Security and Privacy in Communication Networks. 16th EAI International Conference, SecureComm 2020, Washington, DC, USA, October 21-23, 2020, Proceedings, Part II

Research Article

SGX-Cube: An SGX-Enhanced Single Sign-On System Against Server-Side Credential Leakage

  • @INPROCEEDINGS{10.1007/978-3-030-63095-9_18,
        author={Songsong Liu and Qiyang Song and Kun Sun and Qi Li},
        title={SGX-Cube: An SGX-Enhanced Single Sign-On System Against Server-Side Credential Leakage},
        proceedings={Security and Privacy in Communication Networks. 16th EAI International Conference, SecureComm 2020, Washington, DC, USA, October 21-23, 2020, Proceedings, Part II},
        proceedings_a={SECURECOMM PART 2},
        year={2020},
        month={12},
        keywords={SSO SGX Credential leakage},
        doi={10.1007/978-3-030-63095-9_18}
    }
    
  • Songsong Liu
    Qiyang Song
    Kun Sun
    Qi Li
    Year: 2020
    SGX-Cube: An SGX-Enhanced Single Sign-On System Against Server-Side Credential Leakage
    SECURECOMM PART 2
    Springer
    DOI: 10.1007/978-3-030-63095-9_18
Songsong Liu*, Qiyang Song¹, Kun Sun, Qi Li¹
  • 1: BNRist
*Contact email: sliu23@gmu.edu

Abstract

User authentication systems enforce the access control of critical resources over Internet services. The pair of username and password is still the most commonly used user authentication credential for online login systems. Since the credential database has consistently been a main target for attackers, it is critical to protect the security and privacy of credential databases on the servers. In this paper, we propose SGX-Cube, an SGX-enhanced secure Single Sign-On (SSO) login system, to prevent credential leakage directly from the server memory and via brute-force attacks against a stolen credential database. When leveraging Intel SGX to develop a scalable secure SSO system, we solve two main SGX challenges, namely, small secure memory size and the limited number of running threads, by developing a record-based database encryption scheme and placing only authentication-related functions in the enclave, respectively. We implement an SGX-Cube prototype on a real SGX platform. The experimental results show that SGX-Cube can effectively protect the confidentiality of user credentials on the server side with a small performance overhead.

Keywords
SSO SGX Credential leakage
Published
2020-12-12
Appears in
SpringerLink
http://dx.doi.org/10.1007/978-3-030-63095-9_18