Simple Password-Hardened Encryption Services Russell W. F. Lai1, Christoph Egger1, Manuel Reinert2, Sherman S. M. Chow3, Matteo Maffei4, and Dominique Schröder1 1Friedrich-Alexander University Erlangen-Nuremberg 2Saarland University 3Chinese University of Hong Kong 4TU Wien Overview Security Features Practicality • Eliminate offline (e.g., dictionary) attacks • Simple and easy to implement • Rate-limit online (e.g., password guessing) attacks • Easy to convert from existing systems • Obliviousness (Rate-Limiter learns nothing) • 250 logins per core per second • Soundness (Rate-Limiter cannot cheat) • Support key-rotation (required in PCI DSS) PCI DSS: Payment Card Industry Data Security Standard One-Package Solution for Data Security – Password-Hardened Encryption What it does? To protect sensitive client data ... ... stored in a server with password (or biometric / two-factor / etc) authentication ... ... even after the server is completely compromised... ... with minimal help from an external rate-limiter. Simple Password-Hardened Encryption Services Russel W. F. Lai 2/24 Practicality • Simple and easy to implement • Easy to convert from existing systems • 250 logins per core per second One-Package Solution for Data Security – Password-Hardened Encryption What it does? To protect sensitive client data ... ... stored in a server with password (or biometric / two-factor / etc) authentication ... ... even after the server is completely compromised... ... with minimal help from an external rate-limiter. Security Features • Eliminate offline (e.g., dictionary) attacks • Rate-limit online (e.g., password guessing) attacks • Obliviousness (Rate-Limiter learns nothing) • Soundness (Rate-Limiter cannot cheat) • Support key-rotation (required in PCI DSS) PCI DSS: Payment Card Industry Data Security Standard Simple Password-Hardened Encryption Services Russel W. F. Lai 2/24 One-Package Solution for Data Security – Password-Hardened Encryption What it does? To protect sensitive client data ... ... stored in a server with password (or biometric / two-factor / etc) authentication ... ... even after the server is completely compromised... ... with minimal help from an external rate-limiter. Security Features Practicality • Eliminate offline (e.g., dictionary) attacks • Simple and easy to implement • Rate-limit online (e.g., password guessing) attacks • Easy to convert from existing systems • Obliviousness (Rate-Limiter learns nothing) • 250 logins per core per second • Soundness (Rate-Limiter cannot cheat) • Support key-rotation (required in PCI DSS) PCI DSS: Payment Card Industry Data Security Standard Simple Password-Hardened Encryption Services Russel W. F. Lai 2/24 Motivation if then “Top Secret” Dec(skS ; c) Password Authenticated Data Retrieval Server S Client C Username Alice Username Alice Hash h Password 123456 Salt aqZcSP Data Top Secret Hi! I am “Alice”. My password is “123456”. ? h = Hash(123456; aqZcSP) OK! Here is your data “Top Secret”! Simple Password-Hardened Encryption Services Russel W. F. Lai 4/24 Password Authenticated Encrypted Data Retrieval Server S Client C Username Alice Username Alice Hash h Password 123456 Salt aqZcSP Encrypted Data c Hi! I am “Alice”. My password is “123456”. ? if h = Hash(123456; aqZcSP) then “Top Secret” Dec(skS ; c) OK! Here is your data “Top Secret”! Simple Password-Hardened Encryption Services Russel W. F. Lai 4/24 Password-Hardening Facebook, PYTHIA [ECSJR@USENIX’15], [SFSB@CCS’16], PHOENIX [LESC@USENIX’17] Password-Hardened Encryption [This Work] Issues and Solutions Offline Log in using Steal Hash Dictionary Stolen Database Attack Password Obtain Client Data Decrypt using Complete Stolen Server Compromise Key Simple Password-Hardened Encryption Services Russel W. F. Lai 5/24 Password-Hardened Encryption [This Work] Issues and Solutions Offline Log in using Steal Hash Dictionary Stolen Database Attack Password Password-Hardening Obtain Client Facebook, PYTHIA [ECSJR@USENIX’15], Data [SFSB@CCS’16], PHOENIX [LESC@USENIX’17] Decrypt using Complete Stolen Server Compromise Key Simple Password-Hardened Encryption Services Russel W. F. Lai 5/24 Issues and Solutions Offline Log in using Steal Hash Dictionary Stolen Database Attack Password Password-Hardening Obtain Client Facebook, PYTHIA [ECSJR@USENIX’15], Data [SFSB@CCS’16], PHOENIX [LESC@USENIX’17] Decrypt using Complete Stolen Server Compromise Key Password-Hardened Encryption [This Work] Simple Password-Hardened Encryption Services Russel W. F. Lai 5/24 Roadmap PHOENIX Simplify [LESC@USENIX’17] Upgrade: Simplified PHOENIX Encryption Functionality Stronger Soundness Password Hardened Encryption Simple Password-Hardened Encryption Services Russel W. F. Lai 6/24 Password-Hardening Ingredient: A Key-Homomorphic Pseudorandom Function (PRF) Let G be a group of prime order q (written multiplicatively) where Decisional Diffie Hellman (DDH) is hard. ∗ Let H : f0; 1g ! G be a random oracle. The function ∗ PRF : Zq × f0; 1g ! G (key; message) 7! H(message)key is pseudorandom under the DDH assumption. PRF is key-homomorphic: 0 0 H(message)key+key = H(message)key · H(message)key Simple Password-Hardened Encryption Services Russel W. F. Lai 8/24 Simplified PHOENIX [LESC@USENIX’17] – Registration Client C Server S Rate-Limiter R “Register”, “Alice”, “123456” “Register” aqZcSP $ Salts OjQZEe $ Salts y; OjQZEe y H(OjQZEe)skR h H(aqZcSP; 123456)skS · y Store (Alice, h, aqZcSP, OjQZEe) Simple Password-Hardened Encryption Services Russel W. F. Lai 9/24 Simplified PHOENIX [LESC@USENIX’17] – Login Client C Server S Rate-Limiter R “Login”, “Alice”, “123456” Retrieve (Alice, h, aqZcSP, OjQZEe) sk “Validate”, y, OjQZEe y h=H(aqZcSP; 123456) S ? Correct! Here is my proof! y = H(OjQZEe)skR OK! Come in! Simple Password-Hardened Encryption Services Russel W. F. Lai 10/24 Simplified PHOENIX [LESC@USENIX’17] – Key-Rotation h = H(aqZcSP; 123456)skS · H(OjQZEe)skR Server S Rate-Limiter R Key skS Key skR h0 = ha · H(OjQZEe)b = H(aqZcSP; 123456)a·skS · H(OjQZEe)a·skR+b 0 0 = H(aqZcSP; 123456)skS · H(OjQZEe)skR Server S Rate-Limiter R 0 0 Key skS = a · skS Key skR = a · skR + b Simple Password-Hardened Encryption Services Russel W. F. Lai 11/24 Idea: Upgrade to Password-Hardened Encryption Conditional Decryption Functionality: If “Check equality of pseudorandom function values” = True then Partially decrypt ciphertext. Simplified PHOENIX [LESC@USENIX’17] – What the rate-limiter does? • Equality Check Functionality: Check equality of pseudorandom function values. • Rate-limiting Policy: Rate-Limiter R Refuse to respond if “OjQZEe” appears too frequently. ? y = H(OjQZEe)skR Simple Password-Hardened Encryption Services Russel W. F. Lai 12/24 Simplified PHOENIX [LESC@USENIX’17] – What the rate-limiter does? • Equality Check Functionality: Check equality of pseudorandom function values. • Rate-limiting Policy: Rate-Limiter R Refuse to respond if “OjQZEe” appears too frequently. ? y = H(OjQZEe)skR Idea: Upgrade to Password-Hardened Encryption Conditional Decryption Functionality: If “Check equality of pseudorandom function values” = True then Partially decrypt ciphertext. Simple Password-Hardened Encryption Services Russel W. F. Lai 12/24 Password-Hardened Encryption Password-Hardened Encryption – Registration Client C Server S Rate-Limiter R “Register”, “Alice”, “123456”, “Top Secret” “Register” aqZcSP $ Salts K $ AES Keys OjQZEe $ Salts skR y0 H0(OjQZEe) y0; y1 skR y1 H1(OjQZEe) skS h0 H0(aqZcSP; 123456) · y0 skS skS h1 H1(aqZcSP; 123456) · y1 · K c AES:Enc(K ; Top Secret) Store (Alice, (h0; h1; c), aqZcSP, OjQZEe) Simple Password-Hardened Encryption Services Russel W. F. Lai 14/24 Password-Hardened Encryption – Login Client C Server S Rate-Limiter R “Login”, “Alice”, “123456” Retrieve (Alice, (h0; h1; c), aqZcSP, OjQZEe) skS “Validate”, y0, OjQZEe y0 h0=H0(aqZcSP; 123456) skS skR z h1=H1(aqZcSP; 123456) if y0 = H0(OjQZEe) then Correct! Here is y1 and my proof! skR y1 H1(OjQZEe) 1 sk K (z=y1) S “Top Secret” “Top Secret” AES:Dec(K ; c) Simple Password-Hardened Encryption Services Russel W. F. Lai 15/24 Password-Hardened Encryption – Security Features Against Compromised Server • Eliminate Offline Attacks • Password Hashes are masked by R’s PRF • Compromised S must communicate with R • Rate-Limit Online Attacks (per Client) • R records the salt (e.g., OjQZEe) in each login request • R refuses to respond if a client (a salt) tries to log in too frequently Simple Password-Hardened Encryption Services Russel W. F. Lai 16/24 Password-Hardened Encryption – Security Features Against Compromised Rate-Limiter • Obliviousness • Registration and login requests are completely independent of clients’ passwords and data • R learns nothing about clients’ passwords and data • Soundness • R must prove for both valid and invalid requests Proactive Security • Key-Rotation • e.g., periodically and when one party is (suspected to be) compromised • Due to the key-homomorphic PRF Simple Password-Hardened Encryption Services Russel W. F. Lai 17/24 Performance Evaluation Setup • 10 Core Intel Xeon E5-2640 CPU (both S and R) • Charm crypto prototyping library • Falcon Web Framework • HTTPS with keep-alive Comparison (Rate-Limiter Throughput) • ≈ 4x of PYTHIA [ECSJR@USENIX’15] • ≈ 1:5x of PHOENIX [LESC@USENIX’17] • (Those are password-hardening without encryption!) Simple Password-Hardened Encryption Services Russel W. F. Lai 19/24 Performance Graphs 3;000 Encrypt Encrypt Decrypt-Success 2;500 Decrypt-Success 1;500 Decrypt-Fail Decrypt-Fail 2;000 1;000 1;500 req/s req/s 1;000 500 500 1-core 2-core 4-core 8-core