ACM CCS conference proceedings, research article, open access. DOI: 10.1145/3658644.3690358

Password-Protected Key Retrieval with(out) HSM Protection

Published: 09 December 2024

Abstract

Password-protected key retrieval (PPKR) enables users to store and retrieve high-entropy keys from a server securely. The process is bootstrapped from a human-memorizable password only, addressing the challenge of how end-users can manage cryptographic key material. The core security requirement is protection against a corrupt server, which should not be able to learn the key or offline-attack it through the password protection. PPKR is deployed at a large scale with the WhatsApp Backup Protocol (WBP), allowing users to access their encrypted messaging history when switching to a new device. Davies et al. (Crypto'23) formally analyzed the WBP, proving that it satisfies most of the desired security. The WBP uses the OPAQUE protocol for password-based key exchange as a building block and relies on the server using a hardware security module (HSM) for most of its protection. In fact, the security analysis assumes that the HSM is incorruptible, rendering most of the heavy cryptography in the WBP obsolete.
In this work, we explore how provably secure and efficient PPKR can be built that either relies strongly on an HSM, but then takes full advantage of that, or requires weaker trust assumptions at the price of more advanced cryptography. To this end, we expand the definitional work by Davies et al. to allow the analysis of PPKR with fine-grained HSM corruption, such as leakage of user records or attestation keys. For each scenario, we aim to give minimal PPKR solutions. For the strongest corruption setting, namely a fully corrupted HSM, we propose a protocol with a simpler design and better efficiency than the WBP. We also fix an attack related to client authentication that was identified by Davies et al.
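The following Python program is an added illustration of the PPKR pattern the abstract describes (a password hardened through an OPRF whose key lives in an HSM, and a key "envelope" kept by an untrusted server). It is not the paper's protocol, not the WBP, and not code from the authors or from WhatsApp. Everything in it is my own simplification and assumption: a 2HashDH OPRF over secp256k1 with try-and-increment hashing to the curve (RFC 9380 would be used in practice), a hash-pad plus HMAC envelope instead of a real AEAD, no OPAQUE key exchange and no client authentication, a per-user HSM query budget that never resets, and no constant-time arithmetic. The names HSM, register, retrieve, online_guessing and offline_attack are mine. What it demonstrates is the trust split that the fine-grained HSM-corruption analysis is about: holding the server's record alone, an attacker can only guess passwords online through the metered HSM, while leakage of the OPRF key turns the very same record into a free offline dictionary attack.

```python
"""Toy PPKR from a 2HashDH OPRF: added illustration, not the paper's protocol or the WBP."""
import hashlib
import hmac
import secrets

P = 2**256 - 2**32 - 977                  # secp256k1 field prime, P % 4 == 3
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order

def ec_add(A, B):  # affine addition on y^2 = x^3 + 7; None is the point at infinity
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                   # B == -A
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # doubling (curve a == 0)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, A):  # double-and-add, not constant-time
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R

def hash_to_curve(msg):  # try-and-increment; real code would use RFC 9380
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(b"H2C" + ctr.to_bytes(4, "big") + msg).digest(), "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)     # square root, valid because P % 4 == 3
        if y * y % P == rhs:
            return (x, y)
        ctr += 1

def oprf_output(pw, point):  # second hash of 2HashDH: binds pw to k*H(pw)
    enc = point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")
    return hashlib.sha256(b"OPRF-Finalize" + pw + enc).digest()

class RateLimited(Exception): pass

class HSM:
    """Stand-in for the server's HSM: holds the OPRF key k and meters queries."""
    def __init__(self, max_evals):
        self.k = secrets.randbelow(N - 1) + 1
        self.max_evals, self.used = max_evals, {}
    def evaluate(self, uid, blinded):
        if blinded is None or pow(blinded[1], 2, P) != (pow(blinded[0], 3, P) + 7) % P:
            raise ValueError("not a curve point")   # reject invalid-curve inputs
        if self.used.get(uid, 0) >= self.max_evals:
            raise RateLimited(uid)
        self.used[uid] = self.used.get(uid, 0) + 1
        return ec_mul(self.k, blinded)    # the HSM never learns the password

def oprf_client(hsm, uid, pw):
    """Client side: blind H(pw) with r, query the HSM, unblind with r^-1."""
    r = secrets.randbelow(N - 1) + 1
    evaluated = hsm.evaluate(uid, ec_mul(r, hash_to_curve(pw)))
    return oprf_output(pw, ec_mul(pow(r, -1, N), evaluated))

def wrap_key(kek, key):
    """Toy envelope: 32-byte key XOR hash pad, then an HMAC tag. Not a real AEAD."""
    ct = bytes(a ^ b for a, b in zip(key, hashlib.sha256(b"pad" + kek).digest()))
    return ct + hmac.new(kek, b"tag" + ct, hashlib.sha256).digest()

def unwrap_key(kek, envelope):
    ct, tag = envelope[:32], envelope[32:]
    if not hmac.compare_digest(hmac.new(kek, b"tag" + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, hashlib.sha256(b"pad" + kek).digest()))

def register(hsm, uid, pw, backup_key):
    return wrap_key(oprf_client(hsm, uid, pw), backup_key)   # stored by the untrusted server

def retrieve(hsm, uid, pw, record):
    return unwrap_key(oprf_client(hsm, uid, pw), record)

def online_guessing(hsm, uid, record, dictionary):
    """Corrupt server, intact HSM: each guess costs one metered HSM query."""
    for guess in dictionary:
        try:
            key = retrieve(hsm, uid, guess, record)
        except RateLimited:
            return None                   # cut off by the per-user query budget
        if key is not None:
            return guess, key
    return None

def offline_attack(record, dictionary, leaked_k):
    """Leaked OPRF key: the OPRF is computable locally, so every guess is free."""
    for guess in dictionary:
        key = unwrap_key(oprf_output(guess, ec_mul(leaked_k, hash_to_curve(guess))), record)
        if key is not None:
            return guess, key
    return None
```

Two design points matter more than the toy crypto. First, the HSM only ever sees a blinded point, so even an honest-but-curious HSM learns nothing about the password, and its query counter is the only thing standing between a corrupt server and the password. Second, the envelope is worthless without the OPRF output, which is exactly why "leakage of the OPRF key" is a distinct corruption scenario from "leakage of user records": the first collapses the password's protection to an offline dictionary attack, the second does not. A real deployment would reset the budget only after the client authenticates, which needs the OPAQUE-style authentication this toy omits.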

References

[1]
Shashank Agrawal, Payman Mohassel, Pratyay Mukherjee, and Peter Rindal. 2018. DiSE: Distributed Symmetric-key Encryption. In ACM CCS 2018: 25th Conference on Computer and Communications Security, David Lie, Mohammad Mannan, Michael Backes, and XiaoFeng Wang (Eds.). ACM Press, Toronto, ON, Canada, 1993--2010. https://doi.org/10.1145/3243734.3243774
[2]
Ali Bagherzandi, Stanislaw Jarecki, Nitesh Saxena, and Yanbin Lu. 2011. Password-protected secret sharing. In ACM CCS 2011: 18th Conference on Computer and Communications Security, Yan Chen, George Danezis, and Vitaly Shmatikov (Eds.). ACM Press, Chicago, Illinois, USA, 433--444. https://doi.org/10.1145/2046707.2046758
[3]
Jean-Baptiste Bedrune and Gabriel Campana. 2019. Everybody be Cool, This is a Robbery! BlackHat USA 2019. http://i.blackhat.com/USA-19/Thursday/us-19-Campana-Everybody-Be-Cool-This-Is-A-Robbery.pdf, Accessed: 24.04.2024.
[4]
Steven M. Bellovin and Michael Merritt. 1993. Augmented Encrypted Key Exchange: A Password-Based Protocol Secure against Dictionary Attacks and Password File Compromise. In ACM CCS 93: 1st Conference on Computer and Communications Security, Dorothy E. Denning, Raymond Pyle, Ravi Ganesan, Ravi S. Sandhu, and Victoria Ashby (Eds.). ACM Press, Fairfax, Virginia, USA, 244--250. https://doi.org/10.1145/168588.168618
[5]
Dan Boneh and Victor Shoup. 2023. A Graduate Course in Applied Cryptography. http://toc.cryptobook.us/.
[6]
Victor Boyko, Philip D. MacKenzie, and Sarvar Patel. 2000. Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman. In Advances in Cryptology -- EUROCRYPT 2000 (Lecture Notes in Computer Science, Vol. 1807), Bart Preneel (Ed.). Springer, Heidelberg, Germany, Bruges, Belgium, 156--171. https://doi.org/10.1007/3-540-45539-6_12
[7]
Jan Camenisch, Anja Lehmann, Anna Lysyanskaya, and Gregory Neven. 2014. Memento: How to Reconstruct Your Secrets from a Single Password in a Hostile Environment. In Advances in Cryptology -- CRYPTO 2014, Part II (Lecture Notes in Computer Science, Vol. 8617), Juan A. Garay and Rosario Gennaro (Eds.). Springer, Heidelberg, Germany, Santa Barbara, CA, USA, 256--275. https://doi.org/10.1007/978-3-662-44381-1_15
[8]
Ran Canetti. 2000. Universally Composable Security: A New Paradigm for Cryptographic Protocols. Cryptology ePrint Archive, Report 2000/067. https://eprint.iacr.org/2000/067.
[9]
Ran Canetti. 2001. Universally Composable Security: A New Paradigm for Cryptographic Protocols. In 42nd Annual Symposium on Foundations of Computer Science. IEEE Computer Society Press, Las Vegas, NV, USA, 136--145. https://doi.org/10.1109/SFCS.2001.959888
[10]
Mihai Christodorescu, Sivanarayana Gaddam, Pratyay Mukherjee, and Rohit Sinha. 2021. Amortized Threshold Symmetric-key Encryption. In ACM CCS 2021: 28th Conference on Computer and Communications Security, Giovanni Vigna and Elaine Shi (Eds.). ACM Press, Virtual Event, Republic of Korea, 2758--2779. https://doi.org/10.1145/3460120.3485256
[11]
Poulami Das, Julia Hesse, and Anja Lehmann. 2022. DPaSE: Distributed Password-Authenticated Symmetric-Key Encryption, or How to Get Many Keys from One Password. In ASIACCS 22: 17th ACM Symposium on Information, Computer and Communications Security, Yuji Suga, Kouichi Sakurai, Xuhua Ding, and Kazue Sako (Eds.). ACM Press, Nagasaki, Japan, 682--696. https://doi.org/10.1145/3488932.3517389
[12]
Gareth T. Davies, Sebastian H. Faller, Kai Gellert, Tobias Handirk, Julia Hesse, Máté Horváth, and Tibor Jager. 2023. Security Analysis of the WhatsApp End-to-End Encrypted Backup Protocol. In Advances in Cryptology -- CRYPTO 2023, Part IV (Lecture Notes in Computer Science, Vol. 14084), Helena Handschuh and Anna Lysyanskaya (Eds.). Springer, Heidelberg, Germany, Santa Barbara, CA, USA, 330--361. https://doi.org/10.1007/978-3-031-38551-3_11
[13]
Sebastian Faller, Tobias Handirk, Julia Hesse, Máté Horváth, and Anja Lehmann. 2024. Password-Protected Key Retrieval with(out) HSM Protection. Cryptology ePrint Archive, Paper 2024/1384. https://eprint.iacr.org/2024/1384
[14]
Craig Gentry, Philip MacKenzie, and Zulfikar Ramzan. 2006. A Method for Making Password-Based Key Exchange Resilient to Server Compromise. In Advances in Cryptology -- CRYPTO 2006 (Lecture Notes in Computer Science, Vol. 4117), Cynthia Dwork (Ed.). Springer, Heidelberg, Germany, Santa Barbara, CA, USA, 142--159. https://doi.org/10.1007/11818175_9
[15]
Stanislaw Jarecki, Aggelos Kiayias, Hugo Krawczyk, and Jiayu Xu. 2016. Highly-Efficient and Composable Password-Protected Secret Sharing (Or: How to Protect Your Bitcoin Wallet Online). In IEEE European Symposium on Security and Privacy, EuroS&P 2016, Saarbrücken, Germany, March 21--24, 2016. IEEE, 276--291.
[16]
Stanislaw Jarecki, Hugo Krawczyk, and Jiayu Xu. 2018. OPAQUE: An Asymmetric PAKE Protocol Secure Against Pre-computation Attacks. In Advances in Cryptology -- EUROCRYPT 2018, Part III (Lecture Notes in Computer Science, Vol. 10822), Jesper Buus Nielsen and Vincent Rijmen (Eds.). Springer, Heidelberg, Germany, Tel Aviv, Israel, 456--486. https://doi.org/10.1007/978-3-319-78372-7_15
[17]
Ivan Krstic. 2016. Behind the scenes with iOS security. https://www.blackhat.com/docs/us-16/materials/us-16-Krstic.pdf, Accessed: 18.04.2024.
[18]
Joshua Lund. 2019. Technology preview for secure value recovery. https://signal.org/blog/secure-value-recovery/, Accessed: 18.04.2024.
[19]
Chris Orsini, Alessandra Scafuro, and Tanner Verber. 2023. How to Recover a Cryptographic Secret From the Cloud. Cryptology ePrint Archive, Paper 2023/1308. https://eprint.iacr.org/2023/1308
[20]
Rafael Pass, Elaine Shi, and Florian Tramèr. 2017. Formal Abstractions for Attested Execution Secure Processors. In Advances in Cryptology -- EUROCRYPT 2017, Part I (Lecture Notes in Computer Science, Vol. 10210), Jean-Sébastien Coron and Jesper Buus Nielsen (Eds.). Springer, Heidelberg, Germany, Paris, France, 260--289. https://doi.org/10.1007/978-3-319-56620-7_10
[21]
Alessandra Scafuro. 2019. Break-glass Encryption. In PKC 2019: 22nd International Conference on Theory and Practice of Public Key Cryptography, Part II (Lecture Notes in Computer Science, Vol. 11443), Dongdai Lin and Kazue Sako (Eds.). Springer, Heidelberg, Germany, Beijing, China, 34--62. https://doi.org/10.1007/978-3-030-17259-6_2
[22]
Alon Shakevsky, Eyal Ronen, and Avishai Wool. 2022. Trust Dies in Darkness: Shedding Light on Samsung's TrustZone Keymaster Design. In 31st USENIX Security Symposium (USENIX Security 22). USENIX Association, Boston, MA, 251--268. https://www.usenix.org/conference/usenixsecurity22/presentation/shakevsky
[23]
Jo Van Bulck, Marina Minkin, Ofir Weisse, Daniel Genkin, Baris Kasikci, Frank Piessens, Mark Silberstein, Thomas F. Wenisch, Yuval Yarom, and Raoul Strackx. 2018. Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution. In 27th USENIX Security Symposium (USENIX Security 18). 991--1008.
[24]
Jo Van Bulck, Frank Piessens, and Raoul Strackx. 2017. SGX-Step: A practical attack framework for precise enclave execution control. In Proceedings of the 2nd Workshop on System Software for Trusted Execution. 1--6.
[25]
Shabsi Walfish. 2018. Google Cloud Key Vault Service. https://developer.android.com/about/versions/pie/security/ckv-whitepaper, Accessed: 18.04.2024.
[26]
Xunhua Wang and Ben Huson. 2020. Robust distributed symmetric-key encryption. Cryptology ePrint Archive, Report 2020/1001. https://eprint.iacr.org/2020/1001.
[27]
WhatsApp. 2021. Security of End-to-End Encrypted Backups. https://www.whatsapp.com/security/WhatsApp_Security_Encrypted_Backups_Whitepaper.pdf, Accessed: 18.04.2024.

Information

Published In

CCS '24: Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security
December 2024
5188 pages
ISBN: 9798400706363
DOI: 10.1145/3658644
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery
New York, NY, United States

Author Tags

1. oprf
2. password-based cryptography
3. secure messaging
4. universal composability

Qualifiers

• Research-article

Funding Sources

• ERC
• SNF
• DFG

Conference

CCS '24

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%