Phoenix: Rebirth of a Cryptographic Password-Hardening Service

Conference contribution
Publication Details

Author(s): Lai RWF, Egger C, Schröder D, Chow SS
Publisher: USENIX Association
Publishing place: 2560 Ninth Street, Suite 215, Berkeley, CA 94710, USA

Publication year: 2017
Conference Proceedings Title: 26th USENIX Security Symposium (USENIX Security 17)
Page range: 899–916
ISBN: 978-1-931971-40-9
Language: English


Abstract
Passwords remain the most widespread means of authentication, especially on the Internet. As such, they are the Achilles' heel of many modern systems. Facebook pioneered the use of external cryptographic services to harden password-based authentication at a large scale. Everspaugh et al. (USENIX Security '15) provided the first comprehensive treatment of such a service and proposed the PYTHIA PRF-Service as a cryptographically secure solution. Recently, Schneider et al. (ACM CCS '16) proposed a more efficient solution which is secure in a weaker security model.
In this work, we show that the scheme of Schneider et al. is vulnerable to offline attacks after just a single validation query. Therefore, it defeats the purpose of using an external crypto service in the first place and should not be used in practice. Our attacks do not contradict their security claims, but instead show that their definitions are simply too weak. We thus suggest stronger security definitions that cover these kinds of real-world attacks, and an even more efficient construction, PHOENIX, to achieve them. Our comprehensive evaluation confirms the practicability of PHOENIX: it can handle up to 50% more requests than the scheme of Schneider et al. and up to three times more than PYTHIA.
FAU Authors / FAU Editors

Egger, Christoph
Lehrstuhl für Informatik 13 (Angewandte Kryptographie)
Lai, Russell W. F.
Lehrstuhl für Informatik 13 (Angewandte Kryptographie)
Schröder, Dominique Prof. Dr.
Lehrstuhl für Informatik 13 (Angewandte Kryptographie)


How to cite

APA:
Lai, R. W. F., Egger, C., Schröder, D., & Chow, S. S. (2017). Phoenix: Rebirth of a Cryptographic Password-Hardening Service. In 26th USENIX Security Symposium (USENIX Security 17) (pp. 899–916). Vancouver, BC, Canada: USENIX Association.

MLA:
Lai, Russell W. F., et al. "Phoenix: Rebirth of a Cryptographic Password-Hardening Service." Proceedings of the 26th USENIX Security Symposium (USENIX Security 17), Vancouver, BC. Berkeley, CA: USENIX Association, 2017. 899–916.

BibTeX: 

Last updated on 2018-03-10 at 15:23