GPASS: A Password Manager with Group-Based Access Control

  • Conference paper
Secure IT Systems (NordSec 2017)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 10674)

Abstract

Password managers make it easy for users to choose stronger and more random passwords without the burden of memorizing them. While the majority of our passwords should be kept secret, sharing passwords and access codes is necessary in some cases. In this paper, we present GPASS—a password manager architecture that allows groups to share passwords via an untrusted server. GPASS provides its own cryptographic access control mechanism in which all the information is transparent to the clients so that they can detect any misbehavior of the server. We implemented a proof-of-concept prototype to demonstrate the feasibility and effectiveness of the architecture.

Author information

Corresponding author

Correspondence to Thanh Bui.

Copyright information

© 2017 Springer International Publishing AG

Cite this paper

Bui, T., Aura, T. (2017). GPASS: A Password Manager with Group-Based Access Control. In: Lipmaa, H., Mitrokotsa, A., Matulevičius, R. (eds) Secure IT Systems. NordSec 2017. Lecture Notes in Computer Science, vol 10674. Springer, Cham. https://doi.org/10.1007/978-3-319-70290-2_14

  • DOI: https://doi.org/10.1007/978-3-319-70290-2_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-70289-6

  • Online ISBN: 978-3-319-70290-2

  • eBook Packages: Computer Science (R0)