Phoenix: Rebirth of a Cryptographic Password-Hardening Service
|
|
- Herbert Lawrence
- 5 years ago
- Views:
Transcription
1 Phoenix: Rebirth of a Cryptographic Password-Hardening Service Russell W.F. Lai 1,2 Christoph Egger 1 Dominique Schro der 1 Sherman S.M. Chow 2 1 Friedrich-Alexander-Universita t Erlangen-Nu rnberg University of Hong Kong 2 Chinese August 17, 2017
2 Scheme Design 2 of 26
3 Password Authentication - before 1976 User Username Alice Password Database Username Alice Password pw I am Alice. My password is of 26
4 Password Authentication - before 1976 User Username Alice Password Database Username Alice Password pw I am Alice. My password is Validation Algorithm pw? = of 26
5 Password Authentication - before 1976 User Username Alice Password Database Username Alice Password pw I am Alice. My password is Validation Algorithm pw? = OK! 3 of 26
6 Password Authentication - after 1976 User Username Alice Password I am Alice. My password is Database Username Alice Hash h Salt aqzcsp 3 of 26 OK! Validation Algorithm h? = H(123456, aqzcsp)
7 Problem I - Weak Passwords Worst Passwords of 2016 by TeamsID 4% of users use as password 25% of users use the top 25 worst passwords Users are stubborn Choose stronger passwords Use crypto 4 of 26
8 Problem II - Stolen Passwords Data breaches in (Wikipedia) 5 of 26
9 Problem II - Stolen Passwords Cost of Data Breach (IBM Study) Average Cost per Data Breach: $3.62 million Average Cost per Stolen Record $141 Data breaches in (Wikipedia) 5 of 26
10 Problem II - Stolen Passwords Cost of Data Breach (IBM Study) Average Cost per Data Breach: $3.62 million Average Cost per Stolen Record $141 Service providers have incentives to change! Data breaches in (Wikipedia) 5 of 26
11 Password Hardening Services (Facebook, Pythia) Alice OK! Database Username Alice Ciphertext c 6 of 26
12 Password Hardening Services (Facebook, Pythia) Alice Verification Algorithm Protocol Alice OK! Database (Client) Username Alice Ciphertext c C(skC, c, Alice, ), S(skS, Alice) val Crypto Server (Server) 6 of 26
13 Password Hardening Services (Facebook, Pythia) Alice Verification Algorithm Protocol Alice OK! Database (Client) Username Alice Ciphertext c C(skC, c, Alice, ), S(skS, Alice) val Crypto Server (Server) Key Features Seamless to end user (Alice) 6 of 26
14 Password Hardening Services (Facebook, Pythia) Alice Verification Algorithm Protocol Alice OK! Database (Client) Username Alice Ciphertext c C(skC, c, Alice, ), S(skS, Alice) val Crypto Server (Server) Key Features Messages from client are independent of passwords! Seamless to end user (Alice) Obliviousness: (Malicious) server does not learn password 6 of 26
15 Password Hardening Services (Facebook, Pythia) Alice Verification Algorithm Protocol Alice OK! Database (Client) Username Alice Ciphertext c C(skC, c, Alice, ), S(skS, Alice) val Crypto Server (Server) Key Features Seamless to end user (Alice) Obliviousness: (Malicious) server does not learn password Hiding: (Compromised) client cannot verify password by itself eliminate offline attacks 6 of 26
16 Password Hardening Services (Facebook, Pythia)?? Alice Verification Algorithm Protocol Alice OK! Database (Client) Username Alice Ciphertext c C(skC, c, Alice, ), S(skS, Alice) val Crypto Server (Server) Key Features Seamless to end user (Alice) Obliviousness: (Malicious) server does not learn password Hiding: (Compromised) client cannot verify password by itself eliminate offline attacks 6 of 26
17 Password Hardening Services (Facebook, Pythia) Alice Verification Algorithm Protocol Alice OK! Database (Client) Username Alice Ciphertext c C(skC, c, Alice, ), S(skS, Alice) val Crypto Server (Server) Key Features Seamless to end user (Alice) Obliviousness: (Malicious) server does not learn password Hiding: (Compromised) client cannot verify password by itself eliminate offline attacks Rate-Limiting (per Username): (Compromised) client cannot submit too many requests mitigate online attacks 6 of 26
18 Password Hardening Services (Facebook, Pythia) Alice Verification Algorithm Protocol Alice OK! Database (Client) Username Alice Ciphertext c C(skC, c, Alice, qwerty), S(skS, Alice) val Crypto Server (Server) Key Features Seamless to end user (Alice) Obliviousness: (Malicious) server does not learn password Hiding: (Compromised) client cannot verify password by itself eliminate offline attacks Rate-Limiting (per Username): (Compromised) client cannot submit too many requests mitigate online attacks 6 of 26
19 Password Hardening Services (Facebook, Pythia) Alice Verification Algorithm Protocol Alice OK! Database (Client) Username Alice Ciphertext c C(skC, c, Alice, asdfgh), S(skS, Alice) val Crypto Server (Server) Key Features Seamless to end user (Alice) Obliviousness: (Malicious) server does not learn password Hiding: (Compromised) client cannot verify password by itself eliminate offline attacks Rate-Limiting (per Username): (Compromised) client cannot submit too many requests mitigate online attacks 6 of 26
20 Password Hardening Services (Facebook, Pythia) Alice Verification Algorithm Protocol Alice OK! Database (Client) Username Alice Ciphertext c Too many requests! Crypto Server (Server) Key Features Seamless to end user (Alice) Obliviousness: (Malicious) server does not learn password Hiding: (Compromised) client cannot verify password by itself eliminate offline attacks Rate-Limiting (per Username): (Compromised) client cannot submit too many requests mitigate online attacks 6 of 26
21 Password Hardening Services (Facebook, Pythia) Alice Verification Algorithm Protocol Alice OK! Database (Client) Username Alice Ciphertext c C(skC, c, Alice, ), S(skS, Alice) val Crypto Server (Server) Key Features Key-Rotation Update both keys if either party is compromised Bring the entire system to a fresh state Update ciphertexts without knowing passwords (seamless to end user) 6 of 26
22 Password Hardening Services (Facebook, Pythia) Alice Verification Algorithm Protocol Alice OK! Database (Client) Username Alice Ciphertext c C(skC, c, Alice, ), S(skS, Alice) val Crypto Server (Server) Key Features Key-Rotation Update both keys if either party is compromised Bring the entire system to a fresh state Update ciphertexts without knowing passwords (seamless to end user) 6 of 26
23 The Crypto Server Crypto Server Key generation independent of client Can be set up by any third party company / organization One server can serve multiple clients 7 of 26
24 The Crypto Server Crypto Server Key generation independent of client Can be set up by any third party company / organization One server can serve multiple clients Only stores: One secret key per client One counter per end user for rate-limiting (deleted after the current time interval) 7 of 26
25 The Crypto Server Crypto Server Key generation independent of client Can be set up by any third party company / organization One server can serve multiple clients Only stores: One secret key per client One counter per end user for rate-limiting (deleted after the current time interval) Can be split into multiple servers (future work) 7 of 26
26 False Friends (Similar but different notions) Common Feature To distribute the task of verifying passwords to multiple servers 8 of 26
27 False Friends (Similar but different notions) Common Feature To distribute the task of verifying passwords to multiple servers Distributed Password Verification (CCS 15) Camenisch, Lehmann, and Neven Joint key generation between client and server Rate-limiting at client only 8 of 26
28 False Friends (Similar but different notions) Common Feature To distribute the task of verifying passwords to multiple servers Distributed Password Verification (CCS 15) Camenisch, Lehmann, and Neven Joint key generation between client and server Rate-limiting at client only Password-Authenticated Key Exchange (PAKE) / Password-Protected Secret Sharing (PPSS) Crypto servers need to store a secret share per end user No / inefficient key rotations 8 of 26
29 Literature on Password Hardening (PH) Partially-Oblivious Pseudorandom Functions (PO-PRF) (USENIX 15) Everspaugh, Chatterjee, Scott, Juels, and Ristenpart Formalized PO-PRF Construction (Pythia) based on pairing 9 of 26
30 Literature on Password Hardening (PH) Partially-Oblivious Pseudorandom Functions (PO-PRF) (USENIX 15) Everspaugh, Chatterjee, Scott, Juels, and Ristenpart Formalized PO-PRF Construction (Pythia) based on pairing Partially-Oblivious Commitments (PO-Com) (CCS 16) Schneider, Fleischhacker, Schröder, and Backes Formalized PO-Com Security definitions too weak for PH (not covering online attacks) Construction without pairing 2 faster than Pythia when used for PH 9 of 26
31 This Work Finally, formalized PH Revisit and strengthen model of Schneider et al. 10 of 26
32 This Work Finally, formalized PH Revisit and strengthen model of Schneider et al. Formalized key-rotation 10 of 26
33 This Work Finally, formalized PH Revisit and strengthen model of Schneider et al. Formalized key-rotation Devastating online attacks against scheme of Schneider et al. Attack 1: Enable offline-dictionary attack after one validation request Attack 2: Extract password after one validation request The attacks defeat the purpose of external crypto server The attacks are outside of their security model 10 of 26
34 This Work Finally, formalized PH Revisit and strengthen model of Schneider et al. Formalized key-rotation Devastating online attacks against scheme of Schneider et al. Attack 1: Enable offline-dictionary attack after one validation request Attack 2: Extract password after one validation request The attacks defeat the purpose of external crypto server The attacks are outside of their security model Extremely simple construction (still without pairing) Simple enough for real-world use easy to understand and implement Proven secure under strengthened security model 1.5 faster than scheme of Schneider et al. 3 faster than Pythia 10 of 26
35 From Salted Hash to Phoenix (Intuitive Description) Database (Client) Username un Hash H(un, pw, n C) Client Nonce n C 11 of 26
36 From Salted Hash to Phoenix (Intuitive Description) Database (Client) Username un PRF Value PRF sk(un, pw, n C) Client Nonce n C 11 of 26
37 From Salted Hash to Phoenix (Intuitive Description) Database (Client) Username un PRF Product PRF Value sks (un, n S) PRF skc (un, pw, n C) Client Nonce n C Server Nonce n S Enrollment Protocol Username un PRF Value PRF sks (un, n S) Server Nonce n S Crypto Server (Server) 11 of 26
38 From Salted Hash to Phoenix (Intuitive Description) Database (Client) Username un ( ) PRFsk Ciphertext Enc pk S, S (un, ns) PRFsk C (un, pw, nc) Client Nonce nc Server Nonce ns Enrollment Protocol Username un PRF Value PRFsk S (un, ns) Server Nonce ns Crypto Server (Server) 11 of 26
39 From Salted Hash to Phoenix (Intuitive Description) Database (Client) Username un ( ) PRFsk Ciphertext Enc pk S, S (un, ns) PRFsk C (un, pw, nc) Client Nonce nc Server Nonce ns Homomorphic Encryption Enc(pk, m m ) Enc(pk, m) Enc(pk, m ) Enrollment Protocol Username un PRF Value HS(un, ns) k S Server Nonce ns Crypto Server (Server) Key-Homomorphic PRF PRF sk sk (m) = PRF sk (m) PRF sk (m) 11 of 26
40 From Salted Hash to Phoenix (Intuitive Description) Database (Client) Username un (g r, h r HS(un, ns) ks HC(un, pw, nc) k C ) Client Nonce nc Server Nonce ns e.g., ElGamal (and variants) sk = s, pk = h = g s c = (g r, h r m) Enrollment Protocol Username un PRF Value Server Nonce ns Crypto Server (Server) e.g., Naor-Pinkas-Reingold sk = k y = H(m) k (g r+r, h r+r m m ) = (g r, h r m) (g r, h r m ) H(m) k+k = H(m) k H(m) k 11 of 26
41 Phoenix Validation (Intuitive Description) Database (Client) Username un Ciphertext (g r, h r H S(un, n S) ks H C(un, pw, n C) kc ) Client Nonce n C Server Nonce n S Crypto Server (Server) 12 of 26
42 Phoenix Validation (Intuitive Description) Database (Client) Username un Ciphertext (g r, h r H S(un, n S) ks H C(un, pw, n C) kc ) Client Nonce n C Server Nonce n S Crypto Server (Server) Validation Protocol h r H S(un, n S) ks = hr H S(un, n S) ks H C(un, pw, n C) kc H C(un, pw, n C) kc 12 of 26
43 Phoenix Validation (Intuitive Description) Database (Client) Username un Ciphertext (g r, h r H S(un, n S) ks H C(un, pw, n C) kc ) Client Nonce n C Server Nonce n S Crypto Server (Server) Validation Protocol h r H S(un, n S) ks = hr H S(un, n S) ks H C(un, pw, n C) kc H C(un, pw, n C) kc (g r, h r HS(un, ns) ks ), un, ns 12 of 26
44 Phoenix Validation (Intuitive Description) Database (Client) Username un Ciphertext (g r, h r H S(un, n S) ks H C(un, pw, n C) kc ) Client Nonce n C Server Nonce n S Crypto Server (Server) Validation Protocol h r H S(un, n S) ks = hr H S(un, n S) ks H C(un, pw, n C) kc H C(un, pw, n C) kc (g r, h r HS(un, ns) ks ), un, ns Is un requested too many times? Is the ciphertext valid? 12 of 26
45 Phoenix Validation (Intuitive Description) Database (Client) Username un Ciphertext (g r, h r H S(un, n S) ks H C(un, pw, n C) kc ) Client Nonce n C Server Nonce n S Crypto Server (Server) Validation Protocol h r H S(un, n S) ks = hr H S(un, n S) ks H C(un, pw, n C) kc H C(un, pw, n C) kc (g r, h r HS(un, ns) ks ), un, ns Prove(The ciphertext is valid!) Is un requested too many times? Is the ciphertext valid? 12 of 26
46 Why it works? Obliviousness: Nothing about the password is sent to the server (g r, h r H S (un, n S ) k S ), un, n S 13 of 26
47 Why it works? Obliviousness: Nothing about the password is sent to the server (g r, h r H S (un, n S ) k S ), un, n S Hiding: PRF values of the passwords are encrypted to the server Client cannot decrypt by itself Validity check binds (un, n S ) with H S (un, n S ) k S in c Online attacks require guessing pw to remove H C (pw, n C ) k C from c 13 of 26
48 Phoenix Key-Rotation (Intuitive Description) Database (Client) Crypto Server (Server) g s r H S (un, n S ) ks H C (un, pw, n C ) k C 14 of 26
49 Phoenix Key-Rotation (Intuitive Description) Database (Client) Crypto Server (Server) g s r H S (un, n S ) ks H C (un, pw, n C ) k C ˆα g α s r H S (un, n S ) α ks H C (un, pw, n C ) α k C (g r ) β H S(un, n S) γ g (α s+β) r H S (un, n S ) α k S+γ H C (un, pw, n C ) α k C = g s r H S (un, n S ) k S HC (un, pw, n C ) k C 14 of 26
50 Christoph Egger Evaluation and Deployment 15 of 26
51 Christoph Egger Evaluation In Comparison Current password hashing recommendations suggest up to one second single-core computing time Context We have all three (python based) implementations running on Amazon AWS single-core instances Questions How long does the user have to wait for password verification Do we need many servers to support Password-Hardening What are the practical implications 16 of 26
52 Christoph Egger Evaluation How long must the end user wait for to log in? 17 of 26
53 Christoph Egger Evaluation How long must the end user wait for to log in? 8 ms! (+ round trip time) Frankfurt Ireland HTTP HTTPS HTTPS HTTP HTTPS HTTPS keep-alive keep-alive RTT (64 bytes) Pythia enroll/validate Schneider et al. enroll Schneider et al. validate Phoenix enroll Phoenix validate Latency in millisecond (ms) 17 of 26
54 Christoph Egger Evaluation How many requests can the server entertain in one second? 18 of 26
55 Christoph Egger Evaluation How many requests can the server entertain in one second? Over 370! HTTPS HTTPS keep-alive parameter 2, Pythia enroll/validate Schneider et al. enroll Schneider et al. validate Phoenix enroll 1, Phoenix validate Requests per second 18 of 26
56 Christoph Egger Practical Deployment Hybrid Scheme Can we make use of memory-hard functions like Argon2 or scrypt? 19 of 26
57 Christoph Egger Practical Deployment Hybrid Scheme Can we make use of memory-hard functions like Argon2 or scrypt? Use a memory-hard function instead of a traditional hash function for the PRF Even if the attacker has compromised both Client and Server, she has to use the memory-hard function for dictionary attacks Naor-Pinkas-Reingold sk = k PRF value H(x) k 19 of 26
58 Christoph Egger Practical Deployment Hybrid Scheme Can we make use of memory-hard functions like Argon2 or scrypt? Use a memory-hard function instead of a traditional hash function for the PRF Even if the attacker has compromised both Client and Server, she has to use the memory-hard function for dictionary attacks Naor-Pinkas-Reingold sk = k PRF value Sha256(x) k 19 of 26
59 Christoph Egger Practical Deployment Hybrid Scheme Can we make use of memory-hard functions like Argon2 or scrypt? Use a memory-hard function instead of a traditional hash function for the PRF Even if the attacker has compromised both Client and Server, she has to use the memory-hard function for dictionary attacks Naor-Pinkas-Reingold sk = k PRF value Argon2(x) k 19 of 26
60 Christoph Egger Practical Deployment Availability What happens when the Crypto Server is unavailable? 20 of 26
61 Christoph Egger Practical Deployment Availability What happens when the Crypto Server is unavailable? Server only holds key-pair per Client and Rate-Limiting information Several Crypto Servers can host the key-pair for availability but keys are then located on several machines sk 20 of 26
62 Christoph Egger Practical Deployment Availability What happens when the Crypto Server is unavailable? Server only holds key-pair per Client and Rate-Limiting information Several Crypto Servers can host the key-pair for availability but keys are then located on several machines sk sk 20 of 26
63 Christoph Egger Practical Deployment Availability What happens when the Crypto Server is unavailable? Server only holds key-pair per Client and Rate-Limiting information Several Crypto Servers can host the key-pair for availability but keys are then located on several machines sk sk 20 of 26
64 Christoph Egger DDoS and Rate-Limiting There are two scenarios where Rate-Limiting might be triggered: Client has been compromised It is acceptable when users fail to log in Alice of 26
65 Christoph Egger DDoS and Rate-Limiting There are two scenarios where Rate-Limiting might be triggered: Client has been compromised It is acceptable when users fail to log in Alice of 26
66 Christoph Egger DDoS and Rate-Limiting There are two scenarios where Rate-Limiting might be triggered: External Attacker Honest users should only be slightly inconvenienced Crypto Server has little information to distinguish users Client is honest and can therefore help Alice of 26
67 Christoph Egger DDoS and Rate-Limiting There are two scenarios where Rate-Limiting might be triggered: External Attacker Honest users should only be slightly inconvenienced Crypto Server has little information to distinguish users Client is honest and can therefore help Alice Alice password 21 of 26
68 Christoph Egger Rate-Limiting external clients Warn the Client about upcoming Rate-Limiting: once a soft limit is exceeded there is a limited number of additional tries available the client needs to make sure only the honest user gets to use these Client then takes extra measures, for example Send an / SMS /... with an one-time code to the user Add Puzzles to the login screen 22 of 26
69 Christoph Egger Rate-Limiting external clients Alice password 23 of 26
70 Christoph Egger Rate-Limiting external clients Alice of 26
71 Christoph Egger Rate-Limiting external clients Alice querty 23 of 26
72 Christoph Egger Rate-Limiting external clients Alice asdfgh 23 of 26
73 Christoph Egger Rate-Limiting external clients Slow down! 23 of 26
74 Christoph Egger Rate-Limiting external clients SMS: Token=SECRET 23 of 26
75 Christoph Egger Rate-Limiting external clients Alice of 26
76 Christoph Egger Rate-Limiting external clients Missing Token 23 of 26
77 Christoph Egger Rate-Limiting external clients Alice password SECRET 23 of 26
78 Christoph Egger Upgrade Path Both, salted hash and Phoenix need a database field to store data Algorithm-ID often already stored alongside the salt and hash Upgrade users once they log in Username Password Data Alice 12:PeADRGbk:gaG4s[...]2BwM=... Bob 12:q79JVDSo:IIRBz[...]/9L4=... Carol 5:3V+ToDHL:FCozKw/gxP/9YZ+Pdr7pcg== of 26
79 Christoph Egger Upgrade Path Both, salted hash and Phoenix need a database field to store data Algorithm-ID often already stored alongside the salt and hash Upgrade users once they log in Username Password Data Alice 12:PeADRGbk:gaG4s[...]2BwM=... Bob 13:MxTfsL[...]phh+8i3DU==... Carol 5:3V+ToDHL:FCozKw/gxP/9YZ+Pdr7pcg== of 26
80 Christoph Egger Concluding Remark Summary Strengthened model of password-hardening Formal treatment to key-rotation Devastating attack to an existing scheme Phoenix: The most efficient scheme to date 25 of 26
81 Christoph Egger Concluding Remark Summary Strengthened model of password-hardening Formal treatment to key-rotation Devastating attack to an existing scheme Phoenix: The most efficient scheme to date On Going Projects Extended functionality Derive key upon successful validation Anonymize end user while retaining rate-limiting Deployment by start-up company 25 of 26
82 Christoph Egger FAU Nuremberg Chinese U. Hong Kong Christoph Egger FAU Nuremberg Dominique Schröder FAU Nuremberg Sherman S. M. Chow Chinese U. Hong Kong 26 of 26
Simple Password-Hardened Encryption Services
Simple Password-Hardened Encryption Services Russell W. F. Lai 1, Christoph Egger 1, Manuel Reinert 2, Sherman S. M. Chow 3, Matteo Maffei 4, and Dominique Schröder 1 1 Friedrich-Alexander University Erlangen-Nuremberg
More informationPhoenix: Rebirth of a Cryptographic Password-Hardening Service
Phoenix: Rebirth of a Cryptographic Password-Hardening Service Russell W. F. Lai, Friedrich-Alexander-University Erlangen-Nürnberg, Chinese University of Hong Kong; Christoph Egger and Dominique Schröder,
More informationMaking Password Checking Systems Better
Making Password Checking Systems Better Tom Ristenpart Covering joint work with: Anish Athayle, Devdatta Akawhe, Joseph Bonneau, Rahul Chatterjee, Anusha Chowdhury, Yevgeniy Dodis, Adam Everspaugh, Ari
More informationCourse Business. Homework due today Final Exam Review on Monday, April 24 th Practice Final Exam Solutions Released Monday
Course Business Homework due today Final Exam Review on Monday, April 24 th Practice Final Exam Solutions Released Monday Final Exam on Monday, May 1 st (in this classroom) Adib will proctor I am traveling
More informationSimple Password-Hardened Encryption Services
Simple Password-Hardened Encryption Services Russell W. F. Lai 1, Christoph Egger 1, Manuel Reinert 2, Sherman S. M. Chow 3, Matteo Maffei 4, and Dominique Schröder 1 1 Friedrich-Alexander University Erlangen-Nuremberg
More informationPYTHIA SERVICE BY VIRGIL SECURITY WHITE PAPER
PYTHIA SERVICE WHITEPAPER BY VIRGIL SECURITY WHITE PAPER May 21, 2018 CONTENTS Introduction 2 How does Pythia solve these problems? 3 Are there any other solutions? 4 What is Pythia? 4 How does it work?
More informationCOMPOSABLE AND ROBUST OUTSOURCED STORAGE
SESSION ID: CRYP-R14 COMPOSABLE AND ROBUST OUTSOURCED STORAGE Christian Badertscher and Ueli Maurer ETH Zurich, Switzerland Motivation Server/Database Clients Write Read block 2 Outsourced Storage: Security
More informationID protocols. Overview. Dan Boneh
ID protocols Overview The Setup sk Alg. G vk vk either public or secret User P (prover) Server V (verifier) no key exchange yes/no Applications: physical world Physical locks: (friend-or-foe) Wireless
More informationMaking Password Checking Systems Be7er
Making Password Checking Systems Be7er Tom Ristenpart Covering joint work with: Anish Athayle, Devda
More information1 Identification protocols
ISA 562: Information Security, Theory and Practice Lecture 4 1 Identification protocols Now that we know how to authenticate messages using MACs, a natural question is, how can we use MACs to prove that
More informationPassword. authentication through passwords
Password authentication through passwords Human beings Short keys; possibly used to generate longer keys Dictionary attack: adversary tries more common keys (easy with a large set of users) Trojan horse
More informationHomework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.
Homework 2: Symmetric Crypto February 17, 2015 Submission policy. information: This assignment MUST be submitted as a PDF via websubmit and MUST include the following 1. List of collaborators 2. List of
More informationCS 161 Computer Security
Popa & Weaver Fall 2016 CS 161 Computer Security 10/4 Passwords 1 Passwords are widely used for authentication, especially on the web. What practices should be used to make passwords as secure as possible?
More informationOne-Time-Password-Authenticated Key Exchange
One-Time-Password-Authenticated Key Exchange Kenneth G. Paterson 1 and Douglas Stebila 2 1 Information Security Group Royal Holloway, University of London, Egham, Surrey, UK 2 Information Security Institute
More informationTest 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.
Test 2 Review Name Student ID number Notation: {X} Bob Apply Bob s public key to X [Y ] Bob Apply Bob s private key to Y E(P, K) Encrypt P with symmetric key K D(C, K) Decrypt C with symmetric key K h(x)
More informationTest 2 Review. (b) Give one significant advantage of a nonce over a timestamp.
Test 2 Review Name Student ID number Notation: {X} Bob Apply Bob s public key to X [Y ] Bob Apply Bob s private key to Y E(P, K) Encrypt P with symmetric key K D(C, K) Decrypt C with symmetric key K h(x)
More informationProtocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh
Protocols II Computer Security Lecture 12 David Aspinall School of Informatics University of Edinburgh 17th February 2011 Outline Introduction Shared-key Authentication Asymmetric authentication protocols
More informationUnbounded Inner Product Functional Encryption from Bilinear Maps ASIACRYPT 2018
Unbounded Inner Product Functional Encryption from Bilinear Maps ASIACRYPT 2018 Junichi Tomida (NTT), Katsuyuki Takashima (Mitsubishi Electric) Functional Encryption[OʼNeill10, BSW11] msk Bob f(x) sk f
More informationCryptographically Secure Bloom-Filters
131 139 Cryptographically Secure Bloom-Filters Ryo Nojima, Youki Kadobayashi National Institute of Information and Communications Technology (NICT), 4-2-1 Nukuikitamachi, Koganei, Tokyo, 184-8795, Japan.
More informationDistributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018
Distributed Systems 25. Authentication Paul Krzyzanowski Rutgers University Fall 2018 2018 Paul Krzyzanowski 1 Authentication For a user (or process): Establish & verify identity Then decide whether to
More informationCS November 2018
Authentication Distributed Systems 25. Authentication For a user (or process): Establish & verify identity Then decide whether to allow access to resources (= authorization) Paul Krzyzanowski Rutgers University
More informationBitcoin, Security for Cloud & Big Data
Bitcoin, Security for Cloud & Big Data CS 161: Computer Security Prof. David Wagner April 18, 2013 Bitcoin Public, distributed, peer-to-peer, hash-chained audit log of all transactions ( block chain ).
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Identification To identify yourself, you need something the adversary doesn t have Typical factors:
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Identification Identification Identification To identify yourself, you need something the adversary doesn t have Typical factors:
More informationOverview. Terminology. Password Storage
Class: CSG254 Network Security Team: Enigma (team 2) Kevin Kingsbury Tejas Parikh Tony Ryan Shenghan Zhang Assignment: PS3 Secure IM system Overview Our system uses a server to store the passwords, and
More informationUser Authentication. Modified By: Dr. Ramzi Saifan
User Authentication Modified By: Dr. Ramzi Saifan Authentication Verifying the identity of another entity Computer authenticating to another computer Person authenticating to a local/remote computer Important
More informationCRYPTOGRAPHIC PROTOCOLS: PRACTICAL REVOCATION AND KEY ROTATION
#RSAC SESSION ID: CRYP-W04 CRYPTOGRAPHIC PROTOCOLS: PRACTICAL REVOCATION AND KEY ROTATION Adam Shull Recent Ph.D. Graduate Indiana University Access revocation on the cloud #RSAC sk sk Enc Pub Sym pk k
More informationCrypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))
Introduction (Mihir Bellare Text/Notes: http://cseweb.ucsd.edu/users/mihir/cse207/) Cryptography provides: Data Privacy Data Integrity and Authenticity Crypto-systems all around us ATM machines Remote
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 9 March 30, 2011 Question 1 Another Use for Hash Functions (8 min) The traditional Unix system for password authentication works more or less like
More informationProving who you are. Passwords and TLS
Proving who you are Passwords and TLS Basic, fundamental problem Client ( user ) How do you prove to someone that you are who you claim to be? Any system with access control must solve this Users and servers
More informationCSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018
CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring 2018 5 and 6 February 2018 Identification schemes are mechanisms for Alice to prove her identity to Bob They comprise a setup
More informationLecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model
CMSC 858K Advanced Topics in Cryptography March 11, 2004 Lecturer: Jonathan Katz Lecture 14 Scribe(s): Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze 1 A Note on Adaptively-Secure NIZK A close look
More informationCryptography. Andreas Hülsing. 6 September 2016
Cryptography Andreas Hülsing 6 September 2016 1 / 21 Announcements Homepage: http: //www.hyperelliptic.org/tanja/teaching/crypto16/ Lecture is recorded First row might be on recordings. Anything organizational:
More informationIntroduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell
Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell 1 Cryptography Merriam-Webster Online Dictionary: 1. secret writing 2. the enciphering and deciphering
More informationPrivacy-Preserving & User-Auditable Pseudonym Systems. Jan Camenisch, Anja Lehmann IBM Research Zurich
Privacy-Preserving & User-Auditable Pseudonym Systems Jan Camenisch, Anja Lehmann IBM Research Zurich Motivation: How to maintain related yet distributed data? examples: social security system, ehealth
More informationCrypto Background & Concepts SGX Software Attestation
CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 4b Slide deck extracted from Kamran s tutorial on SGX, presented during ECE 6095 Spring 2017 on Secure Computation and Storage, a precursor to this course
More informationCIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm
CIS 4360 Introduction to Computer Security Fall 2010 WITH ANSWERS in bold Name:.................................... Number:............ First Midterm Instructions This is a closed-book examination. Maximum
More informationRound-Optimal Password-Protected Secret Sharing and T-PAKE in the Password-Only Model
Round-Optimal Password-Protected Secret Sharing and T-PAKE in the Password-Only Model Stanislaw Jarecki 1, Aggelos Kiayias 2, and Hugo Krawczyk 3 1 University of California Irvine, stasio@ics.uci.edu 2
More informationPrivacy in an Electronic World A Lost Cause?
InfoSec 2015 Summer School on Information Security Bilbao Privacy in an Electronic World A Lost Cause? Dr. Jan Camenisch Cryptography & Privacy Principal Research Staff Member Member, IBM Academy of Technology
More informationUser Authentication. Modified By: Dr. Ramzi Saifan
User Authentication Modified By: Dr. Ramzi Saifan Authentication Verifying the identity of another entity Computer authenticating to another computer Person authenticating to a local/remote computer Important
More informationComputer Security 4/12/19
Authentication Computer Security 09. Authentication Identification: who are you? Authentication: prove it Authorization: you can do it Paul Krzyzanowski Protocols such as Kerberos combine all three Rutgers
More informationSAS-Based Group Authentication and Key Agreement Protocols
SAS-Based Group Authentication and Key Agreement Protocols Sven Laur 1,2 and Sylvain Pasini 3 2 University of Tartu 1 Helsinki University of Technology 3 Ecole Polytechnique Fédérale de Lausanne User-aided
More informationICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification
ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification Hossen Asiful Mustafa Introduction Entity Authentication is a technique designed to let one party prove the identity of another
More informationSecurity Handshake Pitfalls
Security Handshake Pitfalls 1 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: Authenticate each other Establish sessions keys This process may
More informationReturn Code Schemes for Electronic Voting Systems
Return Code Schemes for Electronic Voting Systems Shahram Khazaei Douglas Wikström Sharif University of Technology, Iran KTH Royal Institute of Technology, Sweden E-Vote-ID 2017 Presented by: Johannes
More informationPass, No Record: An Android Password Manager
Pass, No Record: An Android Password Manager Alex Konradi, Samuel Yeom December 4, 2015 Abstract Pass, No Record is an Android password manager that allows users to securely retrieve passwords from a server
More informationWindows authentication methods and pitfalls
Windows authentication methods and pitfalls hashes and protocols vulnerabilities attacks 1996-2013 - P. Veríssimo All rights reserved. Reproduction only by permission 1 EXAMPLE: Windows authentication
More informationDr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Security Handshake Pitfalls Login only Mutual
More informationIND-CCA2 secure cryptosystems, Dan Bogdanov
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee 1 Overview Notion of indistinguishability The Cramer-Shoup cryptosystem Newer results
More informationCryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39
Cryptography 2017 Lecture 4 Attacks against Block Ciphers Introduction to Public Key Cryptography November 14, 2017 1 / 39 What have seen? What are we discussing today? What is coming later? Lecture 3
More informationLecture 8: Cryptography in the presence of local/public randomness
Randomness in Cryptography Febuary 25, 2013 Lecture 8: Cryptography in the presence of local/public randomness Lecturer: Yevgeniy Dodis Scribe: Hamidreza Jahanjou So far we have only considered weak randomness
More informationThe Pythia PRF Service
The Pythia PRF Service Adam Everspaugh and Rahul Chaterjee, University of Wisconsin Madison; Samuel Scott, University of London; Ari Juels and Thomas Ristenpart, Cornell Tech https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/everspaugh
More informationWhat is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource.
P1L4 Authentication What is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource. Authentication: Who are you? Prove it.
More informationINSE 6110 Midterm LAST NAME FIRST NAME. Fall 2016 Duration: 80 minutes ID NUMBER. QUESTION Total GRADE. Notes:
A INSE 6110 Midterm Fall 2016 Duration: 80 minutes LAST NAME FIRST NAME ID NUMBER QUESTION 1 2 3 4 Total GRADE Notes: 1) Calculator (non-programming) allowed, nothing else permitted 2) Each page contains
More informationECEN 5022 Cryptography
Introduction University of Colorado Spring 2008 Historically, cryptography is the science and study of secret writing (Greek: kryptos = hidden, graphein = to write). Modern cryptography also includes such
More information===============================================================================
We have looked at how to use public key crypto (mixed with just the right amount of trust) for a website to authenticate itself to a user's browser. What about when Alice needs to authenticate herself
More informationDigital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2
Digital Signatures KG November 3, 2017 Contents 1 Introduction 1 2 Digital Signatures 2 3 Hash Functions 3 3.1 Attacks.................................... 4 3.2 Compression Functions............................
More informationLecture 02: Historical Encryption Schemes. Lecture 02: Historical Encryption Schemes
What is Encryption Parties involved: Alice: The Sender Bob: The Receiver Eve: The Eavesdropper Aim of Encryption Alice wants to send a message to Bob The message should remain hidden from Eve What distinguishes
More informationThe Challenges of Distributing Distributed Cryptography. Ari Juels Chief Scientist, RSA
The Challenges of Distributing Distributed Cryptography Ari Juels Chief Scientist, RSA What is this new and mysterious technology? Hint: It s 20+ years old. R. Ostrovsky and M. Yung. How to withstand
More informationPractical Secure Two-Party Computation and Applications
Practical Secure Two-Party Computation and Applications Lecture 2: Private Set Intersection Estonian Winter School in Computer Science 2016 Overview of this lecture Private Set Intersection Special Purpose
More informationComputer Security 3/20/18
Authentication Identification: who are you? Authentication: prove it Computer Security 08. Authentication Authorization: you can do it Protocols such as Kerberos combine all three Paul Krzyzanowski Rutgers
More informationKey Establishment and Authentication Protocols EECE 412
Key Establishment and Authentication Protocols EECE 412 1 where we are Protection Authorization Accountability Availability Access Control Data Protection Audit Non- Repudiation Authentication Cryptography
More informationMTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov October 31, 2005 Abstract Standard security assumptions (IND-CPA, IND- CCA) are explained. A number of cryptosystems
More informationStrong Password Protocols
Strong Password Protocols Strong Password Protocols Password authentication over a network Transmit password in the clear. Open to password sniffing. Open to impersonation of server. Do Diffie-Hellman
More informationComputer Security. 08. Authentication. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08. Authentication Paul Krzyzanowski Rutgers University Spring 2018 1 Authentication Identification: who are you? Authentication: prove it Authorization: you can do it Protocols such
More informationUser Authentication Protocols
User Authentication Protocols Class 5 Stallings: Ch 15 CIS-5370: 26.September.2016 1 Announcement Homework 1 is due today by end of class CIS-5370: 26.September.2016 2 User Authentication The process of
More informationPrivacy-Enhancing Technologies: Anonymous Credentials and Pseudonym Systems. Anja Lehmann IBM Research Zurich
Privacy-Enhancing Technologies: Anonymous Credentials and Pseudonym Systems Anja Lehmann IBM Research Zurich ROADMAP Anonymous Credentials privacy-preserving (user) authentication Pseudonym Systems privacy-preserving
More informationCSC/ECE 774 Advanced Network Security
Computer Science CSC/ECE 774 Advanced Network Security Topic 2. Network Security Primitives CSC/ECE 774 Dr. Peng Ning 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange;
More informationAuthenticating People and Machines over Insecure Networks
Authenticating People and Machines over Insecure Networks EECE 571B Computer Security Konstantin Beznosov authenticating people objective Alice The Internet Bob Password= sesame Password= sesame! authenticate
More informationGoals of Modern Cryptography
Goals of Modern Cryptography Providing information security: Data Privacy Data Integrity and Authenticity in various computational settings. Data Privacy M Alice Bob The goal is to ensure that the adversary
More informationImprovement of Camenisch-Neven-Shelat Oblivious Transfer Scheme
Improvement of Camenisch-Neven-Shelat Oblivious Transfer Scheme Zhengjun Cao and Hanyue Cao Department of Mathematics, Shanghai University, Shanghai, China caozhj@shu.edu.cn Abstract. In 2007, Camenisch,
More informationA PROPOSED AUTHENTICATION SCHEME USING THE CONCEPT OF MINDMETRICS
A PROPOSED AUTHENTICATION SCHEME USING THE CONCEPT OF MINDMETRICS Nitin Shinde 1, Lalit Shejwal 2, Uditkumar Gupta 3, Priyanka Pawar 4 1, 2, 3, 4 Department of Computer Engineering, Sinhgad Institute of
More informationIntroduction to Cryptography. Lecture 6
Introduction to Cryptography Lecture 6 Benny Pinkas page 1 1 Data Integrity, Message Authentication Risk: an active adversary might change messages exchanged between Alice and Bob M Alice M M M Bob Eve
More informationRobust EC-PAKA Protocol for Wireless Mobile Networks
International Journal of Mathematical Analysis Vol. 8, 2014, no. 51, 2531-2537 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ijma.2014.410298 Robust EC-PAKA Protocol for Wireless Mobile Networks
More informationWHITE PAPER. Authentication and Encryption Design
WHITE PAPER Authentication and Encryption Design Table of Contents Introduction Applications and Services Account Creation Two-step Verification Authentication Passphrase Management Email Message Encryption
More informationForschungsrichtungen in der IT-Sicherheit
Forschungsrichtungen in der IT-Sicherheit Dr. Jan Camenisch Principle Researcher; Member, IBM Academy of Technology IBM Research Zurich jca@zurich.ibm.com @JanCamenisch ibm.biz/jancamenisch Facts 33% of
More informationA CCA2 Secure PKE Based on McEliece Assumptions in the Standard Model
A CCA2 Secure PKE Based on McEliece Assumptions in the Standard Model Jörn Müller-Quade European Institute for System Security KIT, Karlsruhe, Germany 04/23/09 Session ID: CRYP301 Session Classification:
More informationMike Reiter. University of North Carolina at Chapel Hill. Proliferation of mobile devices. Proliferation of security-relevant apps using these
1 Capture-Resilient Cryptographic Devices Mike Reiter University of North Carolina at Chapel Hill Relevant Trends 2 Proliferation of mobile devices Proliferation of networking Proliferation of security-relevant
More informationEncrypted Data Deduplication in Cloud Storage
Encrypted Data Deduplication in Cloud Storage Chun- I Fan, Shi- Yuan Huang, Wen- Che Hsu Department of Computer Science and Engineering Na>onal Sun Yat- sen University Kaohsiung, Taiwan AsiaJCIS 2015 Outline
More informationCNT4406/5412 Network Security
CNT4406/5412 Network Security Authentication Zhi Wang Florida State University Fall 2014 Zhi Wang (FSU) CNT4406/5412 Network Security Fall 2014 1 / 43 Introduction Introduction Authentication is the process
More informationAuth. Key Exchange. Dan Boneh
Auth. Key Exchange Review: key exchange Alice and want to generate a secret key Saw key exchange secure against eavesdropping Alice k eavesdropper?? k This lecture: Authenticated Key Exchange (AKE) key
More informationTracing Insider Attacks in the Context of Predicate Encryption Schemes
Tracing Insider Attacks in the Context of Predicate Encryption Schemes Jonathan Katz and Dominique Schröder University of Maryland Email: {jkatz,schroder}@cs.umd.edu Abstract In a predicate encryption
More informationSecuring Distributed Computation via Trusted Quorums. Yan Michalevsky, Valeria Nikolaenko, Dan Boneh
Securing Distributed Computation via Trusted Quorums Yan Michalevsky, Valeria Nikolaenko, Dan Boneh Setting Distributed computation over data contributed by users Communication through a central party
More informationSecure Multiparty Computation
CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More information2018: Problem Set 1
crypt@b-it 2018 Problem Set 1 Mike Rosulek crypt@b-it 2018: Problem Set 1 1. Sometimes it is not clear whether certain behavior is an attack against a protocol. To decide whether something is an attack
More informationUser Authentication Protocols Week 7
User Authentication Protocols Week 7 CEN-5079: 2.October.2017 1 Announcement Homework 1 is posted on the class webpage Due in 2 weeks 10 points (out of 100) subtracted each late day CEN-5079: 2.October.2017
More informationCS Computer Networks 1: Authentication
CS 3251- Computer Networks 1: Authentication Professor Patrick Traynor 4/14/11 Lecture 25 Announcements Homework 3 is due next class. Submit via T-Square or in person. Project 3 has been graded. Scores
More informationCryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III
Cryptography III Public-Key Cryptography Digital Signatures 2/1/18 Cryptography III 1 Public Key Cryptography 2/1/18 Cryptography III 2 Key pair Public key: shared with everyone Secret key: kept secret,
More informationLecture 1 Applied Cryptography (Part 1)
Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 9: Authentication Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Definition of entity authentication Solutions password-based
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 4, 2017 CPSC 467, Lecture 11 1/39 ElGamal Cryptosystem Message Integrity and Authenticity Message authentication codes
More informationRSA DISTRIBUTED CREDENTIAL PROTECTION
RSA DISTRIBUTED CREDENTIAL PROTECTION There is a security weakness lurking in many of today s best designed systems a primary point of compromise. Think about your own IT operations. Chances are that by
More informationCS 161 Computer Security. Week of September 11, 2017: Cryptography I
Weaver Fall 2017 CS 161 Computer Security Discussion 3 Week of September 11, 2017: Cryptography I Question 1 Activity: Cryptographic security levels (20 min) Say Alice has a randomly-chosen symmetric key
More informationCSC 5930/9010 Modern Cryptography: Public-Key Infrastructure
CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure Professor Henry Carter Fall 2018 Recap Digital signatures provide message authenticity and integrity in the public-key setting As well as public
More informationDirections in Security Research
Directions in Security Research Jan Camenisch IBM Research Zurich jca@zurich.ibm.com @JanCamenisch ibm.biz/jancamenisch Facts 33% of cyber crimes, including identity theft, take less time than to make
More informationDevice-Enhanced Password Protocols with Optimal Online-Offline Protection
Device-Enhanced Password Protocols with Optimal Online-Offline Protection Stanislaw Jarecki Hugo Krawczyk Maliheh Shirvanian Nitesh Saxena March 29, 2017 Abstract We introduce a setting that we call Device-Enhanced
More informationIntroduction to Cryptography, Helger Lipmaa
T-79.159 Cryptography and Data Security Introduction to Cryptography Helger Lipmaa Laboratory for Theoretical Computer Science Helsinki University of Technology helger@tcs.hut.fi http://www.tcs.hut.fi/
More informationCSE 127: Computer Security Cryptography. Kirill Levchenko
CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017 Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified
More informationCSC 774 Network Security
CSC 774 Network Security Topic 2. Review of Cryptographic Techniques CSC 774 Dr. Peng Ning 1 Outline Encryption/Decryption Digital signatures Hash functions Pseudo random functions Key exchange/agreement/distribution
More informationT Cryptography and Data Security
T-79.4501 Cryptography and Data Security Lecture 10: 10.1 Random number generation 10.2 Key management - Distribution of symmetric keys - Management of public keys Stallings: Ch 7.4; 7.3; 10.1 1 The Use
More information