EN100-web
Research and Innovation

A Single Password for Everything?

by Jan Camenisch, Anja Lehmann, Anna Lysyanskaya and Gregory Neven

The authors have developed a three-pronged approach that can secure all of your passwords for social media, email, cloud files, shopping and financial websites, with one practically hack-proof password. This password is secured by the new “Memento protocol.”
In the 2000 film “Memento” by Christopher Nolan, the protagonist suffers from short-term memory loss. Throughout the film, he meets people who claim to be his friends but, due to his condition, he never really knows whether they are truly his friends, or whether they are just trying to manipulate him or steal something from him.
This scenario got the authors thinking, because it leads to an interesting cryptographic problem: If all you can remember is a single password, then how can you store your secrets among your friends, and later recover your secrets from your friends, even if you may not remember exactly who your friends were? Or, put differently, can a user protect all her sensitive data on a set of servers with a single password, in such a way that even malicious servers do not learn anything about the data or the password when the user tries to retrieve it?
These basic questions have many applications, including protecting and recovering data on mobile devices if they are lost, encrypted data storage in the cloud, and securing access to third-party websites such as social networks, online shops, healthcare portals, or e-banking. Users nowadays are expected to remember dozens of strong, different passwords at home and in the workplace. This is obviously unreasonable, so we need a better solution.
Something important to realize about password security is that, whenever a single server can tell you whether your password is correct, then that server must be storing some information that can be used by an attacker to mount an offline dictionary attack, where the attacker simply tries to guess the password by brute force. These attacks have become so efficient lately that, if this piece of information is stolen from the server, the password itself must be considered stolen too.
The Memento protocol [1] overcomes this limitation by storing the password and data in a distributed way across multiple servers. No single server can autonomously verify a user’s password; it always requires the collaboration of the other servers. To gain access, an attacker would either have to hack more than a given threshold of the servers simultaneously, or try to mount an online guessing attack on the password. The former can be addressed by using servers in different security domains and running different operating systems. The latter is prevented by letting honest servers throttle password attempts, e.g., by blocking the account after too many failed attempts, much as is done for ATM cards.
Furthermore, the Memento protocol keeps the password safe even if the user is tricked into entering her password and authenticating with a set of corrupt servers. For example, suppose you created your account on three different servers that you trust are unlikely to collude against you or to get hacked all at the same time, for example ibm.com, admin.ch, and icann.org. Next, you may be tricked in a phishing attack and you mistakenly log into ibn.com, admim.ch and ican.org. Game over for your password, right?

Wrong. With the Memento protocol, even in this situation the servers cannot figure out your password or impersonate you, because the protocol doesn’t let the servers reconstruct the password when testing whether it’s correct.
Instead, the protocol roughly proceeds as follows. When creating the account, the user’s password p is encrypted under a special key so that at least a threshold of the servers have to collaborate to decrypt it. When logging in with password attempt q, the servers send the encryption of p back to the user, who then uses special homomorphic properties of the encryption algorithm to transform the encryption of p into an encryption of “one” if p=q, or into an encryption of a random string if p≠q. The servers jointly decrypt the resulting ciphertext to discover whether the password was correct.
Some more cryptographic machinery is added to the protocol to obtain strong security guarantees, e.g., for the case that the user makes a typo when entering her password or that the attacker has some side information about the password, but this is the basic idea.
When using the Memento protocol, the user only needs one username and password to retrieve all her secrets. At the same time, she can rest assured that even if some of her servers get hacked or she tries to log into the wrong servers, her password and secrets remain secure.

If only the lead character in the film “Memento” had it so easy!
Link:
http://www.zurich.ibm.com/csc/security/

Reference:
[1] J. Camenisch, A. Lehmann, A. Lysyanskaya, and G. Neven, “Memento: How to Reconstruct your Secrets from a Single Password in a Hostile Environment”, Advances in Cryptology – CRYPTO 2014, Springer LNCS, Volume 8617, 2014, pp. 256-275.

Please contact:
Jan Camenisch, IBM Research Lab Zurich
E-mail: jca@zurich.ibm.com
ERCIM NEWS 100 January 2015