New crypto techniques protect passwords from unreliable doorkeepers

Imagine coming home and instead of just putting your key into the lock, you first had to hand it to a doorkeeper for verification. The doorkeeper would take your key, and insert it into an electronic box to confirm that you indeed have the right key before the door could be unlocked. That would be annoying and unsafe — you wouldn’t want the doorkeeper to make a copy of the key while it’s out of your possession.

In a way, this is what we all do when typing in a password, online.

And this is what our latest research is about protecting — developing novel cryptographic techniques to bypass the “doorkeeper,” boosting privacy for all internet users.

One of the solutions involves allowing identity verification without the need to reveal the password to the doorkeeper. In a more-advanced protocol, the verification is distributed among two or more doorkeepers, none of which can steal a user’s identity, alone. This work is also being extended to protect not only digital passwords, but also To further improve and expand the scope of these protocols to biometric authentication, IBM’s Dr. Julia Hesse received the Ambizione grant of CHF620,000 from the Swiss National Science Foundation.biometrics, such as fingerprints, which users also sometimes provide as identification.

These advanced protocols are likely to increase users’ trust in services such as e-commerce, e-voting, or mobile device authentication.

From hashing to OPRFs

The most common way to log in online using a password is “password-over-TLS,” where TLS stands for transport layer security. It works by sending a clear-text password to the servers of a web service provider, via secure channels.

The user knows they are using TLS (or the older secure sockets layer (SSL) certificate) when the website’s URL starts with “https” (instead of “http”) or when a padlock shows up in the browser address bar. But even though the user’s password travels securely to the server, there’s still a chance that it can be stolen at its destination.

While users may trust the companies that provide them with internet services, the fact that they need to reveal their password at each login poses a security threat. Can a website’s user really be assured that their password won’t end up in the wrong hands, due, say, to a dishonest employee or faulty software or hardware?

Typically, though, user passwords aren’t stored in clear text on companies’ servers, providing a certain degree of privacy protection. Instead, a “hash” is created with the help of a mathematical function. This hash — a sort of an encoded version of the password — is then stored along with the username in a password database. But when hackers breach into the password database, they’re often able to figure out the clear-text password from the hash.

This is what our new crypto techniques are trying to change. First, let’s dive into how users can be freed from the necessity to reveal their password every time they log into a website: For that, our team developed protocols that use Oblivious Pseudo-Random Functions (OPRFs) — mathematical techniques that allow for a more secure way to verify that a password matches its encoding in the database. Unlike with password-over-TLS, computing the encoding with OPRFs is done without revealing the password to the internet service provider.

Going back to the physical home analogy, using OPRFs means that instead of a user handing keys to a doorkeeper, the doorkeeper would, instead, hand over the electronic box to the user for verification. The user would insert the key into the box, and the doorkeeper would only be shown the result, confirming (or denying) the user’s identity. This reduces the risk associated with trusting the doorkeeper.

More doorkeepers, more security

Going a step further, our team looked into the potential security vulnerabilities of the servers that store the hashes linked to the passwords.

First, we published research into a modified and improved protocol¹ based on the popular single sign-on (SSO) authentication. Many websites rely on SSO when they offer users the ability to log in through their personal account with a social media company.

SSO removes the need to create an additional password for each new web service. In the doorkeeper analogy, this likens a situation in which a user has several homes (websites) but only one doorkeeper (the one social media company used for SSO) that handles their key for identity verification.

This does lower the risk. Only one doorkeeper needs to be trusted for access. However, that single doorkeeper is also a single point of failure; the doorkeeper could impersonate the user and enter any past websites visited without their knowledge.

So, we removed that single doorkeeper, and created a distributed SSO protocol that uses at least two social media providers for authentication. With this new method, server breaches will no longer result in leaked passwords.

With this new method, users never need to hand their password to a doorkeeper. Instead, they compute password encodings, themselves, using an OPRF protocol, assisted by the social media providers, who never learn the password in the process. The encodings are then fragmented into unintelligible pieces, and each piece is stored on a provider’s server.

Since none of the service providers have the full encoding, they can no longer figure out the password — and are therefore unable to impersonate the user. And neither can attackers who breach a provider’s database. The only way these distributed doorkeepers could steal a user’s identity is if they all conspired to do so together. But as long as just one of them remains honest, passwords and digital identities are safe.

To implement this distributed SSO protocol we use distributed OPRFs. This protocol abides by the principle that the best password is the one that never leaves a user’s device. Or, in this analogy, the safest way for a user to enter their home is to never give away their key.

With distributed SSO, it’s as if a user had never before signed into any website, and they could enjoy their internet journey without the need to ever share a password (or its hash) with any web service provider. That is a significant gain in terms of privacy protection considering how regular password database breaches have become.

The missing pieces of the hash

Next, we are investigating a version of distributed SSO known as “threshold distributed SSO” that necessitates three or more social media providers to generate a distributed hash. To log in, a user would only need some of them. But not all.

It means that a user’s identity can be verified even when some pieces of the hash (the encoded password) are missing. This complicates the underlying cryptography since we cryptographers must ensure the missing information doesn’t interfere with verification. But on the other hand, it enhances the user experience, as only a subset of the social media providers needs to be accessible for the verification to work.

It is still early days, but it won’t be long until users will be able enter their digital homes without handing their keys to a doorkeeper.

Watch the replay: New privacy and encryption developments

To learn more about the ways that IBM Research is developing cutting-edge technology, watch a replay of the November 24 discussion from The Future for AI & Quantum for Accelerated Discovery event. In this session, IBM cryptography researchers reported on their latest achievements in using cryptographic techniques to improve trust in everything from password privacy, to email encryption, and analytics of sensitive data.

• Dr. Julia Hesse, Research scientist, Cryptography & Privacy, IBM Research Europe-Zurich
• Dr. Luca De Feo, Research scientist, Cryptography & Privacy, IBM Research Europe-Zurich
• Dr. Bertram Poettering, Research scientist, Cryptographic Protocols, IBM Research Europe-Zurich
• Dr. Michael Osborne, Principal Research Scientist, Manager, Foundational Cryptography, IBM Research Europe-Zurich