International Association for Cryptologic Research

CryptoDB

CHIP and CRISP -- Password based key exchange: Storage hardening beyond the client-server setting

Authors:
Cas Cremers
Moni Naor
Shahar Paz
Eyal Ronen
Abstract: Recent advances in password-based key exchange (PAKE) protocols can offer stronger security guarantees for globally deployed security protocols. Notably, the OPAQUE protocol realizes saPAKE [Eurocrypt2018], strengthening the protection offered by aPAKE to compromised servers: after compromising an saPAKE server, the adversary still has to perform a full brute-force search to recover any passwords or impersonate users. However, (s)aPAKEs do not protect client storage, and can only be applied in the so-called asymmetric setting, in which some parties, such as servers, do not communicate with each other. Nonetheless, passwords are also widely used in symmetric settings, where a group of parties share a password and can all communicate (e.g., Wi-Fi with client devices, routers, and mesh nodes; or industrial IoT scenarios). In these settings, the (s)aPAKE techniques cannot be applied, and the state of the art still involves handling plaintext passwords. We propose the notions of (strong) identity-binding PAKEs that improve this situation in two dimensions: they protect all parties from compromise, and can also be applied in the symmetric setting. We propose stronger counterparts to state-of-the-art security notions from the asymmetric setting in the UC model, and construct protocols that provably realize them. Our constructions bind the local storage of all parties to abstract identities, building on ideas from identity-based key exchange, but without requiring a third party. Our first protocol, CHIP, generalizes the security of aPAKE protocols to all parties, forcing the adversary to perform a brute-force search to recover passwords or impersonate others. Our second protocol, CRISP, additionally renders any adversarial pre-computation useless, thereby offering saPAKE-like guarantees for all parties, instead of only the server. We aim to work towards standardization of CHIP and CRISP, for example through the IETF.
Exposure through Real World Crypto will not only help people find our solutions, but also help to connect us with people who might be interested in working with us towards standardization.
BibTeX
@misc{rwc-2022-35492,
  title={CHIP and CRISP -- Password based key exchange: Storage hardening beyond the client-server setting},
  howpublished={Talk given at RWC 2022},
  author={Cas Cremers and Moni Naor and Shahar Paz and Eyal Ronen},
  year=2022
}