Design and Analysis of Password-based Authentication Systems By Sweta Mishra Under the Supervision of Dr. Donghoon Chang Dr. Somitra Kumar Sanadhya Indraprastha Institute of Information Technology Delhi October, 2017 c Sweta Mishra, 2017. II Design and Analysis of Password-based Authentication Systems By Sweta Mishra Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy to the Indraprastha Institute of Information Technology Delhi October, 2017 Certificate This is to certify that the thesis titled - \Design and Analysis of Password-based Authentication Systems" being submitted by Sweta Mishra to Indraprastha Institute of Information Technology, Delhi, for the award of the degree of Doctor of Philosophy, is an original research work carried out by her under our supervision. In our opinion, the thesis has reached the standards fulfilling the requirements of the regulations relating to the degree. The results contained in this thesis have not been submitted in part or full to any other university or institute for the award of any degree/diploma. Dr. Donghoon Chang Dr. Somitra Kumar Sanadhya October, 2017 October, 2017 Department of Computer Science Department of Computer Science IIIT Delhi IIT Ropar New Delhi, 110020 Punjab, 140001 IV Acknowledgments First and foremost, I would like to express my sincere gratitude to my advisor Dr. Donghoon Chang, for his continuous support, for his patience, motivation, emotional support, and invaluable guidance. His enthusiasm for research and optimistic attitude have always inspired and motivated me. His extensive knowledge and experience have been the biggest help and resource for my research. I am extremely fortunate and very appreciative for all he has done for me. I also express my sincere gratitude to my co-advisor, Dr. Somitra Kumar Sanadhya, who has helped me immensely throughout my Ph.D. life. I also appreciate very much the fact that he agreed to be my advisor when I emailed him asking about the possibility after joining the PhD programme at IIIT Delhi. His kind words at that time gave me the necessary encouragement to proceed. My research would not have been possible without his assistance. I am grateful to Dr. Anuradha Sharma, for the inspiring and fruitful discussions I had with her while taking the important decision to pursue Ph.D. from IIIT Delhi. I would also like to thank all my dear friends from IIIT-Delhi, especially, Mohona, Monalisa, Megha, Monika, Amani and Sumesh for their valuable friendship and providing pleasant academic atmosphere. They had major contribution to make my PhD life at IIIT-Delhi easy going and memorable. I am grateful to all of my collaborators, especially the two undergraduate students, Akshima and Aarushi Goel for their sincerity at work. I would also like to forward my gratitude to Tata Consultancy Services (TCS), India for awarding me the prestigious TCS fellowship for my full Ph.D. period. I also express my regards to all of those who supported me in any respect during the completion of my research. On a personal note, I wish to express my deepest gratitude to my parents for their immense support, care, love, encouragement and unshakable belief in me from my childhood. Special thanks to my father who is my inspiration and strength to explore the world of academic research. I am also grateful to my cousin, Ashutosh, for being my unconditional support and being so understanding. Without the support of my parents, my siblings and my cousin this dissertation would not have got completed. V List of Publications The author names are in the alphabetical order. 1. Donghoon Chang, Arpan Jati, Sweta Mishra and Somitra Kumar Sanadhya. Rig: A Simple, Secure and Flexible Design for Password Hashing, Information Security and Cryptology - 10th International Conference, Beijing, China, December 13-15, 2014, Revised Selected Papers, volume 8957 of Lecture Notes in Computer Science, pages 361{381. Springer, 2014. Note: Complete version of the paper is uploaded on IACR Cryptology ePrint Archive, 2015:009, 2015. http://eprint.iacr.org/2015/009. 2. Donghoon Chang and Arpan Jati and Sweta Mishra and Somitra Kumar Sanadhya. Cryptographic Module Based Approach for Password Hashing Schemes. Technology and Practice of Passwords - International Conference on Passwords, PASSWORDS'14, Trondheim, Norway, December 8-10, 2014, Revised Selected Papers, Volume 9393 of Lecture Notes in Computer Science, Pages 39{57. Springer, 2014. 3. Donghoon Chang, Arpan Jati, Sweta Mishra, and Somitra Kumar Sanad- hya. Time memory tradeoff analysis of graphs in password hashing construc- tions. In Preproceedings of PASSWORDS'14, pages 256{266, 2014. available at http://passwords14.item.ntnu.no/Preproceedings Passwords14.pdf. List of Journal Submissions 1. Donghoon Chang, Arpan Jati, Sweta Mishra and Somitra Kumar Sanadhya. Crypt- analytic Time-Memory Tradeoff for Password Hashing Schemes. Submitted to Inter- national Journal of Information Security, 2016. [Under submission]. 2. Akshima, Donghoon Chang, Aarushi Goel, Sweta Mishra and Somitra Kumar Sanad- hya. Generation of Secure and Reliable Honeywords. Submitted to Transactions on Dependable and Secure Computing, 2017. [Under submission]. 3. Donghoon Chang, Sweta Mishra, Somitra Kumar Sanadhya and Ajit Pratap Singh. On Making U2F Protocol Leakage-Resilient via Re-keying. Submitted to ACM Trans- actions on Information and System Security, 2017. [Under submission]. List of Technical Reports 1. Donghoon Chang and Arpan Jati and Sweta Mishra and Somitra Kumar Sanadhya. Performance Analysis of Some Password Hashing Schemes. IACR Cryptology ePrint Archive, 2015:139, 2015. http://eprint.iacr.org/2015/139. VI Abstract Passwords are the most widely deployed means of human-computer authentication since the early 1960s. The use of passwords, which are usually low in entropy, is delicate in cryptography because of the possibility of launching an offline dictionary attack. It is ever challenging to design a password-based cryptosystem that is secure against this attack. Password-based cryptosystems broadly cover two areas - 1) Password-based au- thentication, e.g., password hashing schemes and 2) Password-based encryption specif- ically used in password-based authenticated key exchange (PAKE) protocols. This thesis is devoted to the secure design of password hashing algorithm and the analysis of existing password-based authentication systems. The frequent reporting of password database leakage in real-world highlights the vulnerabilities existing in the current password based constructions. In order to allevi- ate these problems and to encourage strong password protection techniques, a Password Hashing Competition (PHC) was held from 2013 to 2015. Following the announced criteria, we propose a password hashing scheme Rig that fulfills all the required goals. We also present a cryptanalytic technique for password hashing. Further, we focus on the improvement of a password database breach detection technique and on the analysis of Universal 2nd Factor protocol. This report tries to list and summarize all the important results published in the field of password hashing in recent years and understand the extent of research over password-based authentication schemes. Our significant results are listed below. 1. Following the design requirements for a secure password hashing scheme as men- tioned at the PHC [16], we present our design Rig which satisfies all required criteria. It is a memory hard and best performing algorithm under cache-timing attack resistant category. As part of the results, we present the construction explaining the design rationale and the proof of its collision resistance. We also provide the performance and security analysis. 2. In practice, most cryptographic designs are implemented inside a Cryptographic module, as suggested by National Institute of Standards and Technology (NIST) in a standard, FIPS 140. A cryptographic module has a limited memory and this makes it challenging to implement a password hashing scheme (PHS) inside it. We provide a cryptographic module based approach for password hashing. It helps to enhance the security of the existing password-based authentication framework. We also discuss the feasibility of the approach considering the submissions of PHC. 3. The increasing threat of password leakage from compromised password hashes demands a resource consuming algorithm to prevent the precomputation of the password hashes. A class of password hashing designs which ensure that any reduction in the memory leads to exponential increase in their runtime are called Memory hard designs. Time Memory Tradeoff (TMTO) technique is an effective cryptanalytic approach for such password hashing schemes (PHS). However, it is generally difficult to evaluate the \memory hardness" of a given PHS design. We present a simple technique to analyze TMTO for any password hashing schemes which can be represented as a directed acyclic graph. VII 4. Password database breach is a common practice among hackers; however, it is difficult to detect such breaches if not somehow disclosed by the attacker. A paper by Juels et al. provides a method for detecting password database breach known as `Honeyword'. Very less research has been reported in this direction. Realiz- ing the importance, we analyse the limitations of existing honeyword generation techniques. We propose a new attack model and also present new and practical honeyword generation techniques. 5. A secure password hashing construction can prevent offline dictionary