Passwords are commonly used for returning-user authentication to a software application back-end across a network such as the Internet, but they have well-known security weaknesses, including vulnerability to phishing attacks, breaches of back-end database security, and reuse at malicious sites. Furthermore, passwords are ill-suited for use on mobile devices such as smart phones and tablets: entering a strong password with letters, digits and punctuation on a small touch screen keyboard is cumbersome, and password characters are exposed to shoulder surfing because they are echoed by the keyboard as they are being typed in an effort to prevent typographical errors.
Cryptography provides alternatives for returning-user authentication that are more secure and better suited for mobile devices. For example, a mobile device could authenticate to an application back-end by proving knowledge of a private key that is part of a key pair pertaining to a public key cryptosystem, a hash of the public key that is part of the same key pair having been previously registered with the application back-end; the user would be indirectly authenticated as the owner of the device. This is more secure than authentication with a password because the private key is not sent to the application back-end or stored in a back-end database; and it is better suited for mobile devices because it does not require typing a password.
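The exchange described above, as an added Go example that is not part of the original text: the back-end keeps only a hash of the device's public key and accepts a signature over a fresh challenge. Ed25519, SHA-256, the single-use random challenge, the user name, and the names `Backend`, `Register`, `Challenge` and `Verify` are assumptions chosen for illustration.

```go
// Added example; Ed25519, SHA-256 and all names here are illustrative assumptions.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Backend stores only a hash of each registered public key, never a secret.
type Backend struct {
	registered map[string][32]byte // user -> SHA-256(public key), set at enrollment
	pending    map[string][]byte   // user -> outstanding single-use challenge
}

func NewBackend() *Backend { return &Backend{map[string][32]byte{}, map[string][]byte{}} }

// Register records the hash of the device's public key (enrollment, done once).
func (b *Backend) Register(user string, pub ed25519.PublicKey) { b.registered[user] = sha256.Sum256(pub) }

// Challenge issues a fresh random nonce so a captured response cannot be replayed.
func (b *Backend) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	b.pending[user] = nonce
	return nonce
}

// Verify checks the presented key against the registered hash, then the signature.
func (b *Backend) Verify(user string, pub ed25519.PublicKey, sig []byte) bool {
	nonce, ok := b.pending[user]
	delete(b.pending, user) // single use, whether or not verification succeeds
	want, known := b.registered[user]
	if !ok || !known || len(pub) != ed25519.PublicKeySize {
		return false
	}
	return sha256.Sum256(pub) == want && ed25519.Verify(pub, nonce, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // private key never leaves the device
	b := NewBackend()
	b.Register("alice", pub)
	sig := ed25519.Sign(priv, b.Challenge("alice")) // device signs the challenge
	fmt.Println("authenticated:", b.Verify("alice", pub, sig))
}
```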
Cryptography also allows a user to authenticate to an application back-end as having an identity or attributes asserted by a third party, without the third party being involved in the authentication transaction. For example, a computing device owned by the user may generate a key pair pertaining to a public key cryptosystem. The user may ask the third party to sign a public key certificate binding the public key that is part of the key pair to one or more identifiers and/or attributes that the third party is authoritative for, and may then store the public key certificate in the computing device together with the private key that is part of the key pair. The computing device may then authenticate to the application back-end by sending the certificate and proving knowledge of the private key. The user controlling the device is then indirectly authenticated as being entitled to the identifier and/or attributes.
Cryptography is currently used successfully for user authentication in some specific use cases, such as authentication of a US federal employee to the information system of a US federal agency using a public key certificate and its associated private key stored in a Personal Identity Verification (PIV) card connected to a personal computer. But cryptographic authentication is not broadly used outside such specific use cases.
Cryptographic authentication also has drawbacks.
One drawback is that it is difficult to implement for application developers. While user authentication with a password simply requires transmission of the password from a user's device to the application back-end, cryptographic authentication requires execution of a cryptographic protocol involving multiple cryptographic operations (such as digital signatures, verification of digital signatures, computation of cryptographic hashes, etc.) by multiple parties, and transmission of multiple messages between those parties. The details of the individual cryptographic operations performed by the parties to a cryptographic protocol are typically hidden from application developers in cryptographic libraries, but application developers must still cope with many difficulties. They must understand the cryptographic protocol, install cryptographic libraries, ensure that all parties agree on the parameters of the protocol, implement the sequence of messages and cryptographic operations required by the protocol, and handle errors and exceptions.
Another drawback is that it relies on one or more secrets stored in the user's device, such as a private key. Mobile devices are easily lost or stolen, hence the user's device may easily be captured by an adversary. If no precautions are taken, the adversary may obtain the secrets used for cryptographic authentication and use them to impersonate the user. One precaution that can be taken is to encrypt such secrets using an encryption key derived from a password supplied by the user. However, prior art techniques for encrypting the secrets allow the adversary to launch an offline dictionary attack against the password after capturing the device and obtaining the encrypted secrets. To resist the attack, the user must use a high-entropy password, which is not practical when the password must be entered on a small touch screen keyboard.
Hence there is a need for cryptographic authentication techniques, well suited for mobile devices, that are easier to implement for application developers and provide more effective protection against an adversary who captures a device.