The Sibyl

The Sibyl is a project invented and implemented by Pedro (pfortuny) and me (rafacas), although I have to admit that it was Pedro’s idea.

It started with the goal of securely storing the shadow file and, more generally, any database of secret authentication tokens (think of the passwords, or rather the password hashes, of the users of a Web-based service). We believe it addresses the main threat to those databases: dictionary attacks and rainbow tables, which have become available at negligible cost. There is even a cloud-based service for running dictionary attacks on a WPA key.

Our approach for storing shadow files is to use a separate server to check the correctness of the password entered by the user, taking advantage of asymmetric key encryption.

Instead of keeping the hash of the password in the shadow file (as crypt(3) does, or a SHA1 hash), we store an OAEP RSA ciphertext of the hashed password, produced with a public encryption key. Each time the user tries to log in, we ask the owner of the private key, via TCP, whether another OAEP encryption of the hash of the password just entered matches the stored token. That is, we use an “oracle” to check whether the user has entered the correct password. This “oracle”, a standalone machine, is the Sibyl, and the device we use to implement it is a Bifferboard.
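
The check described above, as an added Go example that is not the Sibyl project's own code. Because OAEP is randomized, two encryptions of the same hash differ, so the login host cannot compare tokens itself and only the private-key holder can say whether they match. The `Sibyl` type, `Seal`, the SHA-256 hash, the salt and the 2048-bit key are assumptions of this example, and the TCP exchange is replaced by a direct call to `Check`.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Sibyl is the oracle: the only machine that holds the private key.
type Sibyl struct{ priv *rsa.PrivateKey }

func NewSibyl() (*Sibyl, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Sibyl{priv: k}, err
}

// PublicKey is the only key material the login host ever sees.
func (s *Sibyl) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }

// Check stands in for the TCP query: decrypt both tokens, compare the hashes.
func (s *Sibyl) Check(stored, candidate []byte) bool {
	a, errA := rsa.DecryptOAEP(sha256.New(), nil, s.priv, stored, nil)
	b, errB := rsa.DecryptOAEP(sha256.New(), nil, s.priv, candidate, nil)
	if errA != nil || errB != nil {
		return false
	}
	return subtle.ConstantTimeCompare(a, b) == 1
}

// Seal OAEP-encrypts SHA-256(salt||password); hash and salt are assumptions.
func Seal(pub *rsa.PublicKey, salt []byte, password string) ([]byte, error) {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, h[:], nil)
}

func main() {
	sibyl, err := NewSibyl()
	if err != nil {
		panic(err)
	}
	pub, salt := sibyl.PublicKey(), []byte("constructed-salt") // sample values
	stored, _ := Seal(pub, salt, "correct horse")
	good, _ := Seal(pub, salt, "correct horse")
	bad, _ := Seal(pub, salt, "wrong guess")
	fmt.Println(sibyl.Check(stored, good), sibyl.Check(stored, bad))
}
```

A copy of the stored tokens and the public key gives no offline way to test a guess: re-encrypting a candidate password never reproduces the stored ciphertext, so every guess has to go through the Sibyl.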

The details are on the Sibyl project website. We hope you like it and use it.
