SmartProxy: Secure Smartphone-Assisted Login on Compromised Machines

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7591))

Abstract

In modern attacks, the attacker’s goal often entails the illegal gathering of user credentials such as passwords or browser cookies from a compromised web browser. An attacker first compromises the computer via some kind of attack, and then uses her control over the system to steal interesting data that she can utilize for further attacks (e.g., impersonation attacks). Protecting user credentials from such attacks is a challenging task, especially if we cannot assume trustworthy computer systems. While users may be inclined to trust their personal computers and smartphones, they might not invest the same confidence in the external machines of others, although they sometimes have no choice but to rely on them, e.g., in their co-workers’ offices.

To relieve the user of the trust he or she has to grant to these computers, we propose a privacy proxy called SmartProxy, running on a smartphone. The point of this proxy is that it can be accessed from untrusted or even compromised machines via a WiFi or a USB connection, so as to enable secure logins while at the same time preventing the attacker (who is controlling the machine) from seeing crucial data like user credentials or browser cookies. SmartProxy is capable of handling both HTTP and HTTPS connections and uses either the smartphone’s Internet connection or the fast connection provided by the computer it is linked to. Our solution combines the security benefits of a trusted smartphone with the comfort of using a regular, yet untrusted, computer; this functionality is especially appealing to those who value the use of a full-sized screen and keyboard.
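As an added illustration (not the paper's own code), one way a phone-side proxy can keep credentials and session cookies off the untrusted machine: the machine submits only placeholders, the proxy substitutes the real secrets on the way out and strips Set-Cookie headers on the way back, replaying the stored cookies itself on later requests. The placeholder syntax, the PhoneStore class and the dict-plus-header-list request layout are assumptions of this example.

```python
"""Added example of credential substitution and cookie stripping on a phone-side proxy.
Assumed model: requests/responses are dicts with a 'headers' list of (name, value)
pairs; the untrusted machine never sees anything stored in PhoneStore."""
import re
from dataclasses import dataclass, field

# Placeholder the untrusted machine types instead of the real secret (assumed syntax).
PLACEHOLDER = re.compile(r"\{\{SP:([A-Z0-9_]+)\}\}")


@dataclass
class PhoneStore:
    """Secrets that live only on the phone: credentials and per-host session cookies."""
    credentials: dict                            # placeholder name -> real secret
    cookies: dict = field(default_factory=dict)  # host -> {cookie name: value}


def outbound(request: dict, store: PhoneStore) -> dict:
    """Rewrite a request from the untrusted machine before it leaves the phone."""
    host = request["host"]
    # Substitute real secrets for placeholders; unknown placeholders are left as-is.
    body = PLACEHOLDER.sub(lambda m: store.credentials.get(m.group(1), m.group(0)),
                           request.get("body", ""))
    # Drop any Cookie header the (untrusted) machine supplied; the phone owns the session.
    headers = [(k, v) for k, v in request.get("headers", []) if k.lower() != "cookie"]
    if store.cookies.get(host):
        headers.append(("Cookie", "; ".join(f"{n}={v}" for n, v in store.cookies[host].items())))
    return {**request, "headers": headers, "body": body}


def inbound(response: dict, host: str, store: PhoneStore) -> dict:
    """Strip Set-Cookie from the server response and remember the cookie on the phone only."""
    kept = []
    for k, v in response.get("headers", []):
        if k.lower() == "set-cookie":
            name, _, rest = v.partition("=")
            store.cookies.setdefault(host, {})[name.strip()] = rest.split(";", 1)[0].strip()
        else:
            kept.append((k, v))
    return {**response, "headers": kept}


def demo() -> tuple:
    """Constructed login round trip; returns what the machine sees on both legs."""
    store = PhoneStore(credentials={"USER": "alice", "PASSWORD": "s3cret-demo"})
    login = {"host": "example.test", "path": "/login",
             "headers": [("Cookie", "planted=1")],
             "body": "user={{SP:USER}}&pass={{SP:PASSWORD}}"}
    sent = outbound(login, store)
    reply = {"status": 200, "body": "ok",
             "headers": [("Set-Cookie", "sid=abc123; Path=/; HttpOnly"), ("Content-Type", "text/html")]}
    seen = inbound(reply, "example.test", store)
    follow_up = outbound({"host": "example.test", "path": "/inbox", "headers": [], "body": ""}, store)
    return sent, seen, follow_up, store
```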




Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Hoffmann, J., Uellenbeck, S., Holz, T. (2013). SmartProxy: Secure Smartphone-Assisted Login on Compromised Machines. In: Flegel, U., Markatos, E., Robertson, W. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2012. Lecture Notes in Computer Science, vol 7591. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-37300-8_11


  • DOI: https://doi.org/10.1007/978-3-642-37300-8_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-37299-5

  • Online ISBN: 978-3-642-37300-8

  • eBook Packages: Computer Science (R0)
