Not a board game, a security tool.
Modern cybersecurity, practiced with properly paranoid best practices, comes with some stringent requirements: carry a physical two-factor key to authenticate whenever you connect from a new computer, but if you lose or break that tiny piece of plastic, you could be locked out of your accounts. Use a different, completely unguessable password for every website, without reusing any of them or writing them down. And even if you use a password manager, as you should, you have to remember one long master password for years, or risk losing access to all of the others.
Or you can reduce all of that complexity to a single roll of 25 dice in a plastic box. This week Stuart Schechter, a computer scientist at the University of California at Berkeley, is launching DiceKeys, a simple kit for physically generating a single super-secure key that can serve as the foundation for creating all the important passwords in your life for years or even decades to come. Using little more than a plastic device that looks a bit like a Boggle set and an accompanying web app that scans the resulting roll, DiceKeys produces a highly random, mathematically unguessable key. You can then use that key to derive master passwords for password managers, as the seed for a U2F key for two-factor authentication, or even as the secret key for a cryptocurrency wallet. Perhaps most importantly, the box of dice serves as a permanent offline key for regenerating the master password, crypto key or U2F token if it is lost, forgotten or damaged.
"You just roll the dice," says Schechter, who presented DiceKeys last week at the Usenix Symposium on Usable Privacy and Security and is now taking pre-orders for the $25 kits on Crowd Supply, with shipping expected next January. "Instead of having to type in a big secret when you want to do something that requires a very strong password, you can just scan it in."
In fact, Schechter intends for most DiceKeys users to roll their set only once. After shaking the dice in a bag, the user tosses them into the plastic box and closes the lid to lock them in permanently. The user then scans the box of dice with the DiceKeys app, currently a web app hosted at DiceKeys.app, which uses the camera of their laptop, phone or iPad. The app generates a cryptographic key from the dice and checks the barcode-like symbols on the faces to ensure that the characters and the orientation of each die are read correctly. Although the current version of the DiceKeys app is hosted on the web, Schechter says it is designed so that no data leaves the user's device.
The intro video for DiceKeys
Thanks to the different numbers and letters on each die face, as well as the orientation of the dice, the resulting arrangement has around 196 bits of entropy, according to Schechter, which means there are 2^196 different ways the dice could be positioned. Schechter estimates that is about as many possibilities as there are atoms in four or five thousand solar systems. "With modern technology, you can't build a computer big enough to guess that number without it collapsing under its own gravity," he says.
After scanning the dice, the app offers to use the key it generated to derive an ultra-long, purely random passphrase that can be cut and pasted into a password manager as its master password. The DiceKeys app does not store the key it creates when scanning the dice, the master password or anything else. Crucially, though, the key and password can be regenerated on demand by scanning the box of dice again.
Schechter is also building a separate app that integrates with DiceKeys so that users can write a DiceKeys-generated key into their U2F two-factor authentication token. Currently the app works only with the open-source SoloKey U2F token, though Schechter hopes to extend it to more widely used U2F tokens before DiceKeys ships. Using the same API that enables that U2F integration, cryptocurrency wallet developers can also integrate their wallets with DiceKeys, so that a compatible wallet app can use DiceKeys to generate the cryptographic key that protects your coins.
The cryptographic hashing scheme DiceKeys uses to generate its passwords and keys prevents anyone who obtains one of them, such as a rogue password manager or crypto wallet, from working backwards to infer the user's underlying DiceKeys key. DiceKeys is designed to let the user generate and, if necessary, regenerate passwords and keys for many applications without compromising the security of any of the others.
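As an added illustration of the two claims above, not code from DiceKeys or its author: the entropy count for a 25-die roll, and a per-application key derivation in which each application's key is independent of the others and reveals nothing about the dice. It assumes a 25-letter die alphabet, the orientation labels t/r/b/l, that the app cancels the four rotations of the box (which is what brings the count to Schechter's figure of about 196 bits), and HKDF-SHA256 as the one-way derivation; the real DiceKeys formats and hash scheme may differ.

```python
import hashlib
import hmac
import math
import random

# Constructed model of a DiceKeys-style arrangement (assumed, not the project's format):
# 25 distinct dice, one letter each, every die showing one of 6 faces (a digit) in
# one of 4 orientations, read row by row with the box held in a fixed orientation.
DICE_LETTERS = "ABCDEFGHIJKLMNOPQRSTUVXYZ"  # 25 letters, W omitted (assumption)
ORIENTATIONS = "trbl"                       # top, right, bottom, left (assumed labels)

def entropy_bits(n_dice=25, faces=6, orientations=4, box_rotations=4):
    """Bits in one roll: n! orders of the distinct dice, faces*orientations states
    per die, minus the box_rotations readings the app treats as the same key."""
    return (math.log2(math.factorial(n_dice))
            + n_dice * math.log2(faces * orientations)
            - math.log2(box_rotations))            # about 196.3 bits

def constructed_arrangement(seed=7):
    """Deterministic made-up roll so the example runs offline (not a real roll)."""
    rng = random.Random(seed)
    letters = list(DICE_LETTERS)
    rng.shuffle(letters)
    return [(l, rng.randint(1, 6), rng.choice(ORIENTATIONS)) for l in letters]

def canonical_form(dice):
    """Serialize the scanned arrangement, e.g. 'K3t A6r ...', in reading order."""
    return " ".join(f"{letter}{face}{orient}" for letter, face, orient in dice)

def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) extract-then-expand using HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_key(dice, purpose):
    """Per-application key: the dice string is the input keying material and the purpose
    label goes into HKDF info, so each application gets an independent, one-way key."""
    return hkdf_sha256(canonical_form(dice).encode(), b"dicekeys-example-salt",
                       purpose.encode())

if __name__ == "__main__":
    roll = constructed_arrangement()
    print(f"{entropy_bits():.1f} bits of entropy")
    print("password manager key:", derive_key(roll, "password-manager").hex())
```

Rescanning the same box yields the same canonical string and therefore the same keys, while a single die read in a different orientation produces unrelated keys.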
Schechter also argues that the plastic box of dice is relatively future-proof. It's more durable and harder to lose than a piece of paper with a password written on it. It's "child-safe," he says, and designed to survive being dropped from the height of the tallest person. (Schechter says he's also working on a fireproof steel version.) And while the world may have moved on from standards like Bluetooth and USB-C a few decades from now, the DiceKeys open-source license lets the community maintain it; at best, it could continue to work indefinitely.
Schechter describes DiceKeys as still in alpha testing, and its security is not yet perfect. For example, hosting the DiceKeys app on the web leaves it vulnerable to hackers who might hijack the server it runs on to give themselves copies of the keys and passwords it generates. But Schechter says he's building iOS and Android versions of the app, which he hopes to have ready before DiceKeys ships to customers, a major security improvement, says Dan Boneh, a noted Stanford cryptography professor who saw Schechter's Usenix talk. "An app can be reverse engineered to make sure it does what you expect it to do. Chances are, some security organizations would do this and report their results to the rest of us," Boneh wrote in an email to WIRED. "You can't do that in the cloud."
Otherwise, Boneh argues that DiceKeys is "a great way to guide users into correct behavior." It is designed, for instance, to make it much easier for users to adopt a password manager, a generally recommended security practice because password managers let users generate strong, unique passwords for all of their various accounts.
Although DiceKeys will likely have the greatest appeal to the crypto and security community, Schechter sees it as a tool for people who want to adopt password managers and U2F tokens but are intimidated by the prospect of forgetting a master password or losing a U2F token. "This is meant to help people overcome those problems. It's for everyday users," says Schechter. "It was definitely designed to make security more accessible to people, because they can understand it. It's a few letters and numbers in a box."
This story first appeared on Wired.com.