Abstract
In modern attacks, the attacker's goal often entails illicitly harvesting user credentials such as passwords or browser cookies from a compromised web browser. The attacker first compromises the computer through some kind of exploit and then uses her control over the system to steal data she can reuse in further attacks (e.g., impersonation attacks). Protecting user credentials from such attacks is challenging, especially if the computer itself cannot be assumed to be trustworthy. While users may be inclined to trust their own personal computers and smartphones, they are unlikely to place the same confidence in machines belonging to others, even though they sometimes have no choice but to rely on them, e.g., in a co-worker's office.
To relieve users of the trust they would otherwise have to place in such computers, we propose a privacy proxy called SmartProxy that runs on the user's smartphone. The proxy can be reached from an untrusted or even compromised machine over a WiFi or USB connection and enables secure logins while preventing the attacker controlling that machine from seeing critical data such as user credentials or browser cookies. SmartProxy handles both HTTP and HTTPS connections and uses either the smartphone's own Internet connection or the faster connection of the computer it is linked to. Our solution combines the security benefits of a trusted smartphone with the convenience of a regular, yet untrusted, computer; it is especially appealing to users who value a full-sized screen and keyboard.
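The core mechanism the abstract describes, a phone-side proxy that keeps credentials and session cookies away from the untrusted PC, can be reduced to two rewriting steps: substitute real secrets into outgoing requests, and strip incoming Set-Cookie headers into a jar that only the phone holds. The code below is an added illustration, not SmartProxy's own implementation. It assumes a placeholder convention in which the user types `@@fieldname@@` into web forms on the untrusted machine (the paper does not specify its user-facing convention), assumes form bodies are `application/x-www-form-urlencoded`, and assumes that for HTTPS the TLS session is terminated on the phone so the proxy can see plaintext; the class and method names are hypothetical and the sample request and response are constructed.

```python
"""Phone-side credential- and cookie-isolating proxy core (added example).

Assumed model: the untrusted PC only ever sees placeholders such as
@@password@@ and cookie-free responses; real values and session cookies
live only in this object, which runs on the trusted smartphone.
"""
from urllib.parse import parse_qsl, urlencode

PLACEHOLDER_MARK = "@@"  # assumed user-facing convention, not from the paper


class SmartProxyCore:
    def __init__(self, credentials):
        # credentials: {host: {form_field: real_value}}, held only on the phone
        self._credentials = credentials
        self._jar = {}  # host -> {cookie_name: cookie_value}

    def _resolve(self, real, value):
        """Map '@@name@@' to the stored secret for this host, else keep value."""
        if (len(value) > 2 * len(PLACEHOLDER_MARK)
                and value.startswith(PLACEHOLDER_MARK)
                and value.endswith(PLACEHOLDER_MARK)):
            name = value[len(PLACEHOLDER_MARK):-len(PLACEHOLDER_MARK)]
            if name in real:
                return real[name]
        return value

    def outbound(self, host, raw_request):
        """Rewrite a raw HTTP/1.1 request from the untrusted PC before it leaves the phone."""
        head, _, body = raw_request.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        request_line, headers = lines[0], lines[1:]

        # The PC never holds real cookies, so whatever Cookie header it sends is
        # discarded; Content-Length is recomputed after substitution.
        headers = [h for h in headers
                   if not h.lower().startswith((b"cookie:", b"content-length:"))]

        if body:
            # Decode, substitute on field values, re-encode: secrets containing
            # '&', '=' or non-ASCII are percent-encoded correctly this way.
            fields = parse_qsl(body.decode("utf-8"), keep_blank_values=True)
            real = self._credentials.get(host, {})
            body = urlencode([(k, self._resolve(real, v)) for k, v in fields]).encode("utf-8")
            headers.append(b"Content-Length: " + str(len(body)).encode("ascii"))

        # Attach the phone-held session cookies for this host.
        jar = self._jar.get(host)
        if jar:
            cookie_hdr = "; ".join(f"{k}={v}" for k, v in jar.items())
            headers.append(b"Cookie: " + cookie_hdr.encode("utf-8"))

        return b"\r\n".join([request_line, *headers]) + b"\r\n\r\n" + body

    def inbound(self, host, raw_response):
        """Strip Set-Cookie from the server response and store the cookies on the phone."""
        head, _, body = raw_response.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        status_line, headers = lines[0], lines[1:]
        kept = []
        for h in headers:
            name, _, val = h.partition(b":")
            if name.strip().lower() == b"set-cookie":
                # Only name=value is kept; attributes (Path, HttpOnly, ...) are
                # ignored here for brevity, a real proxy must honour them.
                pair = val.strip().split(b";", 1)[0]
                cname, _, cval = pair.partition(b"=")
                self._jar.setdefault(host, {})[cname.strip().decode("utf-8")] = \
                    cval.strip().decode("utf-8")
            else:
                kept.append(h)
        return b"\r\n".join([status_line, *kept]) + b"\r\n\r\n" + body

    def cookies_for(self, host):
        """Expose the jar for inspection (the untrusted PC never gets this)."""
        return dict(self._jar.get(host, {}))


if __name__ == "__main__":
    # Constructed sample exchange: a login POST from the PC and the server's reply.
    proxy = SmartProxyCore({"bank.example": {"user": "alice", "password": "s3cr3t"}})
    login = (b"POST /login HTTP/1.1\r\nHost: bank.example\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 45\r\n\r\n"
             b"user=@@user@@&password=@@password@@&remember=1")
    print(proxy.outbound("bank.example", login).decode())
    reply = b"HTTP/1.1 302 Found\r\nSet-Cookie: sid=abc123; Path=/; HttpOnly\r\nLocation: /home\r\n\r\n"
    print(proxy.inbound("bank.example", reply).decode())
    print(proxy.cookies_for("bank.example"))
```

Note the limit of this design, which applies to any proxy of this kind: the attacker on the PC no longer learns the password or the session cookie, but the authenticated session is still relayed through the PC, so page contents and any transactions the attacker injects into that session remain visible to and controllable by the compromised machine.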
© 2013 Springer-Verlag Berlin Heidelberg
Hoffmann, J., Uellenbeck, S., Holz, T. (2013). SmartProxy: Secure Smartphone-Assisted Login on Compromised Machines. In: Flegel, U., Markatos, E., Robertson, W. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2012. Lecture Notes in Computer Science, vol 7591. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-37300-8_11
DOI: https://doi.org/10.1007/978-3-642-37300-8_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-37299-5
Online ISBN: 978-3-642-37300-8