PUFPass: A password management mechanism based on software/hardware codesign

Abstract

Secure passwords need high entropy but are difficult for users to remember. Password managers reduce the memory burden by storing site passwords locally or by generating secure site passwords from a master password through hashing or key stretching. Unfortunately, the master password introduces a single point of failure that is vulnerable to various attacks, such as offline attacks and shoulder-surfing attacks. To address these issues, this paper proposes PUFPass, a secure password management mechanism based on software/hardware codesign. By introducing a hardware primitive, the Physical Unclonable Function (PUF), into PUFPass, the random physical disorder of the device is exploited to strengthen site passwords. An illustration of PUFPass on the Android operating system is given. PUFPass is evaluated in terms of both security and preliminary usability. The security of the passwords is evaluated using PUF attack software based on a compound heuristic algorithm and an open-source password cracking tool, respectively. Finally, PUFPass is compared with other password management mechanisms using the Usability-Deployability-Security (UDS) framework. The results show that PUFPass has great advantages in security while retaining most of the usability benefits.
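The following added example (not the paper's own code or its exact construction) models the idea the abstract describes: a site password is derived from a key-stretched master password and then bound to the device by a PUF response, so a dictionary attack on a leaked site password only succeeds on the device that holds the PUF. The PUF is a constructed stand-in (`SimulatedPUF`, seeded with a constructed byte string), and the challenge derivation and password encoding are assumptions, not the paper's design.

```python
import hashlib
import hmac
import string

# Constructed stand-in for a PUF. A real PUF derives each response from physical
# disorder in the chip; this simulation only models the property PUFPass relies
# on: a challenge maps to a reproducible response that is bound to one device.
class SimulatedPUF:
    def __init__(self, device_seed: bytes):
        self._seed = device_seed  # plays the role of the physical disorder

    def response(self, challenge: bytes) -> bytes:
        return hmac.new(self._seed, challenge, hashlib.sha256).digest()

# 64 symbols, so indexing with byte % 64 is unbiased.
ALPHABET = string.ascii_letters + string.digits + "-_"

def derive_site_password(master: str, site: str, puf: SimulatedPUF, length: int = 16) -> str:
    # Software half: key-stretch the master password with the site name as salt.
    stretched = hashlib.pbkdf2_hmac("sha256", master.encode(), site.encode(), 100_000)
    # Hardware half: challenge the PUF with the stretched value, so the result
    # depends on both the master secret and the physical device (assumed design).
    bound = puf.response(stretched)
    # Expand to a printable site password (simplified encoding, assumed).
    digest = hashlib.sha256(bound + site.encode()).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])

def offline_guess(candidates, site: str, leaked: str, puf: SimulatedPUF):
    """Model an offline attack: try master-password guesses against a leaked
    site password using the given device. Returns the matching master or None."""
    for guess in candidates:
        if hmac.compare_digest(derive_site_password(guess, site, puf), leaked):
            return guess
    return None

if __name__ == "__main__":
    device_a = SimulatedPUF(b"constructed-device-seed-A")  # constructed seed
    device_b = SimulatedPUF(b"constructed-device-seed-B")  # constructed seed
    pw = derive_site_password("correct horse", "example.com", device_a)
    print("site password on device A:", pw)
    # Guessing with the original device recovers the master; guessing on another
    # device fails even though the correct master is in the dictionary.
    print(offline_guess(["password", "correct horse"], "example.com", pw, device_a))
    print(offline_guess(["password", "correct horse"], "example.com", pw, device_b))
```

The second `offline_guess` call returns `None`: without the physical device, the stretched master password alone no longer determines the site password, which is the single point of failure the abstract says PUFPass removes.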
