
Homomorphic Password Manager Using Multiple-Hash with PUF

  • Conference paper
Advances in Information and Communication (FICC 2021)

Part of the book series: Advances in Intelligent Systems and Computing (AISC, volume 1363)


Abstract

In the proposed homomorphic methods, the server authenticates clients without ever knowing their passwords. During enrollment, the users subject their passwords to multiple hashing cycles, typically 1000 times, and communicate the resulting message digests to the server. Rather than storing these message digests, the server uses them to find addresses in the physical unclonable functions, which generate data streams that are stored for future authentication. The authentication cycles use the following steps: i) the users hash their passwords multiple times, at levels lower than the one used during enrollment; ii) the server generates data streams from the physical elements at the address extracted from the message digest and compares them to the data streams stored during enrollment; and iii) the server reiterates the previous step by incrementally hashing the resulting message digest to find a match, or it rejects the password. During subsequent authentication cycles, the users again hash their passwords multiple times, but at levels lower than the ones used during the previous cycles. It thereby becomes pointless for third parties to intercept previously hashed passwords; they are never used twice. Hacking a database containing the data streams extracted from the physical unclonable functions during enrollment is also pointless without access to the devices. In this entire homomorphic protocol, the users are the only ones who know their passwords. This paper presents a prototype demonstrating the functionality of an example of a homomorphic password manager protocol with the SHA-3-512 hashing algorithm, exploiting the physical randomness of static random-access memories.
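
The enrollment and authentication cycles described in the abstract can be simulated in software. The Python code below is an added example, not code from the paper: the HMAC-based `SimulatedPUF` (a noise-free stand-in for the SRAM device), the use of the whole digest as the PUF address, and the `last_depth` bookkeeping that rejects reused levels are assumptions made for illustration.

```python
import hashlib
import hmac

ENROLL_LEVEL = 1000  # hashing cycles at enrollment, as stated in the abstract

def multi_hash(data: bytes, rounds: int) -> bytes:
    """Client side: apply SHA-3-512 `rounds` times to the password."""
    for _ in range(rounds):
        data = hashlib.sha3_512(data).digest()
    return data

class SimulatedPUF:
    """Assumption: a device-unique secret replaces the physical SRAM cells,
    and the whole digest serves as the address. PUF noise is not modelled."""
    def __init__(self, device_secret: bytes):
        self._secret = device_secret

    def stream(self, digest: bytes) -> bytes:
        return hmac.new(self._secret, digest, hashlib.sha3_512).digest()

class Server:
    def __init__(self, puf: SimulatedPUF):
        self.puf = puf
        self.db = {}  # user -> [enrolled PUF stream, depth of last login]

    def enroll(self, user: str, digest: bytes) -> None:
        # Only the PUF data stream is stored, never the digest itself.
        self.db[user] = [self.puf.stream(digest), 0]

    def authenticate(self, user: str, digest: bytes) -> bool:
        enrolled, last_depth = self.db[user]
        for depth in range(ENROLL_LEVEL + 1):
            if hmac.compare_digest(self.puf.stream(digest), enrolled):
                if depth <= last_depth:  # level not lower than before: reject
                    return False
                self.db[user][1] = depth
                return True
            digest = hashlib.sha3_512(digest).digest()  # hash one step further
        return False  # no match within the enrollment level: reject

def demo() -> dict:
    server = Server(SimulatedPUF(b"constructed-device-secret"))
    pw = b"correct horse"  # constructed sample password
    server.enroll("alice", multi_hash(pw, ENROLL_LEVEL))
    first = multi_hash(pw, 990)  # a level lower than enrollment
    return {
        "first_login": server.authenticate("alice", first),
        "replayed_digest": server.authenticate("alice", first),
        "lower_level": server.authenticate("alice", multi_hash(pw, 980)),
        "wrong_password": server.authenticate("alice", multi_hash(b"guess", 970)),
    }
```

An intercepted digest can only be hashed forward, toward levels the server has already consumed, which is why the replayed digest is rejected while a fresh lower level succeeds.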


Acknowledgments

The author thanks several graduate students at the cyber-security lab at Northern Arizona University for their contributions, in particular Christopher Philabaum, Vince Rodriguez, Ian Burke, and Dina Ghanaimiandoab. The author also thanks Jazan University for its contribution.

Author information


Correspondence to Sareh Assiri or Bertrand Cambou.


Copyright information

© 2021 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Assiri, S., Cambou, B. (2021). Homomorphic Password Manager Using Multiple-Hash with PUF. In: Arai, K. (eds) Advances in Information and Communication. FICC 2021. Advances in Intelligent Systems and Computing, vol 1363. Springer, Cham. https://doi.org/10.1007/978-3-030-73100-7_55
