Secure authentication key sharing between mobile devices based on owner identity
Hideo Nishimura, Yoshihiko Omori, T. Yamashita, Satoru Furukawa
Published in: 2018 Fourth International Conference on Mobile and Secure Services (MobiSecServ)
Publication date: 2018-02-01
DOI: 10.1109/MOBISECSERV.2018.8311436 (https://doi.org/10.1109/MOBISECSERV.2018.8311436)
Citations: 5
Abstract
The public key based Web authentication can be securely implemented using modern mobile devices with a hardware-assisted trusted environment such as the Trusted Execution Environment (TEE) as a secure storage of private keys. As a private key is strictly kept secret within the TEE and never leaves the device, there is a usability issue: the user must register the key separately on each device and Web site, which is burdensome for users who start using a new device. The aim of this research is to provide a solution with enhanced usability in key management by relaxing the restriction that the keys never leave the device and allowing the private keys to be shared among the devices while still maintaining an acceptable level of security. We introduce a third party that is responsible for supervising the key-sharing between devices in an authentication system. The third party performs the identification of the owner of each device to mitigate the risk of the keys being illegally shared to another person's device. Also, we propose a secure method for copying keys from the TEE of one device to that of another through a certificate-based mutually authenticated channel. We implemented the copying method in the ARM TrustZone-based TEE and showed that our approach is feasible on a commercially available smartphone.