Simple Password-Hardened Encryption Services
Russell W. F. Lai1, Christoph Egger1, Manuel Reinert2, Sherman S. M. Chow3, Matteo Maffei4, and Dominique Schröder1 1Friedrich-Alexander University Erlangen-Nuremberg 2Saarland University 3Chinese University of Hong Kong 4TU Wien Overview Security Features Practicality • Eliminate offline (e.g., dictionary) attacks • Simple and easy to implement • Rate-limit online (e.g., password guessing) attacks • Easy to convert from existing systems • Obliviousness (Rate-Limiter learns nothing) • 250 logins per core per second • Soundness (Rate-Limiter cannot cheat) • Support key-rotation (required in PCI DSS)
PCI DSS: Payment Card Industry Data Security Standard
One-Package Solution for Data Security – Password-Hardened Encryption
What it does? To protect sensitive client data ...... stored in a server with password (or biometric / two-factor / etc) authentication ...... even after the server is completely compromised...... with minimal help from an external rate-limiter.
Simple Password-Hardened Encryption Services Russel W. F. Lai 2/24 Practicality • Simple and easy to implement • Easy to convert from existing systems • 250 logins per core per second
One-Package Solution for Data Security – Password-Hardened Encryption
What it does? To protect sensitive client data ...... stored in a server with password (or biometric / two-factor / etc) authentication ...... even after the server is completely compromised...... with minimal help from an external rate-limiter.
Security Features • Eliminate offline (e.g., dictionary) attacks • Rate-limit online (e.g., password guessing) attacks • Obliviousness (Rate-Limiter learns nothing) • Soundness (Rate-Limiter cannot cheat) • Support key-rotation (required in PCI DSS)
PCI DSS: Payment Card Industry Data Security Standard Simple Password-Hardened Encryption Services Russel W. F. Lai 2/24 One-Package Solution for Data Security – Password-Hardened Encryption
What it does? To protect sensitive client data ...... stored in a server with password (or biometric / two-factor / etc) authentication ...... even after the server is completely compromised...... with minimal help from an external rate-limiter.
Security Features Practicality • Eliminate offline (e.g., dictionary) attacks • Simple and easy to implement • Rate-limit online (e.g., password guessing) attacks • Easy to convert from existing systems • Obliviousness (Rate-Limiter learns nothing) • 250 logins per core per second • Soundness (Rate-Limiter cannot cheat) • Support key-rotation (required in PCI DSS)
PCI DSS: Payment Card Industry Data Security Standard Simple Password-Hardened Encryption Services Russel W. F. Lai 2/24 Motivation if then
“Top Secret” ← Dec(skS , c)
Password Authenticated Data Retrieval
Server S Client C Username Alice Username Alice Hash h Password 123456 Salt aqZcSP Data Top Secret
Hi! I am “Alice”. My password is “123456”.
? h = Hash(123456, aqZcSP)
OK! Here is your data “Top Secret”!
Simple Password-Hardened Encryption Services Russel W. F. Lai 4/24 Password Authenticated Encrypted Data Retrieval
Server S Client C Username Alice Username Alice Hash h Password 123456 Salt aqZcSP Encrypted Data c
Hi! I am “Alice”. My password is “123456”.
? if h = Hash(123456, aqZcSP) then
“Top Secret” ← Dec(skS , c) OK! Here is your data “Top Secret”!
Simple Password-Hardened Encryption Services Russel W. F. Lai 4/24 Password-Hardening Facebook, PYTHIA [ECSJR@USENIX’15], [SFSB@CCS’16], PHOENIX [LESC@USENIX’17]
Password-Hardened Encryption [This Work]
Issues and Solutions
Offline Log in using Steal Hash Dictionary Stolen Database Attack Password
Obtain Client Data
Decrypt using Complete Stolen Server Compromise Key
Simple Password-Hardened Encryption Services Russel W. F. Lai 5/24 Password-Hardened Encryption [This Work]
Issues and Solutions
Offline Log in using Steal Hash Dictionary Stolen Database Attack Password
Password-Hardening Obtain Client Facebook, PYTHIA [ECSJR@USENIX’15], Data [SFSB@CCS’16], PHOENIX [LESC@USENIX’17]
Decrypt using Complete Stolen Server Compromise Key
Simple Password-Hardened Encryption Services Russel W. F. Lai 5/24 Issues and Solutions
Offline Log in using Steal Hash Dictionary Stolen Database Attack Password
Password-Hardening Obtain Client Facebook, PYTHIA [ECSJR@USENIX’15], Data [SFSB@CCS’16], PHOENIX [LESC@USENIX’17]
Decrypt using Complete Stolen Server Compromise Key
Password-Hardened Encryption [This Work]
Simple Password-Hardened Encryption Services Russel W. F. Lai 5/24 Roadmap
PHOENIX Simplify [LESC@USENIX’17]
Upgrade: Simplified PHOENIX Encryption Functionality Stronger Soundness
Password Hardened Encryption
Simple Password-Hardened Encryption Services Russel W. F. Lai 6/24 Password-Hardening Ingredient: A Key-Homomorphic Pseudorandom Function (PRF)
Let G be a group of prime order q (written multiplicatively) where Decisional Diffie Hellman (DDH) is hard. ∗ Let H : {0, 1} → G be a random oracle. The function
∗ PRF : Zq × {0, 1} → G (key, message) 7→ H(message)key
is pseudorandom under the DDH assumption. PRF is key-homomorphic:
0 0 H(message)key+key = H(message)key · H(message)key
Simple Password-Hardened Encryption Services Russel W. F. Lai 8/24 Simplified PHOENIX [LESC@USENIX’17] – Registration
Client C Server S Rate-Limiter R
“Register”, “Alice”, “123456”
“Register” aqZcSP ←$ Salts
OjQZEe ←$ Salts
y, OjQZEe y ← H(OjQZEe)skR
h ← H(aqZcSP, 123456)skS · y Store (Alice, h, aqZcSP, OjQZEe)
Simple Password-Hardened Encryption Services Russel W. F. Lai 9/24 Simplified PHOENIX [LESC@USENIX’17] – Login
Client C Server S Rate-Limiter R
“Login”, “Alice”, “123456”
Retrieve (Alice, h, aqZcSP, OjQZEe)
y ← h/H(aqZcSP, 123456)skS “Validate”, y, OjQZEe
? Correct! Here is my proof! y = H(OjQZEe)skR
OK! Come in!
Simple Password-Hardened Encryption Services Russel W. F. Lai 10/24 Simplified PHOENIX [LESC@USENIX’17] – Key-Rotation
h = H(aqZcSP, 123456)skS · H(OjQZEe)skR
Server S Rate-Limiter R Key skS Key skR
h0 = hα · H(OjQZEe)β = H(aqZcSP, 123456)α·skS · H(OjQZEe)α·skR+β 0 0 = H(aqZcSP, 123456)skS · H(OjQZEe)skR Server S Rate-Limiter R 0 0 Key skS = α · skS Key skR = α · skR + β
Simple Password-Hardened Encryption Services Russel W. F. Lai 11/24 Idea: Upgrade to Password-Hardened Encryption Conditional Decryption Functionality: If “Check equality of pseudorandom function values” = True then Partially decrypt ciphertext.
Simplified PHOENIX [LESC@USENIX’17] – What the rate-limiter does?
• Equality Check Functionality: Check equality of pseudorandom function values. • Rate-limiting Policy: Rate-Limiter R Refuse to respond if “OjQZEe” appears too frequently. ? y = H(OjQZEe)skR
Simple Password-Hardened Encryption Services Russel W. F. Lai 12/24 Simplified PHOENIX [LESC@USENIX’17] – What the rate-limiter does?
• Equality Check Functionality: Check equality of pseudorandom function values. • Rate-limiting Policy: Rate-Limiter R Refuse to respond if “OjQZEe” appears too frequently. ? y = H(OjQZEe)skR
Idea: Upgrade to Password-Hardened Encryption Conditional Decryption Functionality: If “Check equality of pseudorandom function values” = True then Partially decrypt ciphertext.
Simple Password-Hardened Encryption Services Russel W. F. Lai 12/24 Password-Hardened Encryption Password-Hardened Encryption – Registration
Client C Server S Rate-Limiter R
“Register”, “Alice”, “123456”, “Top Secret”
“Register” aqZcSP ←$ Salts
K ←$ AES Keys OjQZEe ←$ Salts
skR y0 ← H0(OjQZEe)
y0, y1 skR y1 ← H1(OjQZEe)
skS h0 ← H0(aqZcSP, 123456) · y0 skS skS h1 ← H1(aqZcSP, 123456) · y1 · K c ← AES.Enc(K , Top Secret)
Store (Alice, (h0, h1, c), aqZcSP, OjQZEe)
Simple Password-Hardened Encryption Services Russel W. F. Lai 14/24 Password-Hardened Encryption – Login
Client C Server S Rate-Limiter R
“Login”, “Alice”, “123456”
Retrieve (Alice, (h0, h1, c), aqZcSP, OjQZEe)
skS “Validate”, y0, OjQZEe y0 ← h0/H0(aqZcSP, 123456)
skS skR z ← h1/H1(aqZcSP, 123456) if y0 = H0(OjQZEe) then
Correct! Here is y1 and my proof! skR y1 ← H1(OjQZEe)
1 sk K ← (z/y1) S
“Top Secret” “Top Secret” ← AES.Dec(K , c)
Simple Password-Hardened Encryption Services Russel W. F. Lai 15/24 Password-Hardened Encryption – Security Features
Against Compromised Server
• Eliminate Offline Attacks • Password Hashes are masked by R’s PRF • Compromised S must communicate with R • Rate-Limit Online Attacks (per Client) • R records the salt (e.g., OjQZEe) in each login request • R refuses to respond if a client (a salt) tries to log in too frequently
Simple Password-Hardened Encryption Services Russel W. F. Lai 16/24 Password-Hardened Encryption – Security Features
Against Compromised Rate-Limiter
• Obliviousness • Registration and login requests are completely independent of clients’ passwords and data • R learns nothing about clients’ passwords and data • Soundness • R must prove for both valid and invalid requests
Proactive Security
• Key-Rotation • e.g., periodically and when one party is (suspected to be) compromised • Due to the key-homomorphic PRF
Simple Password-Hardened Encryption Services Russel W. F. Lai 17/24 Performance Evaluation Setup
• 10 Core Intel Xeon E5-2640 CPU (both S and R) • Charm crypto prototyping library • Falcon Web Framework • HTTPS with keep-alive
Comparison (Rate-Limiter Throughput)
• ≈ 4x of PYTHIA [ECSJR@USENIX’15] • ≈ 1.5x of PHOENIX [LESC@USENIX’17] • (Those are password-hardening without encryption!)
Simple Password-Hardened Encryption Services Russel W. F. Lai 19/24 Performance Graphs
3,000 Encrypt Encrypt Decrypt-Success 2,500 Decrypt-Success 1,500 Decrypt-Fail Decrypt-Fail 2,000
1,000 1,500 req/s req/s
1,000 500 500
1-core 2-core 4-core 8-core 1-core 2-core 4-core 8-core
Figure: Server throughput in req/s Figure: Rate-Limiter throughput in req/s
Simple Password-Hardened Encryption Services Russel W. F. Lai 20/24 Conclusion
Simple Password-Hardened Encryption Services – One-Package Solution for Data Security Russell W. F. Lai Friedrich-Alexander University Erlangen-Nuremberg [email protected] Questions and Answers Why ...?
Why is it difficult to compromise both S and R?
• Compromising two parties require twice the effort. • We assume that R is built and maintained by security experts, so it is difficult to compromise.
Simple Password-Hardened Encryption Services Russel W. F. Lai 23/24 Why not ...?
Why not password-authenticated key-exchange (PAKE)? Different functionality. In PAKE, both parties know the password, and a fresh key is derived every time.
Why not password-protected secret-sharing (PPSS)?
• No existing scheme supports efficient key-rotation. • PPSS is too strong: The user in PPSS (the counterpart of the server in PHE) has no secret key.
Simple Password-Hardened Encryption Services Russel W. F. Lai 24/24