Perfectly Secure Password Protocols in the Bounded Retrieval Model

We introduce a formal model, which we call the Bounded Retrieval Model, for the design and analysis of cryptographic protocols that remain secure against intruders who can retrieve a limited amount of a party's private memory. The underlying assumption on the intruder's behavior is supported by real-life physical and logical considerations, such as the inherent superiority of a party's local data bus over a remote intruder's bandwidth-limited channel, or the detectability of voluminous resource access by any local intruder. More specifically, we assume a fixed upper bound on the amount of a party's storage that the adversary can retrieve. Our model can be considered a non-trivial variation of the well-studied Bounded Storage Model, which postulates a bound on the amount of storage available to an adversary attacking a given system. In this model we study perhaps the simplest of cryptographic tasks: user authentication via a password protocol. Specifically, we study the problem of constructing efficient password protocols that remain secure against offline dictionary attacks even when a large (but bounded) part of the storage of the server responsible for password verification is retrieved by an intruder through a remote or local connection. We present password protocols with satisfactory performance on both efficiency (in terms of the server's running time) and provable security (making the offline dictionary attack not significantly stronger than the online attack). We also study the tradeoffs between efficiency, quantitative security and qualitative security in these protocols. All our schemes achieve perfect security (security against computationally unbounded adversaries). Our main schemes achieve the interesting efficiency property that the server's lookup complexity is much smaller than the adversary's retrieval bound.
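A toy simulation of the model's central idea, added here as an illustration and not taken from the paper: the server keeps a large random table, verifying a password touches only K of its entries, and an intruder who has retrieved a bounded fraction of the table can test a dictionary guess offline only if every entry that guess touches lies in the retrieved part. The table size, K, the SHA-256 index mapping, the salt and the sample dictionary are all constructed for this demo; the paper's perfectly secure schemes do not rely on a hash function, and SHA-256 here is only a stand-in for selecting positions.

```python
import hashlib
import os
import random
from functools import reduce

# Constructed demo parameters (not the paper's): N random 128-bit words stand in
# for the server's large storage, and each password touches only K of them.
N = 4096
K = 20
_rng = random.Random(2024)  # seeded only so the demo is reproducible
TABLE = [_rng.getrandbits(128) for _ in range(N)]

def positions(password: bytes, salt: bytes) -> list:
    """Map (salt, password) to K table indices. SHA-256 is only a stand-in here;
    the paper's perfectly secure schemes select positions without any hash."""
    return [int.from_bytes(hashlib.sha256(salt + password + bytes([i])).digest(), "big") % N
            for i in range(K)]

def _xor_words(idx) -> int:
    return reduce(lambda acc, p: acc ^ TABLE[p], idx, 0)

def register(password: bytes, salt: bytes = b"") -> tuple:
    """Enrollment: the server stores a salt and the XOR of the K touched words."""
    salt = salt or os.urandom(16)
    return salt, _xor_words(positions(password, salt))

def verify(password: bytes, record: tuple) -> bool:
    """Login check: K table lookups, far fewer than the intruder's retrieval bound."""
    salt, verifier = record
    return _xor_words(positions(password, salt)) == verifier

def offline_checkable(guess: bytes, record: tuple, retrieved: set) -> bool:
    """An intruder holding only the words at `retrieved` can test a guess offline
    only if every word that guess touches is among them."""
    salt, _ = record
    return all(p in retrieved for p in positions(guess, salt))

def checkable_fraction(dictionary: list, record: tuple, retrieved: set) -> float:
    """Share of dictionary guesses the intruder can confirm or rule out offline."""
    return sum(offline_checkable(g, record, retrieved) for g in dictionary) / len(dictionary)

def expected_checkable(fraction_retrieved: float) -> float:
    """Heuristic: with a random-like mapping and a fraction f of the table retrieved,
    a guess is fully covered with probability f**K."""
    return fraction_retrieved ** K

if __name__ == "__main__":
    rec = register(b"correct horse")
    half = set(range(N // 2))  # constructed intruder view: half the table
    words = [f"pw{i}".encode() for i in range(1000)]  # constructed dictionary
    print(verify(b"correct horse", rec), checkable_fraction(words, rec, half), expected_checkable(0.5))
```

With half of the table retrieved, almost no guess in the dictionary is checkable offline, while the legitimate server still verifies a login with only K lookups.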
