SafeKeeper: Protecting Web Passwords using Trusted Execution Environments
Loading...
Access rights
openAccess
URL
Journal Title
Journal ISSN
Volume Title
A4 Artikkeli konferenssijulkaisussa
This publication is imported from Aalto University research portal.
View publication in the Research portal (opens in new window)
View/Open full text file from the Research portal (opens in new window)
View publication in the Research portal (opens in new window)
View/Open full text file from the Research portal (opens in new window)
Date
2018-04-23
Department
Major/Subject
Mcode
Degree programme
Language
en
Pages
349-358
Series
WWW '18 : Proceedings of the 2018 World Wide Web Conference
Abstract
Passwords are by far the most widely-used mechanism for authenticating users on the web, out-performing all competing solutions in terms of deployability (e.g. cost and compatibility). However, two critical security concerns are phishing and theft of password databases. These are exacerbated by users» tendency to reuse passwords across different services. Current solutions typically address only one of the two concerns, and do not protect passwords against rogue servers. Furthermore, they do not provide any verifiable evidence of their (server-side) adoption to users, and they face deployability challenges in terms of ease-of-use for end users, and/or costs for service providers. We present SafeKeeper, a novel and comprehensive solution to ensure secrecy of passwords in web authentication systems. Unlike previous approaches, SafeKeeper protects users» passwords against very strong adversaries, including external phishers as well as corrupted (rogue) servers. It is relatively inexpensive to deploy as it (i) uses widely available hardware-based trusted execution environments like Intel SGX, (ii) requires only minimal changes for integration into popular web platforms like WordPress, and (iii) imposes negligible performance overhead. We discuss several challenges in designing and implementing such a system, and how we overcome them. Via an 86-participant user study, systematic analysis and experiments, we show the usability, security and deployability of SafeKeeper, which is available as open-source.Description
Keywords
Passwords, Phishing, Intel SGX, Trusted Execution Environme
Other note
Citation
Krawiecka, K, Kurnikov, A, Paverd, A, Mannan, M & Asokan, N 2018, SafeKeeper: Protecting Web Passwords using Trusted Execution Environments . in WWW '18 : Proceedings of the 2018 World Wide Web Conference . ACM, pp. 349-358, The Web Conference, Lyon, France, 23/04/2018 . https://doi.org/10.1145/3178876.3186101