Securing password recovery through dispersion

Passwords form the Achilles heel of most uses of modern cryptography. Key recovery is necessary to provide continuous access to documents and other electronic assets in spite of possible loss of a password. Key escrow services provide key recovery for the owner, but need to be trusted. Additionally, a user might want to divulge passwords in case of his/her death or incapacitation, but not before. We present here a scheme that uses dispersion to provide trusted escrow services. Our scheme uses secret sharing to disperse password recovery information over several escrow services that authenticate based on a weak password. To protect against dictionary attacks, each authentication attempt takes a noticeable, but tolerable time (e.g. minutes). We achieve this by having the share of the secret be the solution of a puzzle that is solved by brute force in time depending on the number of processors employed. This additionally prevents escrow agencies from optimizing their part in recovering a password by pre-computing and storing their share in a more accessible and hence vulnerable format.
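The following is an added illustration of the dispersion idea, not the paper's construction: a recovery secret is split k-of-n with Shamir secret sharing, and each escrow holds only a puzzle whose brute-force solution is its share. The puzzle form (a SHA-256 preimage search over a bounded noise range), the field prime, `NOISE_BITS` and all function names are assumptions made for this sketch, and the weak-password authentication step is not modelled.

```python
import hashlib
import secrets

P = 2**127 - 1      # prime field for share arithmetic (assumed parameter)
NOISE_BITS = 16     # toy hardness: 2**16 candidates per share

def split(secret, k, n):
    """Shamir k-of-n: evaluate a random degree k-1 polynomial at x = 1..n."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def combine(shares):
    """Lagrange interpolation at x = 0 recovers the secret from k shares."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def _digest(x, y):
    return hashlib.sha256(f"{x}:{y}".encode()).hexdigest()

def make_puzzle(share):
    """What an escrow stores: the share with its low bits erased, plus a hash."""
    x, y = share
    return {"x": x, "base": y >> NOISE_BITS << NOISE_BITS, "hint": _digest(x, y)}

def solve_puzzle(puzzle, worker=0, workers=1):
    """Search this worker's slice of the noise range; None if the share is elsewhere."""
    for noise in range(worker, 1 << NOISE_BITS, workers):
        y = puzzle["base"] + noise
        if _digest(puzzle["x"], y) == puzzle["hint"]:
            return (puzzle["x"], y)
    return None

def recover(puzzles, workers=4):
    """Solve k puzzles (slices run one after another here; on separate
    processors they would run concurrently) and combine the shares."""
    shares = []
    for p in puzzles:
        found = [s for w in range(workers) if (s := solve_puzzle(p, w, workers))]
        shares.append(found[0])
    return combine(shares)
```

Raising `NOISE_BITS` lengthens each recovery attempt, while splitting the range across more workers shortens it, which is the time-versus-processors trade-off the abstract describes.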
