We recently developed a set of novel cryptographic protocols that lets users authenticate themselves online with virtually the same security guarantees as hardware security tokens, but without all their practical inconveniences.
Our protocols prove that it is indeed possible to achieve strong security based only on easy-to-memorize passwords, contrary to the widespread belief that the use of passwords has become insecure. Because weak passwords can be easily entered on touchscreen keyboards, our protocols are ideal for use on mobile devices.
The security of hardware tokens
For security-sensitive use cases such as e-banking, companies often resort to tamper-proof hardware such as smart cards, SIM cards, or trusted platform modules (TPMs). These hardware tokens provide an interface to interact with cryptographic keys, e.g., to compute digital signatures or to encrypt and decrypt data, whereas the corresponding private keys are generated and stored inside the token and cannot be extracted. Usually, a password or PIN code is used as an additional layer of protection. Offline attacks on this password or PIN are impossible because the token will become blocked after too many failed attempts. Moreover, depending on the use case, a lost or stolen token can be rendered useless by revoking the corresponding public key.
Despite these outstanding security guarantees (which are also referred to as non-exportability, anti-hammering, and revocability), hardware tokens are extremely unpopular because of their inconvenience and their difficulty to employ and manage.
Hardware token security — without hardware tokens
The cryptographic protocols we have developed enable the distributed computation of digital signatures and decryption. To achieve their strong security guarantees, our protocols rely on interaction with an online server and require the user merely to remember a (potentially even very weak) password.
The security guarantees of our protocols are practically identical to those provided by hardware tokens for the following three reasons:
Non-exportability. The involved private key is secret-shared across the device and an online server such that each share by itself is worthless. Cryptographic operations are performed jointly by device and server, but without ever reconstructing the private key. Because the distributed key shares are worthless on their own, the private key is safe as long as not both the device and the server are compromised. Also, the server cannot impersonate the user.
Revocability. The user can instruct the server to longer cooperate no longer with the protocol in the case that the device is stolen, lost, or otherwise compromised.
Anti-hammering, online attack prevention. The online server is involved in every cryptographic operation and in verifying the password (without learning it!). Thus, the server can throttle and eventually block failed authentication attempts. The possibility to block after too many failed authentication attempts is also the reason why the involved password can be weak.
Resistant against offline attacks
Our protocols realize a virtual smartcard on the one hand, and multi-factor authentication on the other hand as the authentication transaction succeeds only if both the user’s password and the user’s device (with its key share) are involved. Even in situations where the authentication server’s infrastructure is compromised (e.g., is hacked) or the user’s device falls into an attacker’s hands, the user’s password (and keys) is safe in the sense that offline attacks on it are impossible.
Despite their strong security guarantees, our protocols are simple and efficient and we have a prototype implementation readily available.
Contact the experts
Jan Camenisch
IBM Research scientist
Anja Lehmann
IBM Research scientist
Gregory Neven
IBM Research scientist
Franz-Stefan Preiss
IBM Research scientist
Kai Samelin
IBM Research scientist