Lai RWF, Egger C, Schröder D, Chow SS (2017)
Publication Language: English
Publication Type: Conference contribution
Publication year: 2017
Publisher: USENIX Association
City/Town: 2560 Ninth Street, Suite 215 Berkeley, CA 94710 USA
Pages Range: 899--916
Conference Proceedings Title: 26th USENIX Security Symposium (USENIX Security 17)
ISBN: 978-1-931971-40-9
URI: https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/lai
Open Access Link: https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/lai
Passwords remain the most widespread means of authentication, especially on the Internet. As such, they are the Achilles heel of many modern systems. Facebook pioneered using external cryptographic services to harden password-based authentication at large scale. Everspaugh et al. (USENIX Security ’15) provided the first comprehensive treatment of such a service and proposed the PYTHIA PRF-Service as a cryptographically secure solution. Recently, Schneider et al. (ACM CCS ’16) proposed a more efficient solution which is secure in a weaker security model.
In this work, we show that the scheme of Schneider et al. is vulnerable to offline attacks after just a single validation query. It therefore defeats the purpose of using an external crypto service in the first place and should not be used in practice. Our attacks do not contradict their security claims, but instead show that their definitions are simply too weak. We thus suggest stronger security definitions that cover these kinds of real-world attacks, and an even more efficient construction, PHOENIX, to achieve them. Our comprehensive evaluation confirms the practicality of PHOENIX: it can handle up to 50% more requests than the scheme of Schneider et al. and up to three times more than PYTHIA.
APA:
Lai, R. W. F., Egger, C., Schröder, D., & Chow, S. S. (2017). Phoenix: Rebirth of a cryptographic password-hardening service. In 26th USENIX Security Symposium (USENIX Security 17) (pp. 899–916). Vancouver, BC, Canada: USENIX Association.
MLA:
Lai, Russell W. F., et al. "Phoenix: Rebirth of a Cryptographic Password-Hardening Service." Proceedings of the 26th USENIX Security Symposium (USENIX Security 17), Vancouver, BC, USENIX Association, 2017, pp. 899–916.