? SplitPass: A Mutually Distrusting Two-Party Password Manager
Journal of Computer Science and Technology
Quick Search in JCST
 Advanced Search 
      Home | PrePrint | SiteMap | Contact Us | FAQ
 
Indexed by   SCIE, EI ...
Bimonthly    Since 1986
Journal of Computer Science and Technology 2018, Vol. 33 Issue (1) :98-115    DOI: 10.1007/s11390-018-1810-y
Computer Architecture and Systems Current Issue | Archive | Adv Search << Previous Articles | Next Articles >>
SplitPass: A Mutually Distrusting Two-Party Password Manager
Yu-Tao Liu1, Member, CCF, IEEE, Dong Du1, Yu-Bin Xia1,*, Senior Member, CCF, Member, ACM, IEEE, Hai-Bo Chen1, Distinguished Member, CCF, Senior Member, ACM, IEEE, Bin-Yu Zang1, Distinguished Member, CCF, Member, ACM, IEEE, Zhenkai Liang2, Member, ACM, IEEE
1 Institute of Parallel and Distributed Systems, Shanghai Jiao Tong University, Shanghai 200240, China;
2 School of Computing, National University of Singapore, Singapore 117417, Singapore

Abstract
Reference
Related Articles
Download: [PDF 925KB]     Export: BibTeX or EndNote (RIS)  
Abstract Using a password manager is known to be more convenient and secure than not using one, on the assumption that the password manager itself is safe. However recent studies show that most popular password managers have security vulnerabilities that may be fooled to leak passwords without users' awareness. In this paper, we propose a new password manager, SplitPass, which vertically separates both the storage and access of passwords into two mutually distrusting parties. During login, all the parties will collaborate to send their password shares to the web server, but none of these parties will ever have the complete password, which significantly raises the bar of a successful attack to compromise all of the parties. To retain transparency to existing applications and web servers, SplitPass seamlessly splits the secure sockets layer (SSL) and transport layer security (TCP) sessions to process on all parties, and makes the joining of two password shares transparent to the web servers. We have implemented SplitPass using an Android phone and a cloud assistant and evaluated it using 100 apps from top free apps in the Android official market. The evaluation shows that SplitPass securely protects users' passwords, while incurring little performance overhead and power consumption.
Articles by authors
Keywordspassword manager   privacy protection   mobile-cloud system     
Received 2017-02-24;
Fund:

This work was supported by the National Key Research and Development Program of China under Grant No. 2016YFB1000104, the National Natural Science Foundation of China under Grant Nos. 61572314 and 61525204, and the Young Scientists Fund of the National Natural Science Foundation of China under Grant No. 61303011.

Corresponding Authors: Yu-Bin Xia     Email: xiayubin@sjtu.edu.cn
About author: Yu-Tao Liu received his B.S. degree in computer science from Fudan University, Shanghai, in 2012. He is currently a Ph.D. candidate of the Institute of Parallel and Distributed Systems, Shanghai Jiao Tong University, Shanghai. He is a member of CCF and IEEE. His research interests include virtualization, system security, and mobile security.
Cite this article:   
Yu-Tao Liu, Dong Du, Yu-Bin Xia, Hai-Bo Chen, Bin-Yu Zang, Zhenkai Liang.SplitPass: A Mutually Distrusting Two-Party Password Manager[J]  Journal of Computer Science and Technology, 2018,V33(1): 98-115
URL:  
http://jcst.ict.ac.cn:8080/jcst/EN/10.1007/s11390-018-1810-y
Copyright 2010 by Journal of Computer Science and Technology