Avoiding Man-in-the-Middle Attacks When Verifying Public Terminals
An individual who intends to engage in sensitive transactions using a public terminal such as an ATM needs to trust that (a) all communications are indeed carried out with the intended terminal, (b) such communications are confidential, and (c) the terminal’s integrity is guaranteed. Satisfying such requirements prevents man-in-the-middle attacks and eavesdropping.
We have analysed several existing transaction schemes and concluded that they tend not to meet all requirements during the entire transaction. We propose a new, generic protocol that provides (a) optional terminal identification, (b) key establishment, and (c) customisable integrity assurance.
Keywords: Mobile Phone, Secure Channel, Trust Platform Module, Personal Device, Malicious Software