
Security Evaluation

In document Secure and Usable User Authentication (Page 137-140)

Using the decrypted shares $x'_i, f(x'_i)$ and equation (7.4), the polynomial $f$ is then reconstructed. The value $s' = \mathrm{KDF}(f(0))$, obtained by applying the respective KDF to $f(0)$, is then compared to the stored common secret $s$. All authorised subsets of password elements can be used to reconstruct the correct polynomial. The depiction of the verification phase in figure 7.5 illustrates the involved operations.

Adjusting the Portfolio Overhead. Adjusting the portfolio overhead corresponds to changing the threshold $t$. In order to adjust the threshold, i.e. to transform this second variant from a (t, n)-threshold verification scheme into a (t ± k, n)-threshold verification scheme, a new polynomial of degree $t \pm k - 1$ needs to be chosen. Therefore, the complete enrolment has to be redone, encrypting the new shares with the values derived from the password elements $e_i$.

Adding and Removing Challenges. To add challenge-response pairs, i.e. to transform this second variant from a (t, n)-threshold verification scheme into a (t, n+k)-threshold verification scheme, additional shares have to be created and encrypted using the new password elements. To perform this operation, the polynomial $f(x)$ has to be reconstructed (which is possible, given any authorised subset of the password). With $f(x)$, additional shares can be created as outlined in the explanations of the enrolment phase at the beginning of this section.

Removing challenges from the scheme (i.e. transforming the (t, n)-threshold scheme into a (t, n−k)-threshold scheme) is easily possible by deleting the respective k encrypted shares ci. Of course this is only viable if n − 1 ≥ t.
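The verification and add-challenge steps of the Shamir variant, as an added Python example that is not code from the thesis. It starts from shares that are already decrypted; PBKDF2, its iteration count, the x-coordinates 1..n and all function names are assumptions of this example.

```python
import hashlib
import secrets

P = 2**16 - 15  # prime field size the page uses for its PIN-level example

def interpolate(points, x, p=P):
    """Lagrange-interpolate the polynomial through `points` and evaluate it at x (mod p)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total

def kdf(secret, salt):
    """Salted KDF over f(0); PBKDF2 and the iteration count are this example's choice."""
    return hashlib.pbkdf2_hmac("sha256", secret.to_bytes(4, "big"), salt, 100_000)

def enrol(t, n, coeffs=None, p=P):
    """Pick f of degree t-1; return the n shares (i, f(i)), the salt and s = KDF(f(0))."""
    coeffs = coeffs or [secrets.randbelow(p) for _ in range(t)]
    f = lambda x: sum(c * pow(x, k, p) for k, c in enumerate(coeffs)) % p
    salt = secrets.token_bytes(16)
    return [(i, f(i)) for i in range(1, n + 1)], salt, kdf(coeffs[0], salt)

def verify(subset, salt, s):
    """Verification phase: rebuild f(0) from t decrypted shares, compare KDF(f(0)) to s."""
    return secrets.compare_digest(kdf(interpolate(subset, 0), salt), s)

def add_challenges(subset, n, k):
    """(t, n) -> (t, n+k): evaluate the reconstructed f at k new x-coordinates."""
    return [(x, interpolate(subset, x)) for x in range(n + 1, n + k + 1)]
```

A share decrypted with a wrong password element yields a different $f(0)$, so `verify` fails without revealing which element was wrong.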

7.3 Security Evaluation

This section discusses the proposed (t, n)-threshold verification scheme variants with regard to the security aspects identified in section 7.1.3. First the guessing resistance is discussed, then the secure storage.

7.3.1 Guessing Resistance

The guessing resistance is determined by the two values $p$ and $t$. Thereby, $p$ determines the guessing resistance when guessing one value of the (t, n)-threshold verification scheme directly, e.g. any share $y_i$ or the shared secret $x$ or $a_0$. On the other hand, $t$ determines the guessing resistance when guessing the password elements $e_i$ and subsequently applying the normal (t, n)-threshold verification procedures. In the following, first the security with respect to guessing values of the (t, n)-threshold verification scheme directly is discussed. Thereafter, the security regarding the guessing of password elements is discussed. Note that the former is not relevant for the naive approach outlined in the introduction to this chapter: since it only uses a KDF and no other underlying mathematical structure, only direct guessing of the password elements is possible. Therefore, the naive approach is only discussed in the context of guessing password elements.

Guessing Resistance of (t,n)-threshold Verification Scheme Values

Both Blakley and Shamir secret sharing are perfect secret sharing schemes. Therefore, the guessing resistance of the variables in the (t, n)-threshold verification scheme is directly related to the size of $GF(p)$, i.e. the number of possible values for each variable. There are only $p$ distinct values any variable in the system can represent. Therefore, any attacker needs on average $p/2$ attempts to guess the correct value. This obviously holds if the attacker tries to directly guess $x$ or $a_0$ respectively.

Additionally, guessing the secret, i.e. $x$ or $a_0$, does not get easier if a share is known to the attacker. If the attacker tries to guess the correct shares $y_i$ and was (in the worst case) able to obtain all but one share, they again have to try on average $p/2$ values for the remaining share. This holds for both variants of the (t, n)-threshold verification scheme.

• Variant 1 - Blakley secret sharing: By definition, the linear system of equations (7.2) has one solution, since the determinant of the $t \times t$ matrix $M$ is unequal to zero for all possible vectors of shares $y$. Consequently, all shares $y_i \in \{1, 2, \ldots, p\}$ are equiprobable.

• Variant 2 - Shamir secret sharing: By definition, the Lagrange interpolation polynomials are unique for each set of $t < n$ points. Therefore, each of the $p$ different shares $y_i$ yields a valid polynomial of degree $t - 1$ in equation (7.4). Consequently, all shares $y_i \in \{1, 2, \ldots, p\}$ are equiprobable.

Also, for both variants, guessing the share is not easier than a standard brute force attack, even when the number of available shares $p' < p$ is constrained by the authentication scheme. However, the guessing resistance then decreases to $p'/2$.

It is important to choose p for both variants as explained below, to ensure that the space of actually chosen passwords is not shrunk unintentionally. Note that in the following it is assumed that the passwords (i.e. the sets P = {e1, . . . , en}) are randomly chosen (i.e. user choice is not modelled). Following the classical information theoretic argumentation in [116] it is of the essence to ensure that

$$H \le -\sum_{i=1}^{p} \frac{1}{p} \log_2\left(\frac{1}{p}\right).$$

As stated before, the attacker has to test on average $p/2$ values to find x1. Consequently, $p$ should ideally be chosen such that

$$p \ge 2^{H+1}, \qquad (7.5)$$

where H is the desired strength against guessing attacks of the authentication scheme in bit. Otherwise, guessing one share is easier than guessing an authorised subset of the password.

Guessing Resistance of Password Elements

When guessing password elements, knowledge-based authentication exists mostly at two security levels: the PIN-level and the password-level. While the main focus of this thesis is the password-level, both of these two levels are specifically considered in the following deliberations. For both of these levels a sample configuration will be provided below, which does not impair the guessing resistance in comparison to non-portfolio authentication schemes. The portfolio overhead of $o = 3/2$ as used in [62] is applied in all configurations.


PIN-level. The PIN-level spans a password space of $10^4$ entries. It is used widely, from unlocking smartphones to banking applications. To achieve this security level in a portfolio setting, $t$ is chosen as

$$t_{PIN} = 4.$$

Applying the portfolio overhead $o = 3/2$, $n$ is therefore set to

$$n_{PIN} = 6.$$

In accordance with the deliberations regarding the size of $p$ for the two (t, n)-threshold verification variants, it was chosen as $p = 2^{16} - 15$, so that guessing the shared secret, i.e. $x$ or $a_0$ respectively, is harder than guessing an actual authorised subset of password elements. Using these values for the parameters $n$, $t$, and $p$, the setting of the PIN-level is equivalent to random PINs of length 6, where 4 elements of the PIN have to be entered during the authentication phase over the usual 10 digit alphabet $A = \{0, 1, \ldots, 9\}$. This results in an unchanged overall effort for the attacker of $|A|^t = 10^4 = 2^{\log_2(10) \cdot 4}$. While this effort is below the threshold of $10^6$ for online guessing attacks proposed by Florêncio and Herley [73], it offers the same guessing resistance as normal PINs. This holds for the two (t, n)-threshold verification variants as well as the naive approach.

Password-level. The password-level is more ambiguously defined, but can generally be regarded as the security level needed to withstand guessing attacks on traditional text passwords. As Florêncio and Herley [73] note in their review of password research literature and best practices, online guessing is a prevalent and easily performed attack, while offline guessing is only relevant when a specific set of prerequisites is met. They propose $10^6$ guesses as threshold to resist online guessing attacks. Since any attacker needs on average to exhaust half the available password space to guess a password, the password space of the password-level of security must be larger than $2 \cdot 10^6$. As Florêncio and Herley [73] note, exceeding this threshold generally does not hold benefits, unless the necessary guesses also exceed the threshold for offline guessing (i.e. $10^{14}$). Consequently, the following example of the password-level stays as closely as possible above the online guessing threshold. To that end, $t$ is chosen as

$$t_{Password} = 5.$$

Again, $n$ is determined by applying the portfolio overhead $o = 3/2$. It is therefore set to

$$n_{Password} = 8.$$

Using these values for $n$ and $t$, the setting of the password-level is equivalent to random passwords of length 9, where 6 elements of the password have to be entered during each authentication attempt. In order to reach the desired password space of $2 \cdot 10^6$, an alphabet of size 19 is chosen ($19^5 \approx 2^{21.24} > 10^6$). This is also in line with the findings of Florêncio and Herley [72], who found that password policies used by large Internet companies result in minimum strengths of about 20 to 27 bits. In order to achieve that guessing the shared secret, i.e. $x$ or $a_0$ respectively, is harder than guessing any authorised subset of the password, $p$ was chosen as $p = 2^{32} - 5$ for the two (t, n)-threshold verification variants.
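The two sample configurations checked against the sizing rule (7.5), as an added Python example that is not part of the thesis. It assumes $H = \log_2(|A|^t)$, that $n$ is $o \cdot t$ rounded up, and that $p$ must be prime for $GF(p)$; the function and key names are this example's own.

```python
import math

def is_prime(n):
    """Deterministic Miller-Rabin; these twelve bases are exact for all n < 3.3e24."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for q in bases:
        if n % q == 0:
            return n == q
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def evaluate(t, alphabet, p, overhead=1.5):
    """Check one (t, n)-threshold configuration against the page's sizing rules."""
    space = alphabet ** t  # number of candidate inputs for one authorised subset
    return {
        "n": math.ceil(overhead * t),                  # assumption: round o*t up
        "H_bits": round(math.log2(space), 2),
        "field_ok": is_prime(p) and p >= 2 * space,    # p >= 2^(H+1), eq. (7.5)
        "avg_element_guesses": space // 2,
        "avg_field_guesses": p // 2,
        "resists_online_guessing": space > 2 * 10**6,  # threshold cited from [73]
    }

PIN = evaluate(t=4, alphabet=10, p=2**16 - 15)
PASSWORD = evaluate(t=5, alphabet=19, p=2**32 - 5)
```

In both configurations `avg_field_guesses` exceeds `avg_element_guesses`, so guessing a field value directly is never the cheaper path.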

7 The (t,n)-threshold Verification Scheme for Portfolio Authentication

7.3.2 Secure Storage

Both (t, n)-threshold verification scheme variants provide secure storage of the verification information. Analogously to the procedure common in traditional text password settings, the shared secret, i.e. x or a0 respectively, is only stored for later verification of the user input after the application of an appropriate KDF. As long as the KDF is secure, the shared secret is secure. In particular, it is recommended to follow best practice and include salting into the KDF. These considerations hold analogously for the naive approach outlined in the introduction to this chapter. Additionally, the shares in the Shamir secret sharing variant have to be encrypted with a secure symmetric encryption algorithm.
