TruWallet: Trustworthy and migratable wallet-based web authentication

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2009, Pages 19-28

  Gajek, Sebastian ^a   Löhr, Hans ^b   Sadeghi, Ahmad Reza ^b   Winandy, Marcel ^b  

^a TEL AVIV UNIVERSITY   (Israel)

^b RUHR UNIVERSITY BOCHUM   (Germany)

Author keywords

Identity theft; Password wallet; Phishing; Secure migration; Trusted computing

Indexed keywords

AUTHENTICATION SOLUTIONS; IDENTITY THEFT; MALWARES; MIGRATION PROTOCOLS; OPERATING SYSTEMS; PHISHING; SECURITY KERNEL; SECURITY PROBLEMS; SENSITIVE DATAS; TRUSTED COMPUTING; TRUSTED COMPUTING TECHNOLOGY; VIRTUALIZATIONS; WEB APPLICATION; WEB AUTHENTICATION;

AUTHENTICATION; COMPUTER CRIME; COMPUTER OPERATING SYSTEMS; CRIME; INTERNET PROTOCOLS; SPACE TIME ADAPTIVE PROCESSING; WEB BROWSERS; WORLD WIDE WEB;

NETWORK SECURITY;

EID: 74049088125     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1655108.1655112     Document Type: Conference Paper

References (52)

1. Paros website. http://www.parosproxy.org.
2. ID theft ring hits 50 banks, security firm says, 2005. http: //news.cnet.com/2100-7349-3-5823591.html.
3. New Trojans plunder bank accounts, 2006. http: //news.cnet.com/2100-7349- 3-6041173.html.
4. AMD. AMD64 architecture programmer's manual volume 2: System programming. Technical Report Publication Number 24593, Revision 3.14, AMD, Sept. 2007.
5. Anti Phishing Working Group. Phishing Activity Trends Report(s), 2005-2008. http://www.antiphishing.org.
6. W. A. Arbaugh, D. J. Farber, and J. M. Smith. A secure and reliable bootstrap architecture. In IEEE Symposium on Security and Privacy (S&P'97), pages 65-71, Oakland, CA, May 1997. IEEE Computer Society.
7. A. Armando, R. Carbone, L. Compagna, J. Cuellar, and L. T. Abad. Formal Analysis of SAML 2.0 Web Browser Single Sign-On: Breaking the SAML-based Single Sign-On for Google Apps. In 6th ACM Workshop on Formal Methods in Security Engineering (FMSE'08), pages 1-10, Hilton Alexandria Mark Center, Virginia, USA, 2008. ACM.
8. N. Asokan, J.-E. Ekberg, A.-R. Sadeghi, C. Stüble, and M. Wolf. Enabling fairer digital rights management with trusted computing. In 10th Information Security Conference (ISC'07), LNCS vol. 4779, pages 53-70. Springer, 2007.
9. S. M. Bellovin and M. Merritt. Encrypted key exchange: Password-based protocols secure against dictionary attacks. In IEEE Symposium on Security and Privacy (S&P'92), pages 72-84, 1992.
10. R. S. Cox, J. G. Hansen, S. D. Gribble, and H. M. Levy. A safety-oriented platform for web applications. In IEEE Symposium on Security and Privacy (S&P'06), pages 350-364. IEEE Computer Society, 2006.
11. R. Dhamija, J. D. Tygar, and M. Hearst. Why Phishing Works. In Conference on Human Factors in Computing Systems (CHI'06), pages 581-590. ACM, 2006.
12. B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, I. Pratt, A. Warfield, P. Barham, and R. Neugebauer. Xen and the art of virtualization. In ACM Symposium on Operating Systems Principles (SOSP'03), pages 164-177. ACM, October 2003.
13. N. Feske and C. Helmuth. A Nitpicker's guide to a minimal-complexity secure GUI. In 21st Annual Computer Security Applications Conference (ACSAC'05), pages 85-94. IEEE Computer Society, 2005.
14. S. Gajek, A.-R. Sadeghi, C. Stüble, and M. Winandy. Compartmented security for browsers - or how to thwart a phisher with trusted computing. In 2nd International Conference on Availability, Reliability and Security (ARES'07), pages 120-127. IEEE Computer Society, 2007.
15. S. Gajek, J. Schwenk, and X. Chen. On the insecurity of microsoft's identity metasystem cardspace. Technical Report HGI TR-2008-004, Horst Görtz Institute for IT-Security, Ruhr-University Bochum, 2008.
16. T. Garfinkel, B. Pfaff, J. Chow, M. Rosenblum, and D. Boneh. Terra: A virtual machine-based platform for trusted computing. In 19th ACM Symposium on Operating Systems Principles (SOSP'03), pages 193-206. ACM, 2003.
17. R. P. Goldberg. Architectural Principles for Virtual Computer Systems. PhD thesis, Harvard University, 1972.
18. K. Goldman, R. Perez, and R. Sailer. Linking remote attestation to secure tunnel endpoints. In First ACM Workshop on Scalable Trusted Computing (STC'06), pages 21-24. ACM, November 2006.
19. C. Grier, S. Tang, and S. T. King. Secure web browsing with the OP web browser. In IEEE Symposium on Security and Privacy (S&P'08), pages 402-416, Washington, DC, USA, 2008. IEEE Computer Society.
20. T. Groß and B. Pfitzmann. SAML artifact information flow revisited. In IEEE Web Services Security Symposium (WSSS'06), pages 84-100. CERIAS, 2006.
21. Intel Corporation. Intel trusted execution technology software development guide. Technical Report Document Number: 315168-005, Intel Corporation, June 2008.
22. Internet Crime Complaint Center. 2008 Internet Crime Report. http://www.ic3.gov/media/annualreport/2008-IC3Report.pdf, 2008.
23. S. Ioannidis and S. M. Bellovin. Building a secure web browser. In FREENIX Track: 2001 USENIX Annual Technical Conference, pages 127-134, Berkeley, CA, USA, 2001. USENIX Association.
24. D. P. Jablon. Strong password-only authenticated key exchange. Computer Communication Review, 26(5):5-26, 1996.
25. C. Jackson, D. Boneh, and J. Mitchell. Spyware resistant web authentication using virtual machines. http://crypto.stanford.edu/spyblock/, 2006.
26. C. Jackson, D. Boneh, and J. Mitchell. Transaction generators: Root kits for web. In 2nd USENIX Workshop on Hot Topics in Security (HotSec'07), pages 1-4. USENIX Association, 2007.
27. R. C. Jammalamadaka, T. W. van der Horst, S. Mehrotra, K. E. Seamons, and N. Venkasubramanian. Delegate: A proxy based architecture for secure website access from an untrusted machine. In 22nd Annual Computer Security Applications Conference (ACSAC'06), pages 57-66. IEEE Computer Society, 2006.
28. S. Jiang, S. Smith, and K. Minami. Securing web servers against insider attack. In 17th Annual Computer Security Applications Conference (ACSAC'01), pages 265-276. IEEE Computer Society, 2001.
29. N. Jovanovic, E. Kirda, and C. Kruegel. Preventing cross site request forgery attacks. In IEEE International Conference on Security and Privacy in Communication Networks (SecureComm'06). IEEE, 2006.
30. E. Kirda, C. Krügel, G. Vigna, and N. Jovanovic. Noxes: a client-side solution for mitigating cross-site scripting attacks. In ACM Symposium on Applied Computing (SAC), pages 330-337. ACM, 2006.
31. D. Kormann and A. Rubin. Risks of the passport single signon protocol. Computer Networks, 33(1-6):51-58, 2000.
32. K. Kostiainen, J.-E. Ekberg, N. Asokan, and A. Rantala. On-board credentials with open provisioning. In 4th International Symposium on Information, Computer, and Communications Security (ASIACCS'09), pages 104-115. ACM, 2009.
33. B. Krebs. The new face of phishing. Washington Post, 2006. http: //blog.washingtonpost.com/securityfix/2006/02/the-new-face-of-phishing-1.html.
34. P. C. S. Kwan and G. Durfee. Practical uses of virtual machines for protection of sensitive user data. In Information Security Practice and Experience Conference (ISPEC'07), pages 145-161. Springer, 2007.
35. J. Liedtke. On micro-kernel construction. In 15th ACM Symposium on Operating System Principles (SOSP'95), pages 237-250. ACM, 1995.
36. R. Macdonald, S. Smith, J. Marchesini, and O. Wild. Bear: An open-source virtual secure coprocessor based on TCPA. Technical Report TR2003-471, Department of Computer Science, Dartmouth College, 2003.
37. J. M. McCune, B. Parno, A. Perrig, M. K. Reiter, and A. Seshadri. Minimal TCB code execution. In 2007 IEEE Symposium on Security and Privacy (S&P'07), pages 267-272. IEEE Computer Society, 2007.
38. R. Oppliger, R. Hauser, and D. A. Basin. SSL/TLS session-aware user authentication revisited. Computers & Security, 27(3-4):64-70, 2008.
39. B. Pfitzmann and M. Waidner. Analysis of liberty single-sign-on with enabled clients. IEEE Internet Computing, 7(6):38-44, 2003.
40. N. Provos, D. McNamee, P. Mavrommatis, K. Wang, and N. Modadugu. The ghost in the browser analysis of web-based malware. In First Workshop on Hot Topics in Understanding Botnets (HotBots'07), pages 4-4, Berkeley, CA, USA, 2007. USENIX Association.
41. C. Reis, S. D. Gribble, and H. M. Levy. Architectural principles for safe web programs. In 6th Workshop on Hot Topics in Networks (HotNets'07). ACM, November 2007.
42. B. Ross, C. Jackson, N. Miyake, D. Boneh, and J. C. Mitchell. Stronger password authentication using browser extensions. In 14th USENIX Security Symposium. USENIX Association, 2005.
43. R. Sailer, T. Jaeger, E. Valdez, R. Perez, S. Berger, J. L. Griffin, and L. van Doorn. Building a MAC-based security architecture for the Xen open-source hypervisor. In 21st Annual Computer Security Applications Conference (ACSAC'05), pages 276-285. IEEE Computer Society, 2005.
44. R. Sailer, X. Zhang, T. Jaeger, and L. van Doorn. Design and implementation of a TCG-based integrity measurement architecture. In 13th USENIX Security Symposium, pages 223-238, August 2004.
45. SANS Institute. SANS Top-20 2007 Security Risks. http://www.sans.org/ top20/2007/top20.pdf, November 2007.
46. S. W. Smith and S. Weingart. Building a high-performance, programmable secure coprocessor. Computer Networks, 31(8):831-860, April 1999.
47. A. Sotirov, M. Stevens, J. Appelbaum, A. Lenstra, D. Molnar, D. A. Osvik, and B. de Weger. MD5 considered harmful today - creating a rogue CA certificate. In 25th Chaos Communication Congress (25C3), December 2008. http://www.win.tue.nl/hashclash/rogue-ca.
48. F. Stumpf, O. Tafreschi, P. Rder, and C. Eckert. A robust integrity reporting protocol for remote attestation. In Second Workshop on Advances in Trusted Computing (WATC'06 Fall), Tokyo, December 2006.
49. D. Taylor, T. Wu, N. Mavrogiannopoulos, and T. Perrin. RFC5054: Using the secure remote password (SRP) protocol for TLS authentication, 2007. http://www.ietf.org/rfc/rfc5054.
50. Trusted Computing Group. TPM main specification, version 1.2 rev. 103, July 2007. https://www.trustedcomputinggroup.org.
51. M. Wu, R. C. Miller, and G. Little. Web Wallet: Preventing Phishing Attacks by Revealing User Intentions. In 2nd Symposium on Usable Privacy and Security (SOUPS'06), pages 102-113. ACM, 2006.
52. T. Wu. The secure remote password protocol. In Network and Distributed System Security Symposium (NDSS'98), pages 97-111. The Internet Society, 1998.