Web servers that rely on password-based authentication have become large, centralized password repositories, and consequently attractive targets for cybercriminals. An adversary who compromises a web server usually obtains the database file that contains the stored passwords and salts. Using pre-computed hash tables (e.g. rainbow tables), the adversary can then perform offline password guessing in a relatively short time. Securing password databases on web servers therefore remains a significant open challenge.
We introduce SafeKeeper, a system designed to address the challenge of protecting user passwords and other sensitive data on the web. It consists of a hardware-backed password protection service that applies a keyed one-way cryptographic function to the password; the secret key is protected by a Trusted Execution Environment. SafeKeeper also includes a browser extension that uses remote attestation to allow users to verify whether their credentials are protected by a given web server. We have implemented a prototype of SafeKeeper using Intel Software Guard Extensions (SGX) and integrated it into the WordPress platform, together with a browser extension for Google Chrome. Our solution does not require additional servers and introduces less than 2% performance overhead. Our user study with 64 participants showed that users equipped with the SafeKeeper browser extension correctly identified 87% of websites in the presence of active phishing.
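As an added illustration (not SafeKeeper's own code), the following Python sketch models the keyed-hash design: a simulated enclave holds the key and exposes only a protect operation, the web server stores a salt and the keyed digest, and a leaked record cannot be checked against a guess without the key. The class and function names are my own, and the enclave is simulated in software rather than backed by SGX.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple


class PasswordProtectionService:
    """Stand-in for the TEE-hosted service: the key never leaves this object."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # Constructed for the example; in SafeKeeper the key lives inside the enclave.
        self._key = key if key is not None else secrets.token_bytes(32)

    def protect(self, password: str, salt: bytes) -> bytes:
        # Keyed one-way function: HMAC-SHA256 over salt || password.
        return hmac.new(self._key, salt + password.encode("utf-8"), hashlib.sha256).digest()


class PasswordDatabase:
    """Web-server side: stores only (salt, keyed digest), never the key."""

    def __init__(self, service: PasswordProtectionService) -> None:
        self._service = service
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[username] = (salt, self._service.protect(password, salt))

    def verify(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            return False
        salt, stored = record
        # Constant-time comparison of the recomputed keyed digest.
        return hmac.compare_digest(stored, self._service.protect(password, salt))

    def leaked_record(self, username: str) -> Tuple[bytes, bytes]:
        # What an adversary holds after obtaining the database file.
        return self._records[username]


def guess_checkable_without_key(salt: bytes, stored: bytes, guess: str) -> bool:
    """Can a leaked (salt, digest) pair confirm a guess using only an unkeyed salted hash?

    Without the enclave key the adversary cannot recompute the keyed digest, so even the
    correct password does not match: the leaked database alone is useless for offline guessing.
    """
    return hashlib.sha256(salt + guess.encode("utf-8")).digest() == stored
```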