Improving Web Security Using Trusted Hardware

Loading...
Thumbnail Image
Journal Title
Journal ISSN
Volume Title
Perustieteiden korkeakoulu | Master's thesis
Date
2017-08-28
Department
Major/Subject
Security and Mobile Computing
Mcode
T3011
Degree programme
Master's Degree Programme in Security and Mobile Computing (NordSecMob)
Language
en
Pages
74+5
Series
Abstract
Web servers that utilize password-based authentication have become large centralized password repositories. Consequently, these servers have also become attractive targets for cyber criminals. When the adversary compromises a web server, he usually obtains access to a database file that contains stored passwords and salts. By using pre-computed hash tables (e.g. rainbow tables), the adversary can perform offline password guessing in a relatively short period of time. Thus, securing password databases on web servers is a significant open challenge. We introduce SafeKeeper, a system that is designed to address the challenge of protecting user passwords and other types of sensitive data on the web. This system consists of a hardware-backed password protection service, which applies a keyed one-way cryptographic function to the password. The secret key is protected by a Trusted Execution Environment. SafeKeeper also includes a browser extension that uses remote attestation allow users to verify if their credentials are protected by a web server. We have implemented a prototype of SafeKeeper using Intel Software Guard Extensions (SGX) and integrated it into the WordPress platform. We have also implemented a browser extension for Google Chrome. Our solution does not require utilizing additional servers and introduces less than 2% performance overhead. Our user study with 64 participants demonstrated that users using the SafeKeeper browser extension can correctly identify 87% of websites in the presence of active phishing.
Description
Supervisor
Asokan, N
Thesis advisor
Paverd, Andrew
Keywords
trusted hardware, trusted execution environment, password databases, web authentication, Intel SGX, Google Chrome browser extension
Other note
Citation