
NSF Org: | CNS Division Of Computer and Network Systems |
Recipient: |
|
Initial Amendment Date: | July 25, 2017 |
Latest Amendment Date: | July 25, 2017 |
Award Number: | 1714807 |
Award Instrument: | Standard Grant |
Program Manager: | Rob Beverly, CNS Division Of Computer and Network Systems, CSE Directorate for Computer and Information Science and Engineering |
Start Date: | August 15, 2017 |
End Date: | October 31, 2021 (Estimated) |
Total Intended Award Amount: | $450,000.00 |
Total Awarded Amount to Date: | $450,000.00 |
Funds Obligated to Date: |
|
History of Investigator: |
|
Recipient Sponsored Research Office: |
701 S 20TH STREET BIRMINGHAM AL US 35294-0001 (205)934-5266 |
Sponsor Congressional District: |
|
Primary Place of Performance: |
AL US 35294-0001 |
Primary Place of Performance Congressional District: |
|
Unique Entity Identifier (UEI): |
|
Parent UEI: |
|
NSF Program(s): | Secure & Trustworthy Cyberspace |
Primary Program Source: |
|
Program Reference Code(s): |
|
Program Element Code(s): |
|
Award Agency Code: | 4900 |
Fund Agency Code: | 4900 |
Assistance Listing Number(s): | 47.070 |
ABSTRACT
Password managers represent a security technique that allows a user to store and retrieve passwords for multiple password-protected web services by interacting with a 'manager' (e.g., an online third-party service) on the basis of a single master password. However, current password managers are highly vulnerable to leakage of all passwords in the event the manager is compromised or malicious. This project builds, studies, and deploys a novel approach to online password management, called SPHINX, which remains secure even when the password manager itself has been compromised. In SPHINX, the data stored on the manager is information-theoretically independent of the user's master password, meaning that an attacker breaking into the manager learns no information about the master password or the user's individual passwords. SPHINX, once deployed, offers an improved level of protection and usability to everyday Internet users. The research is being integrated with educational activities in the form of advanced curriculum development and student mentoring in the broad domains of Authentication and Human-Computer Interaction. The involvement of high school and K-12 students and minority populations broadens the reach of the project. Collaboration with manufacturers and industrial consortia facilitates technology transfer and transition to real-world use.
The technical design and security of SPHINX are based on the device-enhanced PAKE model, which provides the theoretical basis for this construction and is backed by cryptographic proofs of security. Overall, the project designs, implements and evaluates the computational/communication performance of a full online SPHINX system offering browser plugins and a service-side (or manager-side) application. As a main component of the design, the project highlights and addresses the challenges associated with building transparent and robust bidirectional manager-browser communication. Usability studies of the SPHINX system are also being conducted in both lab and real-life settings. Further, after the system software and UI designs are refined based on the results of the usability studies, SPHINX will be piloted in field settings. Upon completion of this pilot deployment, the system will be ready for an eventual full-fledged deployment in the real world.