Ask the experts
“Our protocols are ideal for use on mobile devices.”
—Jan Camenisch, Cryptographer
We recently developed a set of novel cryptographic protocols that lets users authenticate themselves online with virtually the same security guarantees as hardware security tokens, but without all their practical inconveniences.
Our protocols prove that it is indeed possible to achieve strong security based only on easy-to-memorize passwords, contrary to the widespread belief that passwords have become insecure. Because the password may be short and simple, and such passwords are easy to enter on a touchscreen keyboard, our protocols are ideal for use on mobile devices.
The security of hardware tokens
For security-sensitive use cases such as e-banking, companies often resort to tamper-resistant hardware such as smart cards, SIM cards, or trusted platform modules (TPMs). These hardware tokens provide an interface for operations with cryptographic keys, e.g., computing digital signatures or encrypting and decrypting data, while the private keys themselves are generated and stored inside the token and cannot be extracted. Usually, a password or PIN is used as an additional layer of protection. Offline attacks on this password or PIN are impossible because it is only ever checked inside the token, and online guessing is stopped because the token blocks itself after too many failed attempts. Moreover, depending on the use case, a lost or stolen token can be rendered useless by revoking the corresponding public key.
Despite these outstanding security guarantees (also referred to as non-exportability, anti-hammering, and revocability), hardware tokens are extremely unpopular because they are inconvenient and difficult to deploy and manage.
Hardware token security — without hardware tokens
The cryptographic protocols we have developed enable the distributed computation of digital signatures and of decryption between the user's device and an online server, so that the full private key is never held in one place. To achieve their strong security guarantees, our protocols rely on interaction with that online server and require the user merely to remember a (potentially even very weak) password.
The security guarantees of our protocols are practically identical to those provided by hardware tokens for the following three reasons:
Resistant against offline attacks
Our protocols realize a virtual smart card on the one hand and multi-factor authentication on the other: an authentication transaction succeeds only if both the user's password and the user's device (with its key share) are involved. Even if the authentication server's infrastructure is compromised (e.g., hacked) or the user's device falls into an attacker's hands, the user's password and keys remain safe in the sense that offline attacks on them are impossible. As with any such two-party scheme, this assumes that the server and the device are not both compromised at once, since together they hold everything needed to test password guesses offline. Otherwise an attacker is limited to online attempts, which the server, like a hardware token, can count and block.
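To make the mechanism sketched in the two paragraphs above concrete, here is an added, simplified illustration written for this page. It is not the authors' protocol (their exact constructions are in their papers) and not the prototype mentioned below. It shows a two-party Schnorr signature in which the signing key is split additively between the device and the server, the device's share is derived from a high-entropy key stored on the device together with the typed password, and the server validates the device's partial signature on every transaction so that a wrong password is detected, counted, and eventually locks the account. Assumptions: secp256k1 is used only as a convenient prime-order group (the test checks the constants); the names `Device`, `Server`, `share`, `start`/`finish` and the lockout threshold are illustrative, not from the original work.

```python
import hashlib
import secrets

# secp256k1 domain parameters. Assumption: the scheme works in any prime-order
# group; this curve is used only because its parameters are widely published.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def h(*parts):
    """Hash byte strings to a scalar mod N (used for challenges and key derivation)."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % N

def verify(X, msg, sig):
    """Ordinary Schnorr verification: the verifier sees one key and one signature."""
    R, s = sig
    c = h(enc(R), enc(X), msg)
    return ec_mul(s, G) == ec_add(R, ec_mul(c, X))

class Server:
    """Holds one key share per user and locks the account after repeated failures."""
    MAX_FAILURES = 3  # illustrative threshold

    def __init__(self):
        self.users = {}

    def enrol(self, user, X_dev):
        x_srv = secrets.randbelow(N - 1) + 1
        X = ec_add(X_dev, ec_mul(x_srv, G))  # joint public key = x_dev*G + x_srv*G
        self.users[user] = dict(x_srv=x_srv, X_dev=X_dev, X=X, failures=0, pending=None)
        return X

    def start(self, user, R_dev):
        u = self.users[user]
        if u["failures"] >= self.MAX_FAILURES:
            raise PermissionError("account locked")
        r_srv = secrets.randbelow(N - 1) + 1
        u["pending"] = (r_srv, R_dev)
        return ec_mul(r_srv, G)

    def finish(self, user, msg, s_dev):
        u = self.users[user]
        r_srv, R_dev = u["pending"]
        u["pending"] = None
        R = ec_add(R_dev, ec_mul(r_srv, G))
        c = h(enc(R), enc(u["X"]), msg)
        # s_dev is a valid partial signature only if the device derived the right
        # share, i.e. the right password was typed. Every guess costs one round
        # trip that the server counts, so the password cannot be attacked offline.
        if ec_mul(s_dev, G) != ec_add(R_dev, ec_mul(c, u["X_dev"])):
            u["failures"] += 1
            raise PermissionError("wrong password")
        u["failures"] = 0
        return (R, (s_dev + r_srv + c * u["x_srv"]) % N)

class Device:
    """Stores a high-entropy device key and the joint public key, never the password."""

    def __init__(self):
        self.device_key = secrets.token_bytes(32)
        self.X = None

    def share(self, password):
        # Share = H(device key, password): the server's copy of X_dev alone does
        # not let a server-side attacker test password guesses.
        return h(b"share", self.device_key, password.encode())

    def enrol(self, server, user, password):
        self.X = server.enrol(user, ec_mul(self.share(password), G))
        return self.X

    def sign(self, server, user, password, msg):
        x_dev, r_dev = self.share(password), secrets.randbelow(N - 1) + 1
        R_dev = ec_mul(r_dev, G)
        R = ec_add(R_dev, server.start(user, R_dev))
        c = h(enc(R), enc(self.X), msg)
        return server.finish(user, msg, (r_dev + c * x_dev) % N)
```

Why the split matters: a compromised server learns its own share and the device's public share, but without the device key it cannot test password guesses; a stolen device yields the device key and the joint public key, but not the server's share, so a password guess cannot be checked locally either. Only an attacker holding both can run an offline search, which is the caveat stated above. Nonce handling, constant-time arithmetic and transport security are out of scope for this illustration.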
Despite their strong security guarantees, our protocols are simple and efficient and we have a prototype implementation readily available.