<div class="csl-bib-body">
<div class="csl-entry">Jofen, P. (2020). <i>Hashiko: a generative hybrid password manager for android : design, implementation and security analysis</i> [Diploma Thesis, Technische Universität Wien]. reposiTUm. http://hdl.handle.net/20.500.12708/78420</div>
</div>
-
dc.identifier.uri
http://hdl.handle.net/20.500.12708/78420
-
dc.description.abstract
Unlike traditional password managers, generative password managers do not store passwords in encrypted files; instead they use one-way functions such as hash functions or key derivation functions (KDFs) to derive passwords on the fly. For each combination of master password and account/username given as input to the one-way function, a unique website password is generated. Such generated passwords are not immune to brute-force or dictionary attacks if the algorithm is computationally cheap or the master password is easy to guess. The winner of the Password Hashing Competition (PHC), Argon2, belongs to a relatively new generation of KDFs that require a considerable amount of memory for efficient computation. Such memory-hard functions (MHFs) may be considered a security best practice for key derivation today. In this thesis, we assess the practicability of Argon2 with different parameters and compare its runtime behaviour with PBKDF2 and common hash functions (MD5, SHA) on three Android smartphones: OnePlus 6, OnePlus 3T and Moto G. The results suggest that Argon2 is practicable in terms of derivation time on all tested smartphones (around 0.5 s to 3 s), but only with low memory settings (m < 1 GiB) and/or few iterations (t ∈ {1, 2}). The benchmark also shows that the performance gap between older and newer phones is smaller with Argon2 than with PBKDF2. Moreover, we analyze the security of the password generation algorithms of three generative password managers for Android: Salasana, Privacy Friendly Password Generator and Master Password. In this process, eight different types of issues of varying severity were identified, such as the absence of a salt and low cost factors in key derivation. Each of the tested applications is affected by at least one of these problems. Furthermore, we present a new generative password manager, Hashikō, for Android. This prototypical implementation (1) employs Argon2 for password generation, (2) avoids the issues found in the derivation algorithms of the other password managers and (3) allows easy transition to new algorithms and migration of passwords through a flexible, modular password derivation concept.
en
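The derivation scheme the abstract describes (master password plus account identifiers into a slow KDF, output encoded into a site password) and the two issues it names (missing salt, low cost factors) can be illustrated with a small, runnable model. The block below is an added example, not code from the thesis or from Hashikō. It assumes a constructed per-user random salt, uses scrypt from the Python standard library as a stand-in for Argon2 (both are memory-hard; Argon2 itself is not in the stdlib), and keys every derivation by an algorithm tag so that an old and a new algorithm can coexist during migration, which is the idea behind the "modular derivation concept" in the abstract. Parameter values (600k PBKDF2 iterations, scrypt n=2^14, r=8) are assumptions chosen for the example, not figures from the thesis.

```python
"""Generative password derivation, modelled after the scheme in the abstract.

password = encode(KDF(master, salt(user_salt, username, site, algo_tag)))

Added example; not the thesis's own code.  scrypt stands in for Argon2.
"""
import hashlib
import string
import time

# 64 symbols, so each 6-bit chunk of KDF output maps to exactly one symbol
# without the modulo bias that "key[i] % len(alphabet)" would introduce.
ALPHABET = string.ascii_letters + string.digits + "-_"
assert len(ALPHABET) == 64

# Constructed per-user random salt (a real app would create it once with
# secrets.token_bytes(16) and back it up together with the master password).
# Without such a salt, attackers can precompute tables valid for every user.
EXAMPLE_USER_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def build_salt(user_salt: bytes, username: str, site: str, algo_tag: str) -> bytes:
    """Length-prefix every field so ("ab", "c") and ("a", "bc") cannot collide,
    and bind the algorithm tag so switching algorithms changes all outputs."""
    fields = [algo_tag.encode(), user_salt, username.encode("utf-8"), site.encode("utf-8")]
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def kdf_pbkdf2(master: bytes, salt: bytes, dklen: int) -> bytes:
    # CPU-only cost: 600k iterations of HMAC-SHA256 (assumed value).
    return hashlib.pbkdf2_hmac("sha256", master, salt, 600_000, dklen)


def kdf_scrypt(master: bytes, salt: bytes, dklen: int) -> bytes:
    # Memory-hard stand-in for Argon2: 128 * r * n = 16 MiB working memory,
    # well inside the "m < 1 GiB" range the abstract reports as practicable.
    return hashlib.scrypt(master, salt=salt, n=2**14, r=8, p=1,
                          maxmem=64 * 2**20, dklen=dklen)


# Registry keyed by tag: new algorithms are added here; old tags stay usable
# so existing site passwords can still be regenerated and then migrated.
KDFS = {"pbkdf2-v1": kdf_pbkdf2, "scrypt-v1": kdf_scrypt}


def encode(key: bytes, length: int) -> str:
    """Turn KDF output into `length` symbols, 6 bits per symbol."""
    n = int.from_bytes(key, "big")
    out = []
    for _ in range(length):
        out.append(ALPHABET[n & 63])
        n >>= 6
    return "".join(out)


def generate_password(master: str, username: str, site: str, algo: str = "scrypt-v1",
                      length: int = 20, user_salt: bytes = EXAMPLE_USER_SALT) -> str:
    if algo not in KDFS:
        raise ValueError(f"unknown derivation algorithm tag: {algo}")
    dklen = (length * 6 + 7) // 8          # bytes needed for length*6 bits
    salt = build_salt(user_salt, username, site, algo)
    key = KDFS[algo](master.encode("utf-8"), salt, dklen)
    return encode(key, length)


def migrate(master: str, username: str, site: str, old_algo: str, new_algo: str,
            length: int = 20) -> tuple:
    """Return (old, new) so the user can log in with `old` and change it to `new`."""
    return (generate_password(master, username, site, old_algo, length),
            generate_password(master, username, site, new_algo, length))


def time_derivation(algo: str, rounds: int = 3) -> float:
    """Median wall-clock seconds for one derivation; mirrors the thesis's
    per-device benchmark idea, on whatever machine this runs on."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        generate_password("correct horse battery staple", "alice", "example.com", algo)
        samples.append(time.perf_counter() - t0)
    return sorted(samples)[len(samples) // 2]


if __name__ == "__main__":
    for tag in KDFS:
        pw = generate_password("correct horse battery staple", "alice", "example.com", tag)
        print(f"{tag:10s} {pw}  ({time_derivation(tag):.3f} s)")
```

The `algo` tag is folded into the salt, so the same master password yields unrelated outputs under `pbkdf2-v1` and `scrypt-v1`; a migration is therefore a per-site password change, which `migrate` makes explicit by returning both values.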
dc.format
xv, 96 pages
-
dc.language
English
-
dc.language.iso
en
-
dc.subject
Generativer Passwort Manager
de
dc.subject
Android
de
dc.subject
Hashfunktion
de
dc.subject
Schlüsselableitungsfunktion
de
dc.subject
Argon2
de
dc.subject
PBKDF2
de
dc.subject
Generative Password Manager
en
dc.subject
Android
en
dc.subject
Hash Function
en
dc.subject
Key Derivation Function
en
dc.subject
Argon2
en
dc.subject
PBKDF2
en
dc.title
Hashiko: a generative hybrid password manager for android : design, implementation and security analysis
en
dc.type
Thesis
en
dc.type
Hochschulschrift
de
dc.contributor.affiliation
TU Wien, Austria
-
dc.publisher.place
Wien
-
tuw.thesisinformation
Technische Universität Wien
-
tuw.publication.orgunit
E194 - Institut für Information Systems Engineering