Homomorphic Password Manager Using Multiple-Hash with PUF

In the proposed homomorphic methods, the server authenticates clients without ever knowing their passwords. During enrollment, the users subject their passwords to multiple hashing cycles, typically 1000 times, and communicate the resulting message digests to the server. Rather than storing these message digests, the server uses them to find addresses in the physical unclonable functions, which generate data streams that are stored for future authentication. The authentication cycles use the following steps: i) The users hash their passwords multiple times, at levels lower than the one used during enrollment; ii) The server generates data streams from the physical elements at the address extracted from the message digest and compares it to the data streams stored during enrollment, and iii) The server reiterates the previous step by incrementally hashing the resulting message digest to find a match, or it rejects the password. During subsequent authentication cycles, the users again hash their passwords multiple times, but at levels lower than the ones used during the previous cycles. Thereby it becomes pointless for third parties to intercept previously hashed passwords; they are never used twice. Hacking a database containing the data streams extracted from the physical unclonable functions during enrollment is also pointless without also having access to the devices. In this entire homomorphic protocol, the users are the only ones who know their passwords. This paper presents a prototype demonstrating the functionality of an example of a homomorphic password manager protocol with SHA-3–512 hashing algorithm exploiting the physical randomness of static random-access memories.