AuthStore: Password-based Authentication and Encrypted Data Storage in Untrusted Environments

05/14/2018
by   Clemens Zeidler, et al.
The University of Auckland

Passwords are widely used for client-to-server authentication as well as for encrypting data stored in untrusted environments, such as cloud storage. Both authentication and encrypted cloud storage are usually discussed in isolation. In this work, we propose AuthStore, a flexible authentication framework that allows users to securely reuse passwords for authentication as well as for encrypted cloud storage at a single or multiple service providers. Users can configure how strongly passwords are protected using password stretching techniques. We present a compact password-authenticated key exchange protocol (CompactPAKE) that integrates the retrieval of password stretching parameters. We describe a parameter attack and show how existing solutions suffer from it. Furthermore, we introduce a password manager that supports CompactPAKE.


I Introduction

For authentication as well as for protecting digital assets, passwords are a simple, usable, and commonly used solution [1, 2, 3, 4, 5]. The ubiquitous use of passwords encourages the reuse of passwords for multiple services [6, 7, 8]. However, this has important security and privacy implications since a leaked password gives an attacker access to multiple services, e.g., to impersonate a user or to decrypt password-protected confidential user data.

Service providers often fail to store user passwords securely, e.g., passwords are stored in plain text or weakly protected [9]. In general, it is unclear to users if and how service providers keep user passwords confidential and, even worse, a service provider may itself be malicious and use a user password to impersonate the user at other service providers. For instance, a web service provider can read out user passwords straight from the login page by recording keystrokes [10] and so gain knowledge of all passwords entered by the user.

Passwords are not only used for authentication but also to encrypt data that can then be stored in potentially untrusted environments [4, 5]. Here, it is important to remark that password-based authentication protocols should not leak the password, to ensure that storage providers are unable to recover data that is encrypted with the same password [11, 12]. Unfortunately, the discussion of secure password-based authentication schemes is often neglected [13, 14, 4, 5, 15, 16], which can compromise secure data encryption.

For example, BoxCryptor (www.boxcryptor.com) supports a set of cloud storage providers as a storage back end. If the same password is used for BoxCryptor and for the storage providers, a malicious storage provider can decrypt the stored data. Furthermore, encrypted storage providers, such as BoxCryptor or Mega (mega.nz), let users authenticate on their web page with the encryption password. This makes it possible for them to learn the plain password straight from their login page [10].

A solution is that a user can choose two different passwords: one for authentication and one for data encryption [17]. However, this solution suffers from usability concerns as it requires users to memorise two different passwords. Identity and access delegation solutions, such as OpenID Connect (openid.net/connect) or OAuth (oauth.net), avoid the use of passwords by using a trusted identity or authorisation server. However, this approach only shifts the problem since an attacker who gains access to the authorisation server, or the server itself, may learn the user password.

In this paper, we present a novel framework called AuthStore. AuthStore supports secure password-based authentication and ensures that the user password is not revealed to the service provider. The user password is secured from offline dictionary attacks [18] by using key stretching techniques [19]. By storing all key stretching parameters directly at the service provider, our solution does not require any extra server, and only username and password are required for a successful authentication. The user is in full control of how strongly the password is protected and stored at the service provider. Furthermore, for service providers that offer data storage, AuthStore integrates secure password-based data encryption. Our design makes it possible to securely reuse a single password for both authentication and privacy-preserving data storage at multiple service providers.

There are many password-based authentication protocols [20, 21, 22], but none of them assume the exchange of key stretching parameters. We introduce a parameter attack that a service provider can perform during the user authentication with the goal of voiding the key stretching mechanism in order to make offline dictionary attacks easier. We show how existing solutions, which assume strengthened passwords in the authentication protocol, suffer from parameter attacks.

We present the CompactPAKE protocol that includes the exchange of key stretching parameters and is resistant against parameter attacks. CompactPAKE is based on a proven secure Password-Authenticated Key Exchange (PAKE) protocol but requires only four message passes between a user client and a service provider [22, 23]. CompactPAKE is an asymmetric authentication protocol, which means an attacker who compromises the service provider is not able to impersonate the user.

In a case study, we present a flexible AuthStore-based password manager that allows the secure storage of credentials in the cloud [24, 25]. This makes our solution not only useful for service providers that use CompactPAKE but also for securely storing credentials for conventional password protocols. We show how our password manager can speed up registration and authentication at service providers that support CompactPAKE. Furthermore, even without the password manager, users are able to authenticate at service providers that use CompactPAKE.

Our contributions can be summarised as follows:

  1. We propose AuthStore, a framework for secure single password authentication and password-protected, privacy-preserving cloud storage at a single or multiple service providers.

  2. We present CompactPAKE, an asymmetric PAKE protocol with key stretching parameter retrieval that is secure against parameter attacks and only uses four message passes between a client and a service provider.

  3. A password manager that uses AuthStore to securely store arbitrary credentials in the cloud and that makes registration and authentication at service providers that support CompactPAKE faster and easier.

II System Requirements

In the following, we define some core system requirements:

Simplicity

The only information required by a user to authenticate and to register at a service provider is her username and password. No other mechanism or service, such as a trusted key server, is required by the user.

Secure Password Storage

The user must be able to configure how much an authentication password is strengthened before it is stored at a service provider, i.e., the user is in control of how strongly a password is secured from offline dictionary attacks.

Secure Authentication

The authentication protocol used must ensure that no information about the password is leaked to any party, i.e., dictionary attacks are impossible. In particular, a service provider should not be able to learn any information about the entered password, e.g., a mistakenly entered password used at a different service provider.

An attacker who compromises a service provider must not be able to impersonate the user using the stored authentication data.

Data Storage

If a service provider supports data storage, a user must be able to securely reuse the authentication password to protect data without the risk that the service provider can access the data.

III System Model

In our system model, we have two main entities, i.e., the user and the service provider. A user owns one or more user accounts at one or more service providers. The user communicates with a service provider through a trusted client software. A user can authenticate at a service provider using her username and user password. The service provider is responsible for managing a set of user accounts and stores all parameters that are needed for the user authentication. Optionally, the service provider can offer data storage to authenticated users. The user is responsible for protecting the data (e.g., by encrypting it) through the client.

Threat Model

We assume that the service provider might be malicious. The service provider may try to learn the user’s clear text password in order to decrypt data that is encrypted with the same password or to impersonate the user at a different service provider.

In our approach, we use key stretching to protect the user password [19]. We assume that the user chooses a user password with reasonable strength [26, 2, 27, 28] and strong key stretching parameters so that it becomes practically infeasible for an attacker to recover the user password using an offline dictionary attack.

External attackers may learn or guess the username and try to impersonate the user. The attacker may try to perform an online attack, guessing the user password. The attacker may perform a Man-in-the-Middle (MitM) attack to monitor the authentication protocol. Moreover, the attacker may gain access to the service provider in which case the attacker is treated the same as the service provider.

Our Approach

In this work, we propose a framework for password-based authentication and data encryption where service providers are not necessarily trusted. In order to strengthen the user password, we use a Key Derivation Function (KDF) to derive a strong base key. In general, a KDF takes a set of parameters that determine how strongly a derived key is protected from dictionary attacks. The KDF parameters can be chosen by the user to control the trade-off between authentication time (KDF evaluation at the client) and password protection against possible attacks.

We use a simple but flexible method to derive an arbitrary number of user keys from a base key. User keys can then be used for authentication, data encryption, or other purposes. This also means that a base key can safely be reused for multiple purposes, even across multiple service providers. As a result, the client can cache computationally expensive KDF evaluations and then quickly derive user keys from the cached values. All required parameters to derive a user key are stored at the service provider.

The choice of a suitable authentication protocol is crucial when using key stretching techniques. More specifically, even if the password is strengthened, the key has to be treated as a weak key in the authentication protocol (see more discussion in Section IV-G). In our approach, we use an asymmetric Password Authenticated Key Exchange (PAKE) protocol [22] that has the required properties. First, neither service providers nor external attackers can learn any information about the password used by the user. The service provider only learns whether the user has provided the correct password or not. This also means that the service provider cannot learn about erroneously entered passwords. Second, a MitM attacker cannot use the intercepted information for an offline dictionary attack but is constrained to mount an online attack. Third, if authentication data is stolen, it is insufficient to impersonate the user.

To support secure data storage we derive a user key and use this key to further protect arbitrary data encryption keys. This provides the required bridge from secure authentication to secure cloud storage. Since cloud storage can be highly domain specific, we refer to existing work for concrete solutions [3, 4, 5].

IV Solution Details

In the following, we describe how a user can generate a strong base key using key stretching (Section IV-A). From this base key, a set of user keys can be generated (Section IV-B). User keys are then used for authentication (Section IV-C) and for secure data storage (Section IV-D). Moreover, we explain how authentication credentials can be updated (Section IV-E) and how an account is reset (Section IV-F). We then analyse the security of our solution (Section IV-G).

IV-A Password Strengthening

To strengthen the user password, a KDF is used [29, 30, 31, 19]. In general, a KDF takes the password , a salt value, and some cost parameters as input and returns a derived key . The cost parameters determine how expensive it is to evaluate a KDF. For example, PBKDF2 uses an iteration count [29], while more recent KDFs such as Argon2 [31] allow users to specify memory requirements to hamper the use of fast GPUs and specialised hardware. In the following, we refer to salt and cost parameters as , which leads to the general definition of a KDF:

where is the derived base key.

Fig. 1: Using a KDF, the user derives a base key from the user password. From the base key, an arbitrary number of user keys can be derived. These user keys can be used for authentication and data encryption.

IV-B User Key Generation

To derive an arbitrary number of strong user keys from a single password using a single KDF evaluation, we use the following simple mechanism (see Figure 1). As a basis for a user key , a base key is required. For each user key, a random salt value is generated and is derived as follows:

with a cryptographic one-way hash function and the user key parameters .
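The two-stage derivation of Sections IV-A and IV-B, as an added example that is not the paper's own code: scrypt from the Python standard library stands in for the generic KDF, HMAC-SHA256 for the one-way hash function, and the parameter names (salt, n, r, p, user_salt) are assumptions, since the page's formulas are not reproduced here. The point the block makes is the one the text makes: one expensive KDF evaluation yields a cached base key, from which any number of user keys (authentication, encryption, different providers) are derived cheaply from non-secret per-key salts.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed example, not the paper's code: hashlib.scrypt stands in for the
# generic KDF of Section IV-A and HMAC-SHA256 for the one-way hash function of
# Section IV-B. Parameter names (salt, n, r, p, user_salt) are assumptions.


def derive_base_key(password: str, base_params: Dict) -> bytes:
    """One expensive KDF evaluation: base key = KDF(password, salt, cost)."""
    return hashlib.scrypt(
        password.encode("utf-8"),
        salt=base_params["salt"],
        n=base_params["n"],   # CPU/memory cost, a power of two
        r=base_params["r"],   # block size
        p=base_params["p"],   # parallelism
        dklen=32,
    )


def derive_user_key(base_key: bytes, user_salt: bytes) -> bytes:
    """Cheap derivation of one user key: H(base key, per-key salt)."""
    return hmac.new(base_key, user_salt, hashlib.sha256).digest()


def new_base_params(log2_n: int = 14) -> Dict:
    """Base key parameters chosen by the user: a salt plus cost parameters."""
    return {"salt": os.urandom(16), "n": 1 << log2_n, "r": 8, "p": 1}


def new_user_key_params(base_params: Dict) -> Dict:
    """User key parameters: the base parameters plus a fresh per-key salt.
    Nothing in here is secret, so it can be stored at the service provider."""
    return {"base": base_params, "user_salt": os.urandom(16)}


class UserKeyDeriver:
    """One unlocked client session for one password. Base keys are cached so
    that every user key sharing the same base parameters (authentication at
    provider A, data encryption at provider B, ...) costs a single KDF run."""

    def __init__(self, password: str) -> None:
        self._password = password
        self._base_cache: Dict[Tuple[bytes, int, int, int], bytes] = {}
        self.kdf_evaluations = 0

    def user_key(self, params: Dict) -> bytes:
        base = params["base"]
        cache_key = (base["salt"], base["n"], base["r"], base["p"])
        base_key = self._base_cache.get(cache_key)
        if base_key is None:
            base_key = derive_base_key(self._password, base)
            self.kdf_evaluations += 1
            self._base_cache[cache_key] = base_key
        # Only the user key leaves this method; the base key never does
        # (compare the password manager discussion in Section VI-C).
        return derive_user_key(base_key, params["user_salt"])


def demo(password: str = "correct horse battery staple", log2_n: int = 10) -> Dict:
    """Derive an authentication key and an encryption key from one password
    with a single KDF evaluation (log2_n is kept small so the demo is fast)."""
    session = UserKeyDeriver(password)
    base = new_base_params(log2_n)
    auth_params = new_user_key_params(base)
    enc_params = new_user_key_params(base)
    return {
        "auth_key": session.user_key(auth_params),
        "enc_key": session.user_key(enc_params),
        "kdf_evaluations": session.kdf_evaluations,
    }


if __name__ == "__main__":
    result = demo()
    print("KDF evaluations:", result["kdf_evaluations"])
    print("authentication key:", result["auth_key"].hex())
    print("encryption key:    ", result["enc_key"].hex())
```

The cache is keyed on the base key parameters only and lives inside a session object bound to one password, so a different password never hits a stale entry; a real client would use a production work factor (the default log2_n of 14 or higher) rather than the small value the demo uses.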

IV-C Registration and Authentication

For the purpose of authentication at a service provider, the user derives a user key from the user password. For brevity, it is referred to as: . We use an asymmetric PAKE protocol for authentication [22]. For this protocol, the user requires the authentication key and the service provider requires some verification value to verify the user's knowledge of . In general, can be a set of values. In Section V, we describe a compact variant of an asymmetric PAKE protocol and describe in detail how the verification value is derived from .

For the registration of a user account, the user chooses the user key parameters , derives (by first deriving ), and uploads and to the service provider. To authenticate, the user requests from the service provider and derives the login key , which is then used to authenticate using the PAKE protocol. On successful authentication, the PAKE protocol produces a mutual secure session key, which can be used to protect further communication between client and service provider [23]. In the following, we assume a secure connection after authentication.

IV-D Secure Data Storage

If the AuthStore service provider offers data storage, the user may ensure data confidentiality by employing encryption techniques [3, 4, 5]. We show a simple but flexible approach of how data can be protected using the same password as used for authentication.

For the encryption, the user generates some user key parameters and derives a new user key . To minimise the computational cost, the base key parameters that are used to derive the authentication key can be reused, i.e., the base key has already been derived for the authentication.

Instead of encrypting data directly with , we propose a more flexible key chain approach (gitlab.com/groups/cryptsetup). This approach has the advantage that multiple passwords can be supported and passwords can be changed without the need to re-encrypt the data [5]. Here, a random symmetric encryption key is generated and used for data encryption. is then encrypted with . We call the set of the encrypted key and the data parameters . The encrypted data and can securely be stored at a service provider.

IV-E Password Change and Key Update

To change the user password, a user chooses new user key parameters and derives from the new password. After a successful authentication with the old password, and are updated at the service provider. The same approach can be used to only update the user key parameters. This might be desirable if more secure KDF parameters should be used while reusing the existing password.

If encrypted data is stored at the service provider, a new encryption key is generated, is re-encrypted with , and is updated at the service provider.
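The key chain of Section IV-D and the key update of Section IV-E, as an added example that is not the paper's or the cryptsetup project's code. A random data key encrypts the data, the data key is wrapped under the user's encryption key, and a password change only re-wraps the data key; the encrypted data itself is never touched. Because the Python standard library ships no AES, the block uses an HMAC-SHA256 keystream with encrypt-then-MAC as a stand-in for a real AEAD (in practice use AES-GCM or similar); the function names and the layout of the data parameters are this example's own.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed example of the key chain from Sections IV-D and IV-E, not the
# paper's code. The cipher below (HMAC-SHA256 keystream + encrypt-then-MAC) is
# only a stand-in because the standard library has no AES; use a proper AEAD.

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Separate keystream and MAC keys so the two uses never share a key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with the tag over nonce and ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # wrong key or tampered blob
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def create_store(enc_user_key: bytes, data: bytes) -> Tuple[Dict, bytes]:
    """Generate a random data key, encrypt the data with it, and wrap the data
    key under the user key. Returns (data parameters, encrypted data); both
    can be stored at the service provider, which learns neither key."""
    data_key = os.urandom(32)
    data_params = {"wrapped_data_key": encrypt(enc_user_key, data_key)}
    return data_params, encrypt(data_key, data)


def open_store(enc_user_key: bytes, data_params: Dict, encrypted_data: bytes) -> bytes:
    """Unwrap the data key with the user key, then decrypt the data."""
    data_key = decrypt(enc_user_key, data_params["wrapped_data_key"])
    return decrypt(data_key, encrypted_data)


def rotate_user_key(old_user_key: bytes, new_user_key: bytes, data_params: Dict) -> Dict:
    """Password change or parameter update (Section IV-E): re-wrap the data key
    under the new user key. The encrypted data stays exactly as stored."""
    data_key = decrypt(old_user_key, data_params["wrapped_data_key"])
    return {"wrapped_data_key": encrypt(new_user_key, data_key)}


if __name__ == "__main__":
    old_key, new_key = os.urandom(32), os.urandom(32)   # user keys as in Section IV-B
    params, blob = create_store(old_key, b"constructed secret note")
    params = rotate_user_key(old_key, new_key, params)   # only the wrapped key changes
    print(open_store(new_key, params, blob))
```

After `rotate_user_key` the old user key no longer unwraps anything, and `open_store` with it fails at the MAC check rather than returning garbage; the stored ciphertext `blob` is byte-for-byte unchanged, which is exactly why the password can be changed without re-encrypting the data.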

IV-F Account Reset

In case the user forgets her username or password used at a certain service provider, traditional recovery methods can be applied. For example, the user can request an account reset through a trusted third party channel such as an ordinary email account. In response, the service provider generates a temporary random authentication key and the matching verification value and sends the key to the user. The user uses this authentication key to authenticate using the normal protocol. Here the authentication key derivation step is ignored since the authentication key is already known to the user. After a successful authentication, the user chooses a new password, as described above.

Recovering data that is protected with the lost user password would require techniques such as secret sharing [32] or a local key backup. However, this is incompatible with our simplicity requirement.

IV-G Security Analysis

In this section, we analyse the security of AuthStore. Moreover, we describe a novel parameter attack that targets authentication schemes that include password stretching.

Key Derivation

In our approach, we use a cryptographic one-way function to derive multiple user keys from a single base key. This means that a leaked user key alone cannot be used to learn information about the base key or other user keys. However, if the matching is known as well, an attacker can perform an offline dictionary attack.

Offline Dictionary Attack

Offline dictionary attacks can always be performed by the service provider, i.e., the service provider can fully simulate the authentication protocol. Our approach fully relies on the assumption that the user password is reasonably strong [26, 2, 27, 28, 33] so that it can sufficiently be strengthened using a KDF [19]. Because of the used PAKE protocol, an external attacker can only mount an offline dictionary attack if either the service provider actively leaks and or the attacker is able to compromise the service provider.

Password Update and Parameter Ageing

At any point, the user may want to change to a more secure password or use more secure base key parameters. The user has to be aware that there is no way to force the service provider to discard old and values. Thus, a malicious service provider may choose the weakest available user key parameters for a dictionary attack.

Fig. 2: The CompactPAKE protocol.

User key parameters that were deemed to be secure at the time of account creation may "age" over time and become insecure with the emergence of more powerful hardware. This means accounts can become vulnerable over time. Data encrypted with an encryption key that is based on an outdated base key should be re-encrypted. However, as before, a malicious service provider can still mount an attack on an older version of the encrypted data that was encrypted using weaker user key parameters. For this reason, data that should be stored long-term should be encrypted using a high-entropy password [26, 2, 27, 28, 33].

Parameter Attack

In a parameter attack, the service provider reports tampered, weak authentication parameters when requested by the user. In this way, the user is tricked into authenticating with a weak authentication key . The attack is applicable if the service provider is able to learn information about during the authentication protocol. In this case, the service provider may perform a dictionary attack on .

For example, the Secure Remote Password (SRP) protocol [20] is vulnerable to a parameter attack when used in our scenario. In this protocol, the client sends a value to the service provider. Here, is a one-way hash function and parameters known to the service provider. When, due to the parameter attack, is a low-entropy key, this equation can be solved by the service provider using a dictionary attack. Similarly, the Schnorr protocol [21] requires a high-entropy secret. A parameter attack can be avoided by protocols designed for low-entropy authentication keys [23, 22].

This makes approaches vulnerable that use key stretching to derive a strong authentication key but do not use an authentication protocol designed for a weak authentication key. For example, the password manager Passpet uses SRP [1], while Van Laer et al. [12] use the Schnorr protocol.
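A client-side mitigation for the parameter attack, as an added example that is not the paper's code: before deriving any key, the client validates the base key parameters the provider returned against absolute floors and, where it has one, against the copy it stored at registration (the password manager of Section VI is the natural place for such a pinned record). The JSON layout, the field names, the floor values and the pinned record are all assumptions of this example. The floors alone catch a lowered work factor; detecting a swapped salt needs the pinned state, which is the trade-off the block makes visible.

```python
import json
from typing import Dict, Optional

# Constructed example, not the paper's code: a policy check on the base key
# parameters a service provider returns when the client requests them. Field
# names, floor values and the pinned record are assumptions of this example.

MIN_LOG2_N = 14        # lowest acceptable scrypt-style work factor
MIN_SALT_BYTES = 16
REQUIRED = ("salt_hex", "log2_n", "r", "p")


class ParameterAttack(Exception):
    """Raised when the returned parameters would weaken the authentication key."""


def check_base_params(raw: str, pinned: Optional[Dict] = None) -> Dict:
    """Validate provider-supplied KDF parameters before deriving any key.

    Returns the parsed parameters or raises ParameterAttack. With a pinned
    record from registration, any change of salt or reduction of cost is
    rejected; without one, only the absolute floors apply."""
    try:
        params = json.loads(raw)
    except ValueError as exc:
        raise ParameterAttack(f"unparseable parameters: {exc}") from exc
    for field in REQUIRED:
        if field not in params:
            raise ParameterAttack(f"missing field {field!r}")
    try:
        salt = bytes.fromhex(params["salt_hex"])
        log2_n, r, p = (int(params[k]) for k in ("log2_n", "r", "p"))
    except (ValueError, TypeError) as exc:
        raise ParameterAttack(f"malformed parameters: {exc}") from exc

    # Absolute floors: a provider cannot push the work factor or salt below these.
    if len(salt) < MIN_SALT_BYTES:
        raise ParameterAttack(f"salt too short ({len(salt)} bytes)")
    if log2_n < MIN_LOG2_N or r < 1 or p < 1:
        raise ParameterAttack(f"cost parameters below floor: n=2^{log2_n} r={r} p={p}")

    # Downgrade check against what this client stored at registration.
    if pinned is not None:
        if salt != pinned["salt"]:
            raise ParameterAttack("salt differs from the value chosen at registration")
        if log2_n < pinned["log2_n"] or r < pinned["r"] or p < pinned["p"]:
            raise ParameterAttack("cost parameters lower than at registration")
    return {"salt": salt, "log2_n": log2_n, "r": r, "p": p}


# Constructed provider responses: what an honest provider returns for an
# account registered with a 16-byte salt and n=2^15, and two tampered variants.
HONEST = json.dumps({"salt_hex": "00" * 16, "log2_n": 15, "r": 8, "p": 1})
TAMPERED_COST = json.dumps({"salt_hex": "00" * 16, "log2_n": 4, "r": 1, "p": 1})
TAMPERED_SALT = json.dumps({"salt_hex": "ff" * 16, "log2_n": 15, "r": 8, "p": 1})
PINNED = {"salt": bytes(16), "log2_n": 15, "r": 8, "p": 1}   # stored at registration


def classify(raw: str, pinned: Optional[Dict] = None) -> str:
    """Outcome of the check as a short string, for logging or a UI warning."""
    try:
        check_base_params(raw, pinned)
        return "accepted"
    except ParameterAttack as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for name, raw in (("honest", HONEST), ("cost", TAMPERED_COST), ("salt", TAMPERED_SALT)):
        print(f"{name:>6} without pin: {classify(raw)}")
        print(f"{name:>6} with pin:    {classify(raw, PINNED)}")
```

A rejected response should abort the login before any KDF evaluation and surface the event to the user; with a PAKE that treats the key as weak the provider learns nothing even if the user proceeded, but for protocols that do leak information about the key (SRP, Schnorr, as discussed above) this check is what stands between the user and a dictionary attack on a deliberately weakened key.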

V Compact PAKE Protocol

An asymmetric PAKE protocol usually requires the exchange of six messages between the client and the service provider [22, 34]. To derive the login key , the user first has to request the authentication parameters from the service provider which adds two additional messages to the PAKE protocol. In the following, we propose CompactPAKE, a PAKE protocol that only requires four messages including the retrieval of . Our approach is based on existing proven secure building blocks, i.e., the symmetric PAKE protocol EKE2 [23] and a simple authentication scheme used for the B-Speke protocol [34].

Registration

For the registration, the user generates an authentication key from some chosen authentication parameters . The user chooses a cyclic group generator and calculates , which is used as the verification value . The user deploys and the authentication parameters at the service provider.

Authentication

CompactPAKE closely resembles the symmetric EKE2 protocol [23], where the user is the verifier and the service provider is the prover. The protocol (Figure 2) works as follows.

  1. The user requests the authentication parameters .

  2. The service provider generates the random values and and sends back the service provider id , , and (with an encryption function).

  3. The user derives , calculates , generates a random value and the session key is calculated. The user responds to the service provider with and .

  4. The service provider derives the session key and uses to decrypt . If is not equal, the protocol is terminated. Otherwise, the user is authenticated and the service provider responds with .

  5. The user verifies that the user's version of matches the received value from the service provider. If the values do not match, the protocol is terminated.

Correctness

Concerning user authentication, only Step 4 differs from EKE2 [23]. This step is correct since .

Security Analysis

There are two main differences to the EKE2 protocol [23]. First, because the user starts with the parameter request, the EKE2 part is started by the service provider rather than by the user. Second, the user is authenticated with an asymmetric approach. In the following, we analyse the differences in detail.

In Step 1, the user solely requests the login parameters . In Step 2 the service provider sends , which is identical to the first step of EKE2. Furthermore, the service provider sends and the random challenge , which both do not reveal any sensitive information to an attacker.

In Step 3, the user sends , which is again the same as in EKE2. However, differently to EKE2, the user sends . From EKE2, it is known that the session key can only be calculated correctly by both parties if both parties know . This means the service provider learns the correct only if is known. Since , the service provider does not learn any new information other than the fact that the user not only knows but also . Step 4 is again identical to EKE2.

VI Password Manager

To provide a complete authentication solution and to demonstrate the flexibility of AuthStore, we present a password manager that can securely store arbitrary credentials (e.g., web login passwords) at any AuthStore provider.

Password managers have been widely discussed [16, 32, 1, 35, 36], for which reason we focus on the management of CompactPAKE user keys and how this can speed up the registration and authentication at AuthStore service providers.

VI-A Design

The design of the proposed password manager is as follows. To securely store key material, the password manager uses password-protected encrypted storage as described in Section IV-D.

The encrypted password manager as well as encryption parameters (Section IV-D) are kept and managed locally but can be synchronised to an AuthStore service provider, i.e., the encrypted password manager and are stored at the AuthStore service provider.

Using this approach, users can log in to the AuthStore service provider and access the password manager with the same password (see Figure 3).

Fig. 3: A single password is used to access the encrypted password manager and for authentication with an AuthStore service provider. The service provider cannot leverage the authentication process to gain access to the stored data.

VI-B Implementation

We implemented our prototype as a browser extension to allow secure web authentication. Note that an implementation that is loaded with a web page cannot be trusted since the service provider can manipulate the provided code [10]. Thus, a trusted client-side implementation is necessary.

Our implementation can be used to store general web login passwords as well as service provider user keys. Furthermore, the browser extension offers support to authenticate at arbitrary AuthStore service providers. This can be used to relieve web developers of the hard task of implementing web authentication pages securely [2], i.e., our browser extension can be leveraged for user authentication. The source code of our implementation can be accessed at gitlab.com/czeidler/authstore.

VI-C Discussion

In the following we discuss the advantages of the proposed password manager.

Avoiding expensive key derivation

The derivation of a user key from a password can, depending on the chosen base key parameters, take a considerable time. One way to mitigate this problem is to reuse base keys for multiple service providers. However, a more general solution is to store user keys in the proposed password manager. Thus, user keys derived from different base keys can be cached in the password manager.

Note that no base keys should be stored in the password manager. This ensures that even when the content of the password manager is inadvertently exposed to an attacker, other user keys that are not stored in the password manager stay secure. Furthermore, the base key can continue to be used for future user keys.

Password-less registration

The password manager can simplify the user registration at new AuthStore service providers by removing the need for users to choose a new authentication password, only requiring them to enter a new username. For this to work, the password manager uses existing base key parameters and automatically derives a new authentication key. Reusing previously derived base keys can avoid the expensive KDF evaluation, e.g., by using the base key parameters used to unlock the password manager. By proposing a previously used username to the user, the registration can be further simplified and becomes as easy as clicking a "Register" button.

Resilient against loss of the password manager

Another advantage of our approach is that reliable storage of the password manager is not a hard requirement, i.e., the user remains able to authenticate at AuthStore service providers even without the password manager. This is especially useful if the user does not own a cloud storage account at a service provider and only stores the password manager locally. While the password manager makes authentication more efficient, the user only needs to remember her username and password to authenticate at a service provider using CompactPAKE, i.e., no other information from the password manager is needed. This obviously fails when the set of passwords becomes too large to remember. However, CompactPAKE makes single password usage secure and the ability to easily change a password (Section IV-E) makes a single password scenario possible.

VII Related Work


Scheme Simplicity Secure Password Storage Secure Authentication Data Storage
Password hashing [10] (dictionary attacks) -
Strengthen password hashing [35] (fixed parameters) -
HPAKE [39, 40] -
Secret sharing [32] (setup requires n servers) -
Decoy passwords [41, 42] (see [43]) - (not discussed) -
Physical devices [44, 45, 46, 47] (requires physical device) ✓(relies on physical device)
Pvault [16]
Cloud-based Password Manager [15]
Passpet [1] (parameter attack)
AuthStore
TABLE I: Comparative analysis of different schemes.

There is a lot of work on password-based authentication protocols. While Wu et al. assume a strong password [20], more recent protocols such as PAKE protocols can work with weak passwords in order to prevent attackers from performing dictionary attacks on the exchanged information [48, 23, 22]. Asymmetric versions of PAKE protocols prevent an attacker from impersonating a user when compromising a service provider [49, 34, 22]. The proposed CompactPAKE protocol is closely related to EKE2 [23] but is more compact, includes user key parameter retrieval, and uses asymmetric authentication [22].

BetterAuth uses a PAKE scheme for authentication but it does not cover password stretching [50]. Similar to our work, Van Laer et al. propose to use a KDF for password stretching and to store the required salt parameter at the service provider [12]. Compared to our work, they only use pre-defined KDF parameters, such as CPU cost, and only have configurable salt, which makes their approach inflexible regarding account ageing (see Section IV). Furthermore, they use the Schnorr protocol [21], which is vulnerable to parameter attacks, e.g., when the provider returns a manipulated salt value.

An interesting KDF approach that is not vulnerable to parameter attacks is a Halting KDF (HKDF) [39, 40]. When evaluating an HKDF, the user executes a KDF algorithm until a halting parameter is encountered. An invalid password cannot be discarded with absolute certainty. This results in more than 3 times more work for an attacker when performing a dictionary attack [39]. The HPAKE authentication protocol uses an HKDF and stores the required halting parameter at the predefined provider [51]. The halting parameters are concealed from external attackers using a hidden credential retrieval scheme [11] to make offline dictionary attacks by external attackers impossible. Using HPAKE, a parameter attack would not be feasible since the user's HKDF calculation would not terminate. A disadvantage of HKDFs is the usability issue that a user who accidentally entered a wrong password does not get timely feedback about the mistake. Our approach works with any conventional state-of-the-art KDF.

Another group of authentication protocols relies on external devices, such as mobile phones [37, 38], or on a credential server [11]. In our work, no extra device or server is needed for authentication with the service provider.

Password Management

A server-less approach that allows a user to reuse a password on multiple web sites is to derive a site-specific authentication key with a hash function that takes the domain name and the password as arguments [10]. Since this approach is vulnerable to dictionary attacks, it has been proposed to iterate the hash function a fixed number of times to strengthen the password [35]. However, that iteration count is hard-coded, so the approach cannot be adapted to future hardware. Moreover, these approaches suffer from the problem that a site password cannot be changed without either changing the master password or remembering additional state.

One way to store the password manager's master key (but not the password store itself) is to leverage secret sharing [32]. This approach requires a set of storage servers of which at least a certain subset is not compromised by an attacker.
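To make the threshold assumption of the preceding paragraph concrete, an added Python example that is not the Memento construction of [32] (which additionally authenticates the user to the servers with the password) but plain Shamir secret sharing over a prime field: a master key is split into n shares held by n servers, any t of them reconstruct it, and fewer than t yield a value unrelated to the key. The field prime, the key size and the share counts are assumptions.

```python
import secrets

# Prime field for the shares. 2^521 - 1 is a Mersenne prime, large enough to
# hold any master key of up to 64 bytes (assumption: keys are at most that long).
P = 2**521 - 1

def _eval_poly(coeffs, x: int) -> int:
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def split_secret(secret: int, n: int, t: int):
    """Split `secret` into n shares such that any t of them reconstruct it.
    The secret is the constant term of a random polynomial of degree t-1;
    server i (1 <= i <= n) holds the point (i, f(i))."""
    if not (0 <= secret < P and 1 <= t <= n < P):
        raise ValueError("bad sharing parameters")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]

def recover_secret(shares) -> int:
    """Lagrange interpolation at x = 0 over the given shares. With fewer than t
    shares this still returns a number, but one that is independent of the
    secret, which is what an attacker holding t-1 compromised servers sees."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def master_key_to_int(key: bytes) -> int:
    return int.from_bytes(key, "big")

def int_to_master_key(value: int, length: int) -> bytes:
    return value.to_bytes(length, "big")

if __name__ == "__main__":
    master_key = secrets.token_bytes(16)        # constructed 128-bit master key
    shares = split_secret(master_key_to_int(master_key), n=5, t=3)
    # three honest servers suffice; two compromised ones learn nothing
    print(int_to_master_key(recover_secret(shares[:3]), 16) == master_key)
    print(int_to_master_key(recover_secret(shares[:2]), 16) == master_key)
```

Note that plain Shamir sharing says nothing about how the user proves to each server that they may retrieve their share; that is the part a password-authenticated scheme such as Memento adds, and without it any client that can reach t servers can rebuild the key.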

Decoy passwords (honeywords) or honey encryption can be used to protect a stolen password store: an attacker who decrypts it cannot tell the real passwords from the decoys without trying them online, where such attempts can be detected [41, 42]. However, recent work showed that real passwords can be distinguished from decoy passwords with high accuracy [43].

Other approaches rely on user devices, such as mobile devices [44, 45, 46] or a smart card [47], to protect the user password. A common issue is that losing the device also means losing access to the password store, so a backup of the device has to be maintained manually.

Pvault offers encrypted cloud-based data storage and password management but uses the same password for data encryption and for authenticating with the storage server [16]. Zhao et al. use a KDF to protect a password store on secure, reliable cloud storage but assume only a simple authentication method [15], i.e., the service provider must be trusted. Passpet uses the same simple key stretching technique as Halderman et al. [35] but stores the KDF parameters on a Passpet server [1]. However, for authentication, Passpet uses the Secure Remote Password protocol [20], which is vulnerable to parameter attacks.

Table I shows which related work fulfils our requirements from Section II. The data storage requirement is only evaluated for password managers that store passwords at a server. Only AuthStore fulfils all requirements, i.e., it provides a simple password-based login, passwords can be strengthened arbitrarily, the authentication protocol does not reveal any information about the password used, and the authentication password can securely be reused for data storage.

VIII Conclusion

In this paper, we presented AuthStore, a secure password-based authentication method. We showed that a strong authentication method that keeps the user password confidential is a prerequisite for secure password-based encrypted cloud storage. AuthStore allows users to securely reuse passwords for authentication at multiple service providers as well as for data encryption. AuthStore only requires a single service, i.e., the service provider, to operate. Users only need to remember a username and a password to authenticate and to access their encrypted data. With AuthStore, users are in control of how strongly passwords are protected by key stretching. We discussed a parameter attack and showed how other solutions are vulnerable to it. We presented CompactPAKE, a compact asymmetric PAKE protocol that includes the retrieval of key stretching parameters and requires fewer messages than other PAKE protocols.

In a case study, we presented an AuthStore-based password manager that allows users to securely store arbitrary credentials, such as web login passwords, in the cloud. We showed how the password manager makes user registration and authentication at service providers that support CompactPAKE faster and more convenient.

References

  • [1] K.-P. Yee and K. Sitaker, “Passpet: Convenient password management and phishing protection,” in Proc. 2nd Symposium on Usable Privacy and Security (SOUPS ’06), New York, NY, USA, 2006, pp. 32–43.
  • [2] S. Van Acker, D. Hausknecht, and A. Sabelfeld, “Measuring login webpage security,” in Proc. Symposium on Applied Computing (SAC ’17), New York, NY, USA, 2017, pp. 1753–1760.
  • [3] C. P. Wright, M. C. Martino, and E. Zadok, “NCryptfs: A secure and convenient cryptographic file system,” in Proc. USENIX Annual Technical Conference, 2003, pp. 197–210.
  • [4] V. Kher and Y. Kim, “Securing distributed storage: Challenges, techniques, and systems,” in Proc. 2005 ACM Workshop on Storage Security and Survivability (StorageSS ’05), New York, NY, USA, 2005, pp. 9–25.
  • [5] C. Zeidler and M. R. Asghar, “Towards a framework for privacy-preserving data sharing in portable clouds,” Cham, 2017, pp. 273–293.
  • [6] D. Florencio and C. Herley, “A large-scale study of web password habits,” in Proc. 16th International Conference on WWW, 2007, pp. 657–666.
  • [7] A. Das, J. Bonneau, M. Caesar, N. Borisov, and X. Wang, “The tangled web of password reuse,” in NDSS, vol. 14, 2014, pp. 23–26.
  • [8] I. Ion, R. Reeder, and S. Consolvo, “‘… no one can hack my mind’: Comparing expert and non-expert security practices,” in SOUPS, 2015, pp. 327–346.
  • [9] E. Bauman, Y. Lu, and Z. Lin, “Half a century of practice: Who is still storing plaintext passwords?” in ISPEC, 2015, pp. 253–267.
  • [10] B. Ross, C. Jackson, N. Miyake, D. Boneh, and J. C. Mitchell, “Stronger password authentication using browser extensions,” in USENIX Security Symposium, Baltimore, MD, USA, 2005, pp. 17–32.
  • [11] X. Boyen, “Hidden credential retrieval from a reusable password,” in Proc. 4th Int. Symp. on Information, Computer, and Communications Security, ACM, 2009, pp. 228–238.
  • [12] G. Van Laer, R. Dasgupta, A. Patil, and M. Green, “Harden zero knowledge password proofs against offline dictionary attacks,” 2016.
  • [13] L. Ferretti, M. Colajanni, and M. Marchetti, “Distributed, concurrent, and independent access to encrypted cloud databases,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, pp. 437–446, February 2014.
  • [14] S. Zarandioon, D. Yao, and V. Ganapathy, “K2C: Cryptographic cloud storage with lazy revocation and anonymous access,” in Security and Privacy in Communication Networks, 2012, vol. 96, pp. 59–76.
  • [15] R. Zhao and C. Yue, “Toward a secure and usable cloud-based password manager for web browsers,” Computers & Security, vol. 46, pp. 32–47, 2014.
  • [16] R. C. Jammalamadaka, S. Mehrotra, and N. Venkatasubramanian, “Pvault: A client server system providing mobile access to personal data,” in Proc. ACM Workshop on Storage Security and Survivability, ACM, 2005, pp. 123–129.
  • [17] D. Leibenger and C. Sorge, “A storage-efficient cryptography-based access control solution for Subversion,” in Proc. 18th ACM Symp. on Access Control Models and Technologies, 2013, pp. 201–212.
  • [18] A. Narayanan and V. Shmatikov, “Fast dictionary attacks on passwords using time-space tradeoff,” in Proc. 12th ACM Conference on Computer and Communications Security, ACM, 2005, pp. 364–372.
  • [19] C. Forler, E. List, S. Lucks, and J. Wenzel, “Overview of the candidates for the password hashing competition,” in International Conference on Passwords, Springer, 2014, pp. 3–18.
  • [20] T. D. Wu, “The secure remote password protocol,” in NDSS, vol. 98, 1998, pp. 97–111.
  • [21] C.-P. Schnorr, “Efficient identification and signatures for smart cards,” in Conference on the Theory and Application of Cryptology, Springer, 1989, pp. 239–252.
  • [22] C. Gentry, P. MacKenzie, and Z. Ramzan, “A method for making password-based key exchange resilient to server compromise,” 2006, pp. 142–159.
  • [23] M. Bellare, D. Pointcheval, and P. Rogaway, “Authenticated key exchange secure against dictionary attacks,” in International Conference on the Theory and Applications of Cryptographic Techniques, Springer, 2000, pp. 139–155.
  • [24] P. Gasti and K. B. Rasmussen, “On the security of password manager database formats,” in ESORICS, Springer, 2012, pp. 770–787.
  • [25] Z. Li, W. He, D. Akhawe, and D. Song, “The emperor’s new password manager: Security analysis of web-based password managers,” in USENIX Security Symposium, 2014, pp. 465–479.
  • [26] P. G. Kelley, S. Komanduri, M. L. Mazurek, R. Shay, T. Vidas, L. Bauer, N. Christin, L. F. Cranor, and J. Lopez, “Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms,” in Security and Privacy (SP), IEEE, 2012, pp. 523–537.
  • [27] R. V. Yampolskiy, “Analyzing user password selection behavior for reduction of password space,” in Proc. 40th Annual IEEE International Carnahan Conference on Security Technology, IEEE, 2006, pp. 109–115.
  • [28] J. Yan, A. Blackwell, R. Anderson, and A. Grant, “Password memorability and security: Empirical results,” IEEE Security & Privacy, vol. 2, no. 5, pp. 25–31, 2004.
  • [29] B. Kaliski, “PKCS #5: Password-based cryptography specification version 2.0,” 2000.
  • [30] C. Percival, “Stronger key derivation via sequential memory-hard functions,” self-published, pp. 1–16, 2009.
  • [31] A. Biryukov, D. Dinu, and D. Khovratovich, “Argon2: New generation of memory-hard functions for password hashing and other applications,” in Security and Privacy (EuroS&P), IEEE, 2016, pp. 292–302.
  • [32] J. Camenisch, A. Lehmann, A. Lysyanskaya, and G. Neven, “Memento: How to reconstruct your secrets from a single password in a hostile environment,” in Int. Cryptology Conf., Springer, 2014, pp. 256–275.
  • [33] B. Ur, F. Alfieri, M. Aung, L. Bauer, N. Christin, J. Colnago, L. F. Cranor, H. Dixon, P. Emami Naeini, H. Habib et al., “Design and evaluation of a data-driven password meter,” in Proc. CHI Conference on Human Factors in Computing Systems, ACM, 2017, pp. 3775–3786.
  • [34] D. P. Jablon, “Extended password key exchange protocols immune to dictionary attack,” in Proc. 6th Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, IEEE, 1997, pp. 248–255.
  • [35] J. A. Halderman, B. Waters, and E. W. Felten, “A convenient method for securely managing passwords,” in Proc. 14th International Conference on WWW, ACM, 2005, pp. 471–479.
  • [36] F. A. Maqbali and C. J. Mitchell, “AutoPass: An automatic password generator,” CoRR, 2017.
  • [37] H.-M. Sun, Y.-H. Chen, and Y.-H. Lin, “oPass: A user authentication protocol resistant to password stealing and password reuse attacks,” IEEE Transactions on Information Forensics and Security, vol. 7, no. 2, pp. 651–663, 2012.
  • [38] S. Jarecki, H. Krawczyk, M. Shirvanian, and N. Saxena, “Device-enhanced password protocols with optimal online-offline protection,” in Proc. 11th ACM Asia Conference on Computer and Communications Security, ACM, 2016, pp. 177–188.
  • [39] X. Boyen, “Halting password puzzles,” in Proc. USENIX Security, 2007.
  • [40] J. Blocki and A. Sridhar, “Client-CASH: Protecting master passwords against offline attacks,” in Proc. 11th ACM Asia Conference on Computer and Communications Security, ACM, 2016, pp. 165–176.
  • [41] H. Bojinov, E. Bursztein, X. Boyen, and D. Boneh, “Kamouflage: Loss-resistant password management,” in European Symposium on Research in Computer Security, Springer, 2010, pp. 286–302.
  • [42] R. Chatterjee, J. Bonneau, A. Juels, and T. Ristenpart, “Cracking-resistant password vaults using natural language encoders,” in Security and Privacy (SP), IEEE, 2015, pp. 481–498.
  • [43] M. Golla, B. Beuscher, and M. Dürmuth, “On the security of cracking-resistant password vaults,” in Proc. ACM SIGSAC Conf. on Computer and Communications Security, ACM, 2016, pp. 1230–1241.
  • [44] D. McCarney, D. Barrera, J. Clark, S. Chiasson, and P. C. van Oorschot, “Tapas: Design, implementation, and usability evaluation of a password manager,” in Proc. 28th Annual Computer Security Applications Conference, ACM, 2012, pp. 89–98.
  • [45] M. Horsch, A. Hülsing, and J. Buchmann, “PALPAS–PAssword Less PAssword Synchronization,” in Proc. 10th Int. Conference on Availability, Reliability and Security (ARES), IEEE, 2015, pp. 30–39.
  • [46] M. Shirvanian, S. Jarecki, H. Krawczyk, and N. Saxena, “SPHINX: A password store that perfectly hides passwords from itself,” in Distributed Computing Systems (ICDCS), IEEE, 2017, pp. 1094–1104.
  • [47] M. Horsch, J. Braun, D. Metz, and J. Buchmann, “Update-tolerant and revocable password backup,” in Australasian Conference on Information Security and Privacy, Springer, 2017, pp. 390–397.
  • [48] S. M. Bellovin and M. Merritt, “Encrypted key exchange: Password-based protocols secure against dictionary attacks,” in Research in Security and Privacy, IEEE, 1992, pp. 72–84.
  • [49] S. M. Bellovin and M. Merritt, “Augmented encrypted key exchange: A password-based protocol secure against dictionary attacks and password file compromise,” in Proc. ACM Conf. on Computer and Communications Security, ACM, 1993, pp. 244–250.
  • [50] M. Johns, S. Lekies, B. Braun, and B. Flesch, “BetterAuth: Web authentication revisited,” in Proc. 28th Annual Computer Security Applications Conference, ACM, 2012, pp. 169–178.
  • [51] X. Boyen, “HPAKE: Password authentication secure against cross-site user impersonation,” in International Conference on Cryptology and Network Security, Springer, 2009, pp. 279–298.