Almost all cryptographic software relies, among other things, on storing secrets. Such software often assumes that the storage is persistent and preserves the confidentiality of the secret. This is commonly achieved by using secure hardware such as a smart card as the storage medium. Access to the secrets then depends on two factors: having access to the secure hardware—the so-called “what you have” factor—and knowing the right code, such as a PIN, that unlocks the access (the “what you know” factor). The code is typically just a few digits or characters long.
Cryptographic software that runs on personal computers, tablets, smart phones or similar unsecure devices often has to work without any secure hardware: persistent storage is available, but the measures available to preserve the integrity and confidentiality of the secret are limited.
The invention at hand focuses on software running on such unsecure devices. A commonly used approach to implement two-factor cryptography on such a device is to store the secrets in a file called a keystore, which is encrypted using a long passphrase. However, long passphrases are burdensome to use, and the more limited the device's keyboard, especially one without a “qwerty” keyboard, the more burdensome they become.
Using a PIN or another short passphrase would make the software more user-friendly, but a brute-force attack on the encrypted file would then become feasible. Typically, dictionary attacks can enable an attacker to access the content of the sensitive data store.
Another difference between unsecure devices and secure devices like smart cards is that copying a smart card along with the stored secrets is considered extremely difficult whereas copying a keystore from an unsecure device is usually considered quite feasible.
Thus, in general, unsecure devices cannot reliably provide two-factor cryptography because the core of the “what you have” factor—the keystore—can be cloned to other devices. After cloning, the keystore is no longer considered to be “what you have” but to be “what anyone might have”. Furthermore, it may take a long time to detect that cloning has taken place or it may go totally unnoticed.
Relying on a server to access sensitive data is known from U.S. Pat. No. 7,149,311. This document discloses several server-based solutions, some relying on the use of a trusted server to store keys. In this case, sensitive data are sent to a device on the device's request.
This has the drawback that the private key itself is delivered once the password is known. If the password is guessed or attacked, an attacker will obtain the key from the server and will be able to use it for an unlimited time.
This document also describes a server-based protocol in which part of the cryptographic calculations is performed by the server. As long as this server is secure, this increases security with regard to the manipulation of sensitive data. Nevertheless, this solution is not directly relevant to offline dictionary attacks and presents weaknesses similar to those of the previous solution.
More specifically, the invention described in U.S. Pat. No. 7,149,311 proposes to divide the key into shares and to use the server for the retrieval of one of the shares. For this purpose, the device's request to the server comprises cryptographic information included in the data stored in the keystore and previously generated from the key, i.e. a share of the key. The data protected in the keystore of this prior art are not arbitrary data but shares of a key. Such a keystore is not intended to hold whole sensitive data of any kind that need to be protected. The server gives partial assistance to extract the share, which is then used in the device to recover the whole key. This solution implies computation inside the server and inside the device, both before and during operation of the method.
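The following is an added illustration, not code from the patent or from U.S. Pat. No. 7,149,311, of the two contrasting designs discussed above: a keystore that wraps the whole key under a PIN-derived key, and a keystore that holds only one share of the key while a server holds the other. The PBKDF2 wrapping, the XOR-based share splitting, the check tag, the PIN value and the low iteration count are all constructed for the example; the prior-art protocol itself is not reproduced. The point it makes concrete is the one in the text: a keystore that can locally confirm a PIN is an offline guessing oracle over a tiny PIN space, whereas a device-side share with no local check gives an offline attacker nothing to verify a guess against.

```python
"""Constructed example: PIN-wrapped whole key vs. PIN-wrapped key share (not the patent's code)."""
import hashlib
import hmac
import secrets
from itertools import product

KEY_LEN = 32
KDF_ITERATIONS = 1_000  # deliberately low so the whole PIN space can be enumerated quickly


def derive_wrapping_key(pin: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch a short PIN into a 32-byte wrapping key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations, dklen=KEY_LEN)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def make_whole_key_keystore(key: bytes, pin: str, iterations: int = KDF_ITERATIONS) -> dict:
    """Design 1: the whole key is wrapped under the PIN, plus a check tag so the
    device can tell a right PIN from a wrong one. That tag is what an offline
    guesser uses as an oracle."""
    salt = secrets.token_bytes(16)
    wk = derive_wrapping_key(pin, salt, iterations)
    return {
        "salt": salt,
        "wrapped": xor_bytes(key, wk),  # one-time-pad style wrap; key and wk are both 32 bytes
        "check": hmac.new(key, b"keystore-check", "sha256").digest(),
    }


def unlock_whole_key(ks: dict, pin: str, iterations: int = KDF_ITERATIONS):
    """Return the key if the PIN is right, else None (the local check decides)."""
    wk = derive_wrapping_key(pin, ks["salt"], iterations)
    key = xor_bytes(ks["wrapped"], wk)
    tag = hmac.new(key, b"keystore-check", "sha256").digest()
    return key if hmac.compare_digest(tag, ks["check"]) else None


def split_key(key: bytes):
    """Design 2: a random device share and a server share = key XOR device share.
    Either share alone is uniformly random and reveals nothing about the key."""
    device_share = secrets.token_bytes(len(key))
    return device_share, xor_bytes(key, device_share)


def make_split_keystore(device_share: bytes, pin: str, iterations: int = KDF_ITERATIONS) -> dict:
    """Only the device share is stored, wrapped under the PIN and with no check
    tag: the file contains nothing against which a PIN guess could be verified."""
    salt = secrets.token_bytes(16)
    wk = derive_wrapping_key(pin, salt, iterations)
    return {"salt": salt, "wrapped": xor_bytes(device_share, wk)}


def unlock_split(ks: dict, pin: str, server_share: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Recombine the locally unwrapped share with the share fetched from the server."""
    wk = derive_wrapping_key(pin, ks["salt"], iterations)
    return xor_bytes(xor_bytes(ks["wrapped"], wk), server_share)


def pin_space(digits: int = 4):
    """All numeric PINs of the given length (10**digits candidates)."""
    return ("".join(p) for p in product("0123456789", repeat=digits))


def count_locally_verifiable_pins(ks: dict, iterations: int = KDF_ITERATIONS) -> int:
    """How many candidate PINs does the keystore alone confirm as correct?
    1 for the whole-key design (the file is an offline oracle); 0 for the
    split design, where every candidate unwraps to an equally plausible share
    and only the server, which can rate-limit, could tell them apart."""
    if "check" not in ks:
        return 0
    return sum(1 for pin in pin_space() if unlock_whole_key(ks, pin, iterations) is not None)


if __name__ == "__main__":
    key = secrets.token_bytes(KEY_LEN)
    pin = "4821"  # constructed sample PIN
    whole = make_whole_key_keystore(key, pin)
    device_share, server_share = split_key(key)
    split = make_split_keystore(device_share, pin)
    print("whole-key design, PINs the file confirms:", count_locally_verifiable_pins(whole))
    print("split design, PINs the file confirms:   ", count_locally_verifiable_pins(split))
    print("split design recovers key with server: ", unlock_split(split, pin, server_share) == key)
```

The enumeration in `count_locally_verifiable_pins` covers the full four-digit space in well under a second at this iteration count, which is the practical meaning of the sentence above about brute force becoming feasible; raising the PBKDF2 cost only scales that time linearly, it does not remove the oracle. In the split design the same loop has no stopping criterion, so recovering the key requires the server share on every attempt, and the server can count and throttle those attempts.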