http://dx.doi.org/10.13089/JKIISC.2020.30.1.17

Security Vulnerabilities of Client-Server Communications of Password Managers  

Hong, Seunghui (Sogang University)
So, Jaewoo (Sogang University)
Jeong, Hyera (Sogang University)
Abstract
Many users rely on password managers to conveniently manage the many usernames and passwords they need to access web sites. A password manager encrypts the passwords and stores them on a server, and the client contacts the server to retrieve the password information. Consequently, if an attacker can sniff the messages exchanged between the password manager client and the server and decrypt their contents, or can read the client computer's memory and decrypt what is held there, then every stored password is exposed. In this paper, we analyze the client-server communications and the encryption process of password managers, and show that they have a serious vulnerability to memory attacks.
Keywords
Password Manager; Client-Server Communications; Password Vault; Memory Attack; Password Decryption