SaTC: TTP: Small: SPHINX: A Password Store that Perfectly Hides Passwords from Itself

SaTC：TTP：小型：SPHINX：完美隐藏密码的密码存储

• 批准号: 1714807
• 负责人: Nitesh Saxena
• 金额: $ 45万
• 依托单位: University of Alabama at Birmingham
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2017
• 资助国家: 美国
• 起止时间: 2017-08-15 至 2021-10-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1714807&HistoricalAwards=false
• 关键词: SaTC; TTP; Small; SPHINX; Password

Password managers represent a security technique that allows a user to store and retrieve passwords for multiple password-protected web services by interacting with a 'manager' (e.g., an online third-party service) on the basis of a single master password. However, current password managers are highly vulnerable to leakage of all passwords in the event the manager is compromised or malicious. This project builds, studies, and deploys a novel approach to online password management, called SPHINX, which remains secure even when the password manager itself has been compromised. In SPHINX, the data stored on the manager is information theoretically independent of the user's master password, meaning that an attacker breaking into the manager learns no information about the master password or the user's individual passwords. SPHINX, once deployed, offers an improved level of protection and usability to everyday Internet users. The research is being integrated with educational activities in the form of advanced curriculum development and student mentoring in the broad domains of Authentication and Human-Computer Interaction. The involvement of high school and K-12 students, and minority populations broadens the reach of the project. Collaboration with manufacturers and industrial consortia facilitatws technology transfer and transition to real world use.The technical design and security of SPHINX is based on the device-enhanced PAKE model that provides the theoretical basis for this construction and is backed by cryptographic proofs of security. Overall, the project designs, implements and evaluates the computational/communication performance of a full online SPHINX system offering browser plugins and a service-side (or manager-side) application. As a main component of the design, the project highlights and addresses the challenges associated in building transparent and robust bidirectional manager-browser communication. Usability studies of the SPHINX system are also being conducted in both lab and real-life settings. Further, after refining the system software and UI designs informed by the results of the usability studies, SPHINX will be piloted in the field settings. Upon completion of this pilot deployment, the system will be ready for an eventual full-fledged deployment in the real world.

密码管理器表示允许用户通过与“管理器”（例如，在线第三方服务）。然而，当前的密码管理器在管理器被破坏或恶意的情况下非常容易泄漏所有密码。该项目构建、研究和部署了一种新的在线密码管理方法，称为SPHINX，即使密码管理器本身受到损害，该方法仍然是安全的。在SPHINX中，存储在管理器上的数据是理论上独立于用户主密码的信息，这意味着入侵管理器的攻击者不会了解到有关主密码或用户个人密码的信息。SPHINX一旦部署，将为日常互联网用户提供更高级别的保护和可用性。 这项研究正在与教育活动相结合，以先进的课程开发和学生指导的形式在认证和人机交互的广泛领域。高中和K-12学生以及少数民族的参与扩大了该项目的范围。SPHINX的技术设计和安全性基于设备增强的PAKE模型，该模型为这种构建提供了理论基础，并得到了加密安全性证明的支持。总体而言，该项目设计，实现和评估的计算/通信性能的一个完整的在线SPHINX系统提供浏览器插件和服务端（或管理端）的应用程序。作为设计的一个主要组成部分，该项目强调并解决了与构建透明和强大的双向管理器-浏览器通信相关的挑战。SPHINX系统的可用性研究也正在实验室和现实环境中进行。此外，在根据可用性研究的结果改进系统软件和用户界面设计后，SPHINX将在现场环境中试用。在完成这一试点部署后，该系统将准备好在真实的世界中进行最终的全面部署。