2018, Vol. 33, Issue (1): 98-115. doi: 10.1007/s11390-018-1810-y
Topic: Computer Architecture and Systems
Special Section on Selected Paper from NPC 2011
Yu-Tao Liu1, Member, CCF, IEEE, Dong Du1, Yu-Bin Xia1,*, Senior Member, CCF, Member, ACM, IEEE, Hai-Bo Chen1, Distinguished Member, CCF, Senior Member, ACM, IEEE, Bin-Yu Zang1, Distinguished Member, CCF, Member, ACM, IEEE, Zhenkai Liang2, Member, ACM, IEEE
Password managers make managing passwords more convenient and more secure, provided that the password manager itself is secure and trustworthy. However, several recent studies have found that most password managers contain security vulnerabilities that can leak passwords without the user's knowledge. In this paper, we propose SplitPass, a new password manager that vertically partitions the storage of and access to a password across two mutually distrusting parties. At login time, the two parties cooperate to send their respective portions of the password to the server, while neither party can ever obtain the complete password, which greatly raises the difficulty for an attacker to steal it. To remain transparent to both applications and server programs, SplitPass introduces SSL-layer session injection and TCP-layer payload replacement, so that the password login completes without modifying either the application or the server. We implemented SplitPass on Android phones together with a cloud node and evaluated it with 100 popular apps from the official Android market; the results show that SplitPass effectively protects users' passwords while introducing only small performance and energy overheads.