SaTC: TTP: Small: SPHINX: A Password Store that Perfectly Hides Passwords from Itself

SaTC：TTP：小型：SPHINX：完美隐藏密码的密码存储

• 批准号: 2152669
• 负责人: Nitesh Saxena
• 金额: $ 45万
• 依托单位: Texas A&M Engineering Experiment Station
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2021
• 资助国家: 美国
• 起止时间: 2021-08-15 至 2023-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2152669&HistoricalAwards=false
• 关键词: SaTC; TTP; Small; SPHINX; Password

Password managers represent a security technique that allows a user to store and retrieve passwords for multiple password-protected web services by interacting with a 'manager' (e.g., an online third-party service) on the basis of a single master password. However, current password managers are highly vulnerable to leakage of all passwords in the event the manager is compromised or malicious. This project builds, studies, and deploys a novel approach to online password management, called SPHINX, which remains secure even when the password manager itself has been compromised. In SPHINX, the data stored on the manager is information theoretically independent of the user's master password, meaning that an attacker breaking into the manager learns no information about the master password or the user's individual passwords. SPHINX, once deployed, offers an improved level of protection and usability to everyday Internet users. The research is being integrated with educational activities in the form of advanced curriculum development and student mentoring in the broad domains of Authentication and Human-Computer Interaction. The involvement of high school and K-12 students, and minority populations broadens the reach of the project. Collaboration with manufacturers and industrial consortia facilitatws technology transfer and transition to real world use.The technical design and security of SPHINX is based on the device-enhanced PAKE model that provides the theoretical basis for this construction and is backed by cryptographic proofs of security. Overall, the project designs, implements and evaluates the computational/communication performance of a full online SPHINX system offering browser plugins and a service-side (or manager-side) application. As a main component of the design, the project highlights and addresses the challenges associated in building transparent and robust bidirectional manager-browser communication. Usability studies of the SPHINX system are also being conducted in both lab and real-life settings. Further, after refining the system software and UI designs informed by the results of the usability studies, SPHINX will be piloted in the field settings. Upon completion of this pilot deployment, the system will be ready for an eventual full-fledged deployment in the real world.

密码管理器代表一种安全技术，该技术允许用户通过单个主密码与“经理”（例如在线第三方服务）进行交互来存储和检索多个受密码保护的Web服务的密码。但是，如果经理遭到损害或恶意，当前密码管理器非常容易受到所有密码的泄漏。该项目构建，研究和部署了一种新颖的在线密码管理方法，即Sphinx，即使密码管理器本身已被妥协，该方法仍然安全。在Sphinx中，存储在管理器上的数据在理论上独立于用户的主密码，这意味着攻击者闯入管理员的信息不会学习有关主密码或用户个人密码的信息。 Sphinx一旦部署，便为日常互联网用户提供了改进的保护水平和可用性。 这项研究正在以高级课程开发和学生指导的形式与教育活动融合在一起，并在身份验证和人为计算机互动的广泛领域中进行了指导。高中和K-12学生的参与以及少数群体的参与扩大了该项目的影响力。与制造商和工业财团的合作技术转移，并过渡到现实世界的使用。Sphinx的技术设计和安全性基于设备增强的Pake模型，该模型为该构建提供了理论基础，并得到了密码学证明的支持。总体而言，该项目设计，实施和评估完整的在线狮身胸腔系统的计算/通信性能，该系统提供浏览器插件和服务端（或经理端）应用程序。作为设计的主要组成部分，该项目突出并解决了在构建透明和强大的双向经理浏览器通信方面相关的挑战。在实验室和现实生活环境中，也正在对狮身人面像系统进行可用性研究。此外，在完善了由可用性研究结果所告知的系统软件和UI设计之后，将在现场设置中进行试验。该试点部署完成后，该系统将准备好在现实世界中最终进行全面部署。