AuthStore: Password-based Authentication and Encrypted Data Storage in Untrusted Environments
This work addresses security challenges for users in untrusted environments like cloud storage, offering a flexible solution, though it appears incremental by building on existing password-based techniques.
The paper tackles the problem of securely reusing passwords for both authentication and encrypted cloud storage across multiple service providers, proposing AuthStore, a framework that integrates password stretching and a compact key exchange protocol, and demonstrates vulnerabilities in existing solutions.
Passwords are widely used for client to server authentication as well as for encrypting data stored in untrusted environments, such as cloud storage. Both, authentication and encrypted cloud storage, are usually discussed in isolation. In this work, we propose AuthStore, a flexible authentication framework that allows users to securely reuse passwords for authentication as well as for encrypted cloud storage at a single or multiple service providers. Users can configure how secure passwords are protected using password stretching techniques. We present a compact password-authenticated key exchange protocol (CompactPAKE) that integrates the retrieval of password stretching parameters. A parameter attack is described and we show how existing solutions suffer from this attack. Furthermore, we introduce a password manager that supports CompactPAKE.