Password databases form one of the backbones of today's web applications.
Every web application needs to store its users’ credentials (email and password) in
an efficient way, and in popular applications (Google, Facebook, Twitter, etc.) these
databases can grow to store millions of user credentials simultaneously. However,
despite their critical nature and susceptibility to targeted attacks, the techniques
used for securing password databases are still very rudimentary, opening the way to
devastating attacks. In 2016 alone, counting only publicly disclosed incidents,
more than 500 million passwords were stolen in internet hacking attacks.
To address this problem, we set out to study several schemes, such as property-preserving
encryption schemes (e.g. deterministic encryption), encrypted data-structures that
support operations (e.g. searchable encryption), partially homomorphic encryption
schemes, and commodity trusted hardware (e.g. TPM and Intel SGX).
In this thesis we propose to summarize the most efficient and secure techniques
for password database management systems that exist today and to recreate
them to accommodate a new and simple universal API.
We also propose SSPM (Simple Secure Password Management), a new password
database scheme that simultaneously improves on the efficiency and security of
current solutions in the literature. SSPM is based on Searchable Symmetric Encryption
techniques, more specifically encrypted data structures, which allow efficient queries
with minimal leakage of access patterns. SSPM adapts these structures to support
the operations required by password database schemes while preserving their security
guarantees.
Furthermore, SSPM explores the use of trusted hardware to minimize the disclosure
of access patterns during the execution of operations and to protect the storage
of cryptographic keys. Experimental results with real password databases show
that SSPM performs similarly to the solutions used in industry today,
while simultaneously strengthening the security guarantees offered.