Mitigating Dictionary Attacks on Password-Protected Local Storage

  • Ran Canetti
  • Shai Halevi
  • Michael Steiner
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4117)


We address the issue of encrypting data in local storage using a key that is derived from the user’s password. The typical solution in use today is to derive the key from the password using a cryptographic hash function. This solution provides relatively weak protection, since an attacker that gets hold of the encrypted data can mount an off-line dictionary attack on the user’s password, thereby recovering the key and decrypting the stored data.

We propose an approach for limiting off-line dictionary attacks in this setting without relying on secret storage or secure hardware. In our proposal, the process of deriving a key from the password requires the user to solve a puzzle that is presumed to be solvable only by humans (e.g., a CAPTCHA). We describe a simple protocol using this approach: many different puzzles are stored on the disk, the user’s password is used to specify which of them need to be solved, and the encryption key is derived from the password and the solutions of the specified puzzles. Completely specifying and analyzing this simple protocol, however, raises a host of modeling and technical issues, such as new properties of human-solvable puzzles and some seemingly hard combinatorial problems. Here we analyze this protocol in some interesting special cases.
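The protocol outlined in the abstract can be sketched as follows. This is an added example, not the authors' construction: the PBKDF2/HMAC-based selection rule, the parameter values, and all function names are assumptions, and constructed strings stand in for real CAPTCHAs and their human-read answers.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 20_000  # assumed PBKDF2 work factor for this demo

def make_store(n):
    """Constructed stand-in for the on-disk puzzles. Returns (puzzles, answers):
    only `puzzles` would be stored; `answers` models what a human reads off."""
    puzzles = [f"captcha-{i:04d}" for i in range(n)]
    answers = {p: secrets.token_hex(4) for p in puzzles}
    return puzzles, answers

def select_indices(password, salt, n, k):
    """Map the password to k distinct puzzle indices (assumed selection rule)."""
    if not 0 < k <= n:
        raise ValueError("need 0 < k <= n")
    seed = hashlib.pbkdf2_hmac("sha256", password.encode(), salt + b"|select", ITERATIONS)
    chosen, ctr = [], 0
    while len(chosen) < k:
        block = hmac.new(seed, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        idx = int.from_bytes(block[:8], "big") % n  # 64-bit draw: negligible modulo bias
        if idx not in chosen:
            chosen.append(idx)
        ctr += 1
    return chosen

def derive_key(password, salt, puzzles, solve, k):
    """Key = KDF(password, solutions of the puzzles the password selects)."""
    idxs = select_indices(password, salt, len(puzzles), k)
    parts = [password.encode()] + [solve(puzzles[i]).encode() for i in idxs]
    # Length-prefix each part so the encoding is unambiguous.
    material = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hashlib.pbkdf2_hmac("sha256", material, salt + b"|key", ITERATIONS)

def puzzles_needed(guesses, salt, n, k):
    """Distinct puzzles an off-line attacker must get solved to test every guess."""
    needed = set()
    for g in guesses:
        needed.update(select_indices(g, salt, n, k))
    return len(needed)

if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    puzzles, answers = make_store(1024)
    key = derive_key("correct horse", salt, puzzles, answers.__getitem__, k=4)
    print("key:", key.hex())
    print("puzzles to test 20 guesses:",
          puzzles_needed([f"guess{i}" for i in range(20)], salt, 1024, 4))
```

The legitimate user solves only the k puzzles their password selects, while `puzzles_needed` shows how the human-solving effort grows with the number of password guesses an off-line attacker wants to test.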


Keywords: Security Parameter; Legitimate User; Cover Number; Dictionary Attack; Cryptographic Hash Function
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Ran Canetti (1)
  • Shai Halevi (1)
  • Michael Steiner (1)
  1. IBM T.J. Watson Research Center, Hawthorne, USA
