Mnemonic Guard personal verification technology based on old memory overcoming security-paradox without risking privacy Mnemonic Security, Inc. http://www.mneme.co.jp
Date posted: 18-Dec-2015

Page 1:

Mnemonic Guard

personal verification technology

based on old memory

overcoming security-paradox

without risking privacy

Mnemonic Security, Inc.

http://www.mneme.co.jp

Page 2:

so easy to lose

  15% of businessmen lost some mobile devices in 2001 in Japan according to Gartner Japan.

  →  Whether ubiquitous computing will come true as a dream or a nightmare hinges on whether or not there is a valid personal verification technology.

Page 3:

human factor

• Assume that terminals talk to each other.  →  It is the terminal devices that matter.  →  Users are viewed as protein-made operation robots.  →  Vulnerability of human beings is often out of sight.

• Assume that people talk to each other via terminals.  →  It is people in real life that matter.  →  Terminal devices are just tools held in people’s hands.  →  Vulnerability of human beings is always in focus.

×

Page 4:

significance of personal verification

Encrypted data must be made human-readable when presented to the authorized individuals.

→ Personal verification is the key to rejecting impersonators and protecting data from theft.

Even the perfectly unbreakable encryption is invalid in front of a successful impersonator.

Page 5:

security of personal verification

Easy-to-remember passwords commonly used are too vulnerable. It is widely believed that the solutions should be

• Place the passwords under stricter control
• Use the unique human body as the passwords
• Reject those who do not have the specified tokens
• Combine the above

Taken for granted. Who proved it, and how?

Page 6:

Paradox of Password

Intent: Make it longer, more inorganic, and change it more often. Then, security should improve!

→ cannot remember

→ write it down and carry it around or paste it

→ towards collapse of security

Fatal collapse under mobile environment

With accounts increasing, even the brightest start to see collapse

Intent: Reject those who fail, say, three times. Then, security should improve!

→ Rejection = Loss of business. Solution is to write down or use unforgettable personal data

→ Unforgettable data are the easiest for impersonators to find out

→ towards collapse of security

Page 7:

Paradox of Biometrics

Intent: Use the unique features of the human body as verification data. Then, security should improve!

→ By nature false rejection cannot be eliminated.

→ Rejection = Loss of business. Rely on backup/recovery passwords provided in OR style

→ Passwords to be registered just in case

→ Furthermore, obliged to use the easiest-to-break data unless a memo is allowed to be carried around or pasted.

→ Forget biometrics! Break passwords!

→ towards worst collapse of security

Valid where we do not have to rely on passwords, say, in our own place.

The human body cannot be replicated, but features of the body can be easily replicated despite their private nature.

That identification (who is this person?) is different from verification (is this person who they claim to be?) is too often overlooked.

Page 8:

Paradox of Tokens

Intent: Reject those who fail to produce the necessary tokens. Then, security should improve!

→ Tokens left behind = Loss of business

→ Endeavor not to leave it behind

→ Back to “Token left behind”

→ Try to escape from this loop

→ Use just-in-case passwords in OR style

→ towards worst collapse of security

Increase the chances of simultaneous loss or theft of devices & tokens

Endeavor not to lose both devices & tokens at a time

Valid where we do not have to rely on passwords, say, in our own place.

Page 9:

Paradox of Combination

Intent: Each solution may have its weakness. Combine them. Then, security should improve!

Combination in AND style: The problem of “Rejection = Loss of business” will only get worse.

Combination in OR style: Security of the whole system will be determined by that of the weakest component, that is, the just-in-case passwords in most cases.

There is no third combination style other than AND and OR.

Combination will not help security improve, but help spread the false sense of security.
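The AND/OR argument on this slide, put in numbers as an added example (not part of the original deck). It assumes the factors fail independently, and the per-factor error rates, factor names and function names are constructed for illustration.

```python
from math import prod

# Constructed per-factor error rates (illustrative, not measured):
# far = chance an impersonator passes, frr = chance the owner is rejected.
FACTORS = {
    "biometric": {"far": 0.001, "frr": 0.03},
    "token":     {"far": 0.01,  "frr": 0.02},  # lost with the device / left behind
    "password":  {"far": 0.05,  "frr": 0.01},  # the just-in-case password
}

def combine_and(names):
    """AND style: every factor must pass. Assumes independent factors."""
    fs = [FACTORS[n] for n in names]
    far = prod(f["far"] for f in fs)
    frr = 1 - prod(1 - f["frr"] for f in fs)   # any single rejection rejects
    return far, frr

def combine_or(names):
    """OR style: any one factor is enough. Assumes independent factors."""
    fs = [FACTORS[n] for n in names]
    far = 1 - prod(1 - f["far"] for f in fs)   # any single break-in succeeds
    frr = prod(f["frr"] for f in fs)
    return far, frr

def weakest(names):
    """Factor with the highest false-acceptance rate in a combination."""
    return max(names, key=lambda n: FACTORS[n]["far"])

if __name__ == "__main__":
    combo = ["biometric", "password"]
    for style, fn in (("AND", combine_and), ("OR", combine_or)):
        far, frr = fn(combo)
        print(f"{style}: FAR={far:.5f} FRR={frr:.5f}")
    print("weakest component:", weakest(combo))
```

With these numbers the OR combination is easier to impersonate than the just-in-case password alone, and the AND combination rejects the owner more often than either factor alone.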

Page 10:

Security Paradox

An ironic phenomenon in which a good intention to improve security ends up with a paradoxical result: collapse

• Paradox of Password
• Paradox of Biometrics
• Paradox of Tokens
• Paradox of Combination

Page 11:

what identity

Identity of Token, Body and Personality – What matters for business and information security?

Identity of Token – Tokens tell nothing about in whose hands they are now.

Identity of Body – Cases of multiple-personality with disintegrated memory

Identity of Personality – Sustained and integral memory

It is the personality, not token or body, that matters for business. Verification of identity of personality cannot be replaced by body or token identification.

Page 12:

establish identity of personality

Identity of the personality can be established only by verifying the memory shared by the individuals and the system.

Objective personal data unique to an individual, which can be written down in letters and numbers, can be easily gathered by impersonators.

Subjective emotion-influenced visual images memorized by an individual cannot, particularly when they have survived decades.

→ Research the methods to verify the visual images.

→ Develop solutions to make good use of long-term memory.

→ Also, make every effort to mitigate the stress that people feel.

Page 13:

first step to overcome security paradox

merits and limitations of picture-based passwords

Merits of image-based verification

• easier to retain since it is visually concrete
• easier to revive, because of re-cognition of what is in sight, not re-call of what is out of sight.

Limitations of simple image-based passwords

• Still subject to oblivion, not freed of security paradox
• Not strong enough on a small screen

Page 14:

Mnemonic Guard: overcome security paradox

The user should only select the registered symbols to complete the verification.

The sort of mistakes that the legitimate user can make will be tolerated and retrials will be encouraged.

In case of a forced access, the user can select the emergency symbol as well as the verification symbols so that the system will know the emergency without the intimidator noticing the silent communication.

Photos of pet dogs we used to love decades ago are mixed with decoy dogs.

For those who loved those memorable dogs, there could be no failure in verification.

An impersonator, who has to try random choice, will be rejected as soon as they make the sort of mistakes that the legitimate user can hardly make.  The device will be made not to work or the alarm system will be triggered.
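A sketch of the selection logic this slide describes, added here as an example and not Mnemonic Security's code. The symbol names, the outcome labels and the rule that two decoys in one attempt count as a mistake the legitimate user can hardly make are all assumptions.

```python
from dataclasses import dataclass
from math import comb

# Constructed screen: 16 dog photos, 3 registered, 1 emergency symbol.
SHOWN = frozenset(f"dog{i:02d}" for i in range(1, 17))
PASS = frozenset({"dog03", "dog07", "dog12"})
EMERGENCY = "dog15"

@dataclass
class MnemonicVerifier:
    shown: frozenset          # every symbol on the verification screen
    pass_symbols: frozenset   # registered old-memory symbols
    emergency: str            # registered emergency symbol
    decoy_limit: int = 2      # assumption: decoys per attempt meaning "impersonator"
    locked: bool = False

    def attempt(self, selection):
        """Return (outcome, duress) for one selection of symbols."""
        if self.locked:
            return "locked", False
        chosen = frozenset(selection) & self.shown
        duress = self.emergency in chosen
        chosen -= {self.emergency}
        decoys = chosen - self.pass_symbols
        if len(decoys) >= self.decoy_limit:
            # A mistake the legitimate user can hardly make: end the trial.
            self.locked = True
            return "locked", False
        if chosen == self.pass_symbols:
            # Duress goes to the system only; the screen shows a normal login.
            return "accepted", duress
        # Omission or a single mis-tap: tolerated, the user may retry.
        return "retry", False

def blind_guess_odds(n_shown, n_pass):
    """Chance that one random pick of n_pass symbols out of n_shown is exact."""
    return 1 / comb(n_shown, n_pass)

if __name__ == "__main__":
    v = MnemonicVerifier(SHOWN, PASS, EMERGENCY)
    print(v.attempt({"dog03", "dog07"}))       # forgot one symbol
    print(v.attempt(PASS | {EMERGENCY}))       # forced access
    print(blind_guess_odds(len(SHOWN), len(PASS)))
```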

Page 15:

Mnemonic Guard: overcome security paradox

An example of the verification screen prepared for an 80-year-old lady, who uses, as the verification data or the pass-symbols, 3 or 4 old photos of her granddaughters taken 20 years ago.

On a small screen, each symbol, when pointed at, could be enlarged to show details.

Page 16:

Mnemonic Guard: simple operation for reliable identity verification

For the legitimate user: Easy and simple operation of selecting a few or several symbols registered as verification data.

The sort of mistakes that the legitimate user can make will be tolerated and the user can keep retrying without feeling stress.

For an impersonator: Mnemonic Guard software provides not just the user verification but also the impersonator verification. The impersonator will be rejected at a very early stage of the trial.

Also provided are functions of emergency signaling, child-lock/fail-proof, enlarge/shrink, optional input, etc., for the best possible usability.

The user can build, or have built for them, their own verification pictures from old photos or similarly emotion-influenced objects. There cannot be failure in verification by oblivion.

Page 17:

products

• data leakage from mobile devices: on the market for Windows2000 and PocketPC
• illegal access to domain controllers and web-servers: on the way to the market
• illegal login into specific application software: under development
• illegal physical access to data centers: under planning (with monitor invisibility technology)

Page 18:

projects

Mnemonic Security, Inc.

• picture production business for the busy and elderly
  alliance: VIO, Tokyo University, NILS
  government project with TAO

• assured P2P communications platform to protect privacy with minimum risks on law and order
  alliance: Fujitsu PST, Prof Hideki Imai of Tokyo University
  government project with IPA

• user・system mutual verification system
  alliance: Tokyo University, Fujitsu PST, VIO
  to be government project with TAO