SGX-Cube: An SGX-Enhanced Single Sign-On System Against Server-Side Credential Leakage

2020 
User authentication systems enforce the access control of critical resources over Internet services. The pair of username and password is still the most commonly used user authentication credential for online login systems. Since the credential database has consistently been a main target for attackers, it is critical to protect the security and privacy of credential databases on the servers. In this paper, we propose SGX-Cube, an SGX-enhanced secure Single Sign-On (SSO) login system, to prevent credential leakage both directly from server memory and via brute-force attacks against a stolen credential database. When leveraging Intel SGX to develop a scalable secure SSO system, we solve two main SGX challenges, namely, the small secure memory size and the limited number of running threads, by developing a record-based database encryption scheme and by placing only authentication-related functions in the enclave, respectively. We implement an SGX-Cube prototype on a real SGX platform. The experimental results show that SGX-Cube can effectively protect the confidentiality of user credentials on the server side with a small performance overhead.
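The two design points the abstract names, a credential database encrypted record by record and an enclave that exposes only the authentication functions, modelled as an added Python example that is not the paper's code. The Enclave class and its method names, the HMAC-SHA256 counter-mode cipher (a standard-library stand-in for a real AEAD cipher) and the PBKDF2 password hashing are assumptions of this example, not SGX-Cube's actual scheme.

```python
import hashlib, hmac, os

class Enclave:
    # Stand-in for the SGX enclave (hypothetical API): it holds the sealing key and
    # exposes only enroll() and verify(); the rest of the server sees ciphertext only.
    def __init__(self):
        self._key = os.urandom(32)  # sealing key: never leaves the enclave
    def _keystream(self, nonce, n):
        # HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real AEAD cipher.
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(self._key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]
    def _seal(self, record_id, plaintext):
        # Encrypt-then-MAC one record at a time (the working set stays small); the tag
        # covers record_id so a sealed row cannot be moved to another user's entry.
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self._key, b"mac" + record_id.encode() + nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag
    def _unseal(self, record_id, blob):
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._key, b"mac" + record_id.encode() + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("record tampered with or moved")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))
    def enroll(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return self._seal(username, salt + digest)
    def verify(self, username, password, blob):
        try:
            salt_digest = self._unseal(username, blob)
        except ValueError:
            return False
        guess = hashlib.pbkdf2_hmac("sha256", password.encode(), salt_digest[:16], 100_000)
        return hmac.compare_digest(guess, salt_digest[16:])

# Untrusted side: the credential database holds only sealed records, so a stolen copy
# gives an offline attacker no salt or hash to run password guesses against.
ENCLAVE = Enclave()
CREDENTIAL_DB = {}

def register(username, password):
    CREDENTIAL_DB[username] = ENCLAVE.enroll(username, password)

def login(username, password):
    blob = CREDENTIAL_DB.get(username)
    return blob is not None and ENCLAVE.verify(username, password, blob)
```

Each login decrypts exactly one record inside the enclave, which is what keeps the enclave's memory footprint independent of the database size.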