Simple Password-Hardened Encryption Services

Conference contribution
(Conference Contribution)

Publication Details

Author(s): Lai RWF, Egger C, Reinert M, Chow SS, Maffei M, Schröder D
Editor(s): USENIX Association
Publisher: USENIX Association
Publishing place: 2560 Ninth Street, Suite 215
Berkeley, CA 94710

Publication year: 2018
Conference Proceedings Title: 27th USENIX Security Symposium (USENIX Security 18)
Language: English


A drastically increasing number of data breaches targeted online service providers for user-specific data such as their passwords or credit card number. A natural solution is to use encryption, but decryption is needed often (whenever the service needs to utilize these data) and storing the decryption key along is obviously dangerous.

To address this urgent need for data security, we propose password-hardened encryption (PHE). With the help of an external crypto server, a service provider can recover the user data encrypted by PHE only when an end user supplied a correct password. PHE inherits the security features of password-hardening (Usenix Security '15), adding protection for the user data. In particular, the crypto server does not learn any information about any user data.
More importantly, both the crypto server and the service provider can rotate their secret keys, a proactive security mechanism mandated by the Payment Card Industry Data Security Standard.

We build an extremely simple password-hardened encryption scheme. Compared with the state-of-the-art password-hardening scheme (Usenix Security '17), our scheme only uses minimal number-theoretic operations and is, therefore, 30% - 50% more efficient. In fact, our extensive experimental evaluation demonstrates that our scheme can handle more than 525 encryption and (successful) decryption requests per second per core, which shows that it is lightweight and readily deployable with large-scale systems. Regarding security, our scheme also achieves a stronger soundness property, which puts less trust on the good behavior of the crypto server.

FAU Authors / FAU Editors

Egger, Christoph
Lehrstuhl für Informatik 13 (Angewandte Kryptographie)
Lai, Russell W. F.
Lehrstuhl für Informatik 13 (Angewandte Kryptographie)
Schröder, Dominique Prof. Dr.
Lehrstuhl für Informatik 13 (Angewandte Kryptographie)

External institutions with authors

Universität des Saarlandes (UdS)

How to cite

Lai, R.W.F., Egger, C., Reinert, M., Chow, S.S., Maffei, M., & Schröder, D. (2018). Simple Password-Hardened Encryption Services. In USENIX Association (Eds.), 27th USENIX Security Symposium (USENIX Security 18). Baltimore, MD, US: 2560 Ninth Street, Suite 215 Berkeley, CA 94710 USA: USENIX Association.

Lai, Russell W. F., et al. "Simple Password-Hardened Encryption Services." Proceedings of the 27th USENIX Security Symposium (USENIX Security 18), Baltimore, MD Ed. USENIX Association, 2560 Ninth Street, Suite 215 Berkeley, CA 94710 USA: USENIX Association, 2018.


Last updated on 2018-03-10 at 15:10