DOI: 10.1145/2557547.2557593
short-paper

TrustID: trustworthy identities for untrusted mobile devices

Published: 03 March 2014

Abstract

Identity theft has deep impacts in today's mobile ubiquitous environments. At the same time, digital identities are usually still protected by simple passwords or other insufficient security mechanisms. In this paper, we present the TrustID architecture and protocols to improve this situation. Our architecture utilizes a Secure Element (SE) to store multiple context-specific identities securely in a mobile device, e.g., a smartphone. We introduce protocols for securely deriving identities from a strong root identity into the SE inside the smartphone as well as for using the newly derived IDs. Both protocols do not require a trustworthy smartphone operating system or a Trusted Execution Environment. In order to achieve this, our concept includes a secure combined PIN entry mechanism for user authentication, which prevents attacks even on a malicious device. To show the feasibility of our approach, we implemented a prototype running on a Samsung Galaxy SIII smartphone utilizing a microSD card SE. The German identity card nPA is used as root identity to derive context-specific identities.

Cited By

  • (2017) On the use of TEE for mission critical public safety use cases. 2017 IEEE 28th Annual International Symposium on Personal, Indoor, and Mobile Radio Communications (PIMRC), pp. 1-5. DOI: 10.1109/PIMRC.2017.8292646. Online publication date: Oct-2017

    Published In

    CODASPY '14: Proceedings of the 4th ACM conference on Data and application security and privacy
    March 2014
    368 pages
    ISBN:9781450322782
    DOI:10.1145/2557547

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. android
    2. combined pin entry
    3. identity derivation
    4. identity provider
    5. mobile security
    6. npa
    7. secure element
    8. smartphone

    Qualifiers

    • Short-paper

    Conference

    CODASPY'14

    Acceptance Rates

    CODASPY '14 Paper Acceptance Rate 19 of 119 submissions, 16%;
    Overall Acceptance Rate 149 of 789 submissions, 19%
