How to Sync with Alice

  • Conference paper
Security Protocols XIX (Security Protocols 2011)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7114)

Abstract

This paper explains the sync problem and compares solutions in Firefox 4 and Chrome 10. The sync problem studies how to securely synchronize data across different computers. Google has added a built-in sync function in Chrome 10, which uses a user-defined password to encrypt bookmarks, history, cached passwords, etc. However, due to the low entropy of passwords, the encryption is inherently weak: anyone with access to the ciphertext can easily uncover the key (and hence disclose the plaintext). Mozilla used to have a very similar sync solution in Firefox 3.5, but since Firefox 4 it has completely changed how sync works in the browser. The new solution is based on a security protocol called J-PAKE, which is a balanced Password Authenticated Key Exchange (PAKE) protocol. To the best of our knowledge, this is the first large-scale deployment of PAKE technology. Since PAKE does not require a PKI, it has compelling advantages over PKI-based schemes such as SSL/TLS in many applications. However, in the past decade, deployment of PAKE has been greatly hampered by patent and other issues. With the rise of patent-free solutions such as J-PAKE, and with the EKE patent due to expire in October 2011, we believe PAKE technology will be more widely adopted in the near future.

Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Hao, F., Ryan, P.Y.A. (2011). How to Sync with Alice. In: Christianson, B., Crispo, B., Malcolm, J., Stajano, F. (eds) Security Protocols XIX. Security Protocols 2011. Lecture Notes in Computer Science, vol 7114. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-25867-1_16

  • DOI: https://doi.org/10.1007/978-3-642-25867-1_16

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-25866-4

  • Online ISBN: 978-3-642-25867-1

  • eBook Packages: Computer Science, Computer Science (R0)
