TTP: Medium: Democratizing Secure Password Management

TTP：中：安全密码管理民主化

• 批准号: 1564102
• 负责人: Ari Juels
• 金额: $ 119.77万
• 依托单位: Cornell University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2016
• 资助国家: 美国
• 起止时间: 2016-09-01 至 2020-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1564102&HistoricalAwards=false
• 关键词: TTP; Medium; Democratizing; Secure; Password

The theft of passwords and other user credentials from online services has become an epidemic, with password breaches regularly impacting large user populations and leaving both consumers and businesses vulnerable to attack. A number of research results point the way toward methods that could greatly improve the security of password systems. There is thus both an urgent need and a clear opportunity to transform the general state of industry practice in password management. Toward this end, the researchers build an easy-to-deploy password-protection system called PASS. PASS incorporates recent research on state-of-the-art methods to protect passwords and related user credentials into new innovations. PASS aims to make available to even the smallest organizations a complete, principled, server-side password protection system that offers far stronger security by default than any known existing system. PASS transitions later stage research into practice and develops novel extensions to several of the PIs' recent research innovations, including: (1) Pythia, a service for password hardening. Password hardening is technique that applies a cryptographic transform to stored and user-submitted passwords to render them hard to crack. Pythia incorporates a novel and practical such cryptographic transformation, known as a verifiable partially-oblivious pseudorandom function. This transform not only hardens passwords, but also protects against compromise of the service that applies the cryptographic transform and makes it easy to update stored password data, thereby minimizing the impact of a breach. (2) Honey objects: A well established method for mitigating the damage caused by a breach is to incorporate fake or decoy data or services into a system. These objects, often called 'honey objects', serve to divert or deceive an adversary. PASS will incorporate honey objects such as fake user and administrative accounts, doing so in a way that builds on the PIs' recent research into principled use of such objects. (3) Typo-tolerance: In support of an emerging industry practice that enhances usability for clients, PASS will support the optional acceptance of passwords with certain common typographical errors. PASS will enable deployers to avoid current ad hoc methods for such typo-tolerance and instead leverage recent and ongoing research results to achieve a principled security / usability tradeoff. By offering these novel tools in a mature, modular development ecosystem for engineers and researchers, PASS serves not only as a platform to democratize advances in password-protection technologies but also as a stimulus and proving ground for new, practice-oriented research in the security community.

从在线服务中窃取密码和其他用户凭证已经成为一种流行病，密码泄露经常影响大量用户，使消费者和企业都容易受到攻击。许多研究结果指出了可以大大提高密码系统安全性的方法。因此，改变密码管理行业实践的总体状态是迫切需要和明确的机会。为此，研究人员建立了一个易于部署的密码保护系统，称为PASS。PASS结合了最新研究的最先进的方法，以保护密码和相关的用户凭据到新的创新。PASS旨在为最小的组织提供一个完整的、有原则的服务器端密码保护系统，该系统在默认情况下比任何已知的现有系统提供更强的安全性。PASS将后期研究转化为实践，并对几个pi最近的研究创新进行了新的扩展，包括：(1)密码加固服务Pythia。密码加固是一种对存储的和用户提交的密码进行加密转换以使其难以破解的技术。Pythia结合了一种新颖实用的加密转换，称为可验证的部分遗忘伪随机函数。这种转换不仅可以加固密码，还可以防止应用加密转换的服务受到损害，并使更新存储的密码数据变得容易，从而最大限度地减少泄露的影响。(2)蜜糖对象：减轻违约造成的损害的一种行之有效的方法是将虚假或诱饵数据或服务合并到系统中。这些物品，通常被称为“蜂蜜物品”，用来转移或欺骗对手。PASS将纳入诸如假用户和管理帐户之类的蜂蜜对象，这样做的方式建立在pi最近对这些对象的原则使用的研究基础上。(3)错字容忍：为了支持增强客户可用性的新兴行业实践，PASS将支持可选地接受带有某些常见排版错误的密码。PASS将使部署人员能够避免当前针对此类错别性的临时方法，而是利用最近和正在进行的研究结果来实现原则性的安全性/可用性权衡。通过在成熟的模块化开发生态系统中为工程师和研究人员提供这些新颖的工具，PASS不仅可以作为密码保护技术民主化的平台，还可以作为安全社区中新的、面向实践的研究的刺激和试验场。