Regular Paper

SplitPass: A Mutually Distrusting Two-Party Password Manager

Institute of Parallel and Distributed Systems, Shanghai Jiao Tong University, Shanghai 200240, China
School of Computing, National University of Singapore, Singapore 117417, Singapore

Abstract

Using a password manager is known to be more convenient and secure than not using one, on the assumption that the password manager itself is safe. However, recent studies show that most popular password managers have security vulnerabilities through which they can be tricked into leaking passwords without the user's awareness. In this paper, we propose a new password manager, SplitPass, which vertically separates both the storage and the access of passwords across two mutually distrusting parties. During login, the parties collaborate to send their password shares to the web server, but no single party ever holds the complete password, which significantly raises the bar for an attacker, who must now compromise all of the parties. To remain transparent to existing applications and web servers, SplitPass seamlessly splits the secure sockets layer (SSL) and transmission control protocol (TCP) sessions so that they are processed across all parties, and makes the joining of the two password shares transparent to the web server. We have implemented SplitPass using an Android phone and a cloud assistant and evaluated it with 100 of the top free apps in the official Android market. The evaluation shows that SplitPass securely protects users' passwords while incurring little performance overhead and power consumption.
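The two-party model in the abstract, reduced to its security property, as an added example that is not the paper's own code: an unmodified server stores a salted hash of the whole password, each of the two mutually distrusting parties holds only one share, and the login request the server receives is the shares written back to back. The example simulates the parties and the request body in-process; it does not split a real SSL/TCP session, and the choice of contiguous byte shares cut at a random position is an assumption (the abstract only says the shares are joined transparently for the server). The `WebServer`, `Party`, `split_password` and `demo` names are illustrative.

```python
"""Two-party split-password login, modelled on the SplitPass abstract.

Constructed example: the server, both parties and the login request are
simulated in one process; no TLS or TCP session is actually split here.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # assumption: any modern password-hashing setting


class WebServer:
    """Unmodified web server: it only ever sees the joined password."""

    def __init__(self) -> None:
        self._creds: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, user: str, password: bytes) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)
        self._creds[user] = (salt, digest)

    def login(self, user: str, password: bytes) -> bool:
        if user not in self._creds:
            return False
        salt, digest = self._creds[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, digest)


def split_password(password: bytes, cut: Optional[int] = None) -> Tuple[bytes, bytes]:
    """Split a password into two non-empty contiguous byte shares.

    Assumption: shares are a prefix and a suffix of the password. The cut
    point is random unless given, so holding one share does not reveal the
    length of the other through a fixed split rule.
    """
    if len(password) < 2:
        raise ValueError("password must be at least 2 bytes to split")
    if cut is None:
        cut = 1 + secrets.randbelow(len(password) - 1)
    if not 1 <= cut < len(password):
        raise ValueError("cut point must leave both shares non-empty")
    return password[:cut], password[cut:]


@dataclass
class Party:
    """One of the two mutually distrusting parties (phone or cloud assistant)."""

    name: str
    share: bytes

    def emit(self, stream: bytearray) -> None:
        # Each party appends only its own share to the outgoing request body;
        # it never receives the other party's share.
        stream.extend(self.share)


def build_login_request(parties: List[Party]) -> bytes:
    """The byte sequence the server receives: the shares joined in order."""
    stream = bytearray()
    for party in parties:
        party.emit(stream)
    return bytes(stream)


def splitpass_login(server: WebServer, user: str, parties: List[Party]) -> bool:
    return server.login(user, build_login_request(parties))


def attacker_view(compromised: Party) -> bytes:
    """Everything an attacker learns by fully compromising one party."""
    return compromised.share


def demo(password: bytes = b"correct horse battery staple",
         cut: Optional[int] = None) -> Dict[str, bool]:
    server = WebServer()
    server.register("alice", password)
    share_a, share_b = split_password(password, cut)
    phone = Party("phone", share_a)
    cloud = Party("cloud", share_b)
    return {
        "joint_login_ok": splitpass_login(server, "alice", [phone, cloud]),
        "phone_alone_ok": server.login("alice", attacker_view(phone)),
        "cloud_alone_ok": server.login("alice", attacker_view(cloud)),
        "phone_has_full": attacker_view(phone) == password,
        "cloud_has_full": attacker_view(cloud) == password,
    }


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes is the one in the abstract: the joint login succeeds against a server that knows nothing about the split, while a full compromise of either party alone yields a share that neither equals the password nor passes login. What the simulation does not capture is the network side, where the two parties must also share the SSL/TCP session so that the server sees one connection; that transport-level split is the part of SplitPass the abstract describes but this model leaves out.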

Electronic Supplementary Material

jcst-33-1-98-Highlights.pdf (94.5 KB)

Journal of Computer Science and Technology
Pages 98-115
Cite this article:
Liu Y-T, Du D, Xia Y-B, et al. SplitPass: A Mutually Distrusting Two-Party Password Manager. Journal of Computer Science and Technology, 2018, 33(1): 98-115. https://doi.org/10.1007/s11390-018-1810-y


Received: 24 February 2017
Revised: 11 April 2017
Published: 26 January 2018
©2018 LLC & Science Press, China