DOI: 10.1145/2976749.2978375
research-article

Efficient Cryptographic Password Hardening Services from Partially Oblivious Commitments

Published: 24 October 2016

ABSTRACT

Password authentication still constitutes the most widespread authentication concept on the Internet today, but the human inability to memorize strong passwords has left this concept vulnerable to various attacks ever since. Affected enterprises such as Facebook now strive to mitigate such attacks by involving external cryptographic services that harden passwords. Everspaugh et al. provided the first comprehensive formal treatment of such a service, and proposed the Pythia PRF service as a cryptographically secure solution (USENIX Security '15). Pythia relies on a novel cryptographic primitive called partially oblivious pseudorandom functions, and its security is proven under a strong new interactive assumption in the random oracle model.

In this work, we prove that this strong assumption is inherently necessary for the Pythia construction, i.e., it cannot be weakened without invalidating the security of Pythia. More generally, it is impossible to reduce the security of Pythia to any non-interactive assumptions. Hence any efficient, scalable password hardening service that is secure under weaker assumptions necessarily requires a conceptually different construction. To this end, we propose a construction for password hardening services based on a novel cryptographic primitive called partially oblivious commitments, along with an efficient secure instantiation based on simple assumptions. The performance and storage evaluation of our prototype implementation shows that our protocol runs almost twice as fast as Pythia, while achieving a slightly relaxed security notion but relying on weaker assumptions.

References

  1. J. A. Akinyele, C. Garman, I. Miers, M. W. Pagano, M. Rushanan, M. Green, and A. D. Rubin. Charm: A framework for rapidly prototyping cryptosystems. Journal of Cryptographic Engineering, 3(2):111--128, 2013.
  2. F. Armknecht and J. Furukawa. On the minimum communication effort for secure group key exchange. In A. Biryukov, G. Gong, and D. R. Stinson, editors, SAC 2010, volume 6544 of LNCS, pages 320--337, Waterloo, Ontario, Canada, Aug. 12--13, 2011. Springer, Heidelberg, Germany.
  3. A. Bagherzandi, S. Jarecki, N. Saxena, and Y. Lu. Password-protected secret sharing. In Y. Chen, G. Danezis, and V. Shmatikov, editors, ACM CCS 11, pages 433--444, Chicago, Illinois, USA, Oct. 17--21, 2011. ACM Press.
  4. G. Barthe, E. Fagerholm, D. Fiore, J. Mitchell, A. Scedrov, and B. Schmidt. Automated analysis of cryptographic assumptions in generic group models. In Advances in Cryptology -- CRYPTO 2014, pages 95--112. Springer, 2014.
  5. M. Belenkiy, M. Chase, M. Kohlweiss, and A. Lysyanskaya. P-signatures and noninteractive anonymous credentials. In R. Canetti, editor, TCC 2008, volume 4948 of LNCS, pages 356--374, San Francisco, CA, USA, Mar. 19--21, 2008. Springer, Heidelberg, Germany.
  6. T. Berson, D. Dean, M. Franklin, D. Smetters, and M. Spreitzer. Cryptography as a network service. In Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS). Citeseer, 2001.
  7. A. Biryukov, D. Dinu, D. Khovratovich, and S. Josefsson. The memory-hard Argon2 password hash and proof-of-work function. Internet-Draft draft-irtf-cfrg-argon2-00, Internet Engineering Task Force, 2016. Work in Progress.
  8. D. Boneh and R. Venkatesan. Breaking RSA may not be equivalent to factoring. In K. Nyberg, editor, EUROCRYPT '98, volume 1403 of LNCS, pages 59--71, Espoo, Finland, May 31 -- June 4, 1998. Springer, Heidelberg, Germany.
  9. D. Boneh and B. Waters. Constrained pseudorandom functions and their applications. In K. Sako and P. Sarkar, editors, ASIACRYPT 2013, Part II, volume 8270 of LNCS, pages 280--300, Bangalore, India, Dec. 1--5, 2013. Springer, Heidelberg, Germany.
  10. E. Bresson, J. Monnerat, and D. Vergnaud. Separation results on the "one-more" computational problems. In T. Malkin, editor, CT-RSA 2008, volume 4964 of LNCS, pages 71--87, San Francisco, CA, USA, Apr. 7--11, 2008. Springer, Heidelberg, Germany.
  11. D. R. L. Brown. Irreducibility to the one-more evaluation problems: More may be less, 2007. Received 23 Nov 2007, last revised 3 Dec 2007.
  12. H. Busch, S. Katzenbeisser, and P. Baecher. PUF-based authentication protocols -- revisited. In H. Y. Youm and M. Yung, editors, WISA 09, volume 5932 of LNCS, pages 296--308, Busan, Korea, Aug. 25--27, 2009. Springer, Heidelberg, Germany.
  13. J. Camenisch, S. Hohenberger, M. Kohlweiss, A. Lysyanskaya, and M. Meyerovich. How to win the clonewars: Efficient periodic n-times anonymous authentication. In A. Juels, R. N. Wright, and S. Vimercati, editors, ACM CCS 06, pages 201--210, Alexandria, Virginia, USA, Oct. 30 -- Nov. 3, 2006. ACM Press.
  14. D. Chaum. Blind signatures for untraceable payments. In D. Chaum, R. L. Rivest, and A. T. Sherman, editors, CRYPTO '82, pages 199--203, Santa Barbara, CA, USA, 1982. Plenum Press, New York, USA.
  15. D. Chaum and T. P. Pedersen. Wallet databases with observers. In E. F. Brickell, editor, CRYPTO '92, volume 740 of LNCS, pages 89--105, Santa Barbara, CA, USA, Aug. 16--20, 1993. Springer, Heidelberg, Germany.
  16. M. Di Raimondo and R. Gennaro. Provably secure threshold password-authenticated key exchange. In E. Biham, editor, EUROCRYPT 2003, volume 2656 of LNCS, pages 507--523, Warsaw, Poland, May 4--8, 2003. Springer, Heidelberg, Germany.
  17. J. Engler, C. Karlof, E. Shi, and D. Song. Is it too late for PAKE? Indicators, 5(9):17, 2009.
  18. A. Everspaugh. Pythia server (prototype) implementation. https://github.com/ace0/pythia, 2015.
  19. A. Everspaugh, R. Chatterjee, S. Scott, A. Juels, and T. Ristenpart. The Pythia PRF service. In 24th USENIX Security Symposium (USENIX Security 15), pages 547--562, Washington, D.C., 2015. USENIX Association.
  20. A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, CRYPTO '86, volume 263 of LNCS, pages 186--194, Santa Barbara, CA, USA, Aug. 1987. Springer, Heidelberg, Germany.
  21. M. Fischlin and D. Schröder. Security of blind signatures under aborts. In S. Jarecki and G. Tsudik, editors, PKC 2009, volume 5443 of LNCS, pages 297--316, Irvine, CA, USA, Mar. 18--20, 2009. Springer, Heidelberg, Germany.
  22. M. Fischlin and D. Schröder. On the impossibility of three-move blind signature schemes. In H. Gilbert, editor, EUROCRYPT 2010, volume 6110 of LNCS, pages 197--215, French Riviera, May 30 -- June 3, 2010. Springer, Heidelberg, Germany.
  23. M. Fischlin and D. Schröder. Security of blind signatures under aborts and applications to adaptive oblivious transfer. Journal of Mathematical Cryptology, 5(2):169--204, 2012.
  24. M. J. Freedman, Y. Ishai, B. Pinkas, and O. Reingold. Keyword search and oblivious pseudorandom functions. In J. Kilian, editor, TCC 2005, volume 3378 of LNCS, pages 303--324, Cambridge, MA, USA, Feb. 10--12, 2005. Springer, Heidelberg, Germany.
  25. A. Herzberg and R. Margulies. Forcing Johnny to login safely -- long-term user study of forcing and training login mechanisms. In V. Atluri and C. Díaz, editors, ESORICS 2011, volume 6879 of LNCS, pages 452--471, Leuven, Belgium, Sept. 12--14, 2011. Springer, Heidelberg, Germany.
  26. S. Jarecki, A. Kiayias, and H. Krawczyk. Round-optimal password-protected secret sharing and T-PAKE in the password-only model. In P. Sarkar and T. Iwata, editors, Advances in Cryptology -- ASIACRYPT 2014, volume 8874 of LNCS, pages 233--253. Springer, Heidelberg, Germany, 2014.
  27. A. Juels, M. Luby, and R. Ostrovsky. Security of blind digital signatures (extended abstract). In B. S. Kaliski Jr., editor, CRYPTO '97, volume 1294 of LNCS, pages 150--164, Santa Barbara, CA, USA, Aug. 17--21, 1997. Springer, Heidelberg, Germany.
  28. B. Kaliski. PKCS #5: Password-Based Cryptography Specification Version 2.0. RFC 2898, RFC Editor, September 2000.
  29. A. Kiayias, S. Papadopoulos, N. Triandopoulos, and T. Zacharias. Delegatable pseudorandom functions and applications. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pages 669--684. ACM, 2013.
  30. E. Kiltz, K. Pietrzak, D. Cash, A. Jain, and D. Venturi. Efficient authentication from hard learning problems. In K. G. Paterson, editor, EUROCRYPT 2011, volume 6632 of LNCS, pages 7--26, Tallinn, Estonia, May 15--19, 2011. Springer, Heidelberg, Germany.
  31. P. D. MacKenzie, T. Shrimpton, and M. Jakobsson. Threshold password-authenticated key exchange. In M. Yung, editor, CRYPTO 2002, volume 2442 of LNCS, pages 385--400, Santa Barbara, CA, USA, Aug. 18--22, 2002. Springer, Heidelberg, Germany.
  32. A. Muffet. Facebook: Password hashing and authentication. https://video.adm.ntnu.no/pres/54b660049af94, 2015. Video.
  33. M. Naor and O. Reingold. Number-theoretic constructions of efficient pseudo-random functions. In 38th FOCS, pages 458--467, Miami Beach, Florida, Oct. 19--22, 1997. IEEE Computer Society Press.
  34. T. Okamoto. Efficient blind and partially blind signatures without random oracles. In S. Halevi and T. Rabin, editors, TCC 2006, volume 3876 of LNCS, pages 80--99, New York, NY, USA, Mar. 4--7, 2006. Springer, Heidelberg, Germany.
  35. P. Paillier and D. Vergnaud. Discrete-log-based signatures may not be equivalent to discrete log. In B. K. Roy, editor, ASIACRYPT 2005, volume 3788 of LNCS, pages 1--20, Chennai, India, Dec. 4--8, 2005. Springer, Heidelberg, Germany.
  36. T. P. Pedersen. Non-interactive and information-theoretic secure verifiable secret sharing. In J. Feigenbaum, editor, CRYPTO '91, volume 576 of LNCS, pages 129--140, Santa Barbara, CA, USA, Aug. 11--15, 1992. Springer, Heidelberg, Germany.
  37. D. Pointcheval and J. Stern. Security arguments for digital signatures and blind signatures. Journal of Cryptology, 13(3):361--396, 2000.
  38. P. Robinson. Cryptography as a service. RSA Conference Europe, 2013.
  39. R. Sakai, K. Ohgishi, and M. Kasahara. Cryptosystem based on pairing, 2000.
  40. D. Schröder and D. Unruh. Security of blind signatures revisited. In M. Fischlin, J. Buchmann, and M. Manulis, editors, PKC 2012, volume 7293 of LNCS, pages 662--679, Darmstadt, Germany, May 21--23, 2012. Springer, Heidelberg, Germany.
  41. D. Wagner and I. Goldberg. Proofs of security for the Unix password hashing algorithm. In T. Okamoto, editor, ASIACRYPT 2000, volume 1976 of LNCS, pages 560--572, Kyoto, Japan, Dec. 3--7, 2000. Springer, Heidelberg, Germany.
  42. Wikipedia. List of data breaches -- Wikipedia, the free encyclopedia, 2016. [Online; accessed 14 August 2016].

Published in: CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, October 2016, 1924 pages. ISBN: 9781450341394. DOI: 10.1145/2976749.

Copyright © 2016 ACM

            Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher: Association for Computing Machinery, New York, NY, United States

Acceptance rates: CCS '16 paper acceptance rate 137 of 831 submissions (16%); overall acceptance rate 1,261 of 6,999 submissions (18%).
