Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer

Mannan, Mohammad; Oorschot, Paul C. van

doi:10.1007/978-3-540-77366-5_11

Cited by 83 publications

(56 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…In [18], the authors discussed an empirical design called MP-Auth which uses mobile phones to protect online banking. Without any use of hardware supports, it is regarded as a typical example of using PKI in mobile payment.…”

Section: Other Solutionsmentioning

confidence: 99%

Mobile Electronic Identity: Securing Payment on Mobile Phones

Chen¹,

Roscoe²

2011

Information Security Theory and Practice. Security and Privacy of Mobile Devices in Wireless Communication

View full text Add to dashboard Cite

Abstract. The pervasive use of mobile phones has created a dynamic computing platform that a large percentage of the population carries routinely. There is a growing trend of integrating mobile phones with electronic identity, giving the phone the ability to prove or support the identity of the owner by containing, for example, a tuple of name, ID, photo and public key. While this helps phone owners prove who they are, it does not prove to them that they are giving their identities to intended parties. This is important in its own right for reasons of privacy and avoiding cases of "identity theft", but all the more important when identity is being provided to support the transfer of value (e.g. in mobile payment) or information. In this paper we show how Human Interactive Security Protocols can support this type of authentication in cases where PKIs are inappropriate, misunderstood or too expensive, concentrating on the case of payment.

show abstract

Section: Other Solutionsmentioning

confidence: 99%

Mobile Electronic Identity: Securing Payment on Mobile Phones

Chen¹,

Roscoe²

2011

Information Security Theory and Practice. Security and Privacy of Mobile Devices in Wireless Communication

View full text Add to dashboard Cite

show abstract

“…However, the idea of using a personal (mobile) device to improve security in practice has been studied in several previous papers. In [18], Parno et al use a mobile phone to set up secure SSL/TLS connections and in [15], Mannan and Oorschot use a personal device to improve security of password authentication. Both solutions basically aim to do user authentication with improved security, in particular to protect against key-logging and phising.…”

Section: Related Workmentioning

confidence: 99%

“…All communication between the used PC and the server is routed through this trusted device, where the user has to accept sensitive transactions. [15,20] also contains a good overview of other existing anti-phising techniques and their properties. Finally, there are many examples of using secure devices for transaction authentication, see [2,13], for instance.…”

Section: Related Workmentioning

confidence: 99%

On the Theory and Practice of Personal Digital Signatures

Damgård

Mikkelsen

2009

Public Key Cryptography – PKC 2009

View full text Add to dashboard Cite

Abstract. We take a step towards a more realistic modeling of personal digital signatures, where a human user, his mobile equipment, his PC and a server are all considered as independent players in the protocol, and where only the human user is assumed incorruptible. We then propose a protocol for issuing digital signatures on behalf of the user. This protocol is proactively UC-secure assuming at most one player is corrupted in every operational phase. In more practical terms, this means that one can securely sign using terminals (PC's) that are not necessarily trusted, as long as the mobile unit and the PC are not both corrupted at the same time. In other words, our solution cannot be broken by phising or key-logging via the PC. The protocol allows for mobile units with very small computing power by securely outsourcing computation to the PC and also allows usage of any PC that can communicate properly. Finally, we report on the results of a prototype implementation of our solution.

show abstract

“…Mannan and van Oorschot [21] propose an authentication protocol involving an independent personal device, and survey related schemes.…”

Section: Idf Detection Via Location Corroboration and Personal Devicesmentioning

confidence: 99%

CROO: A Universal Infrastructure and Protocol to Detect Identity Fraud

Nali

Oorschot

2008

Computer Security - ESORICS 2008

Self Cite

View full text Add to dashboard Cite

Abstract. Identity fraud (IDF) may be defined as unauthorized exploitation of credential information through the use of false identity. We propose CROO, a universal (i.e. generic) infrastructure and protocol to either prevent IDF (by detecting attempts thereof), or limit its consequences (by identifying cases of previously undetected IDF). CROO is a capture resilient one-time password scheme, whereby each user must carry a personal trusted device used to generate one-time passwords (OTPs) verified by online trusted parties. Multiple trusted parties may be used for increased scalability. OTPs can be used regardless of a transaction's purpose (e.g. user authentication or financial payment), associated credentials, and online or on-site nature; this makes CROO a universal scheme. OTPs are not sent in cleartext; they are used as keys to compute MACs of hashed transaction information, in a manner allowing OTP-verifying parties to confirm that given user credentials (i.e. OTPkeyed MACs) correspond to claimed hashed transaction details. Hashing transaction details increases user privacy. Each OTP is generated from a PIN-encrypted non-verifiable key; this makes users' devices resilient to off-line PIN-guessing attacks. CROO's credentials can be formatted as existing user credentials (e.g. credit cards or driver's licenses).

show abstract

Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer

Cited by 83 publications

References 11 publications

Mobile Electronic Identity: Securing Payment on Mobile Phones

Mobile Electronic Identity: Securing Payment on Mobile Phones

On the Theory and Practice of Personal Digital Signatures

CROO: A Universal Infrastructure and Protocol to Detect Identity Fraud

Contact Info

Product

Resources

About