Phoenix: Rebirth of a Cryptographic Password-Hardening Service

Lai RWF, Egger C, Schröder D, Chow SS (2017)


Publication Language: English

Publication Type: Conference contribution

Publication year: 2017

Publisher: USENIX Association

City/Town: 2560 Ninth Street, Suite 215 Berkeley, CA 94710 USA

Pages Range: 899--916

Conference Proceedings Title: 26th USENIX Security Symposium (USENIX Security 17)

Event location: Vancouver, BC CA

ISBN: 978-1-931971-40-9

URI: https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/lai

Open Access Link: https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/lai

Abstract

Passwords remain the most widespread means of authentication, especially on the Internet. As such, they are the Achilles heel of many modern systems. Facebook pioneered the use of external cryptographic services to harden password-based authentication at large scale. Everspaugh et al. (USENIX Security '15) provided the first comprehensive treatment of such a service and proposed the PYTHIA PRF-Service as a cryptographically secure solution. Recently, Schneider et al. (ACM CCS '16) proposed a more efficient solution which is secure in a weaker security model.

In this work, we show that the scheme of Schneider et al. is vulnerable to offline attacks after just a single validation query. It therefore defeats the purpose of using an external crypto service in the first place and should not be used in practice. Our attacks do not contradict their security claims, but instead show that their definitions are simply too weak. We thus suggest stronger security definitions that cover these kinds of real-world attacks, and an even more efficient construction, PHOENIX, that achieves them. Our comprehensive evaluation confirms the practicability of PHOENIX: it can handle up to 50% more requests than the scheme of Schneider et al. and up to three times more than PYTHIA.


How to cite

APA:

Lai, R. W. F., Egger, C., Schröder, D., & Chow, S. S. (2017). Phoenix: Rebirth of a Cryptographic Password-Hardening Service. In 26th USENIX Security Symposium (USENIX Security 17) (pp. 899–916). Vancouver, BC, CA. Berkeley, CA: USENIX Association.

MLA:

Lai, Russell W. F., et al. "Phoenix: Rebirth of a Cryptographic Password-Hardening Service." Proceedings of the 26th USENIX Security Symposium (USENIX Security 17), Vancouver, BC. Berkeley, CA: USENIX Association, 2017. 899–916.