www.cleversafe.com

Authenticating Cloud Storage

with Distributed Credentials

Library of Congress – September 27, 2011

2

The Mission of Cloud Storage

Cloud storage presents unique challenges:

– Users expect flexible access from any location

– Many nodes are involved in storing the data

– The system must be able to scale indefinitely

•Requires decentralization of critical services

•Decentralization eliminates single points of

failure

Challenge: How can we make the authentication

system reliable without sacrificing security?

3

Recent cases in the news…

3

2011, 10 million users of the mobile

application Trapsters' e-mail address and

password compromised

2011, hosting site SourceForge was attacked, affecting

the security of over 2 million user accounts

2010, the blog network Gawker was

compromised, exposing the passwords of

1.3 million users

4

The Solution: Distributed Credentials

Enable end-users to recover a private key from

any location on the network

– Bridges the gap between password authentication

and PKI authentication

• Appears like password authentication to end users

• Appears like PKI authentication to service providers

Nothing enabling an offline attack exists at any

location

– Breach of authentication server yields nothing!

5

Distributed Credentials Architecture

5

User device

username: jsmith01

password: ********

6

Distributed Credentials Architecture

6

User device

Distributed Credentials

Protocol

7

Distributed Credentials Architecture

7

User device

Recovered Key

8

Distributed Credentials Architecture

8

User device

PKI Authentication

Recovered Key

9

Distributed Credentials Architecture

9

User device

Recovered Key

10

Comparison of Mechanisms

Password PKI DK

1. No single point of failure

2. No single point of compromise

3. Enables access from any location

4. Easy to use

5. Immune to offline brute-force attacks *

6. Credentials are not disclosed to use

7. Immune to physical theft

* Requires a threshold number of simultaneous compromises

www.cleversafe.com

Questions

11

www.cleversafe.com

Backup

12

13

Authenticating to the Cloud

Implementers of cloud storage are forced to

choose between several sub-optimal

authentication systems:

– A system whose security is inversely proportional to

the number of nodes in the cloud

– A system with poor availability and scalability

– A system that is inconvenient and hard to use

At my company, we were faced with this

dilemma:

– How can we make the authentication system reliable

without sacrificing security?

14

How it Works

We found that through a combination of

various cryptographic protocols, an

authentication system with almost ideal

properties could be formed

– Server-assisted strong secret generation

•Warwick Ford and Burton S. Kaliski Jr.

(2000)

– Secret Sharing

•Adi Shamir and George Blakley (1979)

– Encryption and Digital Signatures

14

15

Auth Server 1

Auth Server 2

Auth Server N

Distributed Key Storage

15

...

strong-key1

password

eN

f(password)2e

mod p

private key

Secret

Sharing

Scheme

share1

share2

shareN

...

e1

e2 ...

strong-key2

strong-keyN

...

Cipher

Cipher

Cipher

SK1{share

1}

SK2{share

2}

SKN{share

N}

e1

SK1{share

1}

e2

SK2{share

2}

eN

SKN{share

N}

User’s Device

Random

Number

Generator

Cleversafe Proprietary & Confidential

16

Auth Server

1

Auth Server

2

Auth Server K

Distributed Key Retrieval (1 of 2)

16

...

User’s Device

blinded-pass1

password

bK

f(password)2b

mod p b

1 b

2 ...

blinded-pass2

blinded-passK

...

e1

SK1{share

1}

e2

SK2{share

2}

eK

SKK{share

K}

(blinded-pass1)e

mod p

blinded-SK1

(blinded-pass1)e

mod p

(blinded-passK)e

mod p

blinded-SKK

(blinded-pass2)e

mod p

blinded-SK2

SK1{share

1} blinded-SK

1

SK2{share

2} blinded-SK

2

SKK{share

K} blinded-SK

K

... ...

Random

Number

Generator

Cleversafe Proprietary & Confidential

17

Distributed Key Retrieval (2 of 2)

17

User’s Device

bK b

1 b

2 ...

(blinded-SK1)v

mod p

SK1{share

1}

blinded-SK1

SK2{share

2}

blinded-SK2

SKK{share

K}

blinded-SKK

vK

v1 v

2 ...

b*v = 1 mod q

(blinded-SK2)v

mod p

(blinded-SKK)v

mod p

strong-key1

strong-key2

strong-keyK

Cipher share1

share2

shareK

...

private key

Secret

Sharing

Scheme

Cipher

Cipher

...

Cleversafe Proprietary & Confidential

18

Why the math works

18

P and Q - two large primes defined in the

system

12 qp

Represent the f(password) with the number x )(passwordfx

Strong key is password to the power 2e )(mod2 pxstrongkey e

This is what will be proved… )(mod))(( 22 pxx eveb

Implies (bv)/q = n remainder 1, for some

integer n.

1)(mod1 nqbvqbv

Substitute (bv) with (nq+1) eenqnqebevveb xxxx 22)1(222 ))((

Isolate the strong key eenqeenq xxx 2222 )(

Replace 2q with (p-1), since p = 2q+1 eenp xx 21)(

By Fermat’s little theorem: a(p-1) = 1 (mod p) )(mod1 2 px een

1 raised to any power is 1, this is the strong-

key strongkeypx e )(mod2

Cleversafe Proprietary & Confidential

19

References

[1] Estimating password strength

• NIST Special Publication 800-63, Version 1.0.2

[2] How to Share a Secret

• Adi Shamir, In Communications of the ACM 22 (11): 612–613, 1979.

[3] Server-Assisted Generation of a Strong Secret from a Password

• Warwick Ford and Burton S. Kaliski Jr. In Proc. IEEE 9th

Int. Workshop on Enabling Technologies:

Infrastructure for Collaborative Enterprises, pages 176-180. IEEE Press, 2000.

[4] Compromise of 10 million user passwords from Trapster:

• http://blogs.computerworld.com/17690/over_10_million_passwords_possibly_compromised_at_trapste

r

[5] Compromise of 2 million user passwords from SourceForge:

• http://thenextweb.com/industry/2011/01/29/sourceforge-attacked-resets-2-million-account-

passwords-to-protect-users/

[6] Vulnerability of Kerberos to offline dictionary attacks (RFC 1510, section 1.2):

• http://www.ietf.org/rfc/rfc1510.txt

[7] Compromise of 1.3 million user passwords from Gawker:

• http://gadgetwise.blogs.nytimes.com/2010/12/13/gawker-passwords-hacked-what-you-should-do/

19