Do you think your passwords are secure?

Dominik Ziegler, Mattias Rauter, Christof Stromberger, Peter Teufl, Daniel M. Hein
DOI: 10.1109/PRISMS.2014.6970600 (https://doi.org/10.1109/PRISMS.2014.6970600)
Published in: 2014 International Conference on Privacy and Security in Mobile Systems (PRISMS)
Publication date: 2014-05-11
Source platform: Semantic Scholar
Citations: 5

Abstract

Many systems rely on passwords for authentication. Due to numerous accounts for different services, users have to choose and remember a significant number of passwords. Password-Manager applications address this issue by storing the user's passwords. They are especially useful on mobile devices, because of the ubiquitous access to the account passwords. Password-Managers often use key derivation functions to convert a master password into a cryptographic key suitable for encrypting the list of passwords, thus protecting the passwords against unauthorized, off-line access. Therefore, design and implementation flaws in the key derivation function impact password security significantly. Design and implementation problems in the key derivation function can render the encryption on the password list useless, by for example allowing efficient bruteforce attacks, or - even worse - direct decryption of the stored passwords. In this paper, we analyze the key derivation functions of popular Android Password-Managers with often startling results. With this analysis, we want to raise the awareness of developers of security critical apps for security, and provide an overview about the current state of implementation security of security-critical applications.