Distributed cipher chaining for increased security in password storage

Abstract: As more services move on to the web and more people use the cloud for storage of important information, it is important that providers of such services can guarantee that information is kept safe. The most common way of protecting that data is to make it impossible to access without being authenticated as the user owning the data. The most common way for a user to authenticate and thereby becoming authorized to access the data, or service, is by making use of a password. The one trying to safeguard that password must make sure that it is not easy to come by for someone trying to attack the system. The most common way to store a password is by first running that password through a one way function, known as a hash function, that obfuscates it into something that does not at all look related to the password itself. Whenever a user tries to authenticate, they type in their password and it goes through the same function and the results are compared. While this model makes sure that the password is not stored in plain text it contains no way of taking action in case the database of hashed passwords is leaked. Knowing that it is nearly impossible to be fully protected from malevolent users, the ones trying to safe guard information always need to try to make sure that it is difficult to extract information about users' passwords. Since the 70s the password storage has to a large extent looked the same. What is researched and implemented in this thesis is a different way of handling passwords, where the main focus is on making sure there are countermeasures in case the database leaks. The model described and implemented consist of software that make use of the current best practices, with the addition of encrypting the passwords with a symmetric cipher. This is all done in a distributed way to move towards a paradigm where a service provider does not need to rely on one point of security. The end result of this work is a working proof-of-concept software that runs in a distributed manner to derive users' passwords to an obfuscated form. The system is at least as secure as best current practice for storing users passwords but introduces the notion of countermeasures once information has found its way into an adversary's hands.