Back Channels Can Be Useful! – Layering Authentication Channels to Provide Covert Communication
This paper argues the need for a covert back-channel communication mechanism in authentication protocols, and discusses various practical uses for such a channel as well as desirable features for its design and deployment. Such a mechanism would leverage the existing authentication channel to carry the covert communication rather than introducing a separate one. The communication would need to go unnoticed by an adversary observing it, possibly as a man-in-the-middle. We discuss the properties that such channels would need to have for the various scenarios in which they would be used. We also show their potential for mitigating the effects of a number of security breaches currently occurring in these scenarios.
Keywords: Authentication Server Impersonation Back-channels Phishing