Simple Password-Hardened Encryption Services

Size: px

Start display at page:

Download "Simple Password-Hardened Encryption Services"

Ada Vanessa Rogers
5 years ago
Views:

1 Simple Password-Hardened Encryption Services Russell W. F. Lai 1, Christoph Egger 1, Manuel Reinert 2, Sherman S. M. Chow 3, Matteo Maffei 4, and Dominique Schröder 1 1 Friedrich-Alexander University Erlangen-Nuremberg 2 Saarland University 3 Chinese University of Hong Kong 4 TU Wien

2 Overview

3 One-Package Solution for Data Security Password-Hardened Encryption What it does? To protect sensitive client data stored in a server with password (or biometric / two-factor / etc) authentication even after the server is completely compromised with minimal help from an external rate-limiter. Simple Password-Hardened Encryption Services Russel W. F. Lai 2/24

4 One-Package Solution for Data Security Password-Hardened Encryption What it does? To protect sensitive client data stored in a server with password (or biometric / two-factor / etc) authentication even after the server is completely compromised with minimal help from an external rate-limiter. Security Features Eliminate offline (e.g., dictionary) attacks Rate-limit online (e.g., password guessing) attacks Obliviousness (Rate-Limiter learns nothing) Soundness (Rate-Limiter cannot cheat) Support key-rotation (required in PCI DSS) PCI DSS: Payment Card Industry Data Security Standard Simple Password-Hardened Encryption Services Russel W. F. Lai 2/24

5 One-Package Solution for Data Security Password-Hardened Encryption What it does? To protect sensitive client data stored in a server with password (or biometric / two-factor / etc) authentication even after the server is completely compromised with minimal help from an external rate-limiter. Security Features Eliminate offline (e.g., dictionary) attacks Rate-limit online (e.g., password guessing) attacks Obliviousness (Rate-Limiter learns nothing) Soundness (Rate-Limiter cannot cheat) Support key-rotation (required in PCI DSS) Practicality Simple and easy to implement Easy to convert from existing systems 250 logins per core per second PCI DSS: Payment Card Industry Data Security Standard Simple Password-Hardened Encryption Services Russel W. F. Lai 2/24

6 Motivation

7 Password Authenticated Data Retrieval Client C Username Alice Password Server S Username Alice Hash h Salt aqzcsp Data Top Secret Hi! I am Alice. My password is h? = Hash(123456, aqzcsp) OK! Here is your data Top Secret! Simple Password-Hardened Encryption Services Russel W. F. Lai 4/24

8 Password Authenticated Encrypted Data Retrieval Client C Username Alice Password Server S Username Alice Hash h Salt aqzcsp Encrypted Data c Hi! I am Alice. My password is if h? = Hash(123456, aqzcsp) then Top Secret Dec(sk S, c) OK! Here is your data Top Secret! Simple Password-Hardened Encryption Services Russel W. F. Lai 4/24

9 Issues and Solutions Steal Hash Database Offline Dictionary Attack Log in using Stolen Password Obtain Client Data Complete Compromise Decrypt using Stolen Server Key Simple Password-Hardened Encryption Services Russel W. F. Lai 5/24

10 Issues and Solutions Steal Hash Database Offline Dictionary Attack Log in using Stolen Password Password-Hardening Facebook, PYTHIA 15], 16], PHOENIX 17] Obtain Client Data Complete Compromise Decrypt using Stolen Server Key Simple Password-Hardened Encryption Services Russel W. F. Lai 5/24

11 Issues and Solutions Steal Hash Database Offline Dictionary Attack Log in using Stolen Password Password-Hardening Facebook, PYTHIA 15], 16], PHOENIX 17] Obtain Client Data Complete Compromise Decrypt using Stolen Server Key Password-Hardened Encryption [This Work] Simple Password-Hardened Encryption Services Russel W. F. Lai 5/24

12 Roadmap PHOENIX 17] Simplify Simplified PHOENIX Upgrade: Encryption Functionality Stronger Soundness Password Hardened Encryption Simple Password-Hardened Encryption Services Russel W. F. Lai 6/24

13 Password-Hardening

14 Ingredient: A Key-Homomorphic Pseudorandom Function (PRF) Let G be a group of prime order q (written multiplicatively) where Decisional Diffie Hellman (DDH) is hard. Let H : {0, 1} G be a random oracle. The function PRF : Z q {0, 1} G (key, message) H(message) key is pseudorandom under the DDH assumption. PRF is key-homomorphic: H(message) key+key = H(message) key H(message) key Simple Password-Hardened Encryption Services Russel W. F. Lai 8/24

15 Simplified PHOENIX 17] Registration Client C Server S Rate-Limiter R Register, Alice, aqzcsp $ Salts Register OjQZEe $ Salts y, OjQZEe y H(OjQZEe) sk R h H(aqZcSP, ) sks y Store (Alice, h, aqzcsp, OjQZEe) Simple Password-Hardened Encryption Services Russel W. F. Lai 9/24

16 Simplified PHOENIX 17] Login Client C Server S Rate-Limiter R Login, Alice, Retrieve (Alice, h, aqzcsp, OjQZEe) y h/h(aqzcsp, ) sk S Validate, y, OjQZEe Correct! Here is my proof! y? = H(OjQZEe) sk R OK! Come in! Simple Password-Hardened Encryption Services Russel W. F. Lai 10/24

17 Simplified PHOENIX 17] Key-Rotation h = H(aqZcSP, ) sks H(OjQZEe) sk R Server S Key sk S Rate-Limiter R Key sk R Server S Key sk S = α sk S h = h α H(OjQZEe) β = H(aqZcSP, ) α sk S H(OjQZEe) α sk R+β = H(aqZcSP, ) sk S H(OjQZEe) sk R Rate-Limiter R Key sk R = α sk R + β Simple Password-Hardened Encryption Services Russel W. F. Lai 11/24

18 Simplified PHOENIX 17] What the rate-limiter does? Equality Check Functionality: Check equality of pseudorandom function values. Rate-limiting Policy: Refuse to respond if OjQZEe appears too frequently. Rate-Limiter R y? = H(OjQZEe) sk R Simple Password-Hardened Encryption Services Russel W. F. Lai 12/24

19 Simplified PHOENIX 17] What the rate-limiter does? Equality Check Functionality: Check equality of pseudorandom function values. Rate-limiting Policy: Refuse to respond if OjQZEe appears too frequently. Rate-Limiter R y? = H(OjQZEe) sk R Idea: Upgrade to Password-Hardened Encryption Conditional Decryption Functionality: If Check equality of pseudorandom function values = True then Partially decrypt ciphertext. Simple Password-Hardened Encryption Services Russel W. F. Lai 12/24

20 Password-Hardened Encryption

21 Password-Hardened Encryption Registration Client C Server S Rate-Limiter R Register, Alice, , Top Secret aqzcsp $ Salts Register K $ AES Keys OjQZEe $ Salts y 0 H 0 (OjQZEe) sk R y 0, y 1 y1 H 1 (OjQZEe) sk R h 0 H 0 (aqzcsp, ) sks y 0 h 1 H 1 (aqzcsp, ) sks y 1 K sk S c AES.Enc(K, Top Secret) Store (Alice, (h 0, h 1, c), aqzcsp, OjQZEe) Simple Password-Hardened Encryption Services Russel W. F. Lai 14/24

22 Password-Hardened Encryption Login Client C Server S Rate-Limiter R Login, Alice, Retrieve (Alice, (h 0, h 1, c), aqzcsp, OjQZEe) y 0 h 0 /H 0 (aqzcsp, ) sk S Validate, y 0, OjQZEe z h 1 /H 1 (aqzcsp, ) sk S if y 0 = H 0 (OjQZEe) skr then Correct! Here is y 1 and my proof! y 1 H 1 (OjQZEe) sk R K (z/y 1 ) 1 sk S Top Secret Top Secret AES.Dec(K, c) Simple Password-Hardened Encryption Services Russel W. F. Lai 15/24

23 Password-Hardened Encryption Security Features Against Compromised Server Eliminate Offline Attacks Password Hashes are masked by R s PRF Compromised S must communicate with R Rate-Limit Online Attacks (per Client) R records the salt (e.g., OjQZEe) in each login request R refuses to respond if a client (a salt) tries to log in too frequently Simple Password-Hardened Encryption Services Russel W. F. Lai 16/24

24 Password-Hardened Encryption Security Features Against Compromised Rate-Limiter Obliviousness Registration and login requests are completely independent of clients passwords and data R learns nothing about clients passwords and data Soundness R must prove for both valid and invalid requests Proactive Security Key-Rotation e.g., periodically and when one party is (suspected to be) compromised Due to the key-homomorphic PRF Simple Password-Hardened Encryption Services Russel W. F. Lai 17/24

25 Performance Evaluation

26 Setup 10 Core Intel Xeon E CPU (both S and R) Charm crypto prototyping library Falcon Web Framework HTTPS with keep-alive Comparison (Rate-Limiter Throughput) 4x of PYTHIA [ECSJR@USENIX 15] 1.5x of PHOENIX [LESC@USENIX 17] (Those are password-hardening without encryption!) Simple Password-Hardened Encryption Services Russel W. F. Lai 19/24

27 Performance Graphs 1,500 Encrypt Decrypt-Success Decrypt-Fail 3,000 2,500 2,000 Encrypt Decrypt-Success Decrypt-Fail req/s 1,000 req/s 1, , core 2-core 4-core 8-core 1-core 2-core 4-core 8-core Figure: Server throughput in req/s Figure: Rate-Limiter throughput in req/s Simple Password-Hardened Encryption Services Russel W. F. Lai 20/24

28 Conclusion Simple Password-Hardened Encryption Services One-Package Solution for Data Security Russell W. F. Lai Friedrich-Alexander University Erlangen-Nuremberg

29 Questions and Answers

30 Why...? Why is it difficult to compromise both S and R? Compromising two parties require twice the effort. We assume that R is built and maintained by security experts, so it is difficult to compromise. Simple Password-Hardened Encryption Services Russel W. F. Lai 23/24

31 Why not...? Why not password-authenticated key-exchange (PAKE)? Different functionality. In PAKE, both parties know the password, and a fresh key is derived every time. Why not password-protected secret-sharing (PPSS)? No existing scheme supports efficient key-rotation. PPSS is too strong: The user in PPSS (the counterpart of the server in PHE) has no secret key. Simple Password-Hardened Encryption Services Russel W. F. Lai 24/24

Phoenix: Rebirth of a Cryptographic Password-Hardening Service

Phoenix: Rebirth of a Cryptographic Password-Hardening Service Russell W.F. Lai 1,2 Christoph Egger 1 Dominique Schro der 1 Sherman S.M. Chow 2 1 Friedrich-Alexander-Universita t Erlangen-Nu rnberg University