Paper 2023/809

Password-Based Credentials with Security against Server Compromise

Dennis Dayanikli, Hasso-Plattner-Institute, University of Potsdam
Anja Lehmann, Hasso-Plattner-Institute, University of Potsdam
Abstract

Password-based credentials (PBCs), introduced by Zhang et al. (NDSS'20), provide an elegant solution to secure, yet convenient user authentication. Therein, the user establishes a strong cryptographic access credential with the server. To avoid the assumption of secure storage on the user side, the user does not store the credential directly, but only a password-protected version of it. The ingenuity of PBCs is that the password-based credential cannot be attacked offline, offering essentially the same strong security as standard key-based authentication. This security relies on a secret key of the server that is needed to verify whether an authentication token derived from a password-based credential and password is correct. However, the work by Zhang et al. assumes that this server key never gets compromised, and their protocol loses all security in case of a breach. As such a passive leak of the server's stored verification data is one of the main threats in user authentication, our work aims to strengthen PBCs to remain secure even when the server's key is compromised. We first show that the desired security against server compromise is impossible to achieve in the original framework. We then introduce a modified version of PBCs that circumvents our impossibility result and formally define a set of security properties, each being optimal for the respective corruption setting. Finally, we propose a surprisingly simple construction that provably achieves our stronger security guarantees and is generically composed from basic building blocks.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. ESORICS '23
Keywords
Passwords, Authentication, Password-Based Credentials
Contact author(s)
dennis dayanikli @ hpi de
anja lehmann @ hpi de
History
2023-06-06: approved
2023-06-01: received
Short URL
https://ia.cr/2023/809
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/809,
      author = {Dennis Dayanikli and Anja Lehmann},
      title = {Password-Based Credentials with Security against Server Compromise},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/809},
      year = {2023},
      url = {https://eprint.iacr.org/2023/809}
}