The Zurich Trusted Information Channel – An Efficient Defence Against Man-in-the-Middle and Malicious Software Attacks

  • Thomas Weigold
  • Thorsten Kramp
  • Reto Hermann
  • Frank Höring
  • Peter Buhler
  • Michael Baentsch
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4968)

Abstract

This paper introduces the Zurich Trusted Information Channel (ZTIC, for short), a cost-efficient and easy-to-use approach to defending online services against man-in-the-middle and malicious-software attacks. A small, cheap-to-manufacture, zero-installation USB device with a display runs a highly efficient security software stack that provides the communications endpoint between server and customer. The insecure user PC is used solely to relay IP packets and to display non-critical transaction information. All critical information is parsed out of the mutually authenticated SSL/TLS connections that the ZTIC establishes to the server and is shown on the device's display for explicit user approval.

Keywords

Authentication, Malicious Software, Man-in-the-middle, Secure Token, Secure Internet Banking

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Thomas Weigold (1)
  • Thorsten Kramp (1)
  • Reto Hermann (1)
  • Frank Höring (1)
  • Peter Buhler (1)
  • Michael Baentsch (1)

  1. IBM Zurich Research Laboratory