Leveraging Personal Devices for Stronger Password Authentication from Untrusted Computers
Date: December 2011
Publication: Journal of Computer Security, Vol. 19, No. 4
Page(s): 703 - 750
Publisher: IOS Press
Source 1: http://people.scs.carleton.ca/~paulv/papers/mpauth-jcs-revised.pdf
Source 2: http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.158.5942
Internet authentication for popular end-user transactions, such as online banking and e-commerce, continues to be dominated by passwords entered through end-user personal computers (PCs). Most users continue to prefer (typically untrusted) PCs over smaller personal devices for actual transactions, due to usability features related to keyboard and screen size. However, most such transactions and their existing underlying protocols are vulnerable to attacks including keylogging, phishing, and pharming, which can extract user identity and sensitive account information, allowing account access. We propose a simple approach to counter such attacks, which cryptographically separates a user's long-term secret input (typically a low-entropy password) from the client PC. The latter continues to be used for most of the interaction and computations but has access only to temporary secrets, while the user's long-term secret is input through an independent personal trusted device, such as a cellphone, which makes it available to the PC only after encryption under the intended far-end recipient's public key. Our proposal (MP-Auth) is intended to safeguard passwords from the attacks mentioned above, as well as to provide transaction security to foil session hijacking. To facilitate a comparison to our proposal, we also provide a comprehensive survey of web authentication techniques that use an additional factor of authentication such as a cellphone, PDA (personal digital assistant) or hardware token; this survey may be of independent interest. A proof sketch of MP-Auth using the Protocol Composition Logic (PCL) is also provided.
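The core design principle in the abstract, the trusted device encrypting the password under the intended server's public key and binding it to the transaction so that the untrusted PC only relays an opaque blob, is illustrated below. This is an added example, not the MP-Auth protocol or code from the paper: it uses a hybrid Diffie-Hellman construction (ephemeral DH against the server's static public key, HMAC-based key derivation, keystream encryption and an encrypt-then-MAC tag) in place of whatever MP-Auth actually specifies, and the group parameters, the `phone_encrypt`/`server_decrypt` split and the transaction strings are all assumptions chosen to keep the example self-contained with only the Python standard library.

```python
"""Hybrid public-key encryption of a password on a trusted personal device.

Added illustration of the design principle (not MP-Auth itself): the phone
encrypts the password under the server's public key and binds it to the
transaction; the PC only forwards the resulting blob and never sees the
password. Standard library only.
"""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption): p = 2^521 - 1 is prime (a Mersenne
# prime) but NOT a safe prime, so this is for illustration only. A real
# deployment would use an RFC 3526 MODP group or an elliptic curve.
P = (1 << 521) - 1
G = 3


def keygen():
    """Long-term key pair for the far-end server: private x, public Y = G^x mod P."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def _i2b(n):
    """Fixed-width big-endian encoding of a group element."""
    return n.to_bytes((P.bit_length() + 7) // 8, "big")


def _derive(shared, eph_pub, server_pub):
    """HKDF-like derivation of an encryption key and a MAC key from the DH secret.

    Both public values are mixed in so the keys are bound to this exchange."""
    ikm = _i2b(shared) + _i2b(eph_pub) + _i2b(server_pub)
    prk = hmac.new(b"mp-auth-example-salt", ikm, hashlib.sha256).digest()
    enc_key = hmac.new(prk, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(prk, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key, nbytes):
    """Counter-mode keystream built from HMAC-SHA256 (stdlib has no AES)."""
    out = b""
    ctr = 0
    while len(out) < nbytes:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:nbytes]


def phone_encrypt(server_pub, password, transaction):
    """Runs on the trusted device.

    Encrypts the password under the intended server's public key and MACs the
    ciphertext together with the transaction the user approved. The returned
    blob is what the untrusted PC relays; it contains no plaintext secret."""
    r = secrets.randbelow(P - 2) + 1          # ephemeral, per-login secret
    eph_pub = pow(G, r, P)
    shared = pow(server_pub, r, P)
    enc_key, mac_key = _derive(shared, eph_pub, server_pub)
    pw = password.encode()
    ct = bytes(a ^ b for a, b in zip(pw, _keystream(enc_key, len(pw))))
    tag = hmac.new(mac_key, ct + transaction, hashlib.sha256).digest()
    return {"eph_pub": eph_pub, "ct": ct, "tag": tag}


def server_decrypt(server_priv, server_pub, blob, transaction):
    """Runs at the far end.

    Recovers the password only if the blob was made for this server's key and
    for exactly this transaction; returns None otherwise."""
    eph_pub = blob["eph_pub"]
    if not 1 < eph_pub < P - 1:               # reject degenerate group elements
        return None
    shared = pow(eph_pub, server_priv, P)
    enc_key, mac_key = _derive(shared, eph_pub, server_pub)
    expected = hmac.new(mac_key, blob["ct"] + transaction, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    ct = blob["ct"]
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct)))).decode()


def demo():
    """Constructed scenario: honest relay, then two PC-side attacks."""
    priv, pub = keygen()
    txn = b"transfer 100 EUR to account 1234"        # constructed transaction
    blob = phone_encrypt(pub, "correct horse battery staple", txn)
    honest = server_decrypt(priv, pub, blob, txn)
    # Session hijacking: malware on the PC rewrites the transaction but can
    # only replay the phone's blob, so the MAC check fails.
    hijacked = server_decrypt(priv, pub, blob, b"transfer 100 EUR to account 6666")
    # Phishing/pharming: a site with its own key pair cannot decrypt the blob,
    # because the phone encrypted under the intended recipient's key.
    bad_priv, bad_pub = keygen()
    phished = server_decrypt(bad_priv, bad_pub, blob, txn)
    return honest, hijacked, phished


if __name__ == "__main__":
    print(demo())
```

Note what the PC (and any keylogger or man-in-the-browser on it) observes: the ephemeral public value, the ciphertext and the tag, none of which yields the password without the server's private key. The phone must still verify that it is encrypting under the intended recipient's key; the example simply takes `server_pub` as trusted input.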