Device-Enhanced Password Protocols with Optimal Online-Offline Protection

We introduce a setting that we call Device-Enhanced PAKE (DE-PAKE), where PAKE (password-authenticated key exchange) protocols are strengthened against online and offline attacks through the use of an auxiliary device that aids the user in the authentication process. We build such schemes and show that their security, properly formalized, achieves maximal-attainable resistance to online and offline attacks in both PKI and PKI-free settings. In particular, an online attacker must guess the user's password and also corrupt the user's auxiliary device to authenticate, while an attacker who corrupts the server cannot learn the users' passwords via an offline dictionary attack. Notably, our solutions do not require secure channels, and nothing (in an information-theoretic sense) is learned about the password by the device (or malicious software running on the device) or over the device-client channel, even without any external protection of this channel. An attacker taking over the device still requires a full online attack to impersonate the user. Importantly, our DE-PAKE scheme can be deployed at the user end without the need to modify the server and without the server having to be aware that the user is using a DE-PAKE scheme. In particular, the schemes can work with standard servers running the usual password-over-TLS authentication. We use these protocols to implement a practical DE-PAKE system and we evaluate its performance. To improve usability, the implemented system utilizes an automated, user-transparent data channel between the mobile device and the client, falling back to localized communication if the device loses primary connectivity.
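The information-theoretic hiding of the password from the device and from the device-client channel, as described above, is the kind of property an oblivious PRF between client and device provides. The following is an added example, not the paper's own code: it shows one standard blinded-exponentiation construction of such a client-device exchange, where the device holds a key k, sees only a blinded group element, and the client recovers a device-strengthened password rwd that it can then present to an unmodified server. The toy group search, hash choices and all function names are assumptions for illustration, not taken from the paper.

```python
import hashlib, secrets

# Toy group (CONSTRUCTED for the demo): a ~128-bit safe prime p = 2q + 1; the OPRF
# runs in the order-q subgroup of squares mod p. Use a standardized group in practice.
def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    s = ((n - 1) & (1 - n)).bit_length() - 1          # n - 1 = d * 2^s (n large, odd)
    d = (n - 1) >> s
    for _ in range(rounds):                           # Miller-Rabin rounds
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime(bits: int = 128) -> tuple:
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = _safe_prime()

def hash_to_group(pwd: str) -> int:
    """H1: map the password to a nonzero square mod P (an order-Q element)."""
    h = int.from_bytes(hashlib.sha256(pwd.encode()).digest(), "big") % P
    return pow(h, 2, P) or 4

def client_blind(pwd: str) -> tuple:
    """Client: pick a fresh blind r and send H1(pwd)^r to the device."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(hash_to_group(pwd), r, P)

def device_evaluate(k: int, blinded: int) -> int:
    """Device: raise to its key k. Its view, H1(pwd)^r for uniform r, is a
    uniformly random subgroup element whatever the password is."""
    return pow(blinded, k, P)

def client_finish(pwd: str, r: int, response: int) -> str:
    y = pow(response, pow(r, -1, Q), P)               # unblind: (H1^{rk})^{1/r} = H1(pwd)^k
    return hashlib.sha256(pwd.encode() + y.to_bytes(32, "big")).hexdigest()

def derive_rwd(pwd: str, device_key: int) -> str:
    """One full exchange; rwd replaces pwd towards an unmodified server."""
    r, blinded = client_blind(pwd)
    return client_finish(pwd, r, device_evaluate(device_key, blinded))
```

Running `derive_rwd` twice with the same password and device key yields the same rwd even though the device receives a different blinded value each time, and a server-side leak of a hash of rwd cannot be dictionary-attacked without also holding the device's key.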
