Coercion attacks that compel an authorized user to reveal his or her secret authentication credentials can give attackers access to restricted systems. The PIs are developing a new approach to preventing coercion attacks using the concept of implicit learning from cognitive psychology. Implicit learning refers to learning of patterns without any conscious knowledge of the learned pattern. Using a carefully crafted keyboard-based computer game the PIs plant a secret password in the participant's brain without the participant having any conscious knowledge of the trained password. This planted secret can be used for authentication, but participants cannot be coerced into revealing their secret since they have no conscious knowledge of it.
This project explores three directions for using implicit learning in computer security. First, the PIs are developing implicit learning tasks designed to be used in challenge-response authentication. Second, the PIs are experimenting with methods to demonstrate implicit knowledge by measuring electrical activity along the scalp using off the shelf EEG devices. Third, the PIs are conducting user experiments to demonstrate that participants are able to properly authenticate, but cannot consciously recognize the trained secret. This project is a collaboration between computer security researchers and cognitive psychologists. Ultimately, the project aims to understand how the brain represents implicit knowledge. This in turn will lead to new coercion resistant security mechanisms for high-security applications.
