Simple Password-Hardened Encryption Services

Russell W. F. Lai1, Christoph Egger1, Manuel Reinert2, Sherman S. M. Chow3, Matteo Maffei4, and Dominique Schröder1 1Friedrich-Alexander University Erlangen-Nuremberg 2Saarland University 3Chinese University of Hong Kong 4TU Wien Overview Security Features Practicality • Eliminate offline (e.g., dictionary) attacks • Simple and easy to implement • Rate-limit online (e.g., password guessing) attacks • Easy to convert from existing systems • Obliviousness (Rate-Limiter learns nothing) • 250 logins per core per second • Soundness (Rate-Limiter cannot cheat) • Support key-rotation (required in PCI DSS)

PCI DSS: Payment Card Industry Data Security Standard

One-Package Solution for Data Security – Password-Hardened Encryption

What it does? To protect sensitive client data ...... stored in a server with password (or biometric / two-factor / etc) authentication ...... even after the server is completely compromised...... with minimal help from an external rate-limiter.

Simple Password-Hardened Encryption Services Russel W. F. Lai 2/24 Practicality • Simple and easy to implement • Easy to convert from existing systems • 250 logins per core per second

One-Package Solution for Data Security – Password-Hardened Encryption

What it does? To protect sensitive client data ...... stored in a server with password (or biometric / two-factor / etc) authentication ...... even after the server is completely compromised...... with minimal help from an external rate-limiter.

Security Features • Eliminate offline (e.g., dictionary) attacks • Rate-limit online (e.g., password guessing) attacks • Obliviousness (Rate-Limiter learns nothing) • Soundness (Rate-Limiter cannot cheat) • Support key-rotation (required in PCI DSS)

PCI DSS: Payment Card Industry Data Security Standard Simple Password-Hardened Encryption Services Russel W. F. Lai 2/24 One-Package Solution for Data Security – Password-Hardened Encryption

What it does? To protect sensitive client data ...... stored in a server with password (or biometric / two-factor / etc) authentication ...... even after the server is completely compromised...... with minimal help from an external rate-limiter.

Security Features Practicality • Eliminate offline (e.g., dictionary) attacks • Simple and easy to implement • Rate-limit online (e.g., password guessing) attacks • Easy to convert from existing systems • Obliviousness (Rate-Limiter learns nothing) • 250 logins per core per second • Soundness (Rate-Limiter cannot cheat) • Support key-rotation (required in PCI DSS)

PCI DSS: Payment Card Industry Data Security Standard Simple Password-Hardened Encryption Services Russel W. F. Lai 2/24 Motivation if then

“Top Secret” ← Dec(skS , c)

Password Authenticated Data Retrieval

Server S Client C Username Alice Username Alice Hash h Password 123456 Salt aqZcSP Data Top Secret

Hi! I am “Alice”. My password is “123456”.

? h = Hash(123456, aqZcSP)

OK! Here is your data “Top Secret”!

Simple Password-Hardened Encryption Services Russel W. F. Lai 4/24 Password Authenticated Encrypted Data Retrieval

Server S Client C Username Alice Username Alice Hash h Password 123456 Salt aqZcSP Encrypted Data c

Hi! I am “Alice”. My password is “123456”.

? if h = Hash(123456, aqZcSP) then

“Top Secret” ← Dec(skS , c) OK! Here is your data “Top Secret”!

Simple Password-Hardened Encryption Services Russel W. F. Lai 4/24 Password-Hardening Facebook, PYTHIA [ECSJR@USENIX’15], [SFSB@CCS’16], PHOENIX [LESC@USENIX’17]

Password-Hardened Encryption [This Work]

Issues and Solutions

Offline Log in using Steal Hash Dictionary Stolen Database Attack Password

Obtain Client Data

Decrypt using Complete Stolen Server Compromise Key

Simple Password-Hardened Encryption Services Russel W. F. Lai 5/24 Password-Hardened Encryption [This Work]

Issues and Solutions

Offline Log in using Steal Hash Dictionary Stolen Database Attack Password

Password-Hardening Obtain Client Facebook, PYTHIA [ECSJR@USENIX’15], Data [SFSB@CCS’16], PHOENIX [LESC@USENIX’17]

Decrypt using Complete Stolen Server Compromise Key

Simple Password-Hardened Encryption Services Russel W. F. Lai 5/24 Issues and Solutions

Offline Log in using Steal Hash Dictionary Stolen Database Attack Password

Password-Hardening Obtain Client Facebook, PYTHIA [ECSJR@USENIX’15], Data [SFSB@CCS’16], PHOENIX [LESC@USENIX’17]

Decrypt using Complete Stolen Server Compromise Key

Password-Hardened Encryption [This Work]

Simple Password-Hardened Encryption Services Russel W. F. Lai 5/24 Roadmap

PHOENIX Simplify [LESC@USENIX’17]

Upgrade: Simplified PHOENIX Encryption Functionality Stronger Soundness

Password Hardened Encryption

Simple Password-Hardened Encryption Services Russel W. F. Lai 6/24 Password-Hardening Ingredient: A Key-Homomorphic Pseudorandom Function (PRF)

Let G be a group of prime order q (written multiplicatively) where Decisional Diffie Hellman (DDH) is hard. ∗ Let H : {0, 1} → G be a random oracle. The function

∗ PRF : Zq × {0, 1} → G (key, message) 7→ H(message)key

is pseudorandom under the DDH assumption. PRF is key-homomorphic:

0 0 H(message)key+key = H(message)key · H(message)key

Simple Password-Hardened Encryption Services Russel W. F. Lai 8/24 Simplified PHOENIX [LESC@USENIX’17] – Registration

Client C Server S Rate-Limiter R

“Register”, “Alice”, “123456”

“Register” aqZcSP ←$ Salts

OjQZEe ←$ Salts

y, OjQZEe y ← H(OjQZEe)skR

h ← H(aqZcSP, 123456)skS · y Store (Alice, h, aqZcSP, OjQZEe)

Simple Password-Hardened Encryption Services Russel W. F. Lai 9/24 Simplified PHOENIX [LESC@USENIX’17] – Login

Client C Server S Rate-Limiter R

“Login”, “Alice”, “123456”

Retrieve (Alice, h, aqZcSP, OjQZEe)

y ← h/H(aqZcSP, 123456)skS “Validate”, y, OjQZEe

? Correct! Here is my proof! y = H(OjQZEe)skR

OK! Come in!

Simple Password-Hardened Encryption Services Russel W. F. Lai 10/24 Simplified PHOENIX [LESC@USENIX’17] – Key-Rotation

h = H(aqZcSP, 123456)skS · H(OjQZEe)skR

Server S Rate-Limiter R Key skS Key skR

h0 = hα · H(OjQZEe)β = H(aqZcSP, 123456)α·skS · H(OjQZEe)α·skR+β 0 0 = H(aqZcSP, 123456)skS · H(OjQZEe)skR Server S Rate-Limiter R 0 0 Key skS = α · skS Key skR = α · skR + β

Simple Password-Hardened Encryption Services Russel W. F. Lai 11/24 Idea: Upgrade to Password-Hardened Encryption Conditional Decryption Functionality: If “Check equality of pseudorandom function values” = True then Partially decrypt ciphertext.

Simplified PHOENIX [LESC@USENIX’17] – What the rate-limiter does?

• Equality Check Functionality: Check equality of pseudorandom function values. • Rate-limiting Policy: Rate-Limiter R Refuse to respond if “OjQZEe” appears too frequently. ? y = H(OjQZEe)skR

Simple Password-Hardened Encryption Services Russel W. F. Lai 12/24 Simplified PHOENIX [LESC@USENIX’17] – What the rate-limiter does?

• Equality Check Functionality: Check equality of pseudorandom function values. • Rate-limiting Policy: Rate-Limiter R Refuse to respond if “OjQZEe” appears too frequently. ? y = H(OjQZEe)skR

Idea: Upgrade to Password-Hardened Encryption Conditional Decryption Functionality: If “Check equality of pseudorandom function values” = True then Partially decrypt ciphertext.

Simple Password-Hardened Encryption Services Russel W. F. Lai 12/24 Password-Hardened Encryption Password-Hardened Encryption – Registration

Client C Server S Rate-Limiter R

“Register”, “Alice”, “123456”, “Top Secret”

“Register” aqZcSP ←$ Salts

K ←$ AES Keys OjQZEe ←$ Salts

skR y0 ← H0(OjQZEe)

y0, y1 skR y1 ← H1(OjQZEe)

skS h0 ← H0(aqZcSP, 123456) · y0 skS skS h1 ← H1(aqZcSP, 123456) · y1 · K c ← AES.Enc(K , Top Secret)

Store (Alice, (h0, h1, c), aqZcSP, OjQZEe)

Simple Password-Hardened Encryption Services Russel W. F. Lai 14/24 Password-Hardened Encryption – Login

Client C Server S Rate-Limiter R

“Login”, “Alice”, “123456”

Retrieve (Alice, (h0, h1, c), aqZcSP, OjQZEe)

skS “Validate”, y0, OjQZEe y0 ← h0/H0(aqZcSP, 123456)

skS skR z ← h1/H1(aqZcSP, 123456) if y0 = H0(OjQZEe) then

Correct! Here is y1 and my proof! skR y1 ← H1(OjQZEe)

1 sk K ← (z/y1) S

“Top Secret” “Top Secret” ← AES.Dec(K , c)

Simple Password-Hardened Encryption Services Russel W. F. Lai 15/24 Password-Hardened Encryption – Security Features

Against Compromised Server

• Eliminate Offline Attacks • Password Hashes are masked by R’s PRF • Compromised S must communicate with R • Rate-Limit Online Attacks (per Client) • R records the salt (e.g., OjQZEe) in each login request • R refuses to respond if a client (a salt) tries to log in too frequently

Simple Password-Hardened Encryption Services Russel W. F. Lai 16/24 Password-Hardened Encryption – Security Features

Against Compromised Rate-Limiter

• Obliviousness • Registration and login requests are completely independent of clients’ passwords and data • R learns nothing about clients’ passwords and data • Soundness • R must prove for both valid and invalid requests

Proactive Security

• Key-Rotation • e.g., periodically and when one party is (suspected to be) compromised • Due to the key-homomorphic PRF

Simple Password-Hardened Encryption Services Russel W. F. Lai 17/24 Performance Evaluation Setup

• 10 Core Intel Xeon E5-2640 CPU (both S and R) • Charm crypto prototyping library • Falcon Web Framework • HTTPS with keep-alive

Comparison (Rate-Limiter Throughput)

• ≈ 4x of PYTHIA [ECSJR@USENIX’15] • ≈ 1.5x of PHOENIX [LESC@USENIX’17] • (Those are password-hardening without encryption!)

Simple Password-Hardened Encryption Services Russel W. F. Lai 19/24 Performance Graphs

3,000 Encrypt Encrypt Decrypt-Success 2,500 Decrypt-Success 1,500 Decrypt-Fail Decrypt-Fail 2,000

1,000 1,500 req/s req/s

1,000 500 500

1-core 2-core 4-core 8-core 1-core 2-core 4-core 8-core

Figure: Server throughput in req/s Figure: Rate-Limiter throughput in req/s

Simple Password-Hardened Encryption Services Russel W. F. Lai 20/24 Conclusion

Simple Password-Hardened Encryption Services – One-Package Solution for Data Security Russell W. F. Lai Friedrich-Alexander University Erlangen-Nuremberg [email protected] Questions and Answers Why ...?

Why is it difficult to compromise both S and R?

• Compromising two parties require twice the effort. • We assume that R is built and maintained by security experts, so it is difficult to compromise.

Simple Password-Hardened Encryption Services Russel W. F. Lai 23/24 Why not ...?

Why not password-authenticated key-exchange (PAKE)? Different functionality. In PAKE, both parties know the password, and a fresh key is derived every time.

Why not password-protected secret-sharing (PPSS)?

• No existing scheme supports efficient key-rotation. • PPSS is too strong: The user in PPSS (the counterpart of the server in PHE) has no secret key.

Simple Password-Hardened Encryption Services Russel W. F. Lai 24/24