SplitPass: A Mutually Distrusting Two-Party Password Manager |
| |
Authors: | Yu-Tao Liu Dong Du Yu-Bin Xia Hai-Bo Chen Bin-Yu Zang Zhenkai Liang |
| |
Affiliation: | 1. Institute of Parallel and Distributed Systems, Shanghai Jiao Tong University, Shanghai, China; 2. School of Computing, National University of Singapore, Singapore, Singapore |
| |
Abstract: | Using a password manager is known to be more convenient and secure than not using one, on the assumption that the password manager itself is safe. However, recent studies show that most popular password managers have security vulnerabilities and may be fooled into leaking passwords without users' awareness. In this paper, we propose a new password manager, SplitPass, which vertically separates both the storage and access of passwords into two mutually distrusting parties. During login, all the parties collaborate to send their password shares to the web server, but none of these parties ever has the complete password, which significantly raises the bar for a successful attack to compromising all of the parties. To retain transparency to existing applications and web servers, SplitPass seamlessly splits the secure sockets layer (SSL) and transport layer security (TCP) sessions to process on all parties, and makes the joining of two password shares transparent to the web servers. We have implemented SplitPass using an Android phone and a cloud assistant and evaluated it using 100 apps from the top free apps in the official Android market. The evaluation shows that SplitPass securely protects users' passwords, while incurring little performance overhead and power consumption. |
| |
Keywords: | |
This article has been indexed by SpringerLink and other databases! |
|