User authentication is an important element in modern computer security. Even though there are authentication mechanisms based on biometric devices (“what the user is”) and physical devices such as smart cards (“what the user has”), the most widespread strategy is still to rely on secret passwords (“what the user knows”). This is because password-based authentication is familiar to users, simple, cost-effective and efficient. Whether this is right or wrong, the advantages of password-based authentication in practice tend to outweigh any disadvantages, for example those related to the problem of choosing strong, yet easy-to-remember passwords. Thus, it is likely that password-based authentication will remain in use for quite some time into the future.
Typical password-based systems employ key derivation functions (KDFs). These are cryptographic algorithms that generate a pseudorandom string of bits from the password itself. Typically, the output of a KDF is employed in one of two ways: it can be stored locally in the form of a “token” for future verification of the password, or it can be used as the secret key for data encryption and/or authentication. In either case, such solutions employ, internally, a one-way function (e.g., a hash function), so that recovering the password from the key derivation's output is computationally infeasible. Nonetheless, an attacker can still mount so-called “dictionary attacks”, in which many different passwords are tried until a match is found.
Key derivation functions usually rely on two basic strategies for hindering such brute-force attacks. The first is to deliberately raise the computational cost of every password guess, in terms of processing time and/or memory usage. The second is to take as input not only the user-memorisable password, but also a sequence of random bits known as a “salt”. The presence of such a random value thwarts attacks based on pre-built tables of common passwords, i.e., the attacker is forced to create a new table from scratch for every different salt. The salt can thus be seen as an index into a large set of possible keys derived from the password, and need not be memorised by the user or kept secret.
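The two strategies above (a tunable cost per guess and a per-user salt) can be seen together in a small Python example, added here and not part of the original text. It uses PBKDF2-HMAC-SHA256 from the standard library as the KDF; the 16-byte salt length, the iteration count and the token layout are assumptions chosen for the illustration, not values from the page.

```python
import hashlib
import hmac
import os
import time

# Constructed parameters (not from the page): 16-byte random salt, 32-byte key,
# and an iteration count that acts as the "computational cost" knob.
SALT_BYTES = 16
KEY_LEN = 32
ITERATIONS = 100_000


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """One-way derivation: password + salt -> pseudorandom key (the KDF itself)."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def make_token(password: str, iterations: int = ITERATIONS) -> dict:
    """Build the locally stored verification token.

    Only the salt, the cost parameter and the derived key are kept; the
    password itself is never stored.
    """
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "iterations": iterations,
            "key": derive_key(password, salt, iterations)}


def verify_password(password: str, token: dict) -> bool:
    """Re-derive with the stored salt/cost and compare in constant time."""
    candidate = derive_key(password, token["salt"], token["iterations"])
    return hmac.compare_digest(candidate, token["key"])


def salt_changes_output(password: str) -> bool:
    """Same password, two different salts -> two unrelated keys.

    This is why a table precomputed for one salt is useless for another.
    """
    s1, s2 = os.urandom(SALT_BYTES), os.urandom(SALT_BYTES)
    return derive_key(password, s1) != derive_key(password, s2)


def cost_ratio(password: str, low: int = 1_000, high: int = 100_000) -> float:
    """Show how the iteration count scales the cost paid for every single guess."""
    salt = os.urandom(SALT_BYTES)
    t0 = time.perf_counter()
    derive_key(password, salt, low)
    t1 = time.perf_counter()
    derive_key(password, salt, high)
    t2 = time.perf_counter()
    return (t2 - t1) / max(t1 - t0, 1e-9)


if __name__ == "__main__":
    tok = make_token("correct horse battery staple")
    print("verify correct :", verify_password("correct horse battery staple", tok))
    print("verify wrong   :", verify_password("Tr0ub4dor&3", tok))
    print("salt matters   :", salt_changes_output("correct horse battery staple"))
    print("cost x100 iters:", round(cost_ratio("correct horse battery staple"), 1))
```

The token stores the salt in the clear, which is exactly the point made later on this page: the salt defeats precomputation, but once salt and token are in an attacker's hands the only remaining defence is the per-guess cost set by the iteration count.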
Data delivery to remote locations typically employs password-authenticated key exchange (PAKE) protocols. Such schemes allow two or more parties who share a secret, such as a password or information derived from a password, to authenticate each other and establish a secure channel for protecting their communications. In order to be considered secure, PAKE solutions should ensure that an unauthorised party (one who controls the communication channel but has no access to the password) is unable to learn the resulting key and is, as far as possible, unable to guess the password using offline brute-force attacks.
The security of a computer system commonly depends on the condition that attackers cannot gain access to its underlying secret (e.g., a password). In practice, however, ensuring that this condition is met is a difficult challenge. In addition, most strategies employed to hinder the exposure of secret keys end up raising costs, and may not be adequate for use in all scenarios. Examples include the use of special devices (e.g., smart cards) and multi-factor mechanisms (e.g., regular passwords combined with smart cards and/or biometric readings). Therefore, a sufficiently motivated attacker may succeed in exposing a system's secrets (e.g., by stealing a device and directly accessing its storage unit).
It is possible to build password-based protocols having so-called “perfect forward security” (also called perfect forward secrecy). In the case of PAKE schemes, this property can be stated as follows: if long-term secret information (e.g., the password) is revealed to an attacker, this information cannot be used to obtain keys (and thus access encrypted information) from past communications. This effectively protects all information previously exchanged. In other words, if the parties participating in the protocol share a long-term secret S and run the protocol r times before the password S is discovered by an attacker, that attacker is unable to determine the set of ephemeral keys {K1, ..., Kr} generated prior to the disclosure of S. Only the subsequent keys Kr+i (i > 0) generated using the same password S can be compromised by that attacker.
This concept is an integral part of many modern security solutions, including pseudorandom generators, digital signatures and public-key encryption. It is usually employed for securing data channels between communicating parties during a limited, temporary interaction. Nonetheless, it is also possible to apply the perfect forward secrecy concept to the context of secure data storage, avoiding the encryption of large quantities of data under a single secret key. A drawback of applying forward secrecy is that such a strategy incurs additional operations and, most likely, a more complex key management/evolution scheme. In addition, perfect forward secrecy schemes store data such that it is not accessible (e.g., for further update/editing) even by an authorised user, since even knowledge of the password must not allow access to the stored data.
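To make the property in the two paragraphs above concrete, here is an added Python example (not code from the page or from any project it describes) of a key-evolving scheme of the kind the previous paragraph mentions. It models the sequence K1, ..., Kr as outputs of a one-way ratcheting state: the initial state mixes the password-derived key with one-time randomness that is discarded, and each step replaces the state with a one-way function of itself. Stealing the device state after r sessions therefore yields only Kr+1, Kr+2, ..., and learning the password S alone yields none of the chain. The HMAC-SHA256 labels, the 32-byte entropy and the class layout are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple


def prf(key: bytes, label: bytes) -> bytes:
    """Keyed one-way function used for both key output and state evolution."""
    return hmac.new(key, label, hashlib.sha256).digest()


class EvolvingKeyStore:
    """Forward-secure key sequence K1, K2, ... from a ratcheting state.

    Assumption: password_key is the KDF output for the long-term password S.
    One-time randomness is folded into state_0 and then dropped, so S (and
    hence password_key) on its own does not reproduce the chain.
    """

    def __init__(self, password_key: bytes, entropy: Optional[bytes] = None):
        if entropy is None:
            entropy = os.urandom(32)          # never stored anywhere
        self._state = prf(password_key, b"seed|" + entropy)
        self.epoch = 0

    def next_key(self) -> bytes:
        """Emit K_{epoch+1}, then ratchet so the emitting state is gone."""
        k = prf(self._state, b"key")
        self._state = prf(self._state, b"next")   # one-way step; old state erased
        self.epoch += 1
        return k

    def snapshot(self) -> Tuple[int, bytes]:
        """What an adversary obtains by reading the device's memory now."""
        return self.epoch, self._state


def run_sessions(password_key: bytes, r: int,
                 entropy: Optional[bytes] = None) -> Tuple[List[bytes], EvolvingKeyStore]:
    """Run the scheme r times; returns [K1..Kr] and the store in state_r."""
    store = EvolvingKeyStore(password_key, entropy)
    keys = [store.next_key() for _ in range(r)]
    return keys, store


def keys_after_compromise(snapshot: Tuple[int, bytes], n: int) -> List[bytes]:
    """Adversary with (r, state_r) can walk the chain forward: K_{r+1..r+n}."""
    _, s = snapshot
    out = []
    for _ in range(n):
        out.append(prf(s, b"key"))
        s = prf(s, b"next")
    return out


def password_alone_reproduces(password_key: bytes, keys: List[bytes]) -> bool:
    """Adversary who learned only S tries to regenerate K1..Kr from scratch."""
    fresh = EvolvingKeyStore(password_key)   # entropy unknown -> fresh random seed
    return [fresh.next_key() for _ in keys] == keys


if __name__ == "__main__":
    pk = bytes(range(32))                     # constructed stand-in for KDF(S, salt)
    past, store = run_sessions(pk, 5)
    stolen = store.snapshot()
    future = keys_after_compromise(stolen, 2)
    print("past keys recoverable from S alone:", password_alone_reproduces(pk, past))
    print("future keys recoverable from stolen state:",
          future == [store.next_key() for _ in range(2)])
```

Backward recovery of K1..Kr from state_r would require inverting `prf`, which is the one-wayness the scheme rests on; this is also why, in the storage setting, data sealed under an earlier key stays inaccessible to the authorised user as well unless that key (or the data) was delivered elsewhere before the state advanced, which is the extra key-management burden the paragraph refers to.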
Unlike PAKE schemes, KDF schemes allow a user to be authenticated to a device without needing to contact a remote entity. On the other hand, KDFs are unable to prevent offline dictionary attacks if the underlying salt is discovered, in particular if the salt is sent to a remote location during data delivery, or if an attacker gains access to a device's memory. Even some forward-secure PAKE schemes are vulnerable to physical attacks, in which an adversary simply steals the device in which the keys are kept in memory and then recovers the password-protected data without discovering the password itself. This is a particularly serious threat when we consider applications in which users cannot renew their keys very often due to limited connectivity with their counterparts (e.g., if a mobile device has limited connectivity to a network and, therefore, to a server at which it wishes to store data). This is the case in so-called Delay/Disruption Tolerant Networks (DTNs).
In DTNs, user equipment is obliged to (1) store the session key in volatile memory for a long time and/or (2) store the session key in non-volatile memory, retrieving it whenever necessary (e.g., when an application is run). One example of a real-world application with such connectivity issues is a data collection system deployed in remote areas, such as those in which health care workers visit families' homes in areas with poor/unstable cellular/broadband coverage. Such areas unfortunately also tend to be high-risk regions, e.g., economically poor areas where mobile devices are highly attractive for theft.