Browsing by Author "Krawiecka, Klaudia"
Now showing 1 - 4 of 4
- Results Per Page
- Sort Options
- Improving Web Security Using Trusted Hardware
Perustieteiden korkeakoulu | Master's thesis(2017-08-28) Krawiecka, KlaudiaWeb servers that utilize password-based authentication have become large centralized password repositories. Consequently, these servers have also become attractive targets for cyber criminals. When the adversary compromises a web server, he usually obtains access to a database file that contains stored passwords and salts. By using pre-computed hash tables (e.g. rainbow tables), the adversary can perform offline password guessing in a relatively short period of time. Thus, securing password databases on web servers is a significant open challenge. We introduce SafeKeeper, a system that is designed to address the challenge of protecting user passwords and other types of sensitive data on the web. This system consists of a hardware-backed password protection service, which applies a keyed one-way cryptographic function to the password. The secret key is protected by a Trusted Execution Environment. SafeKeeper also includes a browser extension that uses remote attestation allow users to verify if their credentials are protected by a web server. We have implemented a prototype of SafeKeeper using Intel Software Guard Extensions (SGX) and integrated it into the WordPress platform. We have also implemented a browser extension for Google Chrome. Our solution does not require utilizing additional servers and introduces less than 2% performance overhead. Our user study with 64 participants demonstrated that users using the SafeKeeper browser extension can correctly identify 87% of websites in the presence of active phishing. - Protecting Password Databases Using Trusted Hardware
A4 Artikkeli konferenssijulkaisussa(2016-12) Krawiecka, Klaudia; Paverd, Andrew; Asokan, N. - SafeKeeper: Protecting Web Passwords using Trusted Execution Environments
A4 Artikkeli konferenssijulkaisussa(2018-04-23) Krawiecka, Klaudia; Kurnikov, Arseny; Paverd, Andrew; Mannan, Mohmmad; Asokan, N.Passwords are by far the most widely-used mechanism for authenticating users on the web, out-performing all competing solutions in terms of deployability (e.g. cost and compatibility). However, two critical security concerns are phishing and theft of password databases. These are exacerbated by users» tendency to reuse passwords across different services. Current solutions typically address only one of the two concerns, and do not protect passwords against rogue servers. Furthermore, they do not provide any verifiable evidence of their (server-side) adoption to users, and they face deployability challenges in terms of ease-of-use for end users, and/or costs for service providers. We present SafeKeeper, a novel and comprehensive solution to ensure secrecy of passwords in web authentication systems. Unlike previous approaches, SafeKeeper protects users» passwords against very strong adversaries, including external phishers as well as corrupted (rogue) servers. It is relatively inexpensive to deploy as it (i) uses widely available hardware-based trusted execution environments like Intel SGX, (ii) requires only minimal changes for integration into popular web platforms like WordPress, and (iii) imposes negligible performance overhead. We discuss several challenges in designing and implementing such a system, and how we overcome them. Via an 86-participant user study, systematic analysis and experiments, we show the usability, security and deployability of SafeKeeper, which is available as open-source. - Using SafeKeeper to Protect Web Passwords
A4 Artikkeli konferenssijulkaisussa(2018-04-23) Kurnikov, Arseny; Krawiecka, Klaudia; Paverd, Andrew; Mannan, Mohmmad; Asokan, N.Although passwords are by far the most widely-used user authentication mechanism on the web, their security is threatened by password phishing and password database breaches. SafeKeeper is a system for protecting web passwords against very strong adversaries, including sophisticated phishers and compromised servers. Compared to other approaches, one of the key differentiating aspects of SafeKeeper is that it provides web users with verifiable assurance that their passwords are being protected. In this paper, we demonstrate precisely how SafeKeeper can be used to protect web passwords in real-world systems. We first explain two important deployability aspects: i) how SafeKeeper can be integrated into the popular WordPress platform, and ii) how ordinary web users can use Intel SGX remote attestation to verify that SafeKeeper is running on a particular server. We then describe three demonstrations to illustrate the use of SafeKeeper: i) showing the user experience when visiting a legitimate website; ii) showing the encryption of the password in transit via live packet-capture; and iii) showing how SafeKeeper performs in the presence of phishing.