained and the value of KEY can be retrieved. The security can be quantified in terms of the distribution of the weakest of the four questions. An attacker would have to perform a dictionary attack on four of the questions simultaneously. For the same threshold, the resulting bit security will be significantly higher than an approach based on error-correcting codes.

It should be noted that configuring this approach to use threshold parameters such as 7 out of 12 questions would result in an impractical number of combinations. In practice, however, such a system is unlikely to be configured in a way that would result in storage challenges; users prefer configurations such as "5 of 6" or "6 of 8" which have a small number of subsets of acceptable answers. This kind of combinatoric approach is used in RSA Security's IntelliAccess technology in the RSA Sign-on Manager product. Users can benefit from the convenience of error tolerance while enjoying the maximal security that the life question answers can provide.
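The combination-key vault and its storage cost, as an added example (not RSA's code). Because the Python standard library has no AES, the encryption function E is replaced here by a PBKDF2-derived one-time pad plus an HMAC tag; the answer normalization, length-prefixed concatenation, work factor and sample answers are assumptions of this sketch.

```python
import hashlib, hmac, os
from itertools import combinations
from math import comb

ITERATIONS = 100_000  # assumed PBKDF2 work factor; tune for your hardware

def _normalize(answer: str) -> bytes:
    # Assumed normalization: case-fold and collapse whitespace.
    return " ".join(answer.casefold().split()).encode("utf-8")

def _combo_keys(answers, idxs, salt):
    # Length-prefix every answer so a_i || a_j cannot be parsed two ways.
    parts = (_normalize(answers[i]) for i in idxs)
    material = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    okm = hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]  # (one-time pad, MAC key)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def vault_entries(n: int, threshold: int) -> int:
    """Number of wrapped copies of KEY the vault must store."""
    return comb(n, threshold)

def seal(answers, threshold, master_key):
    """Wrap master_key once per acceptable subset of answers."""
    if len(master_key) != 32:
        raise ValueError("master_key must be 32 bytes")
    vault = []
    for idxs in combinations(range(len(answers)), threshold):
        salt = os.urandom(16)  # fresh salt, so each pad is used exactly once
        pad, mac_key = _combo_keys(answers, idxs, salt)
        wrapped = _xor(master_key, pad)
        tag = hmac.new(mac_key, wrapped, hashlib.sha256).digest()
        vault.append((idxs, salt, wrapped, tag))
    return vault

def unseal(vault, answers):
    """Return KEY if any stored subset matches the supplied answers, else None."""
    for idxs, salt, wrapped, tag in vault:
        pad, mac_key = _combo_keys(answers, idxs, salt)
        expected = hmac.new(mac_key, wrapped, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected):
            return _xor(wrapped, pad)
    return None

if __name__ == "__main__":
    enrolled = ["Maple Street", "biscuit", "Ms. Ortega", "Lisbon", "1987"]  # constructed
    key = os.urandom(32)
    vault = seal(enrolled, 4, key)
    attempt = ["maple street", "Biscuit", "ms. ortega", "lisbon", "wrong"]
    print(unseal(vault, attempt) == key, vault_entries(12, 7))
```

The stored tag lets anyone holding the vault test guesses offline, so its strength rests on the combined entropy of the weakest four answers and on the work factor.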
