
University of Cambridge Develops Potentially More Secure Password Storage System

Unknown Lamer posted about 7 months ago | from the tpm-minus-bad-things dept.

Encryption 70

An anonymous reader writes "University of Cambridge's S-CRIB Scrambler resides in a Raspberry Pi and performs a hash-based message authentication code (HMAC). 'The secret 10-character key used to generate the HMAC resides solely on the dongle. Because it's not included in password tables that are stored on servers, the key could remain secret even in the event of a major security breach.' There are pros and cons associated with this method, of course, ranging from scalability to loss of access due to device hardware failure. As with all current options for password security, there's no guarantee that even this system remains secure."

2 factor? (1)

invictusvoyd (3546069) | about 7 months ago | (#46451789)

Isn't this the good old 2 factor authentication?

Re:2 factor? (2)

gnoshi (314933) | about 7 months ago | (#46451859)

Sort of, but the server (rather than the client) has the device, and 'having' the device is needed (ideally) in order to check user passwords at the server end. So rather than being used to identify a user to the server, it is used by the server to generate the password hash which is stored and compared.

Usefulness is reduced if a single account is known (5, Interesting)

gnoshi (314933) | about 7 months ago | (#46451831)

As was pointed out by someone on Ars [arstechnica.com], even if the secret key used by this device isn't stolen it can be bruteforced by having a single known account on the system. This is not a trivial problem, because it seems that they are using SHA1 (on the basis that the key can never be stolen, so the hashes don't need to be so strong). As such, there is a mountain of good gear out there for running lots and lots of hashes fast.

Basically:
1. Create account/password with online retailer
2. Steal user database for online retailer
3. Find your own account, for which you know the username and password (and salt, because it is in the database) and associated hash
4. Bruteforce the HMAC key required to get the stored hash using your username, password and salt
5. Use that same universal HMAC key for attacking all the other accounts
6. profit?

This assumes that there is a single key used for the HMAC and stored on the dongle, but it seems that is actually the case.
It does make getting all the passwords a bit harder, but it isn't a miracle cure.

Re:Usefulness is reduces if a single account is kn (0)

Anonymous Coward | about 7 months ago | (#46451921)

We always hear about new cool stuff, and then someone quickly turns around and breaks the stuff.

Can someone explain why we don't just use SSH certificates, so that the server effectively only stores the user's id_rsa.pub for authentication? And before someone says "yeah, but then all someone has to do is copy your .ssh folder," keep in mind that individual certificates can be password protected, so it's both something you have -AND- something you know. Granted, there would be plenty of idiots that don't use passwords, or that use hunter2 or 12345, but those people are already screwed anyway.

We've had this technology for years. Why isn't it widespread? Storage space? Too hard for average joes to use?
Anyone have a clue?

Re:Usefulness is reduces if a single account is kn (2)

viperidaenz (2515578) | about 7 months ago | (#46451989)

How do I log in to my account from a new device? What if I'm travelling and I don't have my computer with me, how do I use an internet cafe?

Re:Usefulness is reduces if a single account is kn (0)

Anonymous Coward | about 7 months ago | (#46452081)

Check out the GNUK. It's a low-power ARM microcontroller that can keep a private key private. Sign its public key with the private key you used to set up the account, and use gpg-agent to complete the authorization. I

Re:Usefulness is reduces if a single account is kn (3, Insightful)

tlhIngan (30335) | about 7 months ago | (#46452463)

How do I log in to my account from a new device? What if I'm travelling and I don't have my computer with me, how do I use an internet cafe?

As you always would - with your username and password.

What these guys propose doing is server side - you enter a password, the server hashes it, it's sent to the box which signs it, then the resulting hash is spit back out and stored in the database. When you log in, you provide the password, it's hashed by the server, send to the box, and the resulting signed hash is compared with the stored hash.

The reason for this is to make breaches of websites that much less useful - if the attackers get the database, they won't have the HMAC key so they can't really run through and crack the hashes. The website can regenerate a new HMAC key and force everyone to recreate their passwords (which can be the same) and they'll end up different in the database again because they are signed with the new key.

Since the key never leaves the hardware box, it's impossible to extract it when you're grabbing the user database.

The big problem is, well, it protects the user with less benefit and more cost to the website in question, meaning few, if any, would actually implement it because the benefits go solely to the user.
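The server-side flow tlhIngan describes (host hashes the password, dongle applies a keyed HMAC, result is stored and later compared), worked through as an added example that is neither this thread's nor the S-CRIB project's code. Assumptions not in the thread: the host pre-hash is PBKDF2-SHA256 with a per-user salt, the dongle key is 32 symbols from a constructed 76-character alphabet (the thread gives the size but not the set), and key rotation after a breach simply drops the old entries so users re-enrol; `key_space_bits` is included because the key-entropy arithmetic comes up further down the thread.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# Constructed 76-character alphabet (62 alphanumerics + 14 specials). The thread
# reports a 76-character set for the dongle but does not list it; this is an assumption.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+,-./:;="


def key_space_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a key of `length` symbols drawn uniformly from `charset_size`."""
    return length * math.log2(charset_size)


class Scrambler:
    """Simulated dongle. It holds the HMAC key and answers only scramble requests;
    nothing else about the key is exposed to the host."""

    def __init__(self, key=None, key_len=32):
        if key is None:
            key = "".join(secrets.choice(ALPHABET) for _ in range(key_len)).encode("ascii")
        self._key = key

    def scramble(self, data: bytes) -> bytes:
        # HMAC-SHA1 as described in the thread; the key never leaves this object.
        return hmac.new(self._key, data, hashlib.sha1).digest()


class PasswordStore:
    """Host side: salt and pre-hash the password, send the digest to the dongle,
    store the dongle's reply. Verification repeats the same steps and compares."""

    def __init__(self, scrambler: Scrambler, iterations: int = 100_000):
        self.scrambler = scrambler
        self.iterations = iterations
        self.table = {}  # user -> (per-user salt, scrambled value)

    def host_hash(self, password: str, salt: bytes) -> bytes:
        # Slow, per-user-salted hash on the host (assumption: PBKDF2-SHA256; the
        # thread only says "the server hashes it"). The dongle never sees the password.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)

    def derive_stored(self, password: str, salt: bytes) -> bytes:
        return self.scrambler.scramble(self.host_hash(password, salt))

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.table[user] = (salt, self.derive_stored(password, salt))

    def verify(self, user: str, password: str) -> bool:
        if user not in self.table:
            # Do the same work for unknown users so timing does not reveal valid usernames.
            self.derive_stored(password, bytes(16))
            return False
        salt, stored = self.table[user]
        return hmac.compare_digest(stored, self.derive_stored(password, salt))

    def rotate_key(self, new_scrambler: Scrambler) -> list:
        """Key rotation after a breach, as the thread describes: swap in a dongle with a
        new key and require every user to re-enter a password. Stored values cannot be
        re-derived without the passwords, so entries are dropped and their owners returned."""
        self.scrambler = new_scrambler
        affected = sorted(self.table)
        self.table.clear()
        return affected


if __name__ == "__main__":
    store = PasswordStore(Scrambler())
    store.register("alice", "correct horse battery staple")
    print("login ok:", store.verify("alice", "correct horse battery staple"))
    print("wrong pw:", store.verify("alice", "Tr0ub4dor&3"))
    print("10 chars of 92:", round(key_space_bits(92, 10), 2), "bits")
    print("32 chars of 76:", round(key_space_bits(76, 32), 2), "bits")
```

Note that a per-user salt alone does not rescue a short dongle key: the salt is in the same stolen table, so the key's own entropy is what the breach scenario in this thread hinges on.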

Re:Usefulness is reduces if a single account is kn (1)

viperidaenz (2515578) | about 7 months ago | (#46457393)

You've missed the boat completely.
I was replying to someone who said we should be using certificate authentication.

By the way, the key can leave the hardware box. They explicitly built that functionality so they can be cloned to make a cluster.

Re:Usefulness is reduces if a single account is kn (1)

gnoshi (314933) | about 7 months ago | (#46452027)

I think basically using client certificates is too hard for average joes to use, especially across devices.
Different browsers on one machine don't share certs. You need to be able to share certs across devices, which means copying them somehow while keeping them secure - and not just keeping them all in DropBox. If you're using certificates, you can't just log on from your friend's phone when you left yours at home.

Also, if you're trying to replace insecure passwords with certificates, then you have the problem that the people who would normally use the crappy passwords will either not password protect their certificates or use crappy passwords on them too. Even if they do this, it does mean that the server password DB being stolen wouldn't reveal their keys but it does mean you need some way to revoke certificates and get new ones if yours are compromised.

In reality, using the same password across multiple sites is a much bigger problem (for those users) than using rubbish passwords if the site is managing passwords correctly. If the server is salting the passwords and using good hashes, as well as limiting the rate of password attempts and implementing some form of lockout then everything beyond the most abysmally bad password is reasonably safe.
However, if a user has the same password for their e-mail account, and the dodgy torrent forum they just signed up for using that e-mail address then they are screwed any which way.

Re:Usefulness is reduces if a single account is kn (0)

Anonymous Coward | about 7 months ago | (#46452057)

They're not SSH certificates, but PKI client certificates are quite common in enterprise applications. It does add to management complexity (storage, etc.) but I agree they can be more secure. At least until users start replicating their private keys to multiple devices, but at least you can revoke them.

Re:Usefulness is reduces if a single account is kn (1)

mlts (1038732) | about 7 months ago | (#46452449)

Even better, perhaps a standard of crypto token that works with USB? Right now, there is one for cards, but for USB tokens, I need special drivers for every maker (be it Safenet, Gemalto, or whomever.)

That way, the private ssh key can be used on the device, but never leaves it unless one is doing a backup of it to another device, or to other media where it is stored (encrypted with a passphrase) for safekeeping.

For two factor authentication, things like the Google Authenticator is good enough. The only improvement I can see with that would be going to a public/private key system or having a hardened authentication server that used Kerberos. We really do not need more hardware dongles that are not really a standard. Having standardized hardware key protection for SSH private keys would be nice, but oftentimes, the perfect is the enemy of the good... if we can go with SSH keys/certificates and/or a standardized OTP, that is 95% of the battle right there... an attacker would then have to start attacking individual endpoints.

Re:Usefulness is reduces if a single account is kn (0)

Anonymous Coward | about 7 months ago | (#46451937)

...This assumes that there is a single key used for the HMAC and stored on the dongle, but it seems that is actually the case.
It does make getting all the passwords a bit harder, but it isn't a miracle cure.

This also assumes that any system would be able to brute-force mass ignorance. It's 2014 and people still use "password" and "password1" to secure their shit. The only miracle here is if people actually get security one day.

Re:Usefulness is reduces if a single account is kn (2)

swillden (191260) | about 7 months ago | (#46452017)

Good point. The weakness is easy to fix, though: Use a longer key. The only problem here is that the key is only 10 characters, which is probably only 40-50 bits of entropy even if the characters are chosen randomly. Use a 128-bit random key instead and known plaintext will become useless.

Oh, and new systems should use SHA-256, or SHA-3, not SHA-1. But that's probably not an issue in practice.

Re:Usefulness is reduces if a single account is kn (4, Informative)

Bengie (1121981) | about 7 months ago | (#46452061)

10 random chars are good for 65 bits. Log(92^10)/Log(2) = 65.24

Re:Usefulness is reduces if a single account is kn (1)

swillden (191260) | about 7 months ago | (#46452185)

10 random chars are good for 65 bits. Log(92^10)/Log(2) = 65.24

Heh. Good catch. I should have done the math, or at least thought about it for another second or two. Five bits per character assumes a character set of 32, which is obviously silly.

Words are MUCH less secure than random chars (2)

billstewart (78916) | about 7 months ago | (#46452523)

English words average between 1-2 bits per character. 10 random characters may be good for 80 bits if you can really use 2^8 values, or maybe 65 bits if you're only choosing randomly over 92 values per character, but if you choose actual words for your password, it's a lot less. The OED has about 200K words (~18 bits), so you get maybe 20-24 bits depending on word endings, l33t-spellings, capitalization variants, combinations of short words, etc.

128 bits is theoretically sort of secure today, as long as it's used in ways that aren't susceptible to birthday attacks (probably not an issue here), and as long as there's enough real entropy used to generate those bits. Even that's a realistic problem here - are you going to remember a passphrase that has 8-10 random words from the OED? Or are you going to have to keep them written on a yellow sticky note in your office, or dogear the pages in your dictionary that have words highlighted in 7 different colors so you know what order they're in?

Re:Usefulness is reduces if a single account is kn (1)

Fnord666 (889225) | about 7 months ago | (#46454585)

10 random chars are good for 65 bits. Log(92^10)/Log(2) = 65.24

Quick question. Where did the 92 come from? Uppercase + Lowercase + digits + special chars? I'm struggling to get to 92 here.

Re:Usefulness is reduces if a single account is kn (1)

mdielmann (514750) | about 7 months ago | (#46456277)

Take a look at your keyboard, and count all the keys that produce a character of some sort. Now multiply by 2 (for using the shift key). And that is your approximate number of readily-available characters for a password. Mine has 94 (47 character keys), but I'm sure there are some that are just a bad idea.

I personally just assume that Bengie [slashdot.org] is a greybeard and is used to the old keyboards, or that he is big into security and that is the exact number of characters allowed by most security tools.

Re: Usefulness is reduces if a single account is k (1)

SmartCrib (2726777) | about 7 months ago | (#46457831)

Completely futile exercise as you have the length wrong as well as the size of character set. Try 32 character l permutation of

Re: Usefulness is reduces if a single account is k (1)

SmartCrib (2726777) | about 7 months ago | (#46457877)

76 characters.

Re:Usefulness is reduces if a single account is kn (2)

WaffleMonster (969671) | about 7 months ago | (#46452043)

4. Bruteforce the HMAC key required to get the stored hash using your username, password and salt

It seems far fetched someone would go through all of the trouble to deploy such a solution and yet select a key with insufficient entropy to protect the system from any remotely feasible brute force attack.

Re:Usefulness is reduces if a single account is kn (2)

gnoshi (314933) | about 7 months ago | (#46452329)

Absolutely, but if the summary and the Ars article are to be believed then the on-device key is 10 characters long. From TFA, the output characterset appears to include 76 characters, so it seems plausible that they are using this same set for the on-device key as well. They are using HMAC-SHA1, and it seems (from Ars) that they are not using iterated SHA1 (i.e. they are using a single pass).

Not saying anyone would deploy it like that.

Re:Usefulness is reduces if a single account is kn (2)

TubeSteak (669689) | about 7 months ago | (#46452425)

It seems far fetched someone would go through all of the trouble to deploy such a solution and yet select a key with insufficient entropy to protect the system from any remotely feasible brute force attack.

15 years ago, there were people saying the exact same thing about [other encryption technology].
Never underestimate the ability of the technically incompetent to kludge something into semi-working order, while simultaneously botching all the important steps.

Re:Usefulness is reduces if a single account is kn (1)

VikingNation (1946892) | about 7 months ago | (#46452439)

How about their remote API over HTTP?

Re:Usefulness is reduces if a single account is kn (1)

AmiMoJo (196126) | about 7 months ago | (#46452949)

It's a proof of concept, not a commercial product. No-one would deploy an RPi in a production environment, they would develop a low power and much faster USB dongle with secure storage. Probably some kind of ARM based micro, although you can get dedicated ICs with a USB interface.

Re:Usefulness is reduces if a single account is kn (1)

SmartCrib (2726777) | about 7 months ago | (#46452835)

The password / key used for SHA1-HMAC is actually 32 characters long - up to about 199 bits of entropy with the character set used (a-zA-Z0-9+10 special chars)

Re:Usefulness is reduces if a single account is kn (1)

gnoshi (314933) | about 7 months ago | (#46458549)

That certainly changes things. The summary for this article and the Ars article both suggested that the key was 10 chars long, and I couldn't find a specific number in TFA to replace it with.

Re:Usefulness is reduces if a single account is kn (1)

AlphaWolf_HK (692722) | about 7 months ago | (#46453059)

I have a bitcoin asic that does 8 billion sha256 hashes per second, and it is a cheap asic. Why not just throw each password+salt through a sha256 hash 1 million times? The requirement for brute force guessing it would be insane even with a really expensive asic, yet simple authentication if you already had the right password would be cheap. Just flat out forget about trying to do it with a regular CPU or GPU.

Re:Usefulness is reduces if a single account is kn (1)

StripedCow (776465) | about 7 months ago | (#46453227)

This assumes you know the salt used to compute the hash.

The arstechnica reply states this explicitly, but I don't understand this assumption.
How can the hacker be assumed to know the salt?

Re: Usefulness is reduces if a single account is k (1)

BitZtream (692029) | about 7 months ago | (#46453635)

The salt is generally stored as the first few chars of the hashed password. If they have a password, they almost certainly have the salt used for it as well.

Re: Usefulness is reduces if a single account is k (1)

StripedCow (776465) | about 7 months ago | (#46453695)

Not if one stores a long, fixed salt in the device.

(Here fixed means fixed over all users.)

Re: Usefulness is reduces if a single account is k (1)

Fnord666 (889225) | about 7 months ago | (#46454619)

Not if one stores a long, fixed salt in the device.

(Here fixed means fixed over all users.)

That sort of defeats the purpose of the salt.

Re: Usefulness is reduces if a single account is k (1)

StripedCow (776465) | about 7 months ago | (#46454683)

How?

You can always use two salts (one based on the username/password if you like, and one fixed one stored in the device).

known plaintext attack (0)

Anonymous Coward | about 7 months ago | (#46454237)

That does not seem true. If it was, it would mean there is a known plaintext attack versus HMAC, and would be considered broken.

http://crypto.stackexchange.com/questions/8500/with-hmac-can-an-attacker-recover-the-key-given-many-known-plaintext-tag-pairs/8540#8540

Re:Usefulness is reduces if a single account is kn (1)

SmartCrib (2726777) | about 7 months ago | (#46457975)

Do it, publish it at crypto conferences, become famous :-) The key is 199 bits long. You can try to use collision attacks on SHA-1 but that would be again stuff securing life-long glory.

This was proven to be insecure... (0)

Anonymous Coward | about 7 months ago | (#46451835)

This was proven to be insecure. It does not need to be on the file system to be read.
It needs to be in plain text to be used, and it needs to be in memory.
Which means DUH that it can be read OUT of memory.

Let me fucking google that for you:
https://www.google.com/search?q=reading+encryption+keys+in+memory&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

So... (0)

Anonymous Coward | about 7 months ago | (#46451887)

You created an HSM, congratulations?

So... this is a cheaper version of a HSM? (0)

Anonymous Coward | about 7 months ago | (#46451947)

Hardware Security Modules (HSMs) offload crypto work to a trusted hardware device so that loss of a server doesn't mean losing all the data inside. HSMs can be had for $1000 and are very mature and secure. This looks like the beginnings of a home-brew cheaper version - or am I missing something?

Re:So... this is a cheaper version of a HSM? (1)

vipw (228) | about 7 months ago | (#46453507)

Not only cheaper, also it provides no physical security and can leak the master key. Hooray!

Makes sense (4, Interesting)

swillden (191260) | about 7 months ago | (#46451977)

This isn't by any means a new concept; systems that care deeply about security have been using host security module (HSM)-based keyed hashing for decades. But doing it in an inexpensive, readily-available device is a really good idea for systems that don't need the physical security features offered by HSMs -- and that's nearly all systems. The key is to make sure that the communications channel between host and dongle cannot be used to compromise the dongle. Ideally, you should just ensure that the dongle system will not -- under any circumstances -- respond to anything other than hashing requests, and that codepath should be carefully validated for security bugs.
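One way to realise the rule swillden sets out (the dongle answers nothing but hashing requests, through one carefully checked codepath), as an added example that is neither this thread's nor the S-CRIB firmware: a strict single-purpose request handler for a simulated dongle. The message format, the host-side SHA-256 pre-hash and the demo key are all assumptions made for the example.

```python
import hashlib
import hmac
import re

# Constructed demo key; a real dongle keeps this in protected storage and never returns it.
DONGLE_KEY = b"constructed-demo-key-not-for-use"
MAX_REQUEST_BYTES = 80
# Exactly one accepted message shape: "SCRAMBLE <64 lowercase hex chars>\n",
# i.e. a SHA-256 digest computed on the host (assumption) plus a single newline.
REQUEST_RE = re.compile(rb"SCRAMBLE ([0-9a-f]{64})\n")
ERROR_REPLY = b"ERR\n"


def handle_request(raw: bytes) -> bytes:
    """The dongle's only codepath. Anything that is not a well-formed scramble
    request gets the same fixed reply, so the host learns nothing from malformed input."""
    if not isinstance(raw, bytes) or len(raw) > MAX_REQUEST_BYTES:
        return ERROR_REPLY
    m = REQUEST_RE.fullmatch(raw)
    if m is None:
        return ERROR_REPLY
    digest = bytes.fromhex(m.group(1).decode("ascii"))
    # HMAC-SHA1 as in the thread; the key is used here and nowhere else.
    tag = hmac.new(DONGLE_KEY, digest, hashlib.sha1).hexdigest()
    return b"OK " + tag.encode("ascii") + b"\n"


def scramble_request(password_digest: bytes) -> bytes:
    """Host-side helper that builds the only message the dongle understands."""
    return b"SCRAMBLE " + password_digest.hex().encode("ascii") + b"\n"


if __name__ == "__main__":
    d = hashlib.sha256(b"example password").digest()
    print(handle_request(scramble_request(d)))
    for bad in (b"GETKEY\n", b"SCRAMBLE " + b"A" * 64 + b"\n", scramble_request(d) + b"extra"):
        print(bad[:20], "->", handle_request(bad))
```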

Not only new, but already commercially available (0)

Anonymous Coward | about 7 months ago | (#46454333)

Not only is the concept not new, it is already commercially available. In fact, your computer may already have this capability. It's called the TPM chip. It can store your private keys and authenticate using PKCS11. It can also seal your password database to the hash of your entire boot process, ensuring that it is accessible only if your system is booted properly. Identity theft is a real problem and can cause you a lot of grief, so use your TPM chip already!

Re:Not only new, but already commercially availabl (1)

SmartCrib (2726777) | about 7 months ago | (#46458093)

We would be interested in PHP or Python support for TPM! The TPM is a bit tricky to use in virtual machines - my guess is that 99% of online servers run in VM, am I far from truth?

Next please. (3, Interesting)

viperidaenz (2515578) | about 7 months ago | (#46451983)

All that has been done is the HMAC key is being stored on an external device. A device that can only handle 5.6 transactions per second.

They talk about clustering them, but that means the private key must be the same for each node in the cluster, unless you tied nodes to users. Your tied user accounts get locked when the hardware fails.

If the private keys are the same, that key needs to be stored somewhere else. Once you find that key, you find the passwords.
They explicitly say you can clone dongles. They say there is protection - you can only overwrite the private key before you make real requests. Great, but pointless. You can always read the key from the dongle you're cloning. Otherwise hardware replacement and cluster expansion is impossible.

Re:Next please. (1)

SmartCrib (2726777) | about 7 months ago | (#46458003)

You can't "always read the key from the dongle you're cloning". You can only do it at the initialisation phase = before the first scrambling command. You can print it, store it in a strong box, split it into components and put each into a different strong box, and only use it again when you need to create a clone of a dongle already in use.

Scrambled Eggs (1)

WaffleMonster (969671) | about 7 months ago | (#46451995)

Looks like all they're doing is storing an encryption key on a separate hardware component and offloading all operations requiring said key to hardware. Isn't this what TPM already does? Why reinvent the wheel?

See also
http://tools.ietf.org/html/dra... [ietf.org]

Re:Scrambled Eggs (0)

Anonymous Coward | about 7 months ago | (#46452053)

Yes, TPM does this and supports HMAC and costs maybe $3. This is stupid.

Re:Scrambled Eggs (0)

Anonymous Coward | about 7 months ago | (#46452137)

Poached, not stirred.
It's because they're ENGLISH.... duh
Odd, that, Cambridge is held in high regard, but the UK Government contracts out American company 3M for the passpord rfid's. Would've thought the ENGLISH could do a far better job at that.

Now, what about 3M disclosing the FACT that their RFID chips can be tracked from space, and give the codes to the SEARCH and RESCUE in the South China Sea????

Oh, bother, it might link the story to the stolen Irish, French, German, and other passpords used in the SUCCESSFUL assassination at that posh hotel in some Arab country a few years ago.... did someone mention the Israelis and faulty blackboxes?

verisigned- Black Diamond Poacher

p.s. misread the articles password as passpord!

API over HTTP??? (1)

VikingNation (1946892) | about 7 months ago | (#46452013)

They are encouraging folks to connect to their system to send passwords to scramble over HTTP. Does anybody else see a problem with this proposal?

Re:API over HTTP??? (1)

SmartCrib (2726777) | about 7 months ago | (#46458033)

I encourage you to read the specs. HTTPS is your option if you have money, expertise and time to sort out proper certificates. Simply run the web service with HTTPS/SSL switched on. If you don't want to do that, the API provides end-to-end encryption of sensitive data.

Re:API over HTTP??? (1)

VikingNation (1946892) | about 7 months ago | (#46460205)

I did a quick read and it appeared they were passing passwords from the client to the unit where the dongle was plugged in via HTTP. Is this not the case?

Smart card, secure element, HSM (1)

YesIAmAScript (886271) | about 7 months ago | (#46452175)

Also, RSAs authenticator keychains. And more.

http://en.wikipedia.org/wiki/S... [wikipedia.org]

http://en.wikipedia.org/wiki/I... [wikipedia.org]

This has been invented a million times. The practicality of carrying a device specific for this purpose holds back the widespread use of stuff like this.

why a RasPi? (1, Insightful)

SuperBanana (662181) | about 7 months ago | (#46452183)

Can someone please explain why this is attached to a RasPi?

Among other things, the poor architecture and inability to run a standard distribution makes it a remarkably bad choice when you can get low-power x86 boards that will wipe the floor with it.

because it's a cheap, easy, fun proof of concept (4, Insightful)

raymorris (2726007) | about 7 months ago | (#46452479)

You wouldn't use an RPi in production, of course. x86 would be just as silly. A $3 hardware encryption chip attached to most any microcontroller would be several thousand times faster and an order of magnitude cheaper than x86. x86 is for general purpose computing - this is a single purpose device.

So why did they use a raspberry pi? Probably because they already had one, or several, already knew how to use it, and could put the code together in an hour or so to demonstrate the concept and have a little fun doing it.

Blog cred, and easier than Arduino (2)

billstewart (78916) | about 7 months ago | (#46452547)

RPi already comes with an ethernet port on it, and you don't have to bitbang USB like you would for the standard Arduinos (though there are libraries like V-USB that'll do that for you), and the CPU's a lot faster so you don't have to optimize crypto libraries yourself. And you can easily attach a keyboard to it for inputting passphrases instead of using the PC, which is critical for doing the security right.

This is an application where you don't need a lot of speed - if it takes a second to cough up a password, that's fine, so you don't need a $3 hardware crypto chip to go with the $1 ARM CPU, though of course you certainly could make a much cheaper piece of ARM hardware if you wanted.

Re:Blog cred, and easier than Arduino (0)

Anonymous Coward | about 7 months ago | (#46452613)

If you actually read TFA (yeah, this is slashdot...), the RPi here is just an example host.
In practice it's simply the USB HSM dongle + a library on the host to talk to it.
Also, this is *server* side, so at one second per authentication you better hope your site never gets popular...

And here's a more realistic interpretation:
330 authentications per minute, using non-iterated HMAC-SHA1... that thing *is* a $1 ARM CPU (wild guess: cortex-m3) doing software crypto.
HTTP over usb-serial over "full speed USB2.0"... wait a sec, full speed is just the plain old 12Mb/s of USB1.1.
Also... HTTP? Writing a safe HTTP parser is a lot harder than writing a parser for a dumb binary protocol, and to talk to the thing you need a library on the host side either way.
Another point, form factor... lose that stupid hump and stay within the USB recommended envelope. See their picture of 2 of the things plugged into a raspi and you know why.
Then there's the physical security aspects. Real HSMs are designed to be tamper-evident and tamper-resistant. This toy likely stores the master keys in an I2C EEPROM or internal flash with no further protection.

Re:Blog cred, and easier than Arduino (1)

AmiMoJo (196126) | about 7 months ago | (#46453855)

There are plenty of cheap microcontrollers with real USB ports, crypto functions and most importantly secure storage areas that could be used. Smaller, lower power, faster and cheaper.

Re:why a RasPi? (1)

Kryczek (2500658) | about 7 months ago | (#46453125)

Can someone please explain why this is attached to a RasPi?

Because doing anything with a Raspberry Pi gets you free Slashvertisement: Dan Cvrcek, the author of the blog post, is also the one selling the USB dongle used [s-crib.com].

Re:why a RasPi? (1)

SmartCrib (2726777) | about 7 months ago | (#46457907)

Cheap, easy to set up, runs Debian (almost) so our code (web service in Python) is likely to be portable.

Whatever happened to iris scans? (1)

BoRegardless (721219) | about 7 months ago | (#46452365)

Virtually every smartphone and computer seems to come with a camera these days.

How do you get more secure than the iris?

Re:Whatever happened to iris scans? (3, Funny)

jalet (36114) | about 7 months ago | (#46452383)

How do you get more secure than the iris?

By using the anus instead.

Re:Whatever happened to iris scans? (0)

Anonymous Coward | about 7 months ago | (#46453025)

I know shit authentication mechanisms when I see them

Re:Whatever happened to iris scans? (1)

AvitarX (172628) | about 7 months ago | (#46456591)

The problem with an iris I suspect is taking the image of a random iris scan, and converting it to a number in such a way that it consistently gets the same number (in the sense that all data is numbers), but also introduces significant entropy.

You can't just take a picture of the eye, and use that to salt a password over the wire, and if you're sending the actual scan of the eye over the wire to be compared, it begins to run into the security issues of a password in general.

Good in principle, for my wristwatch (1)

davecb (6526) | about 7 months ago | (#46453487)

After fixing the inevitable bugs, I want it on my wristwatch with a limited-distance, on-only-if-button-pressed communications link.

Resides in a Raspberry Pi? (1)

Fnord666 (889225) | about 7 months ago | (#46454661)

University of Cambridge's S-CRIB Scrambler resides in a Raspberry Pi...

No it doesn't. The S-CRIB Scrambler is a trusted hardware component implemented as a USB dongle that just happens to be plugged into a Raspberry Pi as a host server.

The current implementation uses Raspberry Pi as an "untrusted" host for web service. It is an inexpensive but sufficiently powerful platform for our password scrambling system.

This could just as easily be plugged into a server or any other PC. My point is that the device has nothing to do with and has no dependency on the Raspberry Pi and to imply otherwise is disingenuous.

10 Character Key? (1)

Fnord666 (889225) | about 7 months ago | (#46454743)

Where did the submitter get the quote that says this uses a 10 character key for the HMAC?
From the article:

The dongle (Scrambler) uses 4 keys / passwords.
1 - 10 characters long is used to identify clusters (when more than one dongle is used to boost throughput).
2 - this is the actual key for SHA1-HMAC
3 - this is used for initialisation vectors.
4 - encryption key for remote commands ENSCRAMBLE and ENGETID. This key is shared with the client (Wordpress in our case) to provide end-to-end encryption of passwords sent for scrambling.

Here are the details from the article about key lengths, etc.

S-CRIB Scrambler Design Basics We use the same hardware as for our Password S-CRIB and only re-implemented the firmware to add required functionality. The keys / passwords now have 32 characters so they can be directly used with AES-256. Each password can provide up to 199 bits of entropy as we use 76 different characters. The source of passwords is a combination of a "dongle key" (unique for each Scrambler) and a random SHA1 key generated using microsecond timer applied on communication between Scrambler and the host PC.

Ridiculous (1)

SJ2000 (1128057) | about 7 months ago | (#46454811)

Have they never seen a PKCS#11 device?

Re: Ridiculous (1)

SmartCrib (2726777) | about 7 months ago | (#46457727)

We did see quite a few of those HSMs and cracked some of them.

Re: Ridiculous (1)

SJ2000 (1128057) | about 7 months ago | (#46461429)

Why not follow the same interface standard instead of defining your own?

Re: Ridiculous (0)

Anonymous Coward | about 7 months ago | (#46462071)

A paper on these so-called attacks on existing HSMs would be more interesting than this project.

University of Cambridge ... (1)

SmartCrib (2726777) | about 7 months ago | (#46458821)

It should be stated for the record that we have links with the security group at University of Cambridge as well as alumni, but Scrambler was developed by a startup, Smart Crib Ltd.