Passwords are undoubtedly the most dominant user authentication mechanism on the web today. Although they are inexpensive and easy-to-use, security concerns of password-based authentication are serious. Phishing and theft of password databases are two critical concerns. The tendency of users to re-use passwords across different services exacerbates the impact of these two concerns. Current solutions addressing these concerns are not fully satisfactory: they typically address only one of the two concerns; they do not protect passwords from rogue servers; they do not provide any verifiable evidence of their (server-side) adoption to users; and they face deployability challenges in terms of the cost for service providers and/or ease-of-use for end users.

We present SafeKeeper, a comprehensive approach to protect the confidentiality of passwords in web authentication systems. Unlike previous approaches, SafeKeeper protects user passwords against very strong adversaries, including rogue servers and sophisticated external phishers. It is relatively inexpensive to deploy as it (i) uses widely available hardware security mechanisms like Intel SGX, (ii) is integrated into popular web platforms like WordPress, and (iii) has small performance overhead. We describe a variety of challenges in designing and implementing such a system, and how we overcome them. Through an 86-participant user study, and systematic analysis and experiments, we demonstrate the usability, security and deployability of SafeKeeper, which is available as open-source.

News

• SafeKeeper has been noticed and summarized by The Morning Paper.
• SafeKeeper has been accepted for presentation and publication at The Web Conference (WWW) 2018.
• Our SafeKeeper demo paper has also been accepted for presentation at The Web Conference 2018.
• Klaudia Krawiecka’s masters thesis Improving Web Security Using Trusted Hardware has been selected as the best Information Security masters thesis in Finland for 2016-17. See press releases from Aalto, Tietoturva, and Tivia.

Technical Papers

SafeKeeper: Protecting Web Passwords using Trusted Execution Environments (arXiv report)
Klaudia Krawiecka, Arseny Kurnikov, Andrew Paverd, Mohammad Mannan, N. Asokan
WWW ’18 Proceedings of The Web Conference 2018

Using SafeKeeper to Protect Web Passwords (Demo paper)
Arseny Kurnikov, Klaudia Krawiecka, Andrew Paverd, Mohammad Mannan, N. Asokan
WWW ’18 Companion of the The Web Conference 2018

Protecting Password Databases using Trusted Hardware (Short paper)
Klaudia Krawiecka, Andrew Paverd, N. Asokan
SysTEX ’16 Proceedings of the 1st Workshop on System Software for Trusted Execution, 2016

Masters Thesis

• Klaudia Krawiecka, Improving Web Security Using Trusted Hardware, Aalto University, 2017.

Source Code

• https://github.com/safekeeper

Poster

• SafeKeeper: Protecting Web Passwords using Trusted Execution Environments (April 2018)

Video

Team Members

• Klaudia Krawiecka (Aalto University & University of Oxford)
• Arseny Kurnikov (Aalto University)
• Dr Andrew Paverd (Aalto University)
• Prof. Mohammad Mannan (Concordia University)
• Prof. N. Asokan (Aalto University)