Time: April 4, 2019, 2:30 PM
Venue: Software Building 542
Abstract:
Passwords remain the most widespread means of authentication, especially on the Internet. We have witnessed a trend of recurring breaches in which (salted) password databases get stolen. Any low-entropy passwords can then be guessed easily by brute-force attacks. To harden password-based authentication, Facebook pioneered the involvement of an additional cryptographic server in the authentication process. We call this a password-hardening (PH) service.
In USENIX Security '15, a PRF service called Pythia was proposed to realize PH. Our work first formalizes the security requirements of PH. In particular, the crypto server, which serves as a helper in the validation process and as a rate-limiter to thwart online dictionary attacks, can do so without learning the (candidate) password. Our PH solution, called Phoenix, handles up to three times more requests than the first (and the only) solution that remained secure before our work.
PH only provides user-authentication but cannot ensure the confidentiality of sensitive user data (e.g., credit card number for an e-commerce site). Although encryption somewhat alleviates the problem, keeping the decryption key within reach for recurrent decryption is dangerous. To address this seemingly unavoidable problem, we propose the notion of password-hardened encryption (PHE).
PHE inherits the security features of PH. In particular, the crypto server learns neither the password nor the sensitive data while validating the password and helping in decryption. More importantly, both the crypto server and the PH-service client can rotate their secret keys, providing a proactive security mechanism mandated by the Payment Card Industry Data Security Standard. We build an extremely simple PHE which is even more efficient than Phoenix. It can handle more than 525 encryption and (successful) decryption requests per second per core on a 10-core Intel Xeon E5-2640 CPU.
This talk (also presented as a keynote speech at ISPEC 2018) summarizes the results from two papers that appeared in USENIX Security 2017 and 2018.
Short Bio:
Sherman S.M. Chow joined CUHK in November 2012 and received the Early Career Award from Hong Kong RGC. He got his Ph.D. from New York University and did his post-doc at the University of Waterloo.
His main interests are in Cryptography, Security, and Privacy, with publications in AsiaCrypt, CCS, EuroCrypt, ITCS, NDSS, and USENIX Security. He served on the program committee of AsiaCrypt for 6 years and of other top-tier conferences like CRYPTO and TheWeb in 2019. He is a distinguished TPC member of Infocom 2018, and has co-chaired CANS, ISC, and ProvSec. He is on the editorial boards of a number of journals, including IEEE Transactions on Information Forensics and Security (TIFS). He is also an editor of the Springer book series on Cyber Security Systems and Networks.