Abstract
We introduce Kamouflage: a new architecture for building theft-resistant password managers. An attacker who steals a laptop or cell phone with a Kamouflage-based password manager is forced to carry out a considerable amount of online work before obtaining any user credentials. We implemented our proposal as a replacement for the built-in Firefox password manager, and provide performance measurements and the results from experiments with large real-world password sets to evaluate the feasibility and effectiveness of our approach. Kamouflage is well suited to become a standard architecture for password managers on mobile devices.
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Bojinov, H., Bursztein, E., Boyen, X., Boneh, D. (2010). Kamouflage: Loss-Resistant Password Management. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds) Computer Security – ESORICS 2010. ESORICS 2010. Lecture Notes in Computer Science, vol 6345. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15497-3_18
DOI: https://doi.org/10.1007/978-3-642-15497-3_18
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-15496-6
Online ISBN: 978-3-642-15497-3
eBook Packages: Computer Science (R0)