AuthStore: Password-based Authentication and Encrypted Data Storage in Untrusted Environments Clemens Zeidler Muhammad Rizwan Asghar The University of Auckland The University of Auckland Auckland 1142, New Zealand Auckland 1142, New Zealand [email protected] [email protected] Abstract—Passwords are widely used for client to server For example, BoxCryptor1 supports a set of cloud storage authentication as well as for encrypting data stored in untrusted providers as a storage back end. If the same password is environments, such as cloud storage. Both, authentication and used for BoxCryptor and for the storage providers a malicious encrypted cloud storage, are usually discussed in isolation. In this work, we propose AuthStore, a flexible authentication framework storage provider can decrypt the stored data. Furthermore, 2 that allows users to securely reuse passwords for authentication encrypted storage providers, such as BoxCryptor or Mega , as well as for encrypted cloud storage at a single or multiple let users authenticate on their web page with the encryption service providers. Users can configure how secure passwords are password. This makes it possible for them to learn the plain protected using password stretching techniques. We present a password straight from their login page [10]. compact password-authenticated key exchange protocol (Com- pactPAKE) that integrates the retrieval of password stretching A solution is that a user can choose two different passwords: parameters. A parameter attack is described and we show how one for authentication and one for data encryption [17]. existing solutions suffer from this attack. Furthermore, we However, this solution suffers from usability concerns as it introduce a password manager that supports CompactPAKE. requires users to memorise two different passwords. Identity Index Terms—Password-based Authentication, Privacy- and access delegation solutions, such as OpenID Connect3 or preserving Cloud Storage, Authentication Protocol, Password 4 Manager, Single Password OAuth , avoid the use of passwords by using a trusted identity or authorisation server. However, this approach only shifts the problem since an attacker who gains access to the authorisation I. INTRODUCTION server or the server itself may learn the user password. For authentication as well as for protecting digital assets, In this paper, we present a novel framework called passwords are a simple, usable, and commonly used solu- AuthStore. AuthStore supports secure password-based authen- tion [1], [2], [3], [4], [5]. The ubiquitously use of passwords tication and ensures that the user password is not revealed to encourages the reuse of passwords for multiple services [6], the service provider. The user password is secured from offline [7], [8]. However, this has important security and privacy dictionary attacks [18] by using key stretching techniques [19]. implications since a leaked password gives an attacker access By storing all key stretching parameters directly at the service to multiple services, e.g., to impersonate a user or to decrypt provider our solution does not require any extra server and password-protected confidential user data. only username and password are required for a successful Service providers often fail to store user passwords securely, authentication. The user is in full control of how secure e.g., passwords are stored in plain text or weakly protected [9]. the password is protected and stored at the service provider. In general, it is unclear for users if and how service providers Furthermore, for service providers that offer data storage, keep user passwords confidentially and, even worse, a service AuthStore integrates secure password-based data encryption. arXiv:1805.05033v1 [cs.CR] 14 May 2018 provider may itself be malicious and use a user password to Our design makes it possible to securely reuse a single impersonate a user at other service providers. For instance, a password for both authentication and privacy-preserving data web service provider can readout the user passwords straight storage at multiple service providers. from the login page by recording keystrokes [10] and so gain There are many password-based authentication proto- knowledge of all passwords entered by the user. cols [20], [21], [22] but none of them assume the exchange Passwords are not only used for authentication but also to of key stretching parameters. We introduce a parameter attack encrypt data that can then be stored in potentially untrusted that a service provider can perform during the user authenti- environments [4], [5]. Here, it is important to remark that cation with the goal to void the key stretching mechanism in password-based authentication protocols should not leak the order to make offline dictionary attacks easier. We show how password to ensure that storage providers are unable to recover data that is encrypted with the same password [11], [12]. 1www.boxcryptor.com Unfortunately, the discussion of a secure password-based 2mega.nz authentication schemes is often neglected [13], [14], [4], [5], 3openid.net/connect [15], [16], which can compromise secure data encryption. 4oauth.net existing solutions, which assume strengthen passwords in the Data Storage. If a service provider supports data storage, a authentication protocol, suffer from parameter attacks. user must be able to securely reuse the authentication password We present the CompactPAKE protocol that includes the to protect data without the risk that the service provider can exchange of key stretching parameters and is resistant against access the data. parameter attacks. CompactPAKE is based on a proven secure Password-Authenticated Key Exchange (PAKE) protocol but III. SYSTEM MODEL requires only four message passes between a user client and a In our system model, we have two main entities, i.e., the service provider [22], [23]. CompactPAKE is an asymmetric user and the service provider. A user owns one or more authentication protocol, which means an attacker who com- user accounts at one or more service providers. The user promises the service provider is not able to impersonate the communicates with a service provider through a trusted client user. software. A user can authenticate at a service provider using In a case study, we present a flexible AuthStore-based her username and user password. The service provider is password manager that allows the secure storage of credentials responsible to manage a set of user accounts and stores all in the cloud [24], [25]. This makes our solution not only necessary parameters that are needed for the user authentica- useful for service providers that use CompactPAKE but also tion. Optionally, the service provider can offer data storage to for securely storing credentials for conventional password authenticated users. The user is responsible to protect the data, protocols. We show how our password manager can speed up e.g., encrypt data, through the client. registration and authentication at service providers that sup- port CompactPAKE. Furthermore, even without the password Threat Model. We assume that the service provider might manager users are able to authenticate at service providers that be malicious. The service provider may try to learn the user’s uses CompactPAKE. clear text password in order to decrypt data that is encrypted Our contributions can be summarised as follows: with the same password or to impersonate the user at a 1) We propose AuthStore, a framework for secure single different service provider. password authentication and password-protected, privacy- In our approach, we use key stretching to protect the preserving cloud storage at a single or multiple service user password [19]. We assume that the user chooses a user providers. password with reasonable strength [26], [2], [27], [28] and 2) We present CompactPAKE, an asymmetric PAKE proto- strong key stretching parameters so that it becomes practically col with key stretching parameter retrieval that is secure infeasible for an attacker to recover the user password using against parameter attacks and only uses four message an offline dictionary attack. passes between a client and a service provider. External attackers may learn or guess the username and 3) A password manager that uses AuthStore to securely try to impersonate the user. The attacker may try to perform store arbitrary credentials in the cloud and that makes an online attack, guessing the user password. The attacker registration and authentication at service providers that may perform a Man-in-the-Middle (MitM) attack to monitor support CompactPAKE faster and easier. the authentication protocol. Moreover, the attacker may gain II. SYSTEM REQUIREMENTS access to the service provider in which case the attacker is treated the same as the service provider. In the following, we define some core system requirements: Simplicity. The only information required by a user to authen- Our Approach. In this work, we propose a framework ticate and to register at a service provider is her username and for password-based authentication and data encryption where password. No other mechanism or service, such as a trusted service providers are not necessarily trusted. In order to key server, is required by the user. strengthen the user password, we use a Key Derivation Function (KDF) to derive a strong base key. In general, a Secure Password Storage. The user must be able to configure KDF takes a set of parameters that determine how strong a how much an authentication password is strengthened before derived key is protected from dictionary attacks. The KDF it is stored at a service provider, i.e., the user is in control parameters can be chosen by the user to control the trade-off of how strong a password is secured from offline dictionary between authentication time (KDF evaluation at the client) and attacks. password protection against possible attacks. Secure Authentication. The used authentication protocol We use a simple but flexible method to derive an arbitrary must ensure that no information about the password is leaked number of user keys from a base key. User keys can then be to any party, i.e., dictionary attacks are impossible.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages8 Page
-
File Size-