Abstract
We present a system that enables secure user authentication by leveraging a portable USB-based trusted device. The heart of our system is a protocol that guarantees trusted behaviour at multiple layers: from the hardware device itself, to the software executing on that hardware, and finally to the application hosted on the remote server. This combination assures end-to-end trust and makes our system resilient to physical attacks (e.g. tampering with the device and wire tapping) as well as logical attacks (e.g. man-in-the-middle attacks). Our system uses web-based proxy communication built on standard HTML tags and JavaScript to coordinate communication amongst the different components. As a result, our system does not require the installation of the extra drivers that most existing technologies need to support such communication.
Copyright information
© 2010 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering
Cite this paper
Jang, J., Liu, D., Nepal, S., Zic, J. (2010). User Authentication for Online Applications Using a USB-Based Trust Device. In: Schmidt, A.U., Russello, G., Lioy, A., Prasad, N.R., Lian, S. (eds) Security and Privacy in Mobile Information and Communication Systems. MobiSec 2010. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 47. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-17502-2_2
DOI: https://doi.org/10.1007/978-3-642-17502-2_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-17501-5
Online ISBN: 978-3-642-17502-2