Award Abstract # 1714807
SaTC: TTP: Small: SPHINX: A Password Store that Perfectly Hides Passwords from Itself

NSF Org: CNS
Division Of Computer and Network Systems
Recipient: UNIVERSITY OF ALABAMA AT BIRMINGHAM
Initial Amendment Date: July 25, 2017
Latest Amendment Date: July 25, 2017
Award Number: 1714807
Award Instrument: Standard Grant
Program Manager: Rob Beverly
CNS
 Division Of Computer and Network Systems
CSE
 Directorate for Computer and Information Science and Engineering
Start Date: August 15, 2017
End Date: October 31, 2021 (Estimated)
Total Intended Award Amount: $450,000.00
Total Awarded Amount to Date: $450,000.00
Funds Obligated to Date: FY 2017 = $196,959.00
History of Investigator:
  • Nitesh Saxena (Principal Investigator)
    nsaxena@tamu.edu
Recipient Sponsored Research Office: University of Alabama at Birmingham
701 S 20TH STREET
BIRMINGHAM
AL  US  35294-0001
(205)934-5266
Sponsor Congressional District: 07
Primary Place of Performance: University of Alabama at Birmingham
AL  US  35294-0001
Primary Place of Performance Congressional District: 07
Unique Entity Identifier (UEI): YND4PLMC9AN7
Parent UEI:
NSF Program(s): Secure & Trustworthy Cyberspace
Primary Program Source: 01001718DB NSF RESEARCH & RELATED ACTIVIT
Program Reference Code(s): 9150, 025Z, 7923, 7434
Program Element Code(s): 806000
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.070

ABSTRACT

Password managers represent a security technique that allows a user to store and retrieve passwords for multiple password-protected web services by interacting with a 'manager' (e.g., an online third-party service) on the basis of a single master password. However, current password managers are highly vulnerable to leakage of all passwords in the event the manager is compromised or malicious. This project builds, studies, and deploys a novel approach to online password management, called SPHINX, which remains secure even when the password manager itself has been compromised. In SPHINX, the data stored on the manager is information-theoretically independent of the user's master password, meaning that an attacker breaking into the manager learns no information about the master password or the user's individual passwords. SPHINX, once deployed, offers an improved level of protection and usability to everyday Internet users. The research is being integrated with educational activities in the form of advanced curriculum development and student mentoring in the broad domains of Authentication and Human-Computer Interaction. The involvement of high school and K-12 students, and minority populations, broadens the reach of the project. Collaboration with manufacturers and industrial consortia facilitates technology transfer and transition to real-world use.

The technical design and security of SPHINX are based on the device-enhanced PAKE model, which provides the theoretical basis for this construction and is backed by cryptographic proofs of security. Overall, the project designs, implements and evaluates the computational/communication performance of a full online SPHINX system offering browser plugins and a service-side (or manager-side) application. As a main component of the design, the project highlights and addresses the challenges associated with building transparent and robust bidirectional manager-browser communication. Usability studies of the SPHINX system are also being conducted in both lab and real-life settings. Further, after refining the system software and UI designs informed by the results of the usability studies, SPHINX will be piloted in field settings. Upon completion of this pilot deployment, the system will be ready for an eventual full-fledged deployment in the real world.

Please report errors in award information by writing to: awardsearch@nsf.gov.