Leveraging personal devices for stronger password authentication from untrusted computers

Journal of Computer Security

Volumn 19, Issue 4, 2011, Pages 703-750

  Mannan, Mohammad ^a   Van Oorschot, P C ^b  

^a UNIVERSITY OF TORONTO   (Canada)

^b CARLETON UNIVERSITY   (Canada)

Author keywords

Password authentication; personal device; phishing; session hijacking; untrusted computers

Indexed keywords

PASSWORD AUTHENTICATION; PERSONAL DEVICES; PHISHING; SESSION HIJACKING; UNTRUSTED COMPUTERS;

AUTHENTICATION; COMPUTER CRIME; EQUIPMENT; INTERNET PROTOCOLS; PUBLIC KEY CRYPTOGRAPHY; SURVEYS; USER INTERFACES;

PERSONAL COMPUTERS;

EID: 79960801872     PISSN: 0926227X     EISSN: None     Source Type: Journal    
DOI: 10.3233/JCS-2010-0412     Document Type: Article

References (77)

1. M. Abadi, M. Burrows, C. Kaufman and B. Lampson, Authentication and delegation with smartcards, Science of Computer Programming 21(2) (1993), 91-113.
2. M. AlZomai, B. AlFayyadh, A. Jøsang and A. McCullag, An experimental investigation of the usability of transaction authorization in online bank security systems, in: Australasian Information Security Conference (AISC'08), Wollongong, Australia, January 2008, pp. 65-73.
3. Anti-Phishing Working Group, Phishing Activity Trends Report Q4/2009, available at: http://www. antiphishing.org/reports/apwg-report-Q4-2009.pdf.
4. A. Armando, D. Basin, Y. Boichut, Y. Chevalier, L. Compagna, J. Cuellar, P.H. Drielsma, P. Heám, O. Kouchnarenko, J. Mantovani, S. Mödersheim, D. von Oheimb, M. Rusinowitch, J. Santiago, M. Turuani, L. Viganò and L. Vigneron, The AVISPA tool for the automated validation of Internet security protocols and applications, in: Computer Aided Verification (CAV), Edinburgh, Scotland, UK, July 2005, LNCS, Vol. 3576, Springer-Verlag, 2005, pp. 281-285, available at: http://www.avispa-project.org. (Pubitemid 41431740)
5. K. Bailey, A. Kapadia, L. Vongsathorn and S.W. Smith, TwoKind authentication: Protecting private information in untrustworthy environments, in: ACM Workshop on Privacy in the Electronic Society (WPES'08), Alexandria, VA, USA, October 2008, pp. 39-44.
6. D. Balfanz and E. Felten, Hand-held computers can be better smart cards, in: USENIX Security Symposium, Washington, DC, USA, August 1999, pp. 15-24.
7. M. Bellare and C. Namprempre, Authenticated encryption: Relations among notions and analysis of the generic composition paradigm, Journal of Cryptology 21(4) (2008), 469-491.
8. M. Bellare and P. Rogaway, Entity authentication and key distribution, in: Advances in Cryptology - CRYPTO'93, Santa Barbara, CA, USA, August 1993, LNCS, Vol. 773, Springer-Verlag, 1993, pp. 232-249.
9. A. Biryukov, J. Lano and B. Preneel, Cryptanalysis of the alleged SecurID hash function, in: Selected Areas in Cryptography (SAC), Ottawa, Canada, August 2003, LNCS, Vol. 3006, Springer-Verlag, 2003, pp. 130-144.
10. CA Virus Information Center, Win32.Grams.I, February 2005.
11. S. Chiasson, P. van Oorschot and R. Biddle, A usability study and critique of two password managers, in: USENIX Security Symposium, Vancouver, Canada, August 2006, pp. 1-16.
12. D.E. Clarke, B. Gassend, T. Kotwal, M. Burnside, M. van Dijk, S. Devadas and R.L. Rivest, The untrusted computer problem and camera-based authentication, in: Pervasive Computing, Zurich, Switzerland, August 2002, LNCS, Vol. 2414, Springer-Verlag, 2002, pp. 114-124.
13. Computerworld.com, Malware count blows past 1M mark, News article, April 8, 2008.
14. D. Dagon, M. Antonakakis, X. Luo, C.P. Lee, W. Lee and K. Day, Recursive dns architectures and vulnerability implications, in: Network and Distributed System Security Symposium (NDSS'09), San Diego, CA, USA, February 2009.
15. A. Datta, A. Derek, J.C. Mitchell and A. Roy, Protocol composition logic (PCL), Electronic Notes in Theoretical Computer Science (ENTCS) 172 (2007), 311-358.
16. R. Dhamija, J. Tygar and M. Hearst, Why phishing works, in: CHI, Montreal, Canada, April 2006, pp. 581-590. (Pubitemid 44032146)
17. W. Diffie, P.C. van Oorschot and M.J. Wiener, Authentication and authenticated key exchanges, Designs, Codes and Cryptography 2(2) (1992), 107-125.
18. W. Enck,M. Ongtang and P. McDaniel, Understanding Android security, IEEE Security and Privacy Magazine 7(1) (2009), 50-57.
19. Eweek.com, Tax scam preys on refund-hungry public with real gov site, News article, November 30, 2005, available at: http://www.eweek.com/article2/0, 1895,1894746,00.asp.
20. F-Secure, F-Secure virus descriptions: Cabir, June 2004.
21. F-Secure, F-Secure trojan information pages: Redbrowser.A, March 2006.
22. Federal Financial Institutions Examination Council (FFIEC), FFIEC guidance: Authentication in an Internet banking environment, October 2005, available at: http://www.fdic.gov/news/news/ financial/2005/fil10305.html.
23. E.W. Felten, D. Balfanz, D. Dean and D.S. Wallach, Web spoofing: An Internet con game, in: National Information Systems Security Conference, Baltimore, MD, USA, October 1997.
24. Finjan Malicious Code Research Center, Cybercrime intelligence report: Cybercriminals use Trojans & money mules to rob online banking accounts. Online article (issue no. 3, 2009), available at: http://www.finjan.com/ GetObject.aspx?ObjId=679.
25. Finjan Malicious Code Research Center, Web security trends Report Q3/2007, available at: http://www.finjan.com/GetObject.aspx?ObjId=506.
26. V.D. Gligor and P. Donescu, Fast encryption and authentication: XCBC encryption and XECB authentication modes, in: Workshop on Fast Software Encryption (FSE'01), Yokohama, Japan, April 2001, LNCS, Vol. 2355, Springer-Verlag, 2001, pp. 1-20.
27. A. Gostev and A. Shevchenko, Kaspersky security bulletin, January-June 2006: Malicious programs for mobile devices, September 2006, available at: http://www.viruslist.com.
28. S. Halevi and H. Krawczyk, Public-key cryptography and password protocols, ACM Transactions on Information and Systems Security (TISSEC) 2(3) (1999), 230-268.
29. C. He,M. Sundararajan, A. Datta, A. Derek and J.C.Mitchell, A modular correctness proof of IEEE 802.11i and TLS, in: ACM Computer and Communications Security (CCS'05), Alexandria, VA, USA, November 2005, pp. 2-15.
30. ICANN Security and Stability Advisory Committee, Domain name hijacking: Incidents, threats, risks, and remedial actions, July 2005, available at: http://www.icann.org.
31. IDG News Service, Investigators replicate Nokia 1100 online banking hack, News article, May 21, 2009, available at: http://www.thestandard.com/news/2009/ 05/21/investigators-replicate-nokia- 1100-online-banking-hack.
32. C. Jackson, D. Boneh and J. Mitchell, Spyware resistant web authentication using virtual machines, Technical report, 2006, available at: http://crypto.stanford.edu/spyblock.
33. C. Jackson, D. Boneh and J. Mitchell, Transaction generators: Root kits for web, in: USENIX Workshop on Hot Topics in Security (HotSec'07), Boston, MA, USA, August 2007.
34. R.C. Jammalamadaka, T. van der Horst, S. Mehrotra, K. Seamons and N. Venkatasuramanian, Delegate: A proxy based architecture for secure website access from an untrusted machine, in: Annual Computer Security Applications Conference (ACSAC'06),Miami Beach, FL, USA, December 2006, pp. 57-66. (Pubitemid 351232902)
35. D. Kaminsky, Black Ops 2008 - It's the end of the cache as we know it, in: Black Hat USA, Las Vegas, NV, USA, August 2008.
36. D. Kuhlman, R. Moriarty, T. Braskich, S. Emeott and M. Tripunitara, A correctness proof of a mesh security architecture, in: IEEE Computer Security Foundations Symposium (CSF), Pittsburgh, PA, USA, June 2008, pp. 315-330.
37. K. Kursawe and S. Katzenbeisser, Computing under occupation, in: New Security Paradigms Workshop (NSPW'07), New Hampshire, USA, September 2007, pp. 81-88.
38. B. Laurie and A. Singer, Choose the red pill and the blue pill, in: New Security Paradigms Workshop (NSPW'08), Lake Tahoe, CA, USA, September 2008, pp. 127-133.
39. M. Mannan, Authentication and securing personal information in an untrusted internet, PhD thesis, Carleton University, Canada, 2009.
40. M. Mannan and P. van Oorschot, Using a personal device to strengthen password authentication from an untrusted computer, in: Financial Cryptography and Data Security (FC'07), Lowlands, Scarborough, Trinidad and Tobago, February 2007, LNCS, Vol. 4886, Springer-Verlag, 2007, pp. 88-103. (Pubitemid 351153046)
41. M. Mannan and P. van Oorschot, Digital objects as passwords, in: USENIX Workshop on Hot Topics in Security (HotSec'08), San Jose, CA, USA, July 2008.
42. N.B. Margolin, M.K. Wright and B.N. Levine, Guardian: A framework for privacy control in untrusted environments, Technical Report 04-37, University of Massachusetts, Amherst, June 2004.
43. J.M. McCune, B. Parno, A. Perrig, M.K. Reiter and H. Isozaki, Flicker: An execution infrastructure for TCB minimization, in: The European Conference on Computer Systems (EuroSys'08), Glasgow, Scotland, UK, April 2008, pp. 315-328.
44. J.M. McCune, A. Perrig and M.K. Reiter, Seeing-is-believing: Using camera phones for humanverifiable authentication, in: IEEE Symposium on Security and Privacy, Oakland, CA, USA, May 2005, pp. 110-124. (Pubitemid 41543650)
45. J.M. McCune, A. Perrig and M.K. Reiter, Bump in the Ether: A framework for securing sensitive user input, in: USENIX Annual Technical Conference, Boston, MA, USA, 2006, pp. 185-198.
46. J.M. McCune, A. Perrig and M.K. Reiter, Safe passage for passwords and other sensitive data, in: Network and Distributed System Security Symposium (NDSS'09), San Diego, CA, USA, February 2009.
47. Mobile Antivirus Researchers Association, Analyzing the crossover virus: The first PC to Windows handheld cross-infector, 2006, available at: http://www.informit.com.
48. Mobile electronic Transactions (MeT) Ltd., Personal Transaction Protocol Version 1.0 (Draft Specification), January 2002, available at: http://www.mobiletransaction.org/.
49. Mobile Phone Work Group, TCG mobile trusted module specification, Specification Version 1.0, Revision 6, June 26, 2008.
50. A. Moshchuk, T. Bragin, S.D. Gribble and H. Levy, A crawler-based study of spyware in the web, in: Network and Distributed System Security (NDSS'06), San Diego, CA, USA, February 2006.
51. Netcraft.com, Fraudsters attack two-factor authentication, July 2006, available at: http://news. netcraft.com.
52. Netcraft.com, More than 450 phishing attacks used SSL in 2005, available at: http://news. netcraft.com/archives/2005/12/28/more-than-450-phishing- attacks-used-ssl-in-2005. html.
53. Netcraft.com, Phishers hack bank sites, redirect customers, News article, March 27, 2006, available at: http://news.netcraft.com/archives/2006/03/27/ phishers-hack-bank-sites-redirect-customers. html.
54. B. O'Connor, Greater than 1: Defeating "strong" authentication in web applications, in: Defcon 15, Las Vegas, NV, USA, August 2007.
55. A. Oprea, D. Balfanz, G. Durfee and D. Smetters, Securing a remote terminal application with a mobile trusted device, in: Annual Computer Security Applications Conference (ACSAC'04), Tucson, AZ, USA, December 2004, pp. 438-447. (Pubitemid 40931099)
56. B. Parno, C. Kuo and A. Perrig, Phoolproof phishing prevention, in: Financial Cryptography and Data Security (FC'06), Anguilla, British West Indies, February 2006, LNCS, Vol. 4107, Springer- Verlag, 2006, pp. 1-19. (Pubitemid 44577274)
57. A. Perrig and D. Song, Hash visualization: A new technique to improve real-world security, in: Cryptographic Techniques and E-Commerce (CrypTEC'99), Hong Kong, July 1999, pp. 131-138.
58. B. Pinkas and T. Sander, Securing passwords against dictionary attacks, in: ACM Computer and Communications Security (CCS'02), Washington, DC, USA, November 2002, pp. 161-170.
59. N. Provos, P.Mavrommatis,M.A. Rajab and F. Monrose, All your iFRAMEs point to us, in: USENIX Security Symposium, San Jose, CA, USA, July 2008, pp. 1-15.
60. Redmondmag.com, Coreflood Trojan stole 500G of personal financial data. News article, August 7, 2008, available at: http://redmondmag.com/news/article. asp?editorialsid=10111.
61. B. Ross, C. Jackson, N. Miyake, D. Boneh and J. Mitchell, Stronger password authentication using browser extensions, in: USENIX Security Symposium, Baltimore, MD, USA, 2005, pp. 17-32.
62. V. Roth, K. Richter and R. Freidinger, A PIN-entry method resilient against shoulder surfing, in: ACM Computer and communications Security (CCS'04), Washington, DC, USA, October 2004, pp. 236-245. (Pubitemid 40338205)
63. A. Roy, A. Datta, A. Derek, J.C. Mitchell and J.-P. Seifert, Secrecy analysis in protocol composition logic, in: Formal Logical Methods for System Security and Correctness, IOS Press, 2008.
64. M. Shackman, Platform security - a technical overview, November 2006, Symbian Developer Network article, available at: http://developer.symbian.com/ main/downloads/papers/plat-sec-tech-overview/platform-security-a-technical- overview.pdf.
65. SpamFo.co.uk, Has MasterCard gone on a phishing trip, leaving the back door wide open, News article, July 19, 2004, available at: http://spamfo.co.uk/ 2004/07.
66. Symantec Security Response, Banking in silence, News article, January 14, 2008, available at: http://www.securityfocus.com/blogs/485.
67. The Sydney Morning Herald, NZ bank adds security online, News article, November 8, 2004, available at: http://www.smh.com.au/.
68. TheRegister.com, Phishing attack targets one-time passwords, News article, October 12, 2005, available at: http://www.theregister.co.uk/2005/10/ 12/outlaw-phishing/.
69. E. Uzun, K. Karvonen and N. Asokan, Usability analysis of secure pairing methods, in:Workshop on Usable Security (USEC'07), Lowlands, Scarborough, Trinidad and Tobago, February 2007, LNCS, Vol. 4886, Springer-Verlag, 2007, pp. 307-327.
70. P. van Oorschot, Message authentication by integrity with public corroboration, in: New Security Paradigms Workshop (NSPW'05), Lake Arrowhead, CA, USA, September 2005, pp. 57-63.
71. P. van Oorschot and S. Stubblebine, On countering online dictionary attacks with login histories and humans-in-the-loop, ACM Transactions on Information and System Security (TISSEC) 9(3) (2006), 235-258. (Pubitemid 44728674)
72. WashingtonPost.com, Hackers zero in on online stock accounts, News article, October 24, 2006.
73. T. Weigold, T. Kramp, R. Hermann, F. Hörin, P. Buhle and M. Baentsch, The Zurich trusted information channel - an efficient defence against man-in-the-middle and malicious software attacks, in: Conference on Trusted Computing and Trust in Information Technologies (TRUST'08), Villach, Austria, March 2008, pp. 75-91.
74. I. Wiener, Sample SecurID token emulator with token secret import, 2000, BugTraq post, available at: http://archives.neohapsis.com/archives/bugtraq/2000- 12/0428.html.
75. M. Wu, S. Garfinkel and R. Miller, Secure web authentication with mobile phones, in: DIMACS Workshop on Usable Privacy and Security Systems, Piscataway, NJ, USA, July 2004.
76. G.G. Xie, C.E. Irvine and T.E. Levin, Quantifying effect of network latency and clock drift on time-driven key sequencing, in: IEEE International Conference on Distributed Computing Systems Workshops (ICDCSW'02), Vienna, Austria, July 2002, pp. 35-42.
77. Y. Zhang, S. Egelman, L.F. Cranor and J. Hong, Phinding phish: An evaluation of anti-phishing toolbars, in: Network and Distributed System Security Symposium (NDSS'07), San Diego, CA, USA, February 2007.