DOI: 10.1145/2046631.2046639
Research article
Tunneled TLS for multi-factor authentication

Published: 21 October 2011

Abstract

When a user logs on to a remote server, s, from an untrusted terminal, c, secrets such as passwords and account data can leak to malware on c. To address this problem, we rely on a trusted personal device, p, as the interface the user employs to enter login credentials. In our proposal, p sends the credentials to s over a tunneled TLS session routed via c: the tunnel is carried inside an existing TLS session established between c and s. Upon validating the credentials, s enables c to access the user's account. Consequently, c never sees the user's credentials in plaintext. As a powerful application, we show that p can use our protocol to execute a credit-card-like payment at a point-of-sale terminal, c, against an account managed by the card-issuing bank, s.
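The exchange the abstract describes, as an added example that is not the paper's code: three in-process parties, the personal device p, the untrusted terminal c and the server s, where p's session with s is carried as opaque records inside c's own session with s. The TLS handshake and record layer are replaced by deliberately tiny stand-ins so the example runs offline with the standard library only (toy Diffie-Hellman over a 127-bit prime, s authenticated by a static key that p and c pin, HMAC-SHA256 used as a stream cipher plus a MAC tag). The class and message names (`Channel`, `tunnel_handshake`, `tunnel_data`, `Terminal.seen`) are this example's own inventions, not the paper's; what the example is meant to show is the layering, the fact that c's transcript never contains the password, and the server-side binding of the inner session to the outer session it arrived in.

```python
import hashlib
import hmac
import json
import secrets

P = 2**127 - 1   # toy DH modulus (a Mersenne prime); far too small for real use
G = 3

class Channel:
    """Toy authenticated-encryption channel standing in for one TLS session:
    only a party holding `key` can read or forge its records."""
    def __init__(self, key: bytes):
        self.enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    def _stream(self, nonce: bytes, n: int) -> bytes:   # HMAC-SHA256 in counter mode
        return b"".join(hmac.new(self.enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                        for i in range((n + 31) // 32))[:n]
    def seal(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._stream(nonce, len(plaintext))))
        return nonce + ct + hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
    def open(self, record: bytes) -> bytes:
        nonce, ct, tag = record[:16], record[16:-32], record[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("bad record")
        return bytes(a ^ b for a, b in zip(ct, self._stream(nonce, len(ct))))

def client_handshake(server_pub: int):
    """Client side of the toy handshake: ephemeral DH against s's pinned static key."""
    e = secrets.randbelow(P - 2) + 2   # a relay that only forwards messages never learns e
    return pow(G, e, P), Channel(pow(server_pub, e, P).to_bytes(16, "big"))

class Server:
    """s: static key, salted password verifiers, per-outer-session tunnel state."""
    def __init__(self):
        self.priv = secrets.randbelow(P - 2) + 2
        self.pub = pow(G, self.priv, P)
        self.users, self.outer, self.inner, self.authorized = {}, {}, {}, {}
    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000))
    def _verify(self, user: str, password: str) -> bool:
        salt, digest = self.users.get(user, (b"\0" * 16, b""))
        return hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000))
    def outer_handshake(self, client_pub: int) -> str:
        sid = secrets.token_hex(8)
        self.outer[sid] = Channel(pow(client_pub, self.priv, P).to_bytes(16, "big"))
        return sid
    def receive(self, sid: str, record: bytes) -> bytes:
        """Handle one outer record from terminal session `sid`; return the outer reply."""
        msg = json.loads(self.outer[sid].open(record))
        reply = {"type": "error", "authorized": False}
        if msg["type"] == "tunnel_handshake":   # inner session keyed and bound to this sid
            self.inner[sid] = Channel(pow(msg["client_pub"], self.priv, P).to_bytes(16, "big"))
            reply = {"type": "tunnel_ok", "authorized": False}
        elif msg["type"] == "tunnel_data" and sid in self.inner:
            try:
                login_msg = json.loads(self.inner[sid].open(bytes.fromhex(msg["record"])))
                ok = self._verify(login_msg["user"], login_msg["password"])
            except (ValueError, KeyError):   # replayed, foreign or tampered inner record
                ok = False
            if ok:
                self.authorized[sid] = login_msg["user"]   # s now lets c act on the account
            inner_reply = self.inner[sid].seal(json.dumps({"ok": ok}).encode()).hex()
            reply = {"type": "tunnel_data", "record": inner_reply, "authorized": ok}
        return self.outer[sid].seal(json.dumps(reply).encode())

class Terminal:
    """c: untrusted terminal; logs every plaintext it can see on its own session."""
    def __init__(self, server: Server):
        self.server, self.seen = server, []
        client_pub, self.chan = client_handshake(server.pub)
        self.sid = server.outer_handshake(client_pub)
    def relay(self, msg: dict) -> dict:
        self.seen.append(json.dumps(msg))
        reply = json.loads(self.chan.open(self.server.receive(self.sid, self.chan.seal(json.dumps(msg).encode()))))
        self.seen.append(json.dumps(reply))
        return reply

class PersonalDevice:
    """p: trusted device that pins s's key; hands c nothing but sealed inner records."""
    def __init__(self, server_pub: int):
        self.server_pub, self.chan = server_pub, None
    def handshake_msg(self) -> dict:
        client_pub, self.chan = client_handshake(self.server_pub)
        return {"type": "tunnel_handshake", "client_pub": client_pub}
    def login_record(self, user: str, password: str) -> bytes:
        return self.chan.seal(json.dumps({"user": user, "password": password}).encode())

def login(terminal: Terminal, device: PersonalDevice, user: str, password: str):
    """Whole exchange; returns (accepted?, the sealed inner record that c carried)."""
    terminal.relay(device.handshake_msg())      # inner handshake rides inside outer records
    rec = device.login_record(user, password)   # credentials sealed under the p-s key
    reply = terminal.relay({"type": "tunnel_data", "record": rec.hex()})
    return json.loads(device.chan.open(bytes.fromhex(reply["record"])))["ok"], rec
```

After `login(c, p, "alice", pw)` the password string is absent from `"".join(c.seen)` even though every outer record passed through c, and `s.authorized[c.sid]` names the account c may now act on. Three properties carry over to a real deployment. First, s must key the inner session under the outer session it was tunneled through (`self.inner[sid]`): an inner record captured by c and pushed through a different terminal's outer session is rejected because that session has no matching inner key. Second, p must authenticate s itself (here a pinned static key, in TLS the certificate chain); otherwise c could terminate the inner handshake and read the credentials. Third, the scheme protects the reusable credential, not the session: once s enables c, a compromised c can issue requests as the user, which is why the abstract's point-of-sale application needs the user to confirm the transaction on p rather than on c. The toy record layer uses random nonces without sequence numbers, so unlike TLS it does not stop a record being replayed within the same tunnel.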


Published In

DRM '11: Proceedings of the 11th annual ACM workshop on Digital rights management
October 2011, 70 pages
ISBN: 9781450310055
DOI: 10.1145/2046631
Publisher: Association for Computing Machinery, New York, NY, United States

    Publication History

    Published: 21 October 2011

    Permissions

    Request permissions for this article.

    Check for updates

Author Tags

  1. cross-site scripts
  2. keylogger
  3. malware
  4. multi-factor authentication
  5. phishing

Qualifiers

  • Research-article

Conference

CCS'11