SafetyPin: Encrypted Backups with Human-Memorable Secrets
Emma Dauterman, Henry Corrigan-Gibbs, David Mazières

TL;DR
SafetyPin is a secure, scalable system for encrypted mobile backups that decentralizes trust across multiple hardware security modules, protecting user data even under extensive compromise scenarios.
Contribution
SafetyPin introduces a trust-decentralization approach for encrypted backups that splits trust across multiple HSMs, strengthening security without sacrificing scalability or fault tolerance.
Findings
Recovery time per backup is approximately 1 second.
A deployment with 3,100 HSMs can handle 1 billion recoveries annually.
SafetyPin effectively defends against adaptive compromise of HSMs.
Abstract
We present the design and implementation of SafetyPin, a system for encrypted mobile-device backups. Like existing cloud-based mobile-backup systems, including those of Apple and Google, SafetyPin requires users to remember only a short PIN and defends against brute-force PIN-guessing attacks using hardware security protections. Unlike today's systems, SafetyPin splits trust over a cluster of hardware security modules (HSMs) in order to provide security guarantees that scale with the number of HSMs. In this way, SafetyPin protects backed-up user data even against an attacker that can adaptively compromise many of the system's constituent HSMs. SafetyPin provides this protection without sacrificing scalability or fault tolerance. Decentralizing trust while respecting the resource limits of today's HSMs requires a synthesis of systems-design principles and cryptographic tools. We evaluate…
Taxonomy
Topics: Security and Verification in Computing · Cryptographic Implementations and Security · User Authentication and Security Systems
