Improving Web Security Using Trusted Hardware
School of Science |
Master's thesis
Unless otherwise stated, all rights belong to the author. You may download, display and print this publication for Your own personal use. Commercial use is prohibited.
Date
2017-08-28
Major/Subject
Security and Mobile Computing
Mcode
T3011
Degree programme
Master's Degree Programme in Security and Mobile Computing (NordSecMob)
Language
en
Pages
74+5
Abstract
Web servers that utilize password-based authentication have become large centralized password repositories. Consequently, these servers have also become attractive targets for cyber criminals. When the adversary compromises a web server, he usually obtains access to a database file that contains stored passwords and salts. By using pre-computed hash tables (e.g. rainbow tables), the adversary can perform offline password guessing in a relatively short period of time. Thus, securing password databases on web servers is a significant open challenge. We introduce SafeKeeper, a system that is designed to address the challenge of protecting user passwords and other types of sensitive data on the web. This system consists of a hardware-backed password protection service, which applies a keyed one-way cryptographic function to the password. The secret key is protected by a Trusted Execution Environment. SafeKeeper also includes a browser extension that uses remote attestation to allow users to verify whether their credentials are protected by a web server. We have implemented a prototype of SafeKeeper using Intel Software Guard Extensions (SGX) and integrated it into the WordPress platform. We have also implemented a browser extension for Google Chrome. Our solution does not require utilizing additional servers and introduces less than 2% performance overhead. Our user study with 64 participants demonstrated that users using the SafeKeeper browser extension can correctly identify 87% of websites in the presence of active phishing.
Description
Supervisor
Asokan, N
Thesis advisor
Paverd, Andrew
Keywords
trusted hardware, trusted execution environment, password databases, web authentication, Intel SGX, Google Chrome browser extension