SESS: A Security-Enhanced Secret Storage Scheme for Password Managers

Password-based authentication mechanism is used widely for its simplicity. However, due to the rapidly growth of computation power nowadays, low-entropy passwords and data protected by such passwords become more and more easy to attack. For against offline dictionary attacks with memorizable passwords, one may use interactive protocols, making offline guessing impossible. Then only online guessing, of which the times can be limited, remains for the attacker. In this paper we propose such a scheme, for securely storing high-entropy keys and other secret data shared in local storage and servers in the cloud, employing only low-entropy password. Even if one of the two parties in the protocol is cracked, the security of valuable data is still guaranteed. Our scheme is merely based on the assumption that one-way function exists, and is also easy to implement.