Maffei, M., Reinert, M., Lai, R., Egger, C., Chow, S. S. M., & Schröder, D. (2018). Simple Password Hardened Encryption Services. In Proceedings of the 27th USENIX Security Symposium (pp. 1405–1421). USENIX. http://hdl.handle.net/20.500.12708/57492
Passwords and access control remain the popular choice for protecting sensitive data stored online, despite their well-known vulnerability to brute-force attacks. A natural solution is to use encryption. Although standard practices of using encryption somewhat alleviate the problem, decryption is often needed for utility, and keeping the decryption key within reach is obviously dangerous.

To address this seemingly unavoidable problem in data security, we propose password-hardened encryption (PHE). With the help of an external crypto server, a service provider can recover the user data encrypted by PHE only when an end user supplied a correct password. PHE inherits the security features of password-hardening (Usenix Security '15), adding protection for the user data. In particular, the crypto server does not learn any information about any user data. More importantly, both the crypto server and the service provider can rotate their secret keys, a proactive security mechanism mandated by the Payment Card Industry Data Security Standard (PCI DSS).

We build an extremely simple password-hardened encryption scheme. Compared with the state-of-the-art password-hardening scheme (Usenix Security '17), our scheme only uses minimal number-theoretic operations and is, therefore, 30% - 50% more efficient. In fact, our extensive experimental evaluation demonstrates that our scheme can handle more than 525 encryption and (successful) decryption requests per second per core, which shows that it is lightweight and readily deployable in large-scale systems. Regarding security, our scheme also achieves a stronger soundness property, which puts less trust on the good behavior of the crypto server.