ABSTRACT
Password authentication still constitutes the most widespread authentication concept on the Internet today, but the human inability to memorize safe passwords has left this concept vulnerable to various attacks ever since. Affected enterprises such as Facebook now strive to mitigate such attacks by involving external cryptographic services that harden passwords. Everspaugh et al. provided the first comprehensive formal treatment of such a service, and proposed the Pythia PRF-Service as a cryptographically secure solution (USENIX Security'15). Pythia relies on a novel cryptographic primitive called partially oblivious pseudorandom functions, and its security is proven under a strong new interactive assumption in the random oracle model.
In this work, we prove that this strong assumption is inherently necessary for the Pythia construction, i.e., it cannot be weakened without invalidating the security of Pythia. More generally, it is impossible to reduce the security of Pythia to any non-interactive assumptions. Hence any efficient, scalable password hardening service that is secure under weaker assumptions necessarily requires a conceptually different construction. To this end, we propose a construction for password hardening services based on a novel cryptographic primitive called partially oblivious commitments, along with an efficient secure instantiation based on simple assumptions. The performance and storage evaluation of our prototype implementation shows that our protocol runs almost twice as fast as Pythia, while achieving a slightly relaxed security notion but relying on weaker assumptions.
- J. A. Akinyele, C. Garman, I. Miers, M. W. Pagano, M. Rushanan, M. Green, and A. D. Rubin. Charm: a framework for rapidly prototyping cryptosystems. Journal of Cryptographic Engineering, 3(2):111--128, 2013.
- F. Armknecht and J. Furukawa. On the minimum communication effort for secure group key exchange. In A. Biryukov, G. Gong, and D. R. Stinson, editors, SAC 2010, volume 6544 of LNCS, pages 320--337, Waterloo, Ontario, Canada, Aug. 12--13, 2011. Springer, Heidelberg, Germany.
- A. Bagherzandi, S. Jarecki, N. Saxena, and Y. Lu. Password-protected secret sharing. In Y. Chen, G. Danezis, and V. Shmatikov, editors, ACM CCS 11, pages 433--444, Chicago, Illinois, USA, Oct. 17--21, 2011. ACM Press.
- G. Barthe, E. Fagerholm, D. Fiore, J. Mitchell, A. Scedrov, and B. Schmidt. Automated analysis of cryptographic assumptions in generic group models. In Advances in Cryptology -- CRYPTO 2014, pages 95--112. Springer, 2014.
- M. Belenkiy, M. Chase, M. Kohlweiss, and A. Lysyanskaya. P-signatures and noninteractive anonymous credentials. In R. Canetti, editor, TCC 2008, volume 4948 of LNCS, pages 356--374, San Francisco, CA, USA, Mar. 19--21, 2008. Springer, Heidelberg, Germany.
- T. Berson, D. Dean, M. Franklin, D. Smetters, and M. Spreitzer. Cryptography as a network service. In Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS). Citeseer, 2001.
- A. Biryukov, D. Dinu, D. Khovratovich, and S. Josefsson. The memory-hard Argon2 password hash and proof-of-work function. Internet-Draft draft-irtf-cfrg-argon2-00, Internet Engineering Task Force, 2016. Work in Progress.
- D. Boneh and R. Venkatesan. Breaking RSA may not be equivalent to factoring. In K. Nyberg, editor, EUROCRYPT'98, volume 1403 of LNCS, pages 59--71, Espoo, Finland, May 31 -- June 4, 1998. Springer, Heidelberg, Germany.
- D. Boneh and B. Waters. Constrained pseudorandom functions and their applications. In K. Sako and P. Sarkar, editors, ASIACRYPT 2013, Part II, volume 8270 of LNCS, pages 280--300, Bangalore, India, Dec. 1--5, 2013. Springer, Heidelberg, Germany.
- E. Bresson, J. Monnerat, and D. Vergnaud. Separation results on the "one-more" computational problems. In T. Malkin, editor, CT-RSA 2008, volume 4964 of LNCS, pages 71--87, San Francisco, CA, USA, Apr. 7--11, 2008. Springer, Heidelberg, Germany.
- D. R. L. Brown. Irreducibility to the one-more evaluation problems: More may be less, 2007. 13850, received 23 Nov 2007, last revised 3 Dec 2007.
- H. Busch, S. Katzenbeisser, and P. Baecher. PUF-based authentication protocols -- revisited. In H. Y. Youm and M. Yung, editors, WISA 09, volume 5932 of LNCS, pages 296--308, Busan, Korea, Aug. 25--27, 2009. Springer, Heidelberg, Germany.
- J. Camenisch, S. Hohenberger, M. Kohlweiss, A. Lysyanskaya, and M. Meyerovich. How to win the clonewars: Efficient periodic n-times anonymous authentication. In A. Juels, R. N. Wright, and S. Vimercati, editors, ACM CCS 06, pages 201--210, Alexandria, Virginia, USA, Oct. 30 -- Nov. 3, 2006. ACM Press.
- D. Chaum. Blind signatures for untraceable payments. In D. Chaum, R. L. Rivest, and A. T. Sherman, editors, CRYPTO'82, pages 199--203, Santa Barbara, CA, USA, 1982. Plenum Press, New York, USA.
- D. Chaum and T. P. Pedersen. Wallet databases with observers. In E. F. Brickell, editor, CRYPTO'92, volume 740 of LNCS, pages 89--105, Santa Barbara, CA, USA, Aug. 16--20, 1993. Springer, Heidelberg, Germany.
- M. Di Raimondo and R. Gennaro. Provably secure threshold password-authenticated key exchange. In E. Biham, editor, EUROCRYPT 2003, volume 2656 of LNCS, pages 507--523, Warsaw, Poland, May 4--8, 2003. Springer, Heidelberg, Germany.
- J. Engler, C. Karlof, E. Shi, and D. Song. Is it too late for PAKE? Indicators, 5(9):17, 2009.
- A. Everspaugh. Pythia server (prototype) implementation. https://github.com/ace0/pythia, 2015.
- A. Everspaugh, R. Chatterjee, S. Scott, A. Juels, and T. Ristenpart. The Pythia PRF service. In 24th USENIX Security Symposium (USENIX Security 15), pages 547--562, Washington, D.C., 2015. USENIX Association.
- A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, CRYPTO'86, volume 263 of LNCS, pages 186--194, Santa Barbara, CA, USA, Aug. 1987. Springer, Heidelberg, Germany.
- M. Fischlin and D. Schröder. Security of blind signatures under aborts. In S. Jarecki and G. Tsudik, editors, PKC 2009, volume 5443 of LNCS, pages 297--316, Irvine, CA, USA, Mar. 18--20, 2009. Springer, Heidelberg, Germany.
- M. Fischlin and D. Schröder. On the impossibility of three-move blind signature schemes. In H. Gilbert, editor, EUROCRYPT 2010, volume 6110 of LNCS, pages 197--215, French Riviera, May 30 -- June 3, 2010. Springer, Heidelberg, Germany.
- M. Fischlin and D. Schröder. Security of blind signatures under aborts and applications to adaptive oblivious transfer. J. Mathematical Cryptology, 5(2):169--204, 2012.
- M. J. Freedman, Y. Ishai, B. Pinkas, and O. Reingold. Keyword search and oblivious pseudorandom functions. In J. Kilian, editor, TCC 2005, volume 3378 of LNCS, pages 303--324, Cambridge, MA, USA, Feb. 10--12, 2005. Springer, Heidelberg, Germany.
- A. Herzberg and R. Margulies. Forcing Johnny to login safely -- long-term user study of forcing and training login mechanisms. In V. Atluri and C. Díaz, editors, ESORICS 2011, volume 6879 of LNCS, pages 452--471, Leuven, Belgium, Sept. 12--14, 2011. Springer, Heidelberg, Germany.
- S. Jarecki, A. Kiayias, and H. Krawczyk. Round-optimal password-protected secret sharing and T-PAKE in the password-only model. In P. Sarkar and T. Iwata, editors, Advances in Cryptology -- ASIACRYPT 2014, volume 8874 of Lecture Notes in Computer Science, pages 233--253. Springer Berlin Heidelberg, 2014.
- A. Juels, M. Luby, and R. Ostrovsky. Security of blind digital signatures (extended abstract). In B. S. Kaliski Jr., editor, CRYPTO'97, volume 1294 of LNCS, pages 150--164, Santa Barbara, CA, USA, Aug. 17--21, 1997. Springer, Heidelberg, Germany.
- B. Kaliski. PKCS#5: Password-Based Cryptography Specification Version 2.0. RFC 2898, RFC Editor, September 2000.
- A. Kiayias, S. Papadopoulos, N. Triandopoulos, and T. Zacharias. Delegatable pseudorandom functions and applications. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pages 669--684. ACM, 2013.
- E. Kiltz, K. Pietrzak, D. Cash, A. Jain, and D. Venturi. Efficient authentication from hard learning problems. In K. G. Paterson, editor, EUROCRYPT 2011, volume 6632 of LNCS, pages 7--26, Tallinn, Estonia, May 15--19, 2011. Springer, Heidelberg, Germany.
- P. D. MacKenzie, T. Shrimpton, and M. Jakobsson. Threshold password-authenticated key exchange. In M. Yung, editor, CRYPTO 2002, volume 2442 of LNCS, pages 385--400, Santa Barbara, CA, USA, Aug. 18--22, 2002. Springer, Heidelberg, Germany.
- A. Muffet. Facebook: Password hashing and authentication. https://video.adm.ntnu.no/pres/54b660049af94, 2015. Video.
- M. Naor and O. Reingold. Number-theoretic constructions of efficient pseudo-random functions. In 38th FOCS, pages 458--467, Miami Beach, Florida, Oct. 19--22, 1997. IEEE Computer Society Press.
- T. Okamoto. Efficient blind and partially blind signatures without random oracles. In S. Halevi and T. Rabin, editors, TCC 2006, volume 3876 of LNCS, pages 80--99, New York, NY, USA, Mar. 4--7, 2006. Springer, Heidelberg, Germany.
- P. Paillier and D. Vergnaud. Discrete-log-based signatures may not be equivalent to discrete log. In B. K. Roy, editor, ASIACRYPT 2005, volume 3788 of LNCS, pages 1--20, Chennai, India, Dec. 4--8, 2005. Springer, Heidelberg, Germany.
- T. P. Pedersen. Non-interactive and information-theoretic secure verifiable secret sharing. In J. Feigenbaum, editor, CRYPTO'91, volume 576 of LNCS, pages 129--140, Santa Barbara, CA, USA, Aug. 11--15, 1992. Springer, Heidelberg, Germany.
- D. Pointcheval and J. Stern. Security arguments for digital signatures and blind signatures. Journal of Cryptology, 13(3):361--396, 2000.
- P. Robinson. Cryptography as a service. RSA Conference Europe, 2013.
- R. Sakai, K. Ohgishi, and M. Kasahara. Cryptosystem based on pairing, 2000.
- D. Schröder and D. Unruh. Security of blind signatures revisited. In M. Fischlin, J. Buchmann, and M. Manulis, editors, PKC 2012, volume 7293 of LNCS, pages 662--679, Darmstadt, Germany, May 21--23, 2012. Springer, Heidelberg, Germany.
- D. Wagner and I. Goldberg. Proofs of security for the Unix password hashing algorithm. In T. Okamoto, editor, ASIACRYPT 2000, volume 1976 of LNCS, pages 560--572, Kyoto, Japan, Dec. 3--7, 2000. Springer, Heidelberg, Germany.
- Wikipedia. List of data breaches -- Wikipedia, the free encyclopedia, 2016. [Online; accessed 14-August-2016].