SplitPass: A Mutually Distrusting Two-Party Password Manager

Regular Paper, Journal of Computer Science and Technology

Abstract

Using a password manager is known to be more convenient and secure than not using one, on the assumption that the password manager itself is safe. However, recent studies show that most popular password managers have security vulnerabilities that can be exploited to leak passwords without the user's awareness. In this paper, we propose a new password manager, SplitPass, which vertically separates both the storage and the access of passwords across two mutually distrusting parties. During login, both parties collaborate to send their password shares to the web server, but neither party ever holds the complete password, which significantly raises the bar for a successful attack: the attacker must compromise both parties. To remain transparent to existing applications and web servers, SplitPass seamlessly splits the secure sockets layer (SSL) and transmission control protocol (TCP) sessions so that they are processed on both parties, and makes the joining of the two password shares invisible to the web server. We have implemented SplitPass using an Android phone and a cloud assistant and evaluated it with 100 of the top free apps in the official Android market. The evaluation shows that SplitPass securely protects users' passwords while incurring little performance overhead and power consumption.



Author information


Correspondence to Yu-Bin Xia.

Electronic supplementary material

ESM 1 (PDF 94 kb)


About this article


Cite this article

Liu, YT., Du, D., Xia, YB. et al. SplitPass: A Mutually Distrusting Two-Party Password Manager. J. Comput. Sci. Technol. 33, 98–115 (2018). https://doi.org/10.1007/s11390-018-1810-y
