Secure Set-Based Policy Checking and Its Application to Password Registration

Dong, Changyu; Kiefer, Franziskus

doi:10.1007/978-3-319-26823-1_5

Cited by 3 publications

(1 citation statement)

References 19 publications

(17 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…An alternate approach using symmetric key primitives, secure set-based policy checking (SPC), to check password policy was proposed in [17]. Policies are represented set-theoretically as monotone access structures and are mapped to linear secret sharing schemes (LSSS).…”

Section: Introductionmentioning

confidence: 99%

Zero-Knowledge Password Policy Check from Lattices

Nguyen

Tan

Wang

2017

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Passwords are ubiquitous and most commonly used to authenticate users when logging into online services. Using high entropy passwords is critical to prevent unauthorized access and password policies emerged to enforce this requirement on passwords. However, with current methods of password storage, poor practices and server breaches have leaked many passwords to the public. To protect one's sensitive information in case of such events, passwords should be hidden from servers. Verifier-based password authenticated key exchange, proposed by Bellovin and Merrit (IEEE S&P, 1992), allows authenticated secure channels to be established with a hash of a password (verifier). Unfortunately, this restricts password policies as passwords cannot be checked from their verifier. To address this issue, Kiefer and Manulis (ESORICS 2014) proposed zero-knowledge password policy check (ZKPPC). A ZKPPC protocol allows users to prove in zero knowledge that a hash of the user's password satisfies the password policy required by the server. Unfortunately, their proposal is not quantum resistant with the use of discrete logarithm-based cryptographic tools and there are currently no other viable alternatives. In this work, we construct the first post-quantum ZKPPC using lattice-based tools. To this end, we introduce a new randomised password hashing scheme for ASCII-based passwords and design an accompanying zero-knowledge protocol for policy compliance. Interestingly, our proposal does not follow the framework established by Kiefer and Manulis and offers an alternate construction without homomorphic commitments. Although our protocol is not ready to be used in practice, we think it is an important first step towards a quantum-resistant privacy-preserving password-based authentication and key exchange system.

show abstract

Section: Introductionmentioning

confidence: 99%

Zero-Knowledge Password Policy Check from Lattices

Nguyen

Tan

Wang

2017

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

Framework for Design Exploration of Secure Embedded System Development

Wortman

Chandy

2019

Systems Engineering in Context

View full text Add to dashboard Cite

Zero-Knowledge Password Policy Check from Lattices

Nguyen¹,

Tan²,

Wang³

2018

Preprint

View full text Add to dashboard Cite

Passwords are ubiquitous and most commonly used to authenticate users when logging into online services. Using high entropy passwords is critical to prevent unauthorized access and password policies emerged to enforce this requirement on passwords. However, with current methods of password storage, poor practices and server breaches have leaked many passwords to the public. To protect one's sensitive information in case of such events, passwords should be hidden from servers. Verifier-based password authenticated key exchange, proposed by Bellovin and Merrit (IEEE S&P, 1992), allows authenticated secure channels to be established with a hash of a password (verifier). Unfortunately, this restricts password policies as passwords cannot be checked from their verifier. To address this issue, Kiefer and Manulis (ESORICS 2014) proposed zero-knowledge password policy check (ZKPPC). A ZKPPC protocol allows users to prove in zero knowledge that a hash of the user's password satisfies the password policy required by the server. Unfortunately, their proposal is not quantum resistant with the use of discrete logarithm-based cryptographic tools and there are currently no other viable alternatives. In this work, we construct the first post-quantum ZKPPC using lattice-based tools. To this end, we introduce a new randomised password hashing scheme for ASCII-based passwords and design an accompanying zero-knowledge protocol for policy compliance. Interestingly, our proposal does not follow the framework established by Kiefer and Manulis and offers an alternate construction without homomorphic commitments. Although our protocol is not ready to be used in practice, we think it is an important first step towards a quantum-resistant privacy-preserving password-based authentication and key exchange system.

show abstract

Secure Set-Based Policy Checking and Its Application to Password Registration

Cited by 3 publications

References 19 publications

Zero-Knowledge Password Policy Check from Lattices

Zero-Knowledge Password Policy Check from Lattices

Framework for Design Exploration of Secure Embedded System Development

Zero-Knowledge Password Policy Check from Lattices

Contact Info

Product

Resources

About