
User Authentication for Online Applications Using a USB-Based Trust Device

  • Conference paper
Security and Privacy in Mobile Information and Communication Systems (MobiSec 2010)

Abstract

We present a system that enables secure user authentication by leveraging a portable USB-based trusted device. The heart of our system is a protocol that guarantees trusted behavior at multiple layers: from the hardware device itself, to the software executing on that hardware, and finally to the application hosted on the remote server. This combination assures end-to-end trust and makes our system resilient to physical attacks (e.g. tampering with the device and wire tapping) as well as logical attacks (e.g. man-in-the-middle attacks). Our system uses web-based proxy communication built from standard HTML tags and JavaScript to coordinate communication among the different components. As a result, our system does not need to install the extra drivers that most existing technologies require to support such communication.




Copyright information

© 2010 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Jang, J., Liu, D., Nepal, S., Zic, J. (2010). User Authentication for Online Applications Using a USB-Based Trust Device. In: Schmidt, A.U., Russello, G., Lioy, A., Prasad, N.R., Lian, S. (eds) Security and Privacy in Mobile Information and Communication Systems. MobiSec 2010. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 47. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-17502-2_2


  • DOI: https://doi.org/10.1007/978-3-642-17502-2_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-17501-5

  • Online ISBN: 978-3-642-17502-2

  • eBook Packages: Computer Science (R0)
