Encryption Security

University of Cambridge Develops Potentially More Secure Password Storage System

Posted by Unknown Lamer
from the tpm-minus-bad-things dept.
An anonymous reader writes "University of Cambridge's S-CRIB Scrambler resides in a Raspberry Pi and performs a hash-based message authentication code (HMAC). 'The secret 10-character key used to generate the HMAC resides solely on the dongle. Because it's not included in password tables that are stored on servers, the key could remain secret even in the event of a major security breach.' There are pros and cons associated with this method, of course, ranging from scalability to loss of access due to device hardware failure. As with all current options for password security, there's no guarantee that even this system remains secure."
  • why a RasPi? (Score:2, Insightful)

    by SuperBanana (662181) on Monday March 10, 2014 @10:39PM (#46452183)

    Can someone please explain why this is attached to a RasPi?

    Among other things, the poor architecture and inability to run a standard distribution make it a remarkably bad choice when you can get low-power x86 boards that will wipe the floor with it.

  • How do I log in to my account from a new device? What if I'm travelling and I don't have my computer with me, how do I use an internet cafe?

    As you always would - with your username and password.

    What these guys propose doing is server side - you enter a password, the server hashes it, it's sent to the box which signs it, then the resulting hash is spit back out and stored in the database. When you log in, you provide the password, it's hashed by the server, sent to the box, and the resulting signed hash is compared with the stored hash.

    The reason for this is to make breaches of websites that much less useful - if the attackers get the database, they won't have the HMAC key so they can't really run through and crack the hashes. The website can regenerate a new HMAC key and force everyone to recreate their passwords (which can be the same) and they'll end up different in the database again because they are signed with the new key.

    Since the key never leaves the hardware box, it's impossible to extract it when you're grabbing the user database.

    The big problem is, well, it protects the user with less benefit and more cost to the website in question, meaning few, if any, would actually implement it because the benefits go solely to the user.
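
The server-side flow described in the comment above, as an added Python example that is not part of the original post or of the S-CRIB project's code. The `Scrambler` class stands in for the hardware box; the random 32-byte key, the per-user salt and the PBKDF2 step are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class Scrambler:
    """Stand-in for the hardware box; the HMAC key exists only in here."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # assumption: random 32-byte key

    def scramble(self, digest: bytes) -> bytes:
        return hmac.new(self._key, digest, hashlib.sha256).digest()

    def rotate(self) -> None:
        """New key: every stored value must be re-created afterwards."""
        self._key = secrets.token_bytes(32)


def server_hash(password: str, salt: bytes) -> bytes:
    # Assumption: salted PBKDF2 as the server-side hash the comment mentions.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def enroll(db: dict, box: Scrambler, user: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    db[user] = (salt, box.scramble(server_hash(password, salt)))


def verify(db: dict, box: Scrambler, user: str, password: str) -> bool:
    if user not in db:
        return False
    salt, stored = db[user]
    candidate = box.scramble(server_hash(password, salt))
    return hmac.compare_digest(stored, candidate)


def table_alone_confirms(db_copy: dict, user: str, password: str) -> bool:
    """What a copy of the table permits without the box: nothing matches."""
    salt, stored = db_copy[user]
    return hmac.compare_digest(stored, server_hash(password, salt))


if __name__ == "__main__":
    pw = "constructed-sample-password"  # constructed sample value
    db, box = {}, Scrambler()
    enroll(db, box, "alice", pw)
    print(verify(db, box, "alice", pw))                 # True
    print(table_alone_confirms(dict(db), "alice", pw))  # False
    box.rotate()
    print(verify(db, box, "alice", pw))                 # False
```

After `rotate()`, existing rows stop verifying until each user's password is enrolled again, which is the forced re-creation step the comment describes.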

  • by raymorris (2726007) on Tuesday March 11, 2014 @12:25AM (#46452479)

    You wouldn't use an RPi in production, of course. x86 would be just as silly. A $3 hardware encryption chip attached to most any microcontroller would be several thousand times faster and an order of magnitude cheaper than x86. x86 is for general purpose computing - this is a single purpose device.

    So why did they use a raspberry pi? Probably because they already had one, or several, already knew how to use it, and could put the code together in an hour or so to demonstrate the concept and have a little fun doing it.
