Abstract
In an on-line transaction, a client usually has to present one or more authenticators (a password, a user certificate, or both) to the server. Those authenticators are, however, exposed to client-side malware: the malware can read the client-server messages, or impersonate the user and build another "secure" channel of its own with the server.
The present paper aims to patch this client-side security flaw with a novel password-input method. Specifically, it lets a user enter a password by clicking an on-screen CAPTCHA keyboard rather than typing on a physical keyboard. The CAPTCHA keyboard is designed to greatly increase the difficulty of password eavesdropping and phishing in a malicious environment, provided that the malware cannot monitor the browser's secret memory space. Our implementation shows that a Firefox browser incorporating the CAPTCHA keyboard and a smartcard is viable and transparent over the HTTPS protocol.
© 2012 IFIP International Federation for Information Processing
Cite this paper
Wu, Y., Zhao, Z. (2012). Enhancing the Security of On-line Transactions with CAPTCHA Keyboard. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds) Information Security and Privacy Research. SEC 2012. IFIP Advances in Information and Communication Technology, vol 376. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-30436-1_44
DOI: https://doi.org/10.1007/978-3-642-30436-1_44
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-30435-4
Online ISBN: 978-3-642-30436-1
eBook Packages: Computer Science (R0)