Contextual OTP: Mitigating Emerging Man-in-the-Middle Attacks with Wireless Hardware Tokens
- Assaf Ben-DavidAffiliated withThe Hebrew University
- , Omer BerkmanAffiliated withThe Academic College of Tel Aviv Jaffa
- , Yossi MatiasAffiliated withGoogle Inc.
- , Sarvar PatelAffiliated withGoogle Inc.
- , Cem PayaAffiliated withGoogle Inc.
- , Moti YungAffiliated withGoogle Inc.Columbia University
OTP (One Time Password) devices are highly deployed trust enhancing (password entropy increasing) devices which are used to authenticate a user with a second factor (a pseudorandom sequence of digits produced by a device the user owns) and to cope with off-line phishing of password information. Wireless connection adds usability to OTP protocols in an obvious way: instead of the person copying the information between machines, the wireless (say, Bluetooth) mechanism can transfer the value directly. Indeed, OTP devices implemented in a smartphone and communicating with the browser over Bluetooth can act in usable fashion (and this extension was implemented in our organization and got very positive usability feedback). What we then noticed as a key observation is that this mode of OTP wireless transfer has turned the “man to machine” nature of the OTP tokens to a “(mobile) device to machine (the browser on the computer)” method, so we can now employ protocols between the two interacting computers. Thus, we asked what can this new mode contribute to security (rather than to usability only) and cope with increased set of attacks. Specifically, the question we are dealing with is whether wireless OTP devices (i.e., smartphones) can be hardened at a reasonable cost (i.e., without costly OTP infrastructural changes, public-key infrastructure/ operations, and with small modification to browsers) so as to be useful against one type of interesting and currently growing and highly publicized Man in the Middle (MITM) attacks. The work herein summarizes our study which is based on our proposed new notion of Contextual OTP (XOTP for short), which exploits session contexts to break the symmetry between the “user-MITM” and the “MITM-server” sessions.
- Contextual OTP: Mitigating Emerging Man-in-the-Middle Attacks with Wireless Hardware Tokens
- Book Title
- Applied Cryptography and Network Security
- Book Subtitle
- 10th International Conference, ACNS 2012, Singapore, June 26-29, 2012. Proceedings
- pp 30-47
- Print ISBN
- Online ISBN
- Series Title
- Lecture Notes in Computer Science
- Series Volume
- Series ISSN
- Springer Berlin Heidelberg
- Copyright Holder
- Springer-Verlag Berlin Heidelberg
- Additional Links
- Industry Sectors
- eBook Packages
- Editor Affiliations
- 16. Institute for Infocomm Research
- 17. Dipartimento di Tecnologie dell’ Informazione, Università degli Studi di Milano
- Author Affiliations
- 19. The Hebrew University, Jerusalem, Israel
- 20. The Academic College of Tel Aviv Jaffa, Tel Aviv, Israel
- 18. Google Inc., Israel
- 21. Columbia University, NY, USA
To view the rest of this content please follow the download PDF link above.