By Chris Sciacca
If you believe the press, you may think that passwords are antiquated. And who could blame you? With major breaches being reported at popular websites such as LinkedIn, Adobe, Yahoo!, and Twitter, passwords may sound like a vestige of past security solutions.
Well, not so fast. IBM scientists have developed a three-pronged approach that can secure all of your passwords for social media, email, cloud files or shopping websites with one practically hack-proof password.
And this password is secured by something they like to refer to as the “Memento Protocol.” In the 2000 film “Memento” by Christopher Nolan, the protagonist suffers from short-term memory loss. Throughout the film he meets several so-called friends, but due to his condition he never really knows if they are trustworthy or if they are trying to steal something from him.
“This scenario got us thinking because it leads to an interesting cryptographic problem — can a user securely recover his/her secrets using one password from a set of servers which cannot be trusted or even if they are the wrong servers?” said Dr. Gregory Neven, a cryptographer at IBM Research. “We were also motivated by helping users who lose all of their devices — they too should still be able to retrieve their secret information using one password.”
In their newly published paper, “Memento: How to Reconstruct your Secrets from a Single Password in a Hostile Environment,” IBM scientists and Dr. Anna Lysyanskaya from Brown University propose a new security protocol in which no single server stores your full password; instead, it is distributed in a cloud. An attacker would therefore have to hack more than a threshold of the servers simultaneously to gain access.
One of the most common techniques to steal passwords is known as the dictionary attack, which attempts to defeat a security tool by trying millions of possibilities, including all of the words in a dictionary.
IBM security scientist Dr. Jan Camenisch said, “Our protocol has a throttling mechanism to block brute force or dictionary attacks. In addition, we require at least two servers with two keys to unveil the password; this way, if one is corrupted, the secrets remain safe — obviously the more servers the better. Our last line of defense is a protection technique which keeps your password secure even if you are tricked into typing it into a corrupted website caused by a phishing attack.”
For example, suppose you set up your password account on three different servers that you trust and that are unlikely to collude against you or to be hacked all at the same time, such as ibm.com, admin.ch, and icann.org.
Next, suppose you are tricked in a phishing attack and you mistakenly log into ibn.com, admim.ch or ican.org and enter your password. You are cooked, right? Wrong. With the Memento Protocol, even in this situation the servers cannot figure out your password or impersonate you, because in a sense they never actually knew your password from the start.
Dr. Camenisch adds, “Unless all of the servers are breached or you physically give someone your password, this protocol is tough to beat.”
The scientists see an endless number of applications for the protocol spanning all web services including cloud data storage, social networking, online shopping, medical/DNA analysis websites and insurance.
“It’s clear that people can no longer be expected to remember the dozens of passwords they require at home and in the workplace,” said Dr. Lehmann. “With our protocol, when the user wants to retrieve their secret, they should only require one username and password and at the same time feel confident that even if something is occurring unknowingly in the background, the data remains secure.”
If only the lead character in Memento had it so easy. The Memento Protocol is being presented by Dr. Lehmann on 20 August at the International Cryptology Conference (CRYPTO) in Santa Barbara, California.