TruWalletM: Secure Web Authentication on Mobile Platforms

  • Conference paper
Trusted Systems (INTRUST 2010)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 6802)

Abstract

Mobile phones are increasingly used as general-purpose computing devices with a permanent Internet connection. This exposes them to several threats, since the phone operating system (OS) is typically derived from its desktop counterpart and hence inherits the same or similar security shortcomings. In particular, protecting login credentials when accessing web services becomes crucial in the face of phishing and malware attacks. On the other hand, many modern mobile phones provide hardware-supported security mechanisms that are currently unused by most phone OSs.

In this paper, we show how to use these mechanisms, in particular trusted execution environments, to protect the user's login credentials. We present the design and an implementation proposal (based on the Nokia N900 mobile platform) of TruWalletM, a wallet-like password manager and authentication agent that protects login credentials on a mobile phone without requiring trust in the whole OS software. We preserve compatibility with existing standard web authentication mechanisms.
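The abstract's core idea is a trust boundary: credentials live in a wallet on the trusted side, the wallet itself performs the ordinary form-based login over TLS, and the untrusted OS and browser only ever receive the resulting session. The Python sketch below is an added illustration of that boundary and is not code from the paper or its Nokia N900 implementation. Everything in it is an assumption of the sketch: server identity is modelled as a hostname plus a certificate fingerprint pinned at enrolment, `user_confirmed` stands in for a confirmation on a trusted user interface, and `FakeWebServer` and the `connect` callable are constructed stand-ins for the remote site and the TLS stack.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ServerIdentity:
    """What the wallet learns about a server from the TLS handshake (assumption)."""
    hostname: str
    cert_fingerprint: str  # hex SHA-256 of the server certificate


class FakeWebServer:
    """Constructed stand-in for a site with ordinary form-based login."""

    def __init__(self, identity: ServerIdentity, accounts: Dict[str, str]) -> None:
        self.identity = identity
        self._accounts = accounts
        self.sessions: Dict[str, str] = {}   # session cookie -> user
        self.seen_passwords: List[str] = []  # what an attacker-run server would capture

    def post_login(self, form: Dict[str, str]) -> Optional[str]:
        self.seen_passwords.append(form.get("password", ""))
        user = form.get("username", "")
        if user in self._accounts and self._accounts[user] == form.get("password"):
            cookie = secrets.token_hex(16)
            self.sessions[cookie] = user
            return cookie
        return None


# Models the TLS stack on the trusted side: hostname -> connected server.
Connect = Callable[[str], FakeWebServer]


class TrustedWallet:
    """Credential store and authentication agent. In the design this sketch
    illustrates it would live in the trusted execution environment; the
    untrusted OS only calls login() with a hostname and gets a session cookie."""

    def __init__(self) -> None:
        self._creds: Dict[str, Tuple[str, str, str]] = {}  # host -> (fp, user, pw)

    def register(self, server: ServerIdentity, username: str, password: str) -> None:
        # Bind the credential to the hostname *and* the certificate at enrolment.
        self._creds[server.hostname] = (server.cert_fingerprint, username, password)

    def login(self, hostname: str, connect: Connect, user_confirmed: bool) -> str:
        if hostname not in self._creds:
            raise PermissionError(f"no credential registered for {hostname}")
        expected_fp, username, password = self._creds[hostname]
        if not user_confirmed:
            raise PermissionError("login not confirmed on the trusted UI")
        server = connect(hostname)  # handshake happens on the trusted side
        if server.identity.hostname != hostname or not hmac.compare_digest(
            expected_fp, server.identity.cert_fingerprint
        ):
            raise PermissionError("server identity differs from the registered one")
        # The wallet fills the standard login form itself, so the password leaves
        # the trusted side only inside the TLS session to the verified server.
        cookie = server.post_login({"username": username, "password": password})
        if cookie is None:
            raise PermissionError("server rejected the credential")
        return cookie


def run_scenarios() -> Dict[str, str]:
    """Legitimate login, a phishing host, and a same-name MITM with another cert."""
    bank = FakeWebServer(ServerIdentity("bank.example", "aa" * 32), {"alice": "s3cret"})
    phish = FakeWebServer(ServerIdentity("bank-login.example", "bb" * 32), {})
    mitm = FakeWebServer(ServerIdentity("bank.example", "cc" * 32), {})

    wallet = TrustedWallet()
    wallet.register(bank.identity, "alice", "s3cret")

    honest_net = {"bank.example": bank, "bank-login.example": phish}
    hijacked_net = {"bank.example": mitm}  # attacker redirects the hostname

    results: Dict[str, str] = {}
    cookie = wallet.login("bank.example", honest_net.__getitem__, user_confirmed=True)
    results["legit"] = bank.sessions[cookie]
    for label, host, net in [
        ("phishing", "bank-login.example", honest_net),
        ("mitm", "bank.example", hijacked_net),
    ]:
        try:
            wallet.login(host, net.__getitem__, user_confirmed=True)
            results[label] = "credential released"
        except PermissionError as exc:
            results[label] = f"refused: {exc}"
    # Neither attacker-controlled server ever received the password.
    results["leaked"] = str(bool(phish.seen_passwords or mitm.seen_passwords))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The point of the three scenarios is that the decision to release a credential is taken on the trusted side from data the untrusted OS cannot tamper with (the pinned identity and the handshake it performs itself), which is what lets the wallet defeat phishing and a credential-stealing OS while still speaking the site's unmodified login form.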

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Bugiel, S., Dmitrienko, A., Kostiainen, K., Sadeghi, AR., Winandy, M. (2011). TruWalletM: Secure Web Authentication on Mobile Platforms. In: Chen, L., Yung, M. (eds) Trusted Systems. INTRUST 2010. Lecture Notes in Computer Science, vol 6802. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-25283-9_15

  • DOI: https://doi.org/10.1007/978-3-642-25283-9_15

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-25282-2

  • Online ISBN: 978-3-642-25283-9
