A Password Manager Based on Collaboration Between Two Mutually Distrusting Parties
Journal of Computer Science and Technology
Journal of Computer Science and Technology 2018, Vol. 33 Issue (1) :98-115    DOI: 10.1007/s11390-018-1810-y
Computer Architecture and Systems
SplitPass: A Mutually Distrusting Two-Party Password Manager
Yu-Tao Liu1, Member, CCF, IEEE, Dong Du1, Yu-Bin Xia1,*, Senior Member, CCF, Member, ACM, IEEE, Hai-Bo Chen1, Distinguished Member, CCF, Senior Member, ACM, IEEE, Bin-Yu Zang1, Distinguished Member, CCF, Member, ACM, IEEE, Zhenkai Liang2, Member, ACM, IEEE
1 Institute of Parallel and Distributed Systems, Shanghai Jiao Tong University, Shanghai 200240, China;
2 School of Computing, National University of Singapore, Singapore 117417, Singapore

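Abstract (Chinese version): Password managers make managing passwords more convenient and secure, provided that the password manager itself is secure and trustworthy. However, recent studies have found that most password managers have security vulnerabilities that can leak passwords without the user's knowledge. In this paper, we propose SplitPass, a new password manager system that vertically partitions the storage of and access to passwords between two mutually distrusting parties. At login, the two parties cooperate to send their respective password shares to the server while ensuring that neither party can obtain the complete password, which greatly increases the difficulty for an attacker to steal the password. To remain transparent to applications and server programs, SplitPass introduces SSL-layer session injection and TCP-layer payload replacement techniques, so that applications and server programs complete the password login process without modification. We implemented SplitPass using an Android phone and a cloud node, and evaluated it experimentally with 100 popular apps from the official Android market; the results show that SplitPass effectively protects users' passwords while introducing only small performance and energy overhead.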
Keywords (Chinese version): password manager, privacy protection, mobile cloud system
Abstract: Using a password manager is known to be more convenient and secure than not using one, on the assumption that the password manager itself is safe. However, recent studies show that most popular password managers have security vulnerabilities and may be fooled into leaking passwords without users' awareness. In this paper, we propose a new password manager, SplitPass, which vertically separates both the storage and access of passwords into two mutually distrusting parties. During login, all the parties collaborate to send their password shares to the web server, but none of these parties ever has the complete password, which significantly raises the bar for a successful attack to compromising all of the parties. To retain transparency to existing applications and web servers, SplitPass seamlessly splits the secure sockets layer (SSL) and transmission control protocol (TCP) sessions to process on all parties, and makes the joining of two password shares transparent to the web servers. We have implemented SplitPass using an Android phone and a cloud assistant and evaluated it using 100 apps from the top free apps in the official Android market. The evaluation shows that SplitPass securely protects users' passwords, while incurring little performance overhead and power consumption.
Keywords: password manager, privacy protection, mobile-cloud system
Received 2017-02-24;
Funding:

This work was supported by the National Key Research and Development Program of China under Grant No. 2016YFB1000104, the National Natural Science Foundation of China under Grant Nos. 61572314 and 61525204, and the Young Scientists Fund of the National Natural Science Foundation of China under Grant No. 61303011.

Corresponding author: Yu-Bin Xia     Email: xiayubin@sjtu.edu.cn
About the author: Yu-Tao Liu received his B.S. degree in computer science from Fudan University, Shanghai, in 2012. He is currently a Ph.D. candidate at the Institute of Parallel and Distributed Systems, Shanghai Jiao Tong University, Shanghai. He is a member of CCF and IEEE. His research interests include virtualization, system security, and mobile security.
Cite this article:
Yu-Tao Liu, Dong Du, Yu-Bin Xia, Hai-Bo Chen, Bin-Yu Zang, Zhenkai Liang.SplitPass: A Mutually Distrusting Two-Party Password Manager[J]  Journal of Computer Science and Technology, 2018,V33(1): 98-115
Link to this article:
http://jcst.ict.ac.cn:8080/jcst/CN/10.1007/s11390-018-1810-y