TruWallet: trustworthy and migratable wallet-based web authentication

S. Gajek, Hans Löhr, A. Sadeghi, M. Winandy
Scalable Trusted Computing, published 2009-11-13. DOI: 10.1145/1655108.1655112 (https://doi.org/10.1145/1655108.1655112)
Citations: 30

Abstract

Identity theft has become a major security problem on the Internet, in particular stealing passwords for web applications through phishing and malware. We present TruWallet, a wallet-based authentication tool that improves previous solutions for protecting web-based authentication. In contrast to other wallet-based solutions, TruWallet provides (i) strong protection for users' credentials and sensitive data by cryptographically binding them to the user's platform configuration based on Trusted Computing technology, (ii) an automated login procedure where the server is authenticated independently from (SSL) certificates, thus limiting the possibility of attacks based on hijacked certificates and allowing less dependency on the SSL PKI model, and (iii) a secure migration protocol for transferring wallet data to other platforms. Our implementation uses a small virtualization-based security kernel with trusted computing support and works with standard SSL-based authentication solutions for the web, where only minor modifications and extensions are required. It is interoperable so that we can re-use existing operating systems and applications like web browsers.