The Pythia PRF Service - University of...
The Pythia PRF Service
Adam Everspaugh, Rahul Chatterjee, Sam Scott, Ari Juels, Thomas Ristenpart
Summary

Passwords: ubiquitous, but vulnerable to offline attack.

New direction: a complete architecture for password storage built on a new cryptographic PRF service.

Better: no offline attacks, compromise recovery, key management, and cryptographic erasure of stolen information.
Website stores one of:
  - pw
  - Hash(pw)
  - salt, Hash(salt, pw)
  - salt, Hash4096(salt, pw)

Example breach: 6.5M hashes leaked; 90% recovered within 2 weeks.
Password Database Compromises

Password DB breaches are common.
Facebook's Password Onion

    $cur = 'password'
    $cur = md5($cur)
    $salt = randbytes(20)
    $cur = hmac_sha1($cur, $salt)
    $cur = remote_hmac_sha256($cur, $secret)
    $cur = scrypt($cur, $salt)
    $cur = hmac_sha256($cur, $salt)

An archaeological record of Facebook's struggles with password security: each layer was added on top of the previous ones rather than replacing them.
Remote HMAC Distributes Trust

The remote_hmac_sha256 layer splits the secret across two machines:
  - Web Server: holds the pw db, sends $cur to the Crypto Server
  - Crypto Server: holds $secret, returns hmac($cur, $secret)

Open problems with this design:
  - How do we rotate $secret?
  - Online attacks are hard to detect: the Crypto Server only sees an opaque stream of values cur1, cur2, cur3, ...
Our Approach: Pythia PRF

The Web Server keeps the pw db and queries the Pythia PRF Service for each password; $secret lives only on the Pythia PRF Service. Compared with the remote HMAC, the Pythia PRF Service:
  - detects online attacks
  - supports compromise recovery and proactive key rotation
  - supports cryptographic erasure
  - is multi-tenant (one service, many web servers, each with its own pw db)
PRF Query: New User

Notation: w = Web Server ID, t = User ID, x = blinded password, z = protected password.

  User -> Web Server:       user, pw
  Web Server:               t := random(); x := blind(pw)
  Web Server -> Pythia:     query (w, t, x)
  Pythia Server:            k := keytable[w]; y := F_k(t, x)
  Pythia -> Web Server:     y
  Web Server:               z := unblind(y); store (user, t, z)
Compromise Recovery

  Pythia Server: rotates its key k -> k' and sends the Web Server an update token
  Web Server: updates every stored value z0, z1, ... to z0', z1', ...

  - Doesn't require the original passwords
  - User passwords remain unchanged
  - The old (stolen) password db is useless: later queries w,t,x0', w,t,x1', w,t,x2', ... are answered under k'
Existing Crypto Primitives are Insufficient

Properties needed: Deterministic | Pseudorandom | Key Rotation | (Partial) Message Privacy

Existing primitives compared on the slide:
  - PRFs
  - Key Updateable Encryption
  - Proxy Re-encryption
  - Oblivious PRFs
  - Partially-Blind Signatures

None of them covers all four properties; the row for the combination actually needed, a Partially Oblivious PRF, was empty.
Partially Obl. PRF Construction

Bilinear pairing e: G1 x G2 -> GT with e(a^x, b^y) = e(a,b)^{xy}.

PRF query (Web Server <-> Pythia Server):
  blind():    x := H(pw)^r, send (w, t, x)
  Pythia:     k := keytable[w];  y := e(H(t), x)^k  = F_k(t, x)
  unblind():  z := y^{1/r} = e(H(t), H(pw))^{k * r * 1/r} = e(H(t), H(pw))^k

Similar use of pairings: [Sakai, Ohgishi, Kasahara], [Boneh, Waters].
Partially Obl. PRF Construction: Compromise Recovery

  Pythia Server -> Web Server:  update token k'/k
  update():  z' := z^{k'/k} = e(H(t), H(pw))^{k * k'/k} = e(H(t), H(pw))^{k'}
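The blind/unblind exchange of the PRF Query slide and the k'/k update of this slide, written out as an added example (not the paper's or project's code). Assumption: a safe-prime subgroup of Z_p^* stands in for the pairing group, and the tweak t is folded into the exponent instead of going through e(H(t), x); this keeps the same algebra but not the paper's security guarantees, so it is for illustration only.

```python
import hashlib
import secrets

# Demo group: a safe prime p = 2q+1 (q prime) stands in for the paper's pairing
# group. Same blind/unblind/rotate algebra, NOT the same security (assumption).
def is_probable_prime(n: int, rounds: int = 32) -> bool:  # Miller-Rabin, n > 3
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_group(bits: int = 64):  # returns (p, q); PRF values live in the order-q subgroup
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = gen_group()
def H(data: bytes) -> int:  # hash into the order-q subgroup (squaring lands there)
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % P, 2, P)

# Web server side: x = H(pw)^r hides pw from the PRF service; r never leaves the web server.
def blind(pw: bytes):
    r = secrets.randbelow(Q - 1) + 1
    return pow(H(pw), r, P), r
def unblind(y: int, r: int) -> int:
    return pow(y, pow(r, -1, Q), P)            # z = y^(1/r)

# Pythia server side: keyed PRF over (tweak t, blinded x). The paper computes
# y = e(H(t), x)^k; here the tweak is folded into the exponent instead (assumption).
def eval_prf(k: int, t: bytes, x: int) -> int:
    return pow(x, k * H(t) % Q, P)

def update_token(k_old: int, k_new: int) -> int:
    return k_new * pow(k_old, -1, Q) % Q       # k'/k: all the web server needs to rotate

def rotate(z: int, token: int) -> int:
    return pow(z, token, P)                    # z' = z^(k'/k), no password needed
```

Two independent blindings of the same password unblind to the same z, a different password or tweak gives a different z, and after rotation the stored z' matches what a fresh query under k' would produce.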
Advantages of Partially Obl. PRF

  Web Server (pw db): doesn't learn the secret key
  Pythia PRF Service: doesn't learn pw, and can detect online attacks
Easy to Deploy

The existing verify routine gains two lines (the Pythia query and the combine step); `pass` is renamed `password` here because it is a reserved word in Python:

    def verify(username, password):
        (salt, check) = authTableLookup(username)
        digest = hashpass(salt, password)
        ppass = pythia.query(server, w, t, password)   # added: PRF query to the Pythia server
        digest = pythia.combine(ppass, digest)         # added: fold the PRF output into the digest
        return digest == check

Small change to the code base, no impact on user experience.
Parallel Password Onion

The Web Server runs a conventional slow hash in parallel with the Pythia query and combines the two results:

  Web Server (locally):       a := H4096(pw, t)
  Web Server -> Pythia:       x := blind(pw), send (w, t, x)
  Pythia -> Web Server:       y
  Web Server:                 z := unblind(y)
  Web Server:                 result := za

No performance penalty (the two computations overlap), strictly better security: defense in depth.
Pythia Open Source Implementation

Built on nginx and MongoDB. Source code on GitHub.
Find links and information at: https://pages.cs.wisc.edu/~ace
Test + development server: remote-crypto.io
Fast, Scalable PRF Service

  Throughput:  1350 connections/sec (8-core EC2 instance)
  PRF query:   11.8 ms (LAN), 96 ms (WAN); within a factor of 2 of a TLS query
  Storage:     O(1) per web server (keytable for 100M web servers: 18.6 GB); supports an arbitrary number of users for each web server
Beyond Web Servers

  - Bitcoin brainwallets
  - Message-locked encryption
  - File encryption with remote erasure
Conclusion

Password storage is broken: too easy to crack with offline attacks.

Pythia PRF:
  - prevents offline attacks, detects online attacks
  - enables compromise recovery via key rotation, and cryptographic erasure via key deletion
  - democratizes access with a service architecture