Authentication as A Service Based on Shamir Secret Sharing / Bissoli, Andrea; D'Amore, Fabrizio. - (2021). (Paper presented at the International Symposium on Computer Science and Intelligent Controls (ISCSIC), held online) [10.1109/ISCSIC54682.2021.00072].

Authentication as A Service Based on Shamir Secret Sharing

Bissoli, Andrea (co-first author; member of the Collaboration Group)
d'Amore, Fabrizio (co-first author; member of the Collaboration Group)
2021

Abstract

We consider a solution for securing the classical password-based authentication scheme, because in many cases this type of authentication is given as a requirement. Our solution is based on Shamir's well-known $(k,n)$ threshold scheme for sharing a secret. In our case the secret is the password itself, and a $(k,n)$ threshold scheme means that $n$ password-derived secrets (shares) are created and $k \leq n$ shares are necessary and sufficient for reconstructing the password, while $k-1$ are not sufficient. The scheme is information-theoretically secure. We improve the approach so that the password is one-time. Since each of the $n$ shares is stored on a different host (Shareholder), an attacker needs to compromise $k$ different Shareholders to obtain enough data to reconstruct the secret. Furthermore, to resist compromise of the server (Dealer) that coordinates the Shareholders, we define a variant of classic Shamir in which the Shamir abscissas are unknown to the Dealer and the Shareholders, making reconstruction impossible even when the Dealer and the Shareholders are compromised. In addition, we apply the Pedersen method to allow verification of shares. For the described scenario we have designed two protocols for communication between the application, the Dealer and the Shareholders, so that the relevant players can take part in the registration phase (user sign-up, carried out once) and the authentication phase (user login). We analyse several scenarios in which the Dealer and/or the Shareholders are partially or totally compromised and confirm that none of them enables the attacker to break the authentication. We also focus on cases where one or more Byzantine servers are present, analyse their impact on the authentication, and show that the adopted mechanisms are secure against these kinds of attacks. We have developed a prototype demonstrating that our method works correctly, effectively and efficiently. It provides a first feasibility study that will serve as a basis for structured and engineered cloud-based implementations aiming at providing what we call authentication-as-a-service.
International Symposium on Computer Science and Intelligent Controls (ISCSIC)
authentication; Shamir; authentication-as-a-service; cryptography
04 Publication in conference proceedings::04b Conference paper in volume
Use this identifier to cite or link to this document: https://hdl.handle.net/11573/1598811