TrustOTP: Transforming smartphones into secure one-time password tokens

Proceedings of the ACM Conference on Computer and Communications Security

Volumn 2015-October, Issue , 2015, Pages 976-988

  Sun, He ^a,b,c   Sun, Kun ^a   Wang, Yuewu ^b   Jing, Jiwu ^b  

^a The College of William and Mary   (United States)

^b INSTITUTE OF GEOLOGY AND GEOPHYSICS   (China)

^c UNIVERSITY OF CHINESE ACADEMY OF SCIENCES   (China)

Author keywords

ARM TrustZone; One time password; Secure GUI

Indexed keywords

AUTHENTICATION; COMPUTER CRIME; COMPUTER HARDWARE; COMPUTER SOFTWARE; CRASHWORTHINESS; DENIAL-OF-SERVICE ATTACK; HARDWARE; MOBILE TELECOMMUNICATION SYSTEMS; NETWORK SECURITY; RECONFIGURABLE HARDWARE; SMARTPHONES; WEB SERVICES;

APPLICATION SCENARIO; ARM TRUSTZONE; FREESCALE; HARDWARE TOKENS; MOBILE USERS; ONE TIME PASSWORDS; SECURITY PROBLEMS; TWO FACTOR AUTHENTICATION;

MOBILE SECURITY;

EID: 84954087999     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2810103.2813692     Document Type: Conference Paper

References (58)

1. AMD Virtualization. http://www.amd.com/en-us/solutions/servers/virtualization.
2. Android OATH Token. https://code:google.com/p/androidtoken/.
3. Antutu Benchmark. http://www.antutu.com/en/Ranking:shtml.
4. ARM. http://www.arm.com/.
5. Booting the Android LXC container. https://wiki.ubuntu.com/Touch/ContainerArchitecture.
6. DIGIPASS GO 6. https://www.vasco.com/products/client-products/single-button-digipass/digipass-go6.aspx.
7. Juno ARM Development Platform. http://www.arm.com/products/tools/development- boards/versatile-express/juno-arm-development- platform:php.
8. OATH Compatible Hardware Tokens. http://www.rcdevs.com/tokens/?type=hardware.
9. Phi phenomenon. http://en.wikipedia.org/wiki/Phi-phenomenon.
10. RFC1760. https://tools.ietf.org/html/rfc1760.
11. RFC2289. https://tools.ietf.org/html/rfc2289.
12. RFC4226. https://tools.ietf.org/html/rfc4226.
13. RFC6238. https://tools.ietf.org/html/rfc6238.
14. Adeneo Embedded. Reference BSPs for Freescale i.MX53 Quick Start Board. http://www.adeneo-embedded.com/en/Products/Board-Support-Packages/Freescale-i:MX53-QSB.
15. T. Alves and D. Felton. Trustzone: Integrated hardware and software security. ARM white paper, 3(4), 2004.
16. S. Arzt, S. Rasthofer, and E. Bodden. Instrumenting android and java applications as easy as abc. In Runtime Verification - 4th International Conference, RV 2013, Rennes, France, September 24-27, 2013. Proceedings, pages 364-381.
17. A. M. Azab, P. Ning, J. Shah, Q. Chen, R. Bhutkar, G. Ganesh, J. Ma, and W. Shen. Hypervision across worlds: Real-time kernel protection from the ARM trustzone secure world. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, AZ, USA, November 3-7, 2014, pages 90-102.
18. J. Azema and G. Fayad. M-shield mobile security technology: making wireless secure. Texas Instruments Whitepaper, 2008.
19. O. Board. Origen exynos4 quad evaluation board. http://www.origenboard.org/wiki/index:php/Introduction.
20. C. Dall and J. Nieh. KVM/ARM: the design and implementation of the linux ARM hypervisor. In Architectural Support for Programming Languages and Operating Systems, ASPLOS '14, Salt Lake City, UT, USA, March 1-5, 2014, pages 333-348.
21. A. Dmitrienko, C. Liebchen, C. Rossow, and A. Sadeghi. Security analysis of mobile two-factor authentication schemes. Intel Technology Journal, 18(4), 2014.
22. P. Duc. Secure Mobile Payments - Protecting display data in TrustZone-enabled SoCs with the Evatronix PANTA Family of Display Processors. http://www.design-reuse.com/articles/30675.
23. J. Ekberg, K. Kostiainen, and N. Asokan. Trusted execution environments on mobile devices. In 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS'13, Berlin, Germany, November 4-8, 2013, pages 1497-1498.
24. EMC2. RSA SecureID Hardware Tokens. http://www.emc.com/security/rsa-securid/rsa- securid-hardware-tokens:htm.
25. Evatronix. Evatronix Launches Display Processor based on Latest ARM Security Technology. http://www.electronicsweekly.com/noticeboard/general/evatronix-launches-display-processor-based-on- latest-arm-security-technology-2012-05/.
26. Fortinet. FortiToken. http://www.fortinet.com/products/fortitoken/index:html.
27. Freescale. Hardware Reference Manual for i.MX53 Quick Start-R. http://cache:freescale.com/files/32bit/doc/ref-manual/IMX53RQSBRM-R.pdf?fr=g.
28. Freescale. i.MX 6Solo/6DualLite Applications Processor Reference Manual. http://cache:freescale.com/files/32bit/doc/ref-manual/IMX6SDLRM.pdf?fpsp=1&WT-TYPE=Reference%20Manuals&WT-VENDOR=FREESCALE&WT-FILE-FORMAT=pdf&WT-ASSET=Documentation.
29. Freescale. i.MX53 Processors. http://www.freescale.com/webapp/sps/site/taxonomy:jsp?code=IMX53-FAMILY.
30. Freescale. i.MX53 Reference Manual with fusemap addendum. http://www.freescale.com/webapp/sps/site/prod-summary:jsp?code=i:MX537&fpsp=1&tab=Documentation-Tab.
31. Freescale. Imx53qsb: i.mx53 quick start board. http://www.freescale.com/webapp/sps/site/prod-summary:jsp?code=IMX53QSB&tid=vanIMXQUICKSTART.
32. Freescale. On Board Diagnose Suit (OBDS). http://www.freescale.com/webapp/sps/download/license:jsp?colCode=IMX53QSBOBDS&location=null&fasp=1.
33. Giesecke & Devrient. MobiCore. http://www.gi-de.com/en/trends-and-insights/mobicore/trusted-mobile-services:jsp.
34. Google. Google Authenticator. http://en:wikipedia.org/wiki/Google-Authenticator.
35. IDC. Worldwide Mobile Worker Population 2011-2015 Forecast. http://cdn:idc:asia/files/5a8911ab- 4c6d-47b3-8a04-01147c3ce06d.pdf, Dec 2011.
36. Intel. Intel identity protection technology with one-time password. http://ipt:intel.com/Home/How- it-works/network-security-identity-management/ipt-with-one-time-password.
37. J. Jang, S. Kong, M. Kim, D. Kim, and B. B. Kang. Ssecret: Secure channel between rich execution environment and trusted execution environment. In 21st Annual Network and Distributed System Security Symposium, NDSS 2015, San Diego, California, USA, February 8-11, 2015.
38. Jeffi Carpenter, EMC. Did You Know: Trends in RSA SecurID Two-Factor Authentication. http://www.emc.com/collateral/rsa/eventpresentations/04-10-12-Two-Factor-Auth.pdf.
39. S. Kalkowski. Virtualization Dungeon on ARM. In Free and Open Source Software Developers' European Meeting, FOSDEM 2014, Brussels, Belgium, February 1-2, 2014.
40. K. Kostiainen, J. Ekberg, N. Asokan, and A. Rantala. On-board credentials with open provisioning. In Proceedings of the 2009 ACM Symposium on Information, Computer and Communications Security, ASIACCS 2009, Sydney, Australia, March 10-12, 2009, pages 104-115.
41. W. Li, H. Li, H. Chen, and Y. Xia. Adattester: Secure online mobile advertisement attestation using trustzone. In Proceedings of the 13th Annual International Conference on Mobile Systems, Applications, and Services, MobiSys 2015, Florence, Italy, May 19-22, 2015, pages 75-88.
42. C. Lin, H. Li, X. Zhou, and X. Wang. Screenmilker: How to milk your android screen for secrets. In 21st Annual Network and Distributed System Security Symposium, NDSS 2014, San Diego, California, USA, February 23-26, 2014.
43. C. Marforio, N. Karapanos, C. Soriente, K. Kostiainen, and S. Capkun. Smartphones as practical and secure location verification tokens for payments. In 21st Annual Network and Distributed System Security Symposium, NDSS 2014, San Diego, California, USA, February 23-26, 2014.
44. McAfee. Mcafee one time password. http://www.mcafee.com/us/products/one-time- password.aspx.
45. Monsoon Solutions. Monsoon Power Monitor. https://www.msoon.com/LabEquipment/PowerMonitor/.
46. Open AuTHentication. OATH Toolkit. http://www.nongnu.org/oath-toolkit/.
47. Qualcomm Innovation Center. Vellamo Mobile Benchmark. https://play:google.com/store/apps/details?id=com:quicinc:vellamo&hl=en.
48. Samsung Electronics. White Paper: An Overview of Samsung KNOX. http://www.samsung.com/global/business/business-images/resource/white-paper/2013/06/Samsung-KNOX-whitepaper-June-0.pdf.
49. N. Santos, H. Raj, S. Saroiu, and A. Wolman. Using ARM trustzone to build a trusted language runtime for mobile applications. In Architectural Support for Programming Languages and Operating Systems, ASPLOS '14, Salt Lake City, UT, USA, March 1-5, 2014, pages 67-80.
50. SolidPass. Desktop soft token. http://www.solidpass.com/authentication-methods/one- time-password-generator-otp-token:html.
51. H. Sun, K. Sun, Y. Wang, J. Jing, and S. Jajodia. Trustdump: Reliable memory acquisition on smartphones. In Computer Security - ESORICS 2014 - 19th European Symposium on Research in Computer Security, Wroclaw, Poland, September 7-11, 2014. Proceedings, Part I, pages 202-218.
52. Symantec. Whitepaper: Two-factor Authentication: A TCO Viewpoiont. https://www4.symantec.com/mktginfo/whitepaper/user-authentication/whitepaper-twofactor-authentication.pdf.
53. Trusted Logic. Trusted foundations by trusted logic mobility. http://www.arm.com/community/partners/display-product/rw/ProductId/5393/.
54. R. Uhlig, G. Neiger, D. Rodgers, A. L. Santoni, F. C. Martins, A. V. Anderson, S. M. Bennett, A. Kagi, F. H. Leung, and L. Smith. Intel Virtualization Technology. Computer, 38(5):48-56, 2005.
55. J. Winter. Experimenting with ARM trustzone - or: How I met friendly piece of trusted hardware. In 11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2012, Liverpool, United Kingdom, June 25-27, 2012, pages 1161-1166.
56. J. Winter, P. Wiegele, M. Pirker, and R. Tögl. A exible software development and emulation framework for arm trustzone. In INTRUST, pages 1-15. 2011.
57. D. You and B. Noh. Android platform based linux kernel rootkit. In 6th International Conference on Malicious and Unwanted Software, MALWARE 2011, Fajardo, Puerto Rico, USA, October 18-19, 2011, pages 79-87.
58. Yubico. Yubikey. https://www.yubico.com/.