IBM researchers in Zurich hope they’ve found a way to solve one of the great vexing problems for CISOs: Making passwords more secure.
The answer, they said last week in a paper presented at a security conference in Denver, is to make they way passwords are stored better. Many organizations store them in a single server, which means if it’s compromised the passwords are at risk. Large enterprises can afford systems that split passwords up and store them across multiple servers — such as RSA’s Distributed Credential Protection, for example –but they have a potential weakness: They need a quick way to allow a server (or servers) in the chain to refresh encryption keys so they can securely recover in case there’s a compromise. “Without a recovery mechanism,” the researchers note, “it’s only a matter of time until all servers have been hacked and the passwords are leaked.”
Note the word quick. IBM says the only current way to do this kind of recover is with a lot of compute power.
The researchers’ proposed solution is an efficient cryptographic protocol that distributes the capability to verify passwords over multiple servers.
“In spite of its simplicity, our scheme boasts security against dynamic and transient corruptions, meaning that servers can be corrupted at any time and can recover from corruption by going through a non-interactive key refresh procedure,” the authors say. “The users’ passwords remain secure against offline dictionary attacks as long as not all servers are corrupted within the same time period between refreshes.”
The implementation was tested on a commercial cloud infrastructure, with the prototype handling about 100 logins per second per server core. “At this cost, there’s almost no excuse for companies to lose any more user passwords as a result of a server breach,” say the authors.
That would include, I note, small and medium-sized firms, who could benefit from improved security.
When will we see this solution commercialized by a vendor or cloud provider (IBM is both, although their research is public)? No word yet.