Authenticating Cloud Storage with Distributed Credentials · Cleversafe Proprietary & Confidential...
Transcript of Authenticating Cloud Storage with Distributed Credentials · Cleversafe Proprietary & Confidential...
www.cleversafe.com
Authenticating Cloud Storage
with Distributed Credentials
Library of Congress – September 27, 2011
2
The Mission of Cloud Storage
Cloud storage presents unique challenges:
– Users expect flexible access from any location
– Many nodes are involved in storing the data
– The system must be able to scale indefinitely
•Requires decentralization of critical services
•Decentralization eliminates single points of
failure
Challenge: How can we make the authentication
system reliable without sacrificing security?
3
Recent cases in the news…
3
2011, 10 million users of the mobile
application Trapsters' e-mail address and
password compromised
2011, hosting site SourceForge was attacked, affecting
the security of over 2 million user accounts
2010, the blog network Gawker was
compromised, exposing the passwords of
1.3 million users
4
The Solution: Distributed Credentials
Enable end-users to recover a private key from
any location on the network
– Bridges the gap between password authentication
and PKI authentication
• Appears like password authentication to end users
• Appears like PKI authentication to service providers
Nothing enabling an offline attack exists at any
location
– Breach of authentication server yields nothing!
5
Distributed Credentials Architecture
5
User device
username: jsmith01
password: ********
6
Distributed Credentials Architecture
6
User device
Distributed Credentials
Protocol
7
Distributed Credentials Architecture
7
User device
Recovered Key
8
Distributed Credentials Architecture
8
User device
PKI Authentication
Recovered Key
9
Distributed Credentials Architecture
9
User device
Recovered Key
10
Comparison of Mechanisms
Password PKI DK
1. No single point of failure
2. No single point of compromise
3. Enables access from any location
4. Easy to use
5. Immune to offline brute-force attacks *
6. Credentials are not disclosed to use
7. Immune to physical theft
* Requires a threshold number of simultaneous compromises
www.cleversafe.com
Questions
11
www.cleversafe.com
Backup
12
13
Authenticating to the Cloud
Implementers of cloud storage are forced to
choose between several sub-optimal
authentication systems:
– A system whose security is inversely proportional to
the number of nodes in the cloud
– A system with poor availability and scalability
– A system that is inconvenient and hard to use
At my company, we were faced with this
dilemma:
– How can we make the authentication system reliable
without sacrificing security?
14
How it Works
We found that through a combination of
various cryptographic protocols, an
authentication system with almost ideal
properties could be formed
– Server-assisted strong secret generation
•Warwick Ford and Burton S. Kaliski Jr.
(2000)
– Secret Sharing
•Adi Shamir and George Blakley (1979)
– Encryption and Digital Signatures
14
15
Auth Server 1
Auth Server 2
Auth Server N
Distributed Key Storage
15
...
strong-key1
password
eN
f(password)2e
mod p
private key
Secret
Sharing
Scheme
share1
share2
shareN
...
e1
e2 ...
strong-key2
strong-keyN
...
Cipher
Cipher
Cipher
SK1{share
1}
SK2{share
2}
SKN{share
N}
e1
SK1{share
1}
e2
SK2{share
2}
eN
SKN{share
N}
User’s Device
Random
Number
Generator
Cleversafe Proprietary & Confidential
16
Auth Server
1
Auth Server
2
Auth Server K
Distributed Key Retrieval (1 of 2)
16
...
User’s Device
blinded-pass1
password
bK
f(password)2b
mod p b
1 b
2 ...
blinded-pass2
blinded-passK
...
e1
SK1{share
1}
e2
SK2{share
2}
eK
SKK{share
K}
(blinded-pass1)e
mod p
blinded-SK1
(blinded-pass1)e
mod p
(blinded-passK)e
mod p
blinded-SKK
(blinded-pass2)e
mod p
blinded-SK2
SK1{share
1} blinded-SK
1
SK2{share
2} blinded-SK
2
SKK{share
K} blinded-SK
K
... ...
Random
Number
Generator
Cleversafe Proprietary & Confidential
17
Distributed Key Retrieval (2 of 2)
17
User’s Device
bK b
1 b
2 ...
(blinded-SK1)v
mod p
SK1{share
1}
blinded-SK1
SK2{share
2}
blinded-SK2
SKK{share
K}
blinded-SKK
vK
v1 v
2 ...
b*v = 1 mod q
(blinded-SK2)v
mod p
(blinded-SKK)v
mod p
strong-key1
strong-key2
strong-keyK
Cipher share1
share2
shareK
...
private key
Secret
Sharing
Scheme
Cipher
Cipher
...
Cleversafe Proprietary & Confidential
18
Why the math works
18
P and Q - two large primes defined in the
system
12 qp
Represent the f(password) with the number x )(passwordfx
Strong key is password to the power 2e )(mod2 pxstrongkey e
This is what will be proved… )(mod))(( 22 pxx eveb
Implies (bv)/q = n remainder 1, for some
integer n.
1)(mod1 nqbvqbv
Substitute (bv) with (nq+1) eenqnqebevveb xxxx 22)1(222 ))((
Isolate the strong key eenqeenq xxx 2222 )(
Replace 2q with (p-1), since p = 2q+1 eenp xx 21)(
By Fermat’s little theorem: a(p-1) = 1 (mod p) )(mod1 2 px een
1 raised to any power is 1, this is the strong-
key strongkeypx e )(mod2
Cleversafe Proprietary & Confidential
19
References
[1] Estimating password strength
• NIST Special Publication 800-63, Version 1.0.2
[2] How to Share a Secret
• Adi Shamir, In Communications of the ACM 22 (11): 612–613, 1979.
[3] Server-Assisted Generation of a Strong Secret from a Password
• Warwick Ford and Burton S. Kaliski Jr. In Proc. IEEE 9th
Int. Workshop on Enabling Technologies:
Infrastructure for Collaborative Enterprises, pages 176-180. IEEE Press, 2000.
[4] Compromise of 10 million user passwords from Trapster:
• http://blogs.computerworld.com/17690/over_10_million_passwords_possibly_compromised_at_trapste
r
[5] Compromise of 2 million user passwords from SourceForge:
• http://thenextweb.com/industry/2011/01/29/sourceforge-attacked-resets-2-million-account-
passwords-to-protect-users/
[6] Vulnerability of Kerberos to offline dictionary attacks (RFC 1510, section 1.2):
• http://www.ietf.org/rfc/rfc1510.txt
[7] Compromise of 1.3 million user passwords from Gawker:
• http://gadgetwise.blogs.nytimes.com/2010/12/13/gawker-passwords-hacked-what-you-should-do/
19