Paper 2020/1544

PAS-TA-U: PASsword-based Threshold Authentication with PASsword Update

Rachit Rawat and Mahabir Prasad Jhanwar

Abstract

Single sign-on (SSO) is an authentication system that allows a user to log in with a single identity and password to any of several related, yet independent, server applications. SSO solutions eliminate the need for users to repeatedly prove their identities to different applications and hold different credentials for each application. Token-based authentication is commonly used to enable an SSO experience on the web and on enterprise networks. A large body of work considers distributed token generation, which can protect the long-term keys against a subset of breached servers. A recent work (CCS'18) introduced the notion of Password-based Threshold Authentication (PbTA) with the goal of making password-based token generation for SSO secure against server breaches that could compromise both long-term keys and user credentials. They also introduced a generic framework called PASTA that can instantiate a PbTA system. The existing SSO systems built on distributed token generation techniques, including the PASTA framework, do not admit password-update functionality. In this work, we address this issue by adding a password-update functionality to the PASTA framework. We call the modified framework PAS-TA-U. As a concrete application, we instantiate PAS-TA-U to implement in Python a distributed SSH key manager for enterprise networks (ESKM) that also admits a password-update functionality for its clients. Our experiments show that the overhead of protecting secrets and credentials against breaches in our system compared to a traditional single server setup is low (average 119 ms in a 10-out-of-10 server setting on the Internet with 80 ms round trip latency).

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. Minor revision. SPACE 2020: Tenth International Conference on Security, Privacy and Applied Cryptographic Engineering
Keywords
Password-based Authentication, Threshold Cryptography
Contact author(s)
mahavir jhawar @ ashoka edu in
History
2020-12-13: received
Short URL
https://ia.cr/2020/1544
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2020/1544,
      author = {Rachit Rawat and Mahabir Prasad Jhanwar},
      title = {{PAS}-{TA}-U: {PASsword}-based Threshold Authentication with {PASsword} Update},
      howpublished = {Cryptology {ePrint} Archive, Paper 2020/1544},
      year = {2020},
      url = {https://eprint.iacr.org/2020/1544}
}