Phoenix: Rebirth of a Cryptographic Password-Hardening Service

Conference contribution


Publication details

Author(s): Lai RWF, Egger C, Schröder D, Chow SS
Publisher: USENIX Association
Place of publication: 2560 Ninth Street, Suite 215, Berkeley, CA 94710, USA

Year of publication: 2017
Proceedings: 26th USENIX Security Symposium (USENIX Security 17)
Page range: 899--916
ISBN: 978-1-931971-40-9
Language: English


Abstract

Passwords remain the most widespread means of authentication, especially on the Internet. As such, they are the Achilles heel of many modern systems. Facebook pioneered the use of external cryptographic services to harden password-based authentication at large scale. Everspaugh et al. (USENIX Security '15) provided the first comprehensive treatment of such a service and proposed the PYTHIA PRF-Service as a cryptographically secure solution. Recently, Schneider et al. (ACM CCS '16) proposed a more efficient solution which is secure in a weaker security model.

In this work, we show that the scheme of Schneider et al. is vulnerable to offline attacks after just a single validation query. It therefore defeats the purpose of using an external crypto service in the first place and should not be used in practice. Our attacks do not contradict their security claims, but instead show that their definitions are simply too weak. We thus suggest stronger security definitions that cover these kinds of real-world attacks, and an even more efficient construction, PHOENIX, to achieve them. Our comprehensive evaluation confirms the practicability of PHOENIX: it can handle up to 50% more requests than the scheme of Schneider et al. and up to three times more than PYTHIA.


FAU authors / FAU editors

Egger, Christoph
Chair of Computer Science 13 (Applied Cryptography)
Lai, Russell W. F.
Chair of Computer Science 13 (Applied Cryptography)
Schröder, Dominique Prof. Dr.
Chair of Computer Science 13 (Applied Cryptography)


Citation styles

APA:
Lai, R.W.F., Egger, C., Schröder, D., & Chow, S.S. (2017). Phoenix: Rebirth of a Cryptographic Password-Hardening Service. In 26th USENIX Security Symposium (USENIX Security 17) (pp. 899--916). Vancouver, BC, CA: USENIX Association.

MLA:
Lai, Russell W. F., et al. "Phoenix: Rebirth of a Cryptographic Password-Hardening Service." Proceedings of the USENIX Security Symposium, Vancouver, BC. Berkeley, CA: USENIX Association, 2017. 899--916.

BibTeX: 

Last updated 2018-03-10 at 15:23