Many information systems such as computer networks use secret data to perform security functions, which include but are not limited to entity authentication, data encryption or decryption, communication integrity protection, and other security services. For example, passwords or PINs (Personal Identification Numbers) are common secret data used as an input to authenticate a user. Chosen by owners or authorized users, passwords and PINs are probably among the earliest types of secret data used in security services. Such human-chosen secrets are generally considered weak secrets, because they are often guessable and are therefore vulnerable to several known attacks, particularly in the environment of the Internet or other computer networks. It is generally recognized that the use of human-chosen secrets alone may not be sufficient to perform security services in many circumstances. Accordingly, other forms of secret data may further be required for security services. Examples of secret data that are not chosen by users include but are not limited to private keys used in a Public-Key Infrastructure (PKI) environment, vendor-provided (long) PINs used for authenticating a bank account or a membership, vendor-provided decryption keys for deciphering scrambled information content, secret keys of symmetric cryptography for generating Message Authentication Codes (MACs), session keys for keeping messages confidential during a communication session, and other secret information. Such secrets are not chosen by users and are usually generated by computer code. Secrets of this type are hereafter referred to as computer-generated secrets. Protection of both computer-generated secrets and human-chosen secrets is increasingly important and is becoming increasingly difficult on the Internet and in computer networks in general.
Computer-generated secrets for security services usually contain more data bits than a user-chosen secret does and often carry no semantic meaning for human beings. Because of this lack of semantic meaning, it is generally difficult, if not impossible, for a person to memorize a computer-generated secret. Therefore, two needs with different orientations exist. There is a human need to use user-chosen secrets such as passwords; on the other hand, there is a system need to use computer-generated secrets such as cryptographic keys. Over the past decades of the Internet era, many solutions have been developed to meet both needs in an information system. A solution is acceptable only if it securely protects both the computer-generated secret and the human-chosen secret.
In one approach, a computer-generated secret is generated, regenerated or recovered at a client by accepting human-chosen secret data, with the assistance of other computing facilities connected to the client through the network. In this context, a client is a network station or device that is capable of performing computational tasks and of communicating with other network stations or devices. The other network-connected computing facilities that assist a client are referred to as servers.
Various solutions adopting the server-assistance approach were surveyed by R. Perlman and C. Kaufman and published in “Secure Password-Based Protocol for Downloading a Private Key,” Proc. 1999 Network and Distributed System Security Symposium, Internet Society (January 1999). Bellovin and Merritt's EKE (Encrypted Key Exchange) protocol (1992) is included in this survey. See Bellovin and Merritt, “Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks,” in Proceedings of the IEEE Symposium on Security and Privacy, pp. 72-84 (1992). EKE allows a client and a server that share a common password to generate cryptographic keys for confidential and authenticated message communication. Related patents include U.S. Pat. Nos. 5,241,599 and 5,440,635. These and other solutions using the server-assistance approach are limited in their effectiveness, in part because the server itself becomes a major point of vulnerability, or because they require authenticated and often complicated communication between the server and its clients.
Kaliski presented a method in 2001 that permits a client to regenerate a computer-generated secret (a strong secret) from human-chosen secrets (weak secret data) with the assistance of servers, while remaining resistant to attacks on the servers. See U.S. patent publication No. 20010055388, entitled “Server-assisted regeneration of a strong secret from a weak secret.” In one application, the regenerated secret is an input to user authentication. In another application, the regenerated secret is a decryption key used to decipher private data, such as a private key in public-key cryptography. An indispensable part of the method is a computing process for generating the strong secret. In other words, a strong secret can only be regenerated by the method if it was initially generated by the same method; a secret originating from a system built on some other secret-data generating scheme cannot be regenerated in this way.
In another approach, the computer-generated secret is stored on a secure hardware token. The hardware token is physically connected to a client computer, and the secret is made accessible to a user at the client computer upon acceptance of the user's chosen secret. An integrated circuit card (IC card) is a typical example of a secure hardware token. An IC card forms a two-factor authenticator: the card itself and a PIN. The PIN, a short PIN, is chosen by the cardholder and is used to authenticate the cardholder's access to a computer-generated secret, such as a private key, stored on the card. IC cards have secure, tamper-resistant memory for storing secrets. In some implementations, the processor inside the IC card can perform critical computations entirely within the card, thereby preventing the protected secret from ever leaving it. As an example, signing the digest (digital fingerprint) of a message is carried out inside the card where the signature private key is stored. This additional capability is useful for protecting highly sensitive secret information.
In the physical-token approach, the secret under protection can originate from a variety of secret-data generating computer codes. In this sense, the physical-token approach can be adopted to accommodate the needs of the various security services now in use, as well as those to be developed in the future.
Using IC cards to protect computer-generated secret data incurs additional hardware cost, because it demands the use of cards as well as card readers and other equipment such as card manufacturing equipment. Using IC cards further causes user inconvenience, since card readers are not yet ubiquitous.
Other memory devices or storage apparatuses, such as a USB (Universal Serial Bus) memory device, an RFID (Radio Frequency Identification) tag or a diskette, are more convenient and less costly. However, data on these media are easily copied. Therefore, a USB device, an RFID tag, a diskette or a similar medium may not be a secure token. Secrets stored on these media are often encrypted using a password as the encryption key. The password, or its verification data (such as a hash value of the password), must be saved somewhere so that password entries can be validated. Theft of the password or of the verification data presents a threat to the security of such secrets. Password guessing is another threat whenever the encrypted secret is available or accessible to an attacker: with a copy of the encrypted secret, each candidate password can be tested offline without any interaction with the system. Cryptanalysis is a further threat that can break the encrypted secret; some cryptanalysis techniques demand no prior knowledge of the encryption key, namely the password.
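The following Python program is an added illustration of the two password-related threats described above (theft of the verification data, and offline guessing against a copy of the encrypted secret); it is not code from the original document. It stores a constructed 256-bit "private key" encrypted under a password, as a file on a copyable medium might be, and then shows that an attacker holding a copy can recover the password and the secret from a small word list. The names (protect_secret, recover_secret, guess_via_verifier, guess_via_ciphertext), the sample key and the word list are all assumptions made for this example; the SHA-256 counter-mode keystream stands in for a real block cipher and is not a recommended construction.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Deliberately small so the example runs quickly; real deployments use far more.
ITERATIONS = 1000


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Turn the human-chosen password into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def keystream(key: bytes, length: int) -> bytes:
    """Illustrative counter-mode keystream from SHA-256 (stand-in for a real cipher such as AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def protect_secret(secret: bytes, password: str, salt: Optional[bytes] = None) -> dict:
    """Encrypt a computer-generated secret under a password and store verification data beside it,
    as described for secrets kept on a USB device or diskette. Returns the 'file' as a dict."""
    salt = salt if salt is not None else os.urandom(16)
    key = derive_key(password, salt)
    ciphertext = bytes(a ^ b for a, b in zip(secret, keystream(key, len(secret))))
    tag = hmac.new(key, ciphertext, "sha256").digest()  # integrity check on the ciphertext
    verifier = hashlib.sha256(password.encode("utf-8")).digest()  # "hash value of the password"
    return {"salt": salt, "ciphertext": ciphertext, "tag": tag, "verifier": verifier}


def recover_secret(blob: dict, password: str) -> Optional[bytes]:
    """Legitimate use: derive the key, check the tag, decrypt. Returns None on a wrong password."""
    key = derive_key(password, blob["salt"])
    expected = hmac.new(key, blob["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], keystream(key, len(blob["ciphertext"]))))


def guess_via_verifier(blob: dict, wordlist) -> Tuple[Optional[str], int]:
    """Threat 1: the stolen verification data alone lets an attacker test guesses,
    at the cost of a single SHA-256 per candidate. Returns (password, guesses tried)."""
    for tries, candidate in enumerate(wordlist, 1):
        if hashlib.sha256(candidate.encode("utf-8")).digest() == blob["verifier"]:
            return candidate, tries
    return None, len(wordlist)


def guess_via_ciphertext(blob: dict, wordlist) -> Tuple[Optional[str], Optional[bytes], int]:
    """Threat 2: even with the verifier removed, a copy of the encrypted secret is itself a
    test oracle (the tag tells the attacker when a guess is right). Each guess costs one PBKDF2
    run, which slows the attack down but does not prevent it."""
    for tries, candidate in enumerate(wordlist, 1):
        secret = recover_secret(blob, candidate)
        if secret is not None:
            return candidate, secret, tries
    return None, None, len(wordlist)


# Constructed sample data for this example (not from the original document).
PRIVATE_KEY = bytes.fromhex("7f" * 32)  # stand-in for a 256-bit computer-generated secret
WORDLIST = ["123456", "password", "letmein", "qwerty", "summer2004", "dragon"]


def run_demo() -> dict:
    """Protect the key under a guessable password, then attack a copy of the stored file."""
    stored = protect_secret(PRIVATE_KEY, "summer2004")
    copied = dict(stored)  # the attacker copies the medium; nothing stops this
    pw1, tries1 = guess_via_verifier(copied, WORDLIST)
    stripped = {k: v for k, v in copied.items() if k != "verifier"}  # verifier kept elsewhere
    pw2, secret2, tries2 = guess_via_ciphertext(stripped, WORDLIST)
    return {"via_verifier": (pw1, tries1), "via_ciphertext": (pw2, secret2, tries2)}


if __name__ == "__main__":
    result = run_demo()
    print("verifier attack  :", result["via_verifier"])
    print("ciphertext attack:", result["via_ciphertext"][0], result["via_ciphertext"][1].hex())
```

Both attacks succeed after five guesses because the password is in the word list; no interaction with the legitimate system is needed once the medium has been copied. A slow key derivation raises the cost of the second attack per guess but does not change the outcome, which is the point the text makes about copyable media: the human-chosen password is the only thing standing between an attacker with a copy and the computer-generated secret.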