Password-Based Credentials with Security Against Server Compromise

Conference paper. In: Computer Security – ESORICS 2023 (ESORICS 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14344)

Abstract

Password-based credentials (PBCs), introduced by Zhang et al. (NDSS’20), provide an elegant solution to secure, yet convenient user authentication. Therein the user establishes a strong cryptographic access credential with the server. To avoid the assumption of secure storage on the user side, the user does not store the credential directly, but only a password-protected version of it. The ingenuity of PBCs is that the password-based credential cannot be offline attacked, offering essentially the same strong security as standard key-based authentication. This security relies on a secret key of the server that is needed to verify whether an authentication token derived from a password-based credential and password is correct. However, the work by Zhang et al. assumes that this server key never gets compromised, and their protocol loses all security in case of a breach. As such a passive leak of the server’s stored verification data is one of the main threats in user authentication, our work aims to strengthen PBC to remain secure even when the server’s key got compromised. We first show that the desired security against server compromise is impossible to achieve in the original framework. We then introduce a modified version of PBCs that circumvents our impossibility result and formally define a set of security properties, each being optimal for the respective corruption setting. Finally, we propose a surprisingly simple construction that provably achieves our stronger security guarantees, and is generically composed from basic building blocks.

References

  1. 2012 Linkedin Breach had 117 Million Emails and Passwords Stolen, Not 6.5M (2016). https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/2012-linkedin-breach-117-million-emails-and-passwords-stolen-not-6-5m

  2. Acar, T., Belenkiy, M., Küpçü, A.: Single password authentication. Comput. Netw. 57, 2597–2614 (2013)

  3. Belenkiy, M., Acar, T., Jerez Morales, H.N., Küpcü, A.: Securing passwords against dictionary attacks. US Patent 9015489B2 (2011)

  4. Bicakci, K., Atalay, N.B., Yuceel, M., van Oorschot, P.C.: Exploration and field study of a password manager using icon-based passwords. In: Danezis, G., Dietrich, S., Sako, K. (eds.) FC 2011. LNCS, vol. 7126, pp. 104–118. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29889-9_9

  5. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_30

  6. Miyaji, A., Rahman, M.S., Soshi, M.: Hidden credential retrieval without random oracles. In: Chung, Y., Yung, M. (eds.) WISA 2010. LNCS, vol. 6513, pp. 160–174. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-17955-6_12

  7. Camenisch, J., Lehmann, A., Neven, G.: Optimal distributed password verification. In: CCS 2015 (2015)

  8. Das, P., Hesse, J., Lehmann, A.: DPaSE: distributed password-authenticated symmetric encryption. In: ASIACCS 2022 (2022)

  9. Dayanikli, D., Lehmann, A.: Password-based credentials with security against server compromise. Cryptology ePrint Archive (2023)

  10. Dobran, B.: 1.6 million PayPal customer details stolen in Major Data Breach (2022). https://phoenixnap.com/blog/paypal-customer-details-stolen

  11. Ford, W., Kaliski, B.S.: Server-assisted generation of a strong secret from a password. In: WET ICE 2000 (2000)

  12. Géraud, R., Naccache, D., Roşie, R.: Robust encryption, extended. In: Matsui, M. (ed.) CT-RSA 2019. LNCS, vol. 11405, pp. 149–168. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12612-4_8

  13. İşler, D., Küpçü, A.: Distributed single password protocol framework. Cryptology ePrint Archive, Report 2018/976 (2018). https://eprint.iacr.org/2018/976

  14. İşler, D., Küpçü, A.: Threshold single password authentication. Cryptology ePrint Archive, Report 2018/977 (2018). https://eprint.iacr.org/2018/977

  15. Jarecki, S., Krawczyk, H., Shirvanian, M., Saxena, N.: Device-enhanced password protocols with optimal online-offline protection. In: ASIACCS 2016 (2016)

  16. Kerry, C.F., Gallagher, P.D.: Digital signature standard (DSS). FIPS PUB, pp. 186–192 (2013)

  17. Koblitz, N., Menezes, A.: Another look at security definitions. Cryptology ePrint Archive, Report 2011/343 (2011). https://eprint.iacr.org/2011/343

  18. Lindemann, R., Tiffany, E.: FIDO UAF protocol specification (2017)

  19. Reynolds, J., Smith, T., Reese, K., Dickinson, L., Ruoti, S., Seamons, K.: A tale of two studies: the best and worst of YubiKey usability. In: S&P 2018 (2018)

  20. Roman, J., Ross, R.: Blizzard entertainment reports breach (2012). https://www.databreachtoday.asia/blizzard-entertainment-reports-breach-a-5034

  21. Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_22

  22. Toubba, K.: Notice of recent security incident (2022). https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

  23. W3C Web Authentication Working Group: Web authentication: An API for accessing public key credentials Level 2 (2021). https://www.w3.org/TR/webauthn/

  24. Williams, M.: Inside the Russian hack of Yahoo: how they did it (2017). https://www.csoonline.com/article/3180762/inside-the-russian-hack-of-yahoo-how-they-did-it.html

  25. Yubico: Net Yubikey SDK: User’s Manual. https://docs.yubico.com/yesdk/users-manual/intro.html

  26. Zhang, Z., Wang, Y., Yang, K.: Strong authentication without temper-resistant hardware and application to federated identities. In: NDSS 2020 (2020)

Author information

Corresponding author: Dennis Dayanikli.


Appendices

A The ZWY Framework

To improve the clarity of, and the consistency with, our \(\textsf{mkPBC}\) framework, we made some minor changes to the syntax and security definitions of Zhang et al. [26]. We explain the changes and why they do not affect the technical result. Further, we highlight one shortcoming of the ZWY framework: it does not consider the registration of corrupt users.

Changes to the Syntax. We made the following minor changes to the syntax of ZWY [26]: (1) We do not explicitly describe the behaviour of the registration protocol if a party aborts. (2) We do not enforce the registration protocol to keep a registry Reg with \(uid\)’s but assume this happens on the application level.

Changes to the Security Experiments. The ZWY framework models password compromise through an oracle which reveals honest users’ passwords. Since in the weak and strong unforgeability definition, the win condition of the adversary is independent of his knowledge of \(pw\), we did not model this oracle but instead hand the adversary all user passwords directly.

Furthermore, the ZWY framework considers the forgery of a user who has not registered with the server a valid attack, while we removed this condition from the security experiment. We argue that this type of forgery is not a concern as it will be caught on the application level. This change was made to focus on attacks that are relevant to the security of the system.

No Registration Oracle. We note that the ZWY security model [26] has another weakness: it does not allow corrupt users to register, which makes it possible to prove entirely insecure schemes secure (e.g., a scheme in which the server sends its secret key \(ssk\) to the user during registration). We stress that this is primarily an oversight in the security model and can easily be fixed by granting the adversary such registration access. We do not see any issue in the concrete \(\textsf{skPBC}\) scheme proposed in [26] and conjecture that it can be proven secure in this adjusted security model.

B Comparison of \(\textsf{mkPBC}\) and \(\textsf{skPBC}\)

Given the simplicity of our construction, an immediate question is whether our multi-key setting somehow weakens the overall security guarantees when compared with the single-key ZWY version. We show that the opposite is true by showing how a secure \(\textsf{mkPBC}\) can be transformed into a secure \(\textsf{skPBC}\) scheme. Our transformation additionally requires a symmetric authenticated encryption (AE) scheme, so it can only be seen as a relativized comparison.

Table 1. Overview of the different security properties and the security assumptions needed for the building blocks of our \(\textsf{PBC}_{\textsf{StE}}\) scheme. CROB stands for complete robustness and RI is randomness injectivity.

The high-level idea of the transformation is as follows: In order to transform the \(\textsf{mkPBC}\) to have only one key, the server outsources storage of the user-specific verification keys \(avk\) to the users. In the transformation, the server in the \(\textsf{skPBC}\) scheme has a single long-term key \(ssk\) which is the secret key \(k_{\textsf{AE}}\) of an AE scheme. In the registration phase, the server and user run the \(\textsf{mkPBC}\) registration, but instead of letting the server store the obtained \(avk\) it returns its encryption \(c\leftarrow \mathsf {AE.Enc}(k_{\textsf{AE}}, (uid,avk))\) to the user. During authentication, the user passes c back to the server by appending it to the authentication token \(\tau \) which is computed via the \(\textsf{mkPBC}\) process. The server can decrypt c to obtain the verification key \(avk\) and verify the user’s token. For the security of the scheme, it is crucial that the user does not learn \(avk\) from c, otherwise she could run offline attacks. Furthermore, it is important that users cannot pass the valid ciphertext of a different verification key \(avk'\) to the server, as this would allow forgeries. Both confidentiality and integrity are achieved by using a secure authenticated encryption scheme.

In the full version, we prove that this transformation yields an online and weakly unforgeable \(\textsf{skPBC}\) if \(\textsf{mkPBC}\) is online and strongly unforgeable and AE is a secure authenticated encryption scheme.

C Formal Definitions

In this section, we give formal definitions for the correctness of a \(\textsf{mkPBC}\) scheme, and for the randomness injectivity of a signature scheme.

Definition 8

(Correctness of \(\textsf{mkPBC}\)). A \(\textsf{mkPBC}\) scheme is correct, if for all \( pp \leftarrow \textsf{Setup}(1^{\lambda })\), \((uid,pw)\in \mathcal {D}_{\textsf{uid}}\times \mathcal {D}_{\textsf{pw}}\), \(m\in \mathcal {M}\) it holds that: \(\textsf{Vf}(uid,avk,m,\) \(\textsf{Sign}(uid,ask,pw,m))=1\) where \((ask; avk)\leftarrow \langle \textsf{RegU}(uid,pw), \textsf{RegS}(uid)\rangle \).

Definition 9

(Randomness Injectivity). A signature scheme \(\varPi :=(\textsf{Setup},\) \(\textsf{KGen},\textsf{Sign},\textsf{Vf})\) is called randomness injective if for \( pp \leftarrow \textsf{Setup}(1^{\lambda })\) with \(\mathcal {R}_\lambda \in pp \), it holds that for every PPT \(\mathcal {A}\), the following probability is negligible in \(\lambda \):

$$\begin{aligned} Pr [&(r,r')\leftarrow \mathcal {A}( pp ): r,r'\in \mathcal {R}_\lambda \wedge r\ne r' \wedge (sk= sk' \vee pk= pk') \\ {} &\text {for } (pk,sk)\leftarrow \textsf{KGen}( pp ;r), (pk',sk')\leftarrow \textsf{KGen}( pp ;r') ] \end{aligned}$$

D Signatures with Complete Robustness

In this section, we show that DSA [16], Schnorr [21] and BLS [5] signatures achieve complete robustness and randomness injectivity.

Theorem 5

The DSA, Schnorr and BLS signature scheme all achieve randomness injectivity information-theoretically. DSA and Schnorr are CROB-secure assuming a collision-resistant hash function, and BLS is information-theoretically CROB-secure.

Proof

For the randomness injectivity, observe that DL-based signature schemes where it holds that \(pk=g^{sk}\) for \(sk\xleftarrow {r}\mathbb {Z}_q\) achieve randomness injectivity by setting \(\mathcal {R}_\lambda =\mathbb {Z}_q\) and \((g^r,r):=\textsf{KGen}( pp ;r)\).

Since the complete robustness only considers the verification algorithm we can ignore the key generation and signing algorithms. We argue about complete robustness for each of the signatures individually:

  • DSA: In DSA, a signature \(\sigma :=(r,s)\) verifies for m under pk if \(F(g^{H(m)\cdot s^{-1}}\cdot pk^{r\cdot s^{-1}})=r\) for two hash functions F and H. Thus, \(\sigma \) verifies under a second public key \(pk'\) only if \(F(g^{H(m)\cdot s^{-1}}\cdot pk^{r\cdot s^{-1}})=F(g^{H(m)\cdot s^{-1}}\cdot (pk')^{r\cdot s^{-1}})\) which happens only with negligible probability if F is collision resistant.

  • Schnorr: In Schnorr signatures, a signature \(\sigma =(r,s)\) verifies under pk for message m if \(H(g^s\cdot pk^{-r},m)=r\) for a hash function H. Thus, \(\sigma \) verifies under a second public key \(pk'\) only if \(H(g^s\cdot pk^{-r},m)=H(g^s\cdot (pk')^{-r},m)\) which happens only with negligible probability if the hash function H is collision resistant.

  • BLS: In BLS signatures, a signature \(\sigma \) verifies under pk for message m if \(e(\sigma ,g)=e(H(m),pk)\). Thus, it verifies under a second public key \(pk'\) only if \(e(H(m),pk)=e(H(m),pk')\). But this means that \(pk=pk'\) and the signature only verifies under a single public key \(pk=pk'\).
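The following is an added worked example, not code from the paper or its authors. It implements Schnorr signatures in exactly the form used in the proof above (\(\sigma=(r,s)\), accepted iff \(H(g^s\cdot pk^{-r},m)=r\)) over a toy prime-order subgroup of \(\mathbb{Z}_p^*\), with \(\textsf{KGen}(pp;r):=(g^r,r)\) as in the randomness-injectivity argument of Appendix D (Definition 9). It lets a practitioner check both properties concretely: distinct randomness gives distinct keys, and a signature that verifies under one public key is rejected under every other key (the CROB argument). All names (`setup`, `kgen`, `sign`, `verify`, `crob_check`), the choice of SHA-256 as a stand-in for H, and the 64-bit safe-prime parameters are assumptions of this example; a 64-bit group is only there to keep the search fast and offers no real security.

```python
# Added example (not the paper's code): Schnorr signatures as in Appendix D,
# sigma = (r, s) with verification H(g^s * pk^-r, m) = r, over a toy
# prime-order subgroup of Z_p^*. Demonstrates randomness injectivity
# (KGen(pp; r) := (g^r, r)) and complete robustness (a signature verifying
# under pk does not verify under pk' != pk unless H collides).
import hashlib

# Deterministic Miller-Rabin; this base set is proven correct for n < 3.3e24.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def setup(bits: int = 64) -> dict:
    """Setup(1^lambda): deterministic search for a safe prime p = 2q + 1.
    Constructed toy parameters: 64-bit groups are NOT secure; they only keep
    the example fast. R_lambda = Z_q is carried in pp as q."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    # 4 = 2^2 is a quadratic residue mod p, hence generates the order-q subgroup.
    return {"p": p, "q": q, "g": 4}


def kgen(pp: dict, r: int) -> tuple:
    """KGen(pp; r) := (g^r, r). Distinct r, r' in Z_q give distinct sk trivially
    and distinct pk because g has prime order q: randomness injectivity."""
    assert 0 < r < pp["q"], "randomness must lie in R_lambda = Z_q"
    return pow(pp["g"], r, pp["p"]), r


def _h(pp: dict, R: int, m: bytes) -> int:
    """H(R, m) mapped into Z_q; SHA-256 is an assumed stand-in for the hash H."""
    data = R.to_bytes((pp["p"].bit_length() + 7) // 8, "big") + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % pp["q"]


def sign(pp: dict, sk: int, m: bytes, k: int) -> tuple:
    """Sign with nonce k in Z_q (passed explicitly so runs are reproducible;
    a real signer must draw k fresh and uniformly). Returns sigma = (r, s)."""
    p, q, g = pp["p"], pp["q"], pp["g"]
    R = pow(g, k, p)
    r = _h(pp, R, m)
    s = (k + sk * r) % q
    return r, s


def verify(pp: dict, pk: int, m: bytes, sig: tuple) -> bool:
    """Vf: accept iff H(g^s * pk^-r, m) == r."""
    p, q, g = pp["p"], pp["q"], pp["g"]
    r, s = sig
    if not (0 <= r < q and 0 <= s < q):
        return False
    R = pow(g, s, p) * pow(pk, (-r) % q, p) % p
    return _h(pp, R, m) == r


def crob_check(pp: dict, m: bytes, sig: tuple, pk: int, pk_other: int) -> bool:
    """Complete-robustness witness: True iff sigma verifies under pk but NOT
    under the distinct key pk_other (the CROB game is won only if both verify)."""
    return pk != pk_other and verify(pp, pk, m, sig) and not verify(pp, pk_other, m, sig)


if __name__ == "__main__":
    pp = setup()
    pk, sk = kgen(pp, 123456789)
    pk2, _ = kgen(pp, 987654321)
    msg = b"auth token for uid=alice"  # constructed sample message
    sig = sign(pp, sk, msg, k=42)
    print("verifies under pk:", verify(pp, pk, msg, sig))
    print("CROB holds against pk':", crob_check(pp, msg, sig, pk, pk2))
```

The cross-key rejection in `crob_check` is exactly the collision argument of the proof: for \(\sigma\) to pass under \(pk'\) too, `_h` would have to map \(g^s\cdot pk^{-r}\) and \(g^s\cdot (pk')^{-r}\) to the same value, i.e. H would have to collide. DSA would differ only in the verification equation; BLS needs a pairing library and is therefore not covered here.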

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Dayanikli, D., Lehmann, A. (2024). Password-Based Credentials with Security Against Server Compromise. In: Tsudik, G., Conti, M., Liang, K., Smaragdakis, G. (eds) Computer Security – ESORICS 2023. ESORICS 2023. Lecture Notes in Computer Science, vol 14344. Springer, Cham. https://doi.org/10.1007/978-3-031-50594-2_8

  • DOI: https://doi.org/10.1007/978-3-031-50594-2_8
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-031-50593-5
  • Online ISBN: 978-3-031-50594-2