Skip to main content

A substantial fraction of the effort of running an application service is consumed by addressing the risks posed by untrusted clients. These risks include client account takeovers, denial-of-service attacks, and exploit attempts on the server itself. We see numerous opportunities to leverage the cloud’s massive resources and elastic scaling capabilities to help tenant services defend against these risks. We outline several examples below.

Authenticating clients of tenant services

For a web client driven by a human user, authenticating that user is central to virtually every web transaction. Overwhelmingly the most common way to do this today is using passwords. Passwords are by no means a perfect protection, however, in that they can be guessed by an attacker or stolen by breaching the application server and cracking password hashes stored there, a far too common occurrence. Indeed, password database breaches have become an industry pandemic. Here we describe two approaches by which a cloud operator can aid tenants in authenticating clients more securely. The solutions we describe aim specifically at minimizing the risk of a password database breach going undetected or leading to impersonation of user credentials.

Pythia. A system we have developed called Pythia [3] allows a cloud operator to harden passwords on an application server, protecting them against compromise during a breach. Pythia is transparent to the users of the application service, imposes minimal additional latency, and requires only minor modifications to the application server.

Pythia relies on a PRF server, potentially run by the cloud operator. The PRF server applies a pseudorandom function (PRF), a deterministic cryptographic operation involving a secret key, to a password p that the application server submits for registration (storage) or verification, yielding a corresponding output x. The PRF server thereby “hardens” passwords: Unlike a password hash, which is vulnerable to brute-force cracking if the underlying password is weak, the PRF-hardened value x is computationally infeasible for an adversary to crack.

Pythia provides some important additional security features. It is partially oblivious: Passwords submitted to the PRF server are cryptographically concealed and thus not directly revealed to the cloud operator, yet Pythia still enables the cloud operator to perform account-level monitoring of authentication attempts. Pythia also supports efficient key updates, meaning that the PRF server can send a compact update token to the application server that permits every user’s hardened password representation x on the application server to be updated to match the new PRF key. Such key rotation nullifies the effects of a breach of the application server (or the PRF server).

Honeywords. One limitation of Pythia is that to detect a breach, it must rely on anomaly detection, an error-prone approach. In contrast, a scheme we have developed called honeywords [1] aims specifically to detect breaches of password systems.

A honeyword is a fake but plausible-looking password. The honeywords scheme involves storing for each user in the password database on an application server not just the user’s real (hashed) password p, but also a set of n − 1 (hashed) honeywords. An adversary that breaches the server faces the challenge of distinguishing the unique true password from the honeywords. If the adversary guesses incorrectly, and attempts to authenticate using a honeyword, an alarm is triggered. Given good honeyword selection, an adversary will evade detection with probability only 1/n.

To give further detail, the full set of n passwords, real and fake, is stored on the application server in a randomly permuted list. When an authentication attempt occurs using a password in the list associated with a given user, the associated index is passed to a system maintained by the cloud operator called a honeychecker. The honeychecker stores the index (position) of the unique true password for every user; it is the honeychecker that is responsible for distinguishing between true password and honeyword submissions. Thus, the honeyword system (like Pythia) achieves breach resistance through distribution across the tenant and the cloud operator environments.

Fending off denial-of-service attacks against tenant services

A second threat that administrators of application servers must address is denial-of-service (DoS) attacks against their servers. The damage that DoS attacks cause to organizations in terms of lost revenue and customer trust is well documented. DoS defense of application servers today comes primarily in two forms, namely proprietary solutions that scale to massive load but that are expensive (e.g., Akamai) or hardware appliances that will have difficulty keeping up with the adversary’s ability to dynamically change the type, volume, and locations of their attacks.

As part of the Silver project, we envision a cloud-based DoS defense architecture that provides the flexibility to seamlessly place defense mechanisms where they are needed and the elasticity to launch defenses as needed depending on the type and scale of the attack. As a proof-of-concept, we developed the Bohatei system [4] that leverages several of the advanced software-defined-networking and network-function-virtualization capabilities we described. Specifically, Bohatei leverages these capabilities to elastically adapt the scale and type of defenses needed, and to steer suspicious traffic through the defenses deployed at suitable cloud locations.

Detecting exploit traffic against tenant services

Another threat that administrators of application servers need to constantly fend off are exploit attempts against their servers. Sometimes these exploit attempts target logic vulnerabilities in the application servers themselves; in others, they target component protocols that the application servers employ. In many cases, exploits against such vulnerabilities involve clients sending traffic that no legitimate client implementation would send. Examples of such exploits include ten CVEs since 2014 for OpenSSL alone, including the well known Heartbleed vulnerability (CVE-2014-0160).

To detect such exploit attempts, we are developing a technique by which a cloud-resident verifier that observes the messages between a cloud-resident application server and a client, can detect messaging behavior from the client that is inconsistent with the expected client software. For example, our verifier can detect a client’s deviation from an OpenSSL implementation of TLS within seconds from when the deviation occurs [5]. Since such deviations are typically characteristic of maliciously crafted packets to exploit server vulnerabilities, this type of verification capability could reduce the delay to detect exploit attempts on zero-day vulnerabilities and, if used as an inline defense, could prevent those exploits from succeeding. In particular, this technique could have detected Heartbleed packets within seconds of the first attempted exploit, with no Heartbleed-specific configuration.


  1. Honeywords: Making password-cracking detectable
    A. Juels and R. L. Rivest
    In 20th ACM Conference on Computer and Communications Security, November 2013.
  2. Cracking-resistant password vaults using natural language encoders
    R. Chatterjee, J. Bonneau, A. Juels, and T. Ristenpart
    In IEEE Symposium on Security and Privacy, May 2015.
  3. The Pythia PRF service
    A. Everspaugh, R. Chaterjee, S. Scott, A. Juels, and T. Ristenpart
    In 24th USENIX Security Symposium, August 2015.
  4. Flexible and elastic DDoS defense using Bohatei
    S. K. Fayaz, Y. Tobioka, V. Sekar, and M. Bailey
    In 24th USENIX Security Symposium, August 2015.
  5. Server-side verification of client behavior in cryptographic protocols
    A. Chi, R. Cochran, M. Nesfield, M. K. Reiter, and C. Sturton
    arXiv preprint 1603.04085, March 2016.
  6. Honey encryption beyond message recovery security
    Joseph Jaeger, Thomas Ristenpart, and Qiang Tang
    Advances in Cryptology – Eurocrypt, May 2016.
  7. pASSWORD tYPOS and how to correct them securely
    R. Chatterjee, A. Athayle, D. Akawhe, A. Juels, and T. Ristenpart
    In IEEE Symposium on Security and Privacy, May 2016.
  8. Stealing machine learning models via prediction APIs
    F. Tramèr, F. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart
    In 25th USENIX Security Symposium, Aug 2016.
  9. The ring of gyges: Investigating the future of criminal smart contracts
    A. Juels, A. Kosba, and E. Shi
    In 23rd ACM Conference on Computer and Communications Security, October 2016.
  10. Town crier: An authenticated data feed for smart contracts
    F. Zhang, E. Cecchetti, K. Croman, A. Juels, and E. Shi
    In 23rd ACM Conference on Computer and Communications Security, October 2016.
  11. A system to verify network behavior of known cryptographic clients
    A. Chi, R. A. Cochran, M. Nesfield, M. K. Reiter, and C. Sturton
    In 14th USENIX Symposium on Networked Systems Design and Implementation, March 2017.
  12. Differentially private access patterns for searchable symmetric encryption
    G. Chen, T.-H. Lai, M. K. Reiter, and Y. Zhang
    In IEEE International Conference on Computer Communications, April 2018.


  • Pythia: A verifiable, cryptographic protocol that hardens passwords with the help of a remote service
  • NoCrack: Cracking-resistant password vaults using natural language encoders
  • pASSWORD tYPOS: How to correct them securely
  • Bohatei: Flexible and elastic DDoS defense