Instrumented. Interconnected. Intelligent.

By Chris Sciacca

Dr. Gregory Neven, Cryptographer, IBM Research – Zurich

If you believe the press, you may think that passwords are antiquated. And who could blame you? With major breaches being reported at popular websites such as LinkedIn, Adobe, Yahoo!, and Twitter, passwords may sound like a vestige of past security solutions.

Well, not so fast. IBM scientists have developed a three-pronged approach that can secure all of your passwords for social media, email, cloud files or shopping websites with one practically hack-proof password.

And this password is secured by something they like to refer to as the “Memento Protocol.” In the 2000 film “Memento” by Christopher Nolan, the protagonist suffers from short-term memory loss. Throughout the film he meets several so-called friends, but due to his condition he never really knows if they are trustworthy or if they are trying to steal something from him.

“This scenario got us thinking because it leads to an interesting cryptographic problem — can a user securely recover his/her secrets using one password from a set of servers which cannot be trusted or even if they are the wrong servers?,” said Dr. Gregory Neven, a cryptographer at IBM Research. “We were also motivated by helping users who lose all of their devices — they too should still be able to retrieve their secret information using one password.”

In their newly published paper, “Memento: How to Reconstruct your Secrets from a Single Password in a Hostile Environment,” IBM scientists and Dr. Anna Lysyanskaya from Brown University propose a new security protocol in which no single server stores your full password. Instead, it is distributed in a cloud, so an attacker would have to hack more than a threshold of the servers simultaneously to gain access.

One of the most common techniques to steal passwords is known as the dictionary attack, which attempts to defeat a security tool by trying millions of possibilities, including all of the words in a dictionary.

Dr. Anja Lehmann, Researcher, IBM Research – Zurich

IBM security scientist Dr. Jan Camenisch said, “Our protocol has a throttling mechanism to block brute force or dictionary attacks. In addition, we require at least two servers with two keys to unveil the password, this way if one is corrupted the secrets remain safe — obviously the more servers the better. Our last line of defense is a protection technique which keeps your password secure even if you are tricked into typing it into a corrupted website caused by a phishing attack.”

For example, suppose you set up your password account on three different servers that you trust and are unlikely to collude against you or to be hacked all at the same time, for example,, and

Dr. Jan Camenisch, Scientist, IBM Research – Zurich

Next, suppose you are tricked in a phishing attack and you mistakenly log into, or and enter your password. You are cooked, right? Wrong. With the Memento Protocol, even in this situation the servers cannot figure out your password or impersonate you because, in a sense, they never actually knew your password from the start.

Dr. Camenisch adds, “Unless all of the servers are breached or you physically give someone your password this protocol is tough to beat.”

The scientists see an endless number of applications for the protocol spanning all web services including cloud data storage, social networking, online shopping, medical/DNA analysis websites and insurance.

Chris Sciacca, Communications Manager, IBM Research – Zurich

“It’s clear that people can no longer be expected to remember the dozens of passwords they require at home and in the workplace,” said Dr. Lehmann. “With our protocol when the user wants to retrieve their secret they should only require one username and password and at the same time feel confident that even if something is occurring unknowingly in the background the data remains secure.”

If only the lead character in Memento had it so easy. The Memento Protocol is being presented by Dr. Lehmann on 20 August at the International Cryptology Conference (CRYPTO) in Santa Barbara, California.


August 25, 2014
12:11 pm

Thanks for your comment @Rustam Abzaletdinov. You are correct the principle of distributed password verification is not new, it actually goes back to 2000 by Ford and Kaliski. The novelty of the work presented here is that the password remains secure even when authenticating to a set of malicious servers, while the secret can be retrieved as long as more than a threshold t servers are honest for any t<n.

Posted by: IBMResearch
August 21, 2014
11:52 pm

Dianne and her team did it 15 years ago at Bank of America and it was patented as Telescopic Security MAtrix folks;)

Posted by: Rustam Abzaletdinov
4 Trackbacks
September 11, 2014
9:30 am

[…] article originally appeared on August 20, 2014 on IBM’s Smarter Planet Blog and was republished with […]

Posted by: On the Horizon: A Single Password Served Through the Cloud | Longitudes