Tapas

Daniel McCarney, David Barrera, Jeremy Clark, Sonia Chiasson, Paul C. van Oorschot
2012 Proceedings of the 28th Annual Computer Security Applications Conference on - ACSAC '12  
Passwords continue to prevail on the web as the primary method for user authentication despite their well-known security and usability drawbacks. Password managers offer some improvement without requiring server-side changes. In this paper, we evaluate the security of dual-possession authentication, an authentication approach offering encrypted storage of passwords and theft-resistance without the use of a master password. We further introduce Tapas, a concrete implementation of dual-possession authentication leveraging a desktop computer and a smartphone. Tapas requires no server-side changes to websites, no master password, and protects all the stored passwords in the event either the primary or secondary device (e.g., computer or phone) is stolen. To evaluate the viability of Tapas as an alternative to traditional password managers, we perform a 30 participant user study comparing Tapas to two configurations of Firefox's built-in password manager. We found users significantly preferred Tapas. We then improve Tapas by incorporating feedback from this study, and reevaluate it with an additional 10 participants.

Protocol 1: Pairing Manager and Wallet

User action: Upon a user choosing to set-up a new Wallet, the following protocol is initiated by the Manager.
Communication channel: A one-way authenticated and secret out-of-band (AS-OOB) channel from the Manager to the Wallet.

1. The Manager generates an authentication key pair for itself pk_m, sk_m and sends its public key pk_m to the Wallet.
2. The Manager generates an authentication key pair for the Wallet pk_w, sk_w and sends the pair to the Wallet.
3. The Manager generates a secret key k for a symmetric key authenticated encryption scheme Enc_k().

Output: The Manager stores pk_m, pk_w, sk_m, k and erases sk_w. The Wallet stores pk_m, pk_w, sk_w.

Protocol 2: Storing a Password

User action: Upon a user choosing to save a password p_i, the following protocol is initiated by the Manager.
Communication channel: A mutually-authenticated secure channel with perfect forward secrecy between the Manager and the Wallet. The participants, respectively, identify themselves with pk_m and pk_w.

1. The Manager takes user password p_i (entered by user) and site information s_i and computes c_i = Enc_k(p_i s_i).
2. The Manager sends c_i, s_i to the Wallet.
3. The Wallet prompts the user to create a tag t_i for referencing the site, using s_i to suggest a value for the tag.

Output: The Manager erases p_i, s_i, c_i. The Wallet stores t_i, c_i and erases s_i.

Protocol 3: Retrieving a Password

User action: Upon a user choosing a password for retrieval, the following protocol is initiated by the Wallet.
Communication channel: A mutually-authenticated secure channel with perfect forward secrecy between the Manager and the Wallet. The participants, respectively, identify themselves with pk_m and pk_w.
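
The sketch below is an added example, not code from the paper or from Tapas. It shows the state each device ends up with after Protocol 1 step 3 and Protocol 2, and why neither device alone can recover a password. Assumptions: enc/dec are a standard-library encrypt-then-MAC stand-in for Enc_k(), the key pairs and the secure channel are left out, the length-prefixed encoding of the (p_i, s_i) pair is invented here, recover() is a check of the dual-possession property rather than the steps of Protocol 3, and all class and function names are hypothetical.

```python
import hashlib, hmac, secrets

def _sub(k, label):                       # derive separate enc/MAC keys from k
    return hmac.new(k, label, hashlib.sha256).digest()

def _xor(key, nonce, data):               # HMAC-SHA256 in counter mode as keystream
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def enc(k, pt):
    """Stand-in for Enc_k(): encrypt-then-MAC built from the standard library."""
    nonce = secrets.token_bytes(16)
    body = _xor(_sub(k, b"enc"), nonce, pt)
    return nonce + body + hmac.new(_sub(k, b"mac"), nonce + body, hashlib.sha256).digest()

def dec(k, c):
    nonce, body, tag = c[:16], c[16:-32], c[-32:]
    good = hmac.new(_sub(k, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("authentication failed")
    return _xor(_sub(k, b"enc"), nonce, body)

class Wallet:
    def __init__(self):
        self.store = {}                   # t_i -> c_i; the Wallet never holds k
    def receive(self, c_i, s_i, t_i=None):
        self.store[t_i or s_i] = c_i      # s_i only suggests the tag, then is dropped

class Manager:
    def __init__(self):
        self.k = secrets.token_bytes(32)  # Protocol 1, step 3; never sent to the Wallet
    def save(self, wallet, p_i, s_i, t_i=None):
        # Assumed encoding of the (p_i, s_i) pair: 2-byte length prefix on p_i.
        pt = len(p_i).to_bytes(2, "big") + p_i + s_i.encode()
        wallet.receive(enc(self.k, pt), s_i, t_i)
        # Protocol 2 output: nothing but k is retained on the Manager object.

def recover(k, c_i):
    """Needs both halves: k from the Manager and c_i from the Wallet."""
    pt = dec(k, c_i)
    n = int.from_bytes(pt[:2], "big")
    return pt[2:2 + n], pt[2 + n:].decode()

def demo():
    m, w = Manager(), Wallet()
    m.save(w, b"correct horse", "example.test", t_i="example")  # constructed values
    return m, w
```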
doi:10.1145/2420950.2420964 dblp:conf/acsac/McCarneyBCCO12 fatcat:afy6zbmxd5ejrcvskzt57gf4re