This application claims the benefit of Korean Patent Application No. 10-2023-0192554, filed Dec. 27, 2023, which is hereby incorporated by reference in its entirety into this application.
The disclosed embodiment relates to password-based authentication technology.
In online services, various methods are used in order to verify the identity of users, and passwords are still the most commonly used means of user authentication.
A password method is a means of user authentication in which a user ID and a password, which is secret information corresponding to the user ID, are stored in a server and when a user logs in, whether the user is a valid user is determined by checking whether the password input by the user matches the password stored in the server. The password method is the oldest user authentication means, and is still provided as the primary means of user authentication in most online services.
In addition to the password method, PIN numbers, public certificates, biometric recognition technology, such as fingerprints, an iris, and the like, are used as the means of user authentication, but these are used as a supplementary or auxiliary authentication means in addition to passwords in order to enhance security and convenience.
User passwords used in the password authentication method are typically stored and managed in a single server or secure repository of a service provider. Consequently, if a malicious attacker successfully hacks the password of a user (a service subscriber), the password of the user is exposed to the attacker, which may lead to the leakage of more personal information of the user and an invasion of privacy. When the exposed password is not that of a regular user but an administrator password for the service provider's server, the damage becomes more severe: it leads to massive leakage of the personal information of all service subscribers, legal sanctions, shutdown of the corresponding service, a mass exodus of service subscribers, etc., and causes substantial loss such as a decline in trust in the service provider.
As a conventional countermeasure against hacking attacks on user credentials (information used for authenticating users, such as passwords or biometric information), there is a method of dividing user credentials and storing the same in multiple repositories rather than a single repository. However, because this method simply divides the user credentials physically, if any one of the multiple repositories is hacked into, portions of the user credentials are exposed to an attacker, and the attacker may more easily infer or obtain the original user credentials by exploiting the exposed credential information.
An object of the disclosed embodiment is to securely register the password of a user in multiple servers in a distributed manner.
Another object of the disclosed embodiment is to enable user authentication without exposing password verification fragment values stored in a distributed manner.
A further object of the disclosed embodiment is to issue and manage a token without a trusted third-party organization (a trusted server).
Yet another object of the disclosed embodiment is to make it easy to apply the means of user authentication using various credentials that can be digitally expressed, such as biometric information including fingerprints, an iris, etc., in addition to passwords.
An apparatus for password-based distributed authentication according to an embodiment includes memory in which at least one program is recorded and a processor for executing the program. The program may perform at least one of registering a password input by a user in a service membership sign-up procedure in multiple servers in a distributed manner based on multi-party computation, authenticating a password input by the user in a login procedure based on multi-party computation with the multiple servers, or acquiring a resource of a service requested by the authenticated user, or a combination thereof.
Here, when registering the password, the program may perform receiving an identifier and the password from the user who requests signing up for a membership, converting the received password into a password verification value, generating a secret-sharing polynomial using the password verification value, generating multiple password verification fragment values using the secret-sharing polynomial and IDs of the multiple servers, and distributing the password verification fragment values to corresponding ones of the multiple servers.
Here, converting the received password may comprise converting the received password into the password verification value using a salt or a hash.
Here, generating the secret-sharing polynomial may comprise generating the secret-sharing polynomial using a Shamir's secret sharing method.
Here, when authenticating the password, the program may perform generating a token generation key when an identifier and the password are input by the user, converting the password input by the user into a password verification value, restoring a password verification comparison value, checking whether the restored password verification comparison value matches the password verification value, generating a token key and a token based on the token generation key when the password verification comparison value matches the password verification value, and storing the generated token.
Here, when restoring the password verification comparison value, the program may restore the password verification comparison value based on password verification fragment values of t servers, among N servers across which the password verification fragment values are distributed, and the password verification comparison value may be calculated as the sum of Lagrange basis polynomials multiplied by the respective password verification fragment values.
Here, the token may include a token signature and token data.
Here, the token data may include at least one of a user identifier, a token serial number, service access authority information, a token issuance date and time, or a token expiration date and time, or a combination thereof.
Here, the token key may be generated based on the sum of token generation keys initially generated by a user terminal and t servers.
Here, when acquiring the resource, the program may perform retrieving whether a token for the requested service is present, transferring the retrieved token to a server providing the requested service, and receiving the resource from the server when the token is verified.
An apparatus for password-based distributed authentication according to an embodiment includes memory in which at least one program is recorded and a processor for executing the program. The program may perform at least one of registering password verification fragment values generated through multi-party computation with one or more additional servers based on a password input by a user through a user terminal in a service membership sign-up procedure, authenticating a password input by the user in a login procedure based on multi-party computation using the password verification fragment values registered in the one or more additional servers in a distributed manner, or providing a resource of a service requested from the user terminal based on token verification, or a combination thereof.
Here, when authenticating the password, the program may perform reading the password verification fragment values corresponding to an identifier of the user and generating a token generation key, converting the password input by the user into a password verification value, restoring a password verification comparison value from the password verification fragment values registered in a distributed manner through multi-party computation with the one or more additional servers, checking whether the restored password verification comparison value matches the password verification value, generating a token key and a token based on the token generation key when the password verification comparison value matches the password verification value, and storing the generated token key.
Here, the token key may be generated based on the sum of token generation keys initially generated by the user terminal and t servers.
Here, when providing the resource, the program may perform receiving a service request and a token from the user terminal, retrieving a token key corresponding to the token, verifying the token using the retrieved token key, and providing the resource when the token is verified.
Here, when verifying the token, the program may perform generating a token signature using the retrieved token key and token data included in the token and checking whether the generated token signature matches a token signature included in the token.
A method for password-based distributed authentication according to an embodiment may include receiving an identifier and a password from a user who requests signing up for a membership, converting the received password into a password verification value, generating a secret-sharing polynomial using the password verification value, generating multiple password verification fragment values using the secret-sharing polynomial and the IDs of multiple servers, and distributing the password verification fragment values to corresponding ones of the multiple servers.
Here, the method for password-based distributed authentication according to an embodiment may further include generating a token generation key when an identifier and a password are input by the user, converting the password input by the user into a password verification value, restoring a password verification comparison value, checking whether the restored password verification comparison value matches the password verification value, generating a token key and a token based on the token generation key when the password verification comparison value matches the password verification value, and storing the generated token.
Here, restoring the password verification comparison value may comprise restoring the password verification comparison value based on password verification fragment values of t servers, among N servers across which the password verification fragment values are distributed, and the password verification comparison value may be calculated as the sum of Lagrange basis polynomials multiplied by the respective password verification fragment values.
Here, the token key may be generated based on the sum of token generation keys initially generated by a user terminal and the t servers.
Here, the method for password-based distributed authentication according to an embodiment may further include acquiring a resource of a service requested by the user, and acquiring the resource may include retrieving whether a token for the requested service is present, transferring the retrieved token to a server providing the requested service, and receiving the resource from the server when the token is verified. The token may include a token signature and token data, and may be verified depending on whether the token signature included in the transferred token matches a token signature generated by the server using a token key and the token data.
The above and other objects, features, and advantages of the present disclosure will be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings, in which:
The advantages and features of the present disclosure and methods of achieving them will be apparent from the following exemplary embodiments to be described in more detail with reference to the accompanying drawings. However, it should be noted that the present disclosure is not limited to the following exemplary embodiments, and may be implemented in various forms. Accordingly, the exemplary embodiments are provided only to disclose the present disclosure and to let those skilled in the art know the category of the present disclosure, and the present disclosure is to be defined based only on the claims. The same reference numerals or the same reference designators denote the same elements throughout the specification.
It will be understood that, although the terms “first,” “second,” etc. may be used herein to describe various elements, these elements are not intended to be limited by these terms. These terms are only used to distinguish one element from another element. For example, a first element discussed below could be referred to as a second element without departing from the technical spirit of the present disclosure.
The terms used herein are for the purpose of describing particular embodiments only and are not intended to limit the present disclosure. As used herein, the singular forms are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises,” “comprising,” “includes” and/or “including,” when used herein, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
Unless differently defined, all terms used herein, including technical or scientific terms, have the same meanings as terms generally understood by those skilled in the art to which the present disclosure pertains. Terms identical to those defined in generally used dictionaries should be interpreted as having meanings identical to contextual meanings of the related art, and are not to be interpreted as having ideal or excessively formal meanings unless they are definitively defined in the present specification.
Referring to
Here, through the user terminal 10, a user may sign up for a service that a service provider provides through the multiple servers 20-1, 20-2, . . . , 20-N.
Here, the multiple servers 20-1, 20-2, . . . , 20-N may be operated by a single service provider or multiple service providers. Also, according to an embodiment, the multiple servers 20-1, 20-2, . . . , 20-N may perform Multi-Party Computation (MPC) through mutual communication.
According to an embodiment, the user terminal 10 and the multiple servers 20-1, 20-2, . . . , 20-N may perform a process of registering the password, which is input by the user in the service membership sign-up procedure, in the multiple servers 20-1, 20-2, . . . , 20-N in a distributed manner based on multi-party computation at step S100. This will be described in detail later with reference to
In the conventional user authentication technology, there is an invention in which a biometric information verification value (a cryptographically secure value derived from a biometric information value using a one-way hash function, or the like), which is one piece of user credential information, is simply divided into segments and the segments are mixed and stored in a distributed manner; but when the servers or repositories in which the segments are stored in a distributed manner are hacked into, part of the user's biometric information verification value may be exposed.
However, in an embodiment, rather than simply dividing a password hash value (referred to as a password verification value hereinbelow), cryptographically randomized values (referred to as password verification fragment values hereinbelow) using multi-party computation are stored in a distributed manner, so an attacker is not able to obtain even one bit of information about the user's password verification value unless the attacker hacks into more than a certain number of servers or repositories across which the password verification fragment values are distributed. Also, when the user is authenticated, the password verification value is verified through multi-party computation of the random values stored in a distributed manner, so each of the servers or repositories cannot obtain the password verification value.
Also, according to an embodiment, a process of authenticating the password input by the user in a login procedure based on multi-party computation with multiple servers may be performed at step S200 based on multi-party computation between the user terminal 10 and two or more of the multiple servers 20-1, 20-2, . . . , 20-N.
That is, it is checked whether the password input through the user terminal 10 for user login matches the password that was registered in two or more of the multiple servers 20-1, 20-2, . . . , 20-N in a distributed manner when the user signed up.
When user authentication succeeds, a token is generated based on multi-party computation between the user terminal 10 and two or more of the multiple servers 20-1, 20-2, . . . , 20-N without a separate trusted server and is then issued to the user terminal 10, and simultaneously, a token key used for verification of the token is transmitted to the two or more of the multiple servers 20-1, 20-2, . . . , 20-N, which participated in generation of the token. This will be described in detail later with reference to
That is, according to an embodiment, multi-party computation technology may be used not only for user login but also for issuance of a token for user authentication.
Generally, a token authentication method is used as one of the means of maintaining authentication after user login for user convenience, in which case a separate trusted server (Trusted Third Party (TTP)) for issuing a token is required. This incurs additional service administrative costs borne by the service provider, and may cause the problem of a Single Point Of Failure (SPOF).
In contrast, when password authentication is performed based on multi-party computation as in the embodiment, a token may be securely issued through multi-party computation between multiple service provider's servers without a separate trusted server.
Finally, according to an embodiment, the resources of the service requested by the authenticated user are acquired based on multi-party computation between the user terminal 10 and two or more of the multiple servers 20-1, 20-2, . . . , 20-N.
That is, the user terminal 10 transfers the token to the server that provides the service requested by the user. Accordingly, the server verifies the token using the token key acquired at the time of user login, and depending on the verification result, the server provides the service desired by the user to the user terminal 10 within resources allowed by the token to the user. This will be described in detail later with reference to
Referring to
Subsequently, distributed registration of the input password may be performed at step S120 through multi-party computation between the user terminal 10 and N servers 20-1, 20-2, . . . , 20-N.
Specifically, referring to
Here, the password may be converted into the password verification value using a salt, a hash, or the like.
Subsequently, the user terminal 10 generates a secret-sharing polynomial using the password verification value at S122.
Here, using a Shamir's secret sharing technique, a secret-sharing polynomial like Equation (1) below may be generated for distributed storage in the N servers 20-1, 20-2, . . . , 20-N.
In Equation (1), ci is the coefficient of the x term of degree i (1≤i≤t−1, t<N). When the (t−1)-th degree polynomial is used, the password verification value hpw may be restored using Lagrange interpolation by participation of t or more of the N servers 20-1, 20-2, . . . , 20-N.
Subsequently, the user terminal 10 acquires the respective IDs of the multiple servers 20-1, 20-2, . . . , 20-N and generates multiple password verification fragment values using the calculated secret-sharing polynomial Fhpw(x) and the respective IDs of the multiple servers 20-1, 20-2, . . . , 20-N at step S123.
For example, the user terminal 10 may calculate hpw1=Fhpw(1) as the first password verification fragment value for the first server 20-1, may calculate hpw2=Fhpw(2) as the second password verification fragment value for the second server 20-2, and may calculate hpwN=Fhpw(N) as the N-th password verification fragment value for the N-th server 20-N.
The user terminal 10 distributes the password verification fragment values to the corresponding ones of the multiple servers 20-1, 20-2, . . . , 20-N at step S124.
For example, hpw1 may be transmitted to the first server 20-1, hpw2 may be transmitted to the second server 20-2, and hpwN may be transmitted to the N-th server 20-N.
Subsequently, the N servers 20-1, 20-2, . . . , 20-N each securely store the password verification fragment values, which are distributed after the multi-party computation performed at S120, in the repositories thereof at step S130.
For example, the first server 20-1 may store the first password verification fragment value hpw1 distributed thereto at step S130-1, the second server 20-2 may store the second password verification fragment value hpw2 distributed thereto at step S130-2, and the N-th server 20-N may store the N-th password verification fragment value hpwN distributed thereto at step S130-N.
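The registration steps S121 to S124 and the restoration that Equation (1) relies on, as an added Python example that is not part of the application: the field prime (the secp256k1 prime, chosen only as a convenient 256-bit prime), salted SHA-256 as the password verification value, and server IDs 1..N as the evaluation points are all assumptions, and the arithmetic the parties jointly compute inside the MPC is shown in the clear.

```python
import hashlib
import secrets

# Field for the Shamir polynomial. The application does not name one; the
# secp256k1 field prime is assumed here simply as a convenient 256-bit prime
# so that a SHA-256 digest fits as a field element.
P = 2**256 - 2**32 - 977


def password_verification_value(password: str, salt: bytes) -> int:
    """hpw: salted SHA-256 of the password, as a field element (step S121)."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % P


def secret_sharing_polynomial(hpw: int, t: int) -> list:
    """F_hpw(x) of degree t-1: constant term hpw, random c_1..c_(t-1) (step S122)."""
    return [hpw] + [secrets.randbelow(P) for _ in range(t - 1)]


def evaluate(coeffs: list, x: int) -> int:
    """Evaluate the polynomial at x in the field (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def generate_fragments(coeffs: list, n: int) -> dict:
    """hpw_i = F_hpw(i) for server IDs 1..N (step S123); server i stores only hpw_i."""
    return {i: evaluate(coeffs, i) for i in range(1, n + 1)}


def restore_comparison_value(fragments: dict) -> int:
    """hpw' = sum_i lambda_i * hpw_i with the Lagrange basis evaluated at x = 0."""
    ids = list(fragments)
    hpw_prime = 0
    for i in ids:
        num, den = 1, 1
        for j in ids:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        lam = num * pow(den, -1, P) % P
        hpw_prime = (hpw_prime + lam * fragments[i]) % P
    return hpw_prime


def register(password: str, salt: bytes, n: int, t: int) -> dict:
    """Terminal-side registration (S121-S124): returns {server_id: fragment}."""
    hpw = password_verification_value(password, salt)
    return generate_fragments(secret_sharing_polynomial(hpw, t), n)


def authenticate(password: str, salt: bytes, fragments: dict) -> bool:
    """Login check over the fragments of the participating servers. In the
    embodiment this comparison happens inside the MPC; here it is in the clear."""
    hpw = password_verification_value(password, salt)
    return restore_comparison_value(fragments) == hpw


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample input
    frags = register("correct horse battery", salt, n=5, t=3)
    print(authenticate("correct horse battery", salt, {i: frags[i] for i in (1, 3, 5)}))  # True
    print(authenticate("wrong password", salt, {i: frags[i] for i in (1, 3, 5)}))         # False
    # Only t-1 = 2 servers participate: the interpolated value is not hpw.
    print(authenticate("correct horse battery", salt, {i: frags[i] for i in (1, 2)}))     # False
```

Any t of the N fragments restore the same hpw', while t−1 fragments are consistent with every possible hpw, which is the property the application relies on when it says a breach of fewer than t repositories reveals nothing about the verification value.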
Referring to
Here, the password and the token generation key tokKey0 are used as the input values of a multi-party computation process at step S250.
Meanwhile, the password verification comparison value to be compared with a password verification value may be restored only when at least t servers 20-1, 20-2, . . . , 20-t, among N servers 20-1, 20-2, . . . , 20-N across which password verification fragment values are distributed, participate.
Accordingly, the at least t servers 20-1, 20-2, . . . , 20-t each read the password verification fragment values hpw1, hpw2, . . . , hpwt, which are stored when the password is registered in a distributed manner, at steps S230-1, S230-2, . . . , S230-t and generate token generation keys tokKey1, tokKey2, . . . , tokKeyt, which are random values, at steps S240-1, S240-2, . . . , S240-t.
Here, the password verification fragment values hpw1, hpw2, . . . , hpwt and the token generation keys tokKey1, tokKey2, . . . , tokKeyt may be used as the input values of the multi-party computation process at step S250.
Subsequently, operations for distributed authentication of the input password and token generation may be performed at step S250 through multi-party computation between the user terminal 10 and the t servers 20-1, 20-2, . . . , 20-t.
Specifically, referring to
The user terminal 10 and the t servers 20-1, 20-2, . . . , 20-t jointly restore the password verification comparison value hpw′ at step S252.
Here, the password verification comparison value hpw′ is restored by being calculated based on the password verification fragment values hpw1, hpw2, . . . , hpwt of the at least t servers 20-1, 20-2, . . . , 20-t, among the N servers 20-1, 20-2, . . . , 20-N across which the password verification fragment values are distributed, as shown in Equation (2) below:
In Equation (2), λi denotes Lagrange basis polynomials, and may be defined as Equation (3) below:
Subsequently, the user terminal 10 and the t servers 20-1, 20-2, . . . , 20-t, which participate in user authentication, check whether the restored password verification comparison value hpw′ matches the password verification value hpw at step S253.
Here, when the password verification comparison value hpw′ matches the password verification value hpw, it may be determined that user authentication succeeds. Conversely, when the password verification comparison value hpw′ does not match the password verification value hpw, the user login is terminated with user authentication failure due to the password mismatch.
When it is determined at step S253 that user authentication succeeds, the user terminal 10 and the t servers 20-1, 20-2, . . . , 20-t, which participate in user authentication, jointly generate a token key tokKey and a token tokken at step S254.
Here, the token may be configured with token data tokData and a token signature tokSig.
The token data is a set of pieces of data predefined by a service provider, and may include at least one of a user ID, a token serial number, service access authority information, a token issuance date and time, or a token expiration date and time, or a combination thereof.
The token signature may be defined based on various hash or digital signature algorithms. According to an embodiment, HMAC-SHA256, which is one of the hash algorithms commonly used in JSON Web Token (JWT), may be used.
Here, Hash-based Message Authentication Code (HMAC) is a cryptographic algorithm for calculating a hash value of a given message using a secret key. Therefore, in order to calculate the token signature using HMAC-SHA256, a secret key is required, and, in an embodiment, the secret key is defined as the token key.
According to an embodiment, the token key tokKey may be calculated using the token generation keys, which are initially generated by the user terminal 10 and the t servers 20-1, 20-2, . . . , 20-t at steps S220, S240-1, S240-2, . . . , S240-t, as shown in Equation (4) below:
Here, because the token key is calculated through the multi-party computation process, each of the servers 20-1, 20-2, . . . , 20-t is not able to obtain information about the token generation key input by the other servers.
Also, the token signature tokSig may be calculated using the HMAC algorithm by receiving the token data as a message and receiving the token key as the secret key, as shown in Equation (5) below:
Finally, the token may be generated as tokken={tokData, tokSig} at step S255.
Referring again to
Here, by the multi-party computation process, the user terminal 10 cannot find out information about the token key obtained by each of the servers 20-1, 20-2, . . . , 20-t, and the servers 20-1, 20-2, . . . , 20-t also cannot find out the token value given to the user terminal 10.
Referring to
When a service request is input by the user at step S310, the user terminal 10 retrieves whether the token for the requested service is present at step S320.
Here, when the token is not present, the token may be provided through the password-based distributed authentication procedure (S200,
The user terminal 10 transfers the token to the first server 20-1, which is a server for providing the service, at step S330.
The first server 20-1 retrieves the token key corresponding to the token using some entries (e.g., a token serial number) included in the token received from the user terminal 10 at step S340.
Here, the token may include token data and a first token signature (tokken={tokData, tokSig}).
Subsequently, the first server 20-1 calculates a second token signature tokSig′ using the corresponding token key tokKey and the token data tokData included in the token at step S350, as shown in Equation (6) below:
The first server 20-1 checks whether the generated second token signature tokSig′ matches the first token signature included in the token (tokSig∈tokken) at step S360.
Here, when the first token signature does not match the second token signature, the token verification process is stopped.
Conversely, when the first token signature matches the second token signature, this indicates that the user terminal 10 provides a valid token and that the user terminal 10 is qualified to receive the resource for the service.
Accordingly, the first server 20-1 transfers the resource requested by the user terminal 10 at step S370.
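Token issuance (steps S254 to S255) and the server-side verification (steps S340 to S360), as an added Python example that is not the application's own code: the sum in Equation (4) is assumed to be taken modulo 2^256 so that the token key is a fixed 32-byte HMAC key, tokData is assumed to be serialized as canonical JSON (the application fixes no encoding), and the token generation keys are modeled as local random values rather than inside an MPC. Beyond the signature comparison of step S360, the verifier here also rejects a token whose expiration time has passed.

```python
import hashlib
import hmac
import json
import secrets

KEY_BYTES = 32  # HMAC-SHA256 key length assumed here


def token_generation_key() -> int:
    """One party's random contribution tokKey_i (steps S220, S240-1..S240-t)."""
    return secrets.randbits(8 * KEY_BYTES)


def derive_token_key(contributions: list) -> bytes:
    """tokKey = tokKey0 + tokKey1 + ... + tokKey_t (Equation (4)).
    Reduction modulo 2^256 is an assumption so the result is a fixed-size key."""
    total = sum(contributions) % (1 << (8 * KEY_BYTES))
    return total.to_bytes(KEY_BYTES, "big")


def encode_token_data(tok_data: dict) -> bytes:
    """Canonical JSON: the server must rebuild byte-identical tokData in step S350."""
    return json.dumps(tok_data, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_token_data(tok_key: bytes, tok_data: dict) -> bytes:
    """tokSig = HMAC-SHA256(tokKey, tokData) (Equations (5) and (6))."""
    return hmac.new(tok_key, encode_token_data(tok_data), hashlib.sha256).digest()


def issue_token(contributions: list, tok_data: dict) -> tuple:
    """Step S254-S255: returns (tokKey for the servers, tokken for the terminal)."""
    tok_key = derive_token_key(contributions)
    return tok_key, {"tokData": tok_data, "tokSig": sign_token_data(tok_key, tok_data)}


class ServiceServer:
    """Keeps tokKey per token serial number (looked up in step S340)."""

    def __init__(self):
        self.token_keys = {}

    def store_token_key(self, serial: str, tok_key: bytes) -> None:
        self.token_keys[serial] = tok_key

    def verify_token(self, token: dict, now: int) -> bool:
        """Steps S350-S360 plus an expiry check that the application's steps do not list."""
        tok_data = token["tokData"]
        tok_key = self.token_keys.get(tok_data.get("serial"))
        if tok_key is None:
            return False
        expected = sign_token_data(tok_key, tok_data)  # tokSig'
        if not hmac.compare_digest(expected, token["tokSig"]):
            return False
        return now < tok_data.get("expires", 0)


if __name__ == "__main__":
    # Constructed sample: one terminal contribution plus t = 3 server contributions.
    contributions = [token_generation_key() for _ in range(4)]
    tok_data = {"user_id": "alice", "serial": "sn-0001", "authority": "read",
                "issued": 1000, "expires": 2000}
    tok_key, token = issue_token(contributions, tok_data)
    server = ServiceServer()
    server.store_token_key("sn-0001", tok_key)
    print(server.verify_token(token, now=1500))  # True
    forged = {"tokData": dict(tok_data, authority="admin"), "tokSig": token["tokSig"]}
    print(server.verify_token(forged, now=1500))  # False: tokData changed, tokSig' differs
```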
The user terminal 10 and the servers 20-1, 20-2, . . . , 20-N according to an embodiment may be implemented in a computer system 1000 including a computer-readable recording medium.
The computer system 1000 may include one or more processors 1010, memory 1030, a user-interface input device 1040, a user-interface output device 1050, and storage 1060, which communicate with each other via a bus 1020. Also, the computer system 1000 may further include a network interface 1070 connected with a network 1080. The processor 1010 may be a central processing unit or a semiconductor device for executing a program or processing instructions stored in the memory 1030 or the storage 1060. The memory 1030 and the storage 1060 may be storage media including at least one of a volatile medium, a nonvolatile medium, a detachable medium, a non-detachable medium, a communication medium, or an information delivery medium, or a combination thereof. For example, the memory 1030 may include ROM 1031 or RAM 1032.
According to the disclosed embodiment, a password verification value may be randomized in a cryptological manner and securely registered in respective servers in a distributed manner.
According to the disclosed embodiment, when a password verification value is restored using password verification fragment values stored in a distributed manner, user authentication may be performed without exposing the original password verification fragment values by performing multi-party computation.
According to the disclosed embodiment, trusted operation and token issuance may be performed between participants (a user terminal and multiple servers), so a trusted third-party organization (a trusted server) for issuing and managing tokens is not required.
According to the disclosed embodiment, it becomes easy to apply the means of user authentication using various credentials capable of being digitally expressed, such as biometric information including fingerprints, an iris, etc., in addition to passwords.
Although the embodiments of the present disclosure have been described with reference to the accompanying drawings, those skilled in the art will appreciate that the present disclosure may be practiced in other specific forms without changing the technical spirit or essential features of the present disclosure. Therefore, the embodiments described above are illustrative in all aspects and should not be understood as limiting the present disclosure.
| Number | Date | Country | Kind |
|---|---|---|---|
| 10-2023-0192554 | Dec 2023 | KR | national |