Strengthening Public Key Authentication Against Key Theft (Short Paper)
Accepted version
Peer-reviewed
Authors
Kleppmann, Martin https://orcid.org/0000-0001-7252-6958
Irwin, Conrad
Abstract
Authentication protocols based on an asymmetric keypair provide strong authentication as long as the private key remains secret, but may fail catastrophically if the private key is lost or stolen. Even when encrypted with a password, stolen key material is susceptible to offline brute-force attacks. In this paper we demonstrate a method for rate-limiting password guesses on stolen key material, without requiring special hardware or changes to servers. By slowing down offline attacks and enabling easy key revocation, our algorithm reduces the risk of key compromise, even if a low-entropy password is used.
Keywords
4606 Distributed Computing and Systems Software, 46 Information and Computing Sciences, 4604 Cybersecurity and Privacy
Journal Title
Lecture Notes in Computer Science
Conference Name
9th International Conference on Passwords
Journal ISSN
0302-9743
1611-3349
Publisher
Springer International Publishing