
Password-Based Cryptography: Strong Security from Weak Secrets (PowerPoint presentation, Anja Lehmann)



  1. Password-Based Cryptography: Strong Security from Weak Secrets. Anja Lehmann, IBM Research – Zurich. Based on joint work with Jan Camenisch, Anna Lysyanskaya & Gregory Neven.

  2. ROADMAP
  ▪ Password-Based Authentication: how to make password checking systems even better
  ▪ Password-Authenticated Secret Sharing: how to make cryptography accessible to end users

  3. Password-Based Authentication
  ▪ Most prominent form of user authentication – convenient! No key, no software, …
  [Figure: the user sends (username, pwd') to the Service Provider, which computes h' from pwd' and checks h' = h against its table]
      Username   Hash
      Alice      wb3822Ujsd4
      Bob        b5kMsa8dsbn
      Carol      77peCu52Kry
  ▪ The service provider stores only (salted) password hashes, $h = \mathrm{Hash}(pwd)$
  ▪ Password rules: upper and lower case letters and numbers; at least 16 characters in length; never reuse your password on another site; change your passwords periodically
  ▪ vs. a 4-digit PIN for ATM cards. Why the difference? The ATM will retain the card after 3 failed attempts!

  4. Password-Based Authentication
  ▪ If the service provider is trusted & throttles after too many failed attempts → short passwords are sufficient!
  ▪ But the main threat to password security is server compromise: an attacker who steals the table of (salted) hashes $h = \mathrm{Hash}(pwd)$ can test guesses offline, with no throttling at all.
  ▪ The more complicated our passwords are, the more guesses the adversary needs. NIST: 16-character passwords have ~30 bits of entropy, i.e. ~1 billion possibilities, vs. a 150-dollar GPU that can test ~300 billion guesses/second. (That rate assumes a fast hash; a slow, salted password hash lowers it by a constant factor but does not change the picture.)

  5. Passwords inherently insecure? No! We're just using them incorrectly …

  6. Password-Based Authentication Done Right
  ▪ Offline attacks are inherent in the single-server setting
  ▪ Solution: split password verification over multiple servers
  [Figure: the Service Provider forwards (username, pwd') to Backend Servers 1 … n, which jointly answer "password correct?"; the hash table (Alice wb3822Ujsd4, Bob b5kMsa8dsbn, Carol 77peCu52Kry) stays at the Service Provider]

  7. Pythia: OPRF Service
  ▪ Replace $\mathrm{Hash}$ by a secure PRF: $h = \mathrm{PRF}(k, pwd)$
  ▪ Store $k$ at a remote server & evaluate the PRF obliviously (the server learns neither $pwd$ nor $h$)
  [Figure: the Service Provider runs the OPRF protocol with the Backend Server on (username, pwd'); the hash table (Alice, Bob, Carol) stays at the Service Provider]
  [ECSJR'15] Everspaugh, Chatterjee, Scott, Juels, Ristenpart. The Pythia PRF Service. USENIX Security 2015.

  8. Distributed Password Verification | High-Level Idea
  ▪ Replace $\mathrm{Hash}$ by a secure PRF: $h = \mathrm{PRF}(k, pwd)$
  ▪ Split the secret key $k$ into $n$ shares; $h = \mathrm{PRF}(k, pwd)$ is computed in a distributed manner
  ▪ Servers don't learn anything about $pwd$ or $h$
  [Figure: the Service Provider feeds (username, pwd') into a joint computation of $\mathrm{PRF}(k, pwd)$ by Backend Servers 1 … n; the hash table (Alice, Bob, Carol) stays at the Service Provider]
  [CLN'15] Camenisch, Lehmann, Neven. Optimal Distributed Password Verification. CCS 2015.

  9. Distributed Password Verification | Security
  ▪ The secret key has high entropy, i.e., it cannot be guessed
  → The adversary needs the backend servers (or the full key) to verify password guesses, so even with a stolen hash table every guess costs one query to every server
  → The backend servers will stop verification if activity is suspicious
  [Figure: Service Provider and Backend Servers 1 … n jointly compute $\mathrm{PRF}(k, pwd)$; hash table at the Service Provider]

  10. Distributed Password Verification | Proactive Security
  ▪ The secret key gets re-shared periodically
  → All previous key shares become useless
  → The adversary must break into all servers at the same time (within one refresh period)
  ▪ As long as one server is not corrupted → passwords are secure
  [Figure: Backend Servers 1 … n re-share the secret key among themselves; hash table at the Service Provider]

  11. DPV Protocol (Camenisch, Lehmann, Neven. Optimal Distributed Password Verification. ACM CCS 2015.)

  12. Distributed Password Verification | Protocol
  ▪ Replace $\mathrm{Hash}$ by a secure PRF $\mathrm{PRF}(k, (uid, pwd)) = H(uid, pwd)^k$ in a cyclic group of prime order $q$, with $k$ a random element of $\mathbb{Z}_q$
  ▪ Split the secret key into $n$ shares: $k = k_1 + k_2 + \dots + k_n \bmod q$; Backend Server $i$ holds $k_i$
  ▪ Service Provider and Backend Servers 1 … n jointly compute $\mathrm{PRF}(k, (uid, pwd))$ from (username, pwd')
  Naor, Pinkas, Reingold. Distributed Pseudorandom Functions and KDCs. Eurocrypt '99.

  13. Distributed Password Verification | Protocol
  ▪ Service Provider computes $U = H(uid, pwd)$ and sends $U$ to every Backend Server
  ▪ Backend Server $i$ returns $V_i = U^{k_i}$
  ▪ Service Provider combines $V = \prod_i V_i = U^{k_1 + k_2 + \dots + k_n} = H(uid, pwd)^k$

  14. Distributed Password Verification | Protocol
  ▪ Service Provider picks a random $r \in \mathbb{Z}_q$ and sends $U = H(uid, pwd)^r$; the servers see only a random group element
  ▪ Backend Server $i$ returns $V_i = U^{k_i}$
  ▪ Service Provider unblinds: $V = \left(\prod_i V_i\right)^{1/r} = \left(U^{k_1 + k_2 + \dots + k_n}\right)^{1/r} = H(uid, pwd)^k$
  ▪ Stored and compared value: $h = H'(uid, pwd, V)$

  15. Distributed Password Verification | Protocol
  ▪ Same protocol as slide 14, with the blinding exponent $r$ highlighted: + blinding for adaptive security

  16. Distributed Password Verification | Protocol
  ▪ Proactive security & re-sharing of keys: the servers agree on pseudorandom shares of zero, $\delta_1 + \delta_2 + \dots + \delta_n = 0 \bmod q$, and each updates $k'_i = k_i + \delta_i$; afterwards $k = k'_1 + k'_2 + \dots + k'_n \bmod q$, i.e. the key itself is unchanged
  ▪ No updates of the "hash table" needed!
  ▪ + a non-interactive protocol for computing the $\delta_i$ (leveraging trusted setup & "secure" backup)

  17. Distributed Password Verification = Distributed OPRF (Oblivious PRF)
  ▪ Compute $y = \mathrm{PRF}(k, x)$ in a blind & distributed manner: Backend Servers 1 … n blindly compute $y = \mathrm{PRF}(k, x)$, where $x$ is the (uid, pwd) input

  18. Distributed Password Verification = Distributed OPRF (Oblivious PRF)
  ▪ Compute $y = \mathrm{PRF}(k, x)$ in a blind & distributed manner:
      $k = \mathrm{KGen}(\tau)$, $(k_1, k_2, \dots, k_n) = \mathrm{Share}(k, n)$, Backend Server $i$ holds $k_i$
      $\bar{x} = \mathrm{Blind}(x)$ (sent to every server)
      $\bar{y}_i = \mathrm{pPRF}(k_i, \bar{x})$ (computed by Backend Server $i$)
      $\bar{y} = \mathrm{Comb}(\bar{y}_1, \bar{y}_2, \dots, \bar{y}_n)$
      $y = \mathrm{Unblind}(\bar{y})$ s.t. $y = \mathrm{PRF}(k, x)$
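As an added worked example (not the CLN'15 reference implementation and not code from the slides), the protocol of slides 12 to 16 and the DOPRF abstraction of slides 17 and 18 in Python: additive key shares $k_i$ at $n$ backend servers, the blinded query $U = H(uid, pwd)^r$, per-server answers $V_i = U^{k_i}$, unblinding to $H(uid, pwd)^k$, the stored value $h = H'(uid, pwd, V)$, per-server throttling (slide 9) and a non-interactive refresh with pseudorandom shares of zero (slide 16). Assumptions made here: the group is the set of quadratic residues modulo a 128-bit safe prime generated at import time (demo size only; a deployment would use a standard 2048-bit group or an elliptic curve), $H$ squares a SHA-256 output to land in the prime-order subgroup, $H'$ is SHA-256, the zero-shares are derived from a seed all servers know (standing in for the slides' trusted setup and backup), and the names BackendServer, share_key, zero_shares, distributed_prf, password_hash and verify are ours.

```python
import hashlib
import random
import secrets


def is_probable_prime(n, rounds=24, rng=random.Random(7)):
    """Miller-Rabin. The seeded rng only picks witnesses; it holds no secret."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47):
        if n % s == 0:
            return n == s
    d, t = n - 1, 0
    while d % 2 == 0:
        d, t = d // 2, t + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(t - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_safe_prime(bits=128, seed=2015):
    """Demo-size group parameters p = 2q + 1 (seeded, so every run gets the same group)."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


P, Q = gen_safe_prime()                 # group: quadratic residues mod P, prime order Q
NBYTES = (P.bit_length() + 7) // 8


def hash_to_group(uid, pwd):
    """H(uid, pwd): hash into Z_p and square, so the result lies in the order-q subgroup.
    Squaring a hash (rather than using g^hash) keeps log_g H(x) unknown, which the OPRF needs."""
    h = int.from_bytes(hashlib.sha256(b"DPV-H|" + uid + b"\x00" + pwd).digest(), "big") % P
    if h in (0, 1, P - 1):              # degenerate elements, negligible probability
        raise ValueError("degenerate hash output")
    return pow(h, 2, P)


class BackendServer:
    """Holds one additive share k_i and answers blinded queries with V_i = U^{k_i}."""

    def __init__(self, share, max_queries_per_uid=5):
        self.share, self.limit, self.counter = share, max_queries_per_uid, {}

    def evaluate(self, uid, U):
        # Every guess, online or against a stolen hash table, must pass through every
        # server, so this is where throttling lives (slide 9).
        self.counter[uid] = self.counter.get(uid, 0) + 1
        if self.counter[uid] > self.limit:
            raise PermissionError("too many attempts for %r" % uid)
        return pow(U, self.share, P)

    def refresh(self, delta):
        self.share = (self.share + delta) % Q       # k'_i = k_i + delta_i


def share_key(k, n):
    """k = k_1 + ... + k_n mod q, with n - 1 shares uniformly random."""
    shares = [secrets.randbelow(Q) for _ in range(n - 1)]
    return shares + [(k - sum(shares)) % Q]


def zero_shares(n, epoch_seed):
    """Pseudorandom shares of zero from a seed all servers know (our stand-in for the
    slides' trusted setup / backup): delta_1 + ... + delta_n = 0 mod q."""
    deltas = [int.from_bytes(hashlib.sha256(epoch_seed + bytes([i])).digest(), "big") % Q
              for i in range(n - 1)]
    return deltas + [(-sum(deltas)) % Q]


def distributed_prf(servers, uid, pwd):
    """Service-provider side: blind, one query per server, combine, unblind."""
    r = secrets.randbelow(Q - 1) + 1
    U = pow(hash_to_group(uid, pwd), r, P)          # U = H(uid, pwd)^r, random to the servers
    V = 1
    for s in servers:
        V = V * s.evaluate(uid, U) % P               # prod V_i = U^{k_1 + ... + k_n} = U^k
    return pow(V, pow(r, -1, Q), P)                  # (U^k)^{1/r} = H(uid, pwd)^k


def password_hash(servers, uid, pwd):
    """h = H'(uid, pwd, V): what the service provider stores and later compares."""
    V = distributed_prf(servers, uid, pwd)
    return hashlib.sha256(b"DPV-H'|" + uid + b"\x00" + pwd + b"\x00"
                          + V.to_bytes(NBYTES, "big")).digest()


def verify(servers, table, uid, pwd):
    """Login check: a wrong password gives a different V and therefore a different h."""
    return secrets.compare_digest(table[uid], password_hash(servers, uid, pwd))
```

Registration is `table[uid] = password_hash(servers, uid, pwd)`; login is `verify(servers, table, uid, pwd)`. A single server's answer unblinds to $H(uid, pwd)^{k_i}$, not $H(uid, pwd)^k$, so neither a stolen table nor a stolen share alone lets anyone test guesses, and after `refresh` with the `zero_shares` of a new epoch the table still verifies while a share from the old epoch combines to the wrong key.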

  19. Distributed Password Verification | Security & Efficiency
  ▪ Efficient & round-optimal protocol
      ▪ 1 round of communication
      ▪ Login: one exponentiation per server (two for the SP)
      ▪ Non-interactive key refresh
  ▪ Prototype implementation & evaluation (Ergon)
      ▪ 3 backend servers, each 16 x 2.9 GHz cores: 285 logins/second
  [Figure: deployment with Internet → DMZ → backend VMs, a backup of the state and a Refresh step]
  ▪ Provable security in a very strong security model
      ▪ Adaptive & active adversaries, UC framework
      ▪ One-More Gap DH (OMGDH) assumption, random oracle model
  ▪ Password protection back where it belongs: on the server!

  20. ROADMAP
  ▪ Password-Based Authentication: how to make password checking systems even better
  ▪ Password-Authenticated Secret Sharing: how to make cryptography accessible to end users
