We present the first general construction of a Multi-Factor Key Derivation Function (MFKDF). Our function expands upon password-based key derivation functions (PBKDFs) with support for using other popular authentication factors like TOTP, HOTP, and hardware tokens in the key derivation process. In doing so, it provides an exponential security improvement over PBKDFs with less than 12 ms of additional computational overhead in a typical web browser. We further present a threshold MFKDF construction, allowing for client-side key recovery and reconstitution if a factor is lost. Finally, by "stacking" derived keys, we provide a means of cryptographically enforcing arbitrarily specific key derivation policies. The result is a paradigm shift toward direct cryptographic protection of user data using all available authentication factors, with no noticeable change to the user experience. We demonstrate the ability of our solution to not only significantly improve the security of existing systems implementing PBKDFs, but also to enable new applications where PBKDFs would not be considered a feasible approach.