Password-authenticated identities, where users establish username-password pairs with individual servers and use them later on for authentication, is the most widespread user authentication method over the Internet. Although they are simple, user-friendly, and broadly adopted, they offer insecure authentication and position server operators as trusted parties, giving them full control over users' identities. To mitigate these limitations, many identity systems have embraced public-key cryptography and the concept of decentralization. All these systems, however, require users to create and manage public-private keypairs. Unfortunately, users usually do not have the required knowledge and resources to properly handle their cryptographic secrets, which arguably contributed to failures of many end-user-focused public-key infrastructures (PKIs). In fact, as for today, no end-user PKI, able to authenticate users to web servers, has a significant adoption rate. In this paper, we propose Password-authenticated Decentralized Identities (PDIDs), an identity and authentication framework where users can register their self-sovereign username-password pairs and use them as universal credentials. Our system provides global namespace, human-meaningful usernames, and resilience against username collision attacks. A user's identity can be used to authenticate the user to any server without revealing that server anything about the password, such that no offline dictionary attacks are possible against the password. We analyze PDIDs and implement it using existing infrastructures and tools. We report on our implementation and evaluation.
翻译:密码- 密码- 密码- 验证身份, 用户在其中建立用户名- 密码配对和单个服务器并随后使用它们进行认证, 是互联网上最广泛的用户认证方法。 虽然用户简单、方便用户和广泛采用,但它们提供不安全的认证,并将服务器操作员定位为信任方, 给予他们对用户身份的充分控制。 为了减轻这些限制, 许多身份系统都采用了公用钥匙加密和权力下放概念。 然而, 所有这些系统都要求用户创建和管理公用- 私用密钥。 不幸的是, 用户通常没有所需的知识和资源来正确处理他们的加密秘密, 这可能导致许多以用户为重点的公用钥匙基础设施(PKIS)的失败。 事实上, 与今天一样, 没有能够验证用户身份服务器用户身份的最终用户 PKI, 我们建议了密码- 公用分权化的识别码(PIDs), 一个身份和认证框架, 用户可以注册自己的用户用户名配对, 并使用它们作为通用的用户端口码。