We propose a new method for shared RSA signing between the user and the server so that: (a) the server alone is unable to create valid signatures; (b) having the client's share, it is not possible to create a signature without the server; (c) the server detects cloned client's shares and blocks the service; (d) having the password-encrypted client's share, the dictionary attacks cannot be performed without alerting the server; (e) the composite RSA signature "looks like" an ordinary RSA signature and verifies with standard crypto-libraries. We use a modification of the four-prime RSA scheme of Damgard, Mikkelsen and Skeltved from 2015, where the client and the server have independent RSA private keys. As their scheme is vulnerable to dictionary attacks, in our scheme, the client's RSA private exponent is additively shared between server and client. Our scheme has been deployed and has over 200,000 users.
展开▼
