面向安全磁盘加密的相互认证和信任引导

Q Engineering

ACM Transactions on Information and System Security Pub Date : 2014-11-17 DOI:10.1145/2663348

J. Götzfried, Tilo Müller

{"title":"面向安全磁盘加密的相互认证和信任引导","authors":"J. Götzfried, Tilo Müller","doi":"10.1145/2663348","DOIUrl":null,"url":null,"abstract":"The weakest link in software-based full disk encryption is the authentication procedure. Since the master boot record must be present unencrypted in order to launch the decryption of remaining system parts, it can easily be manipulated and infiltrated by bootkits that perform keystroke logging; consequently, password-based authentication schemes become attackable. The current technological response, as enforced by BitLocker, verifies the integrity of the boot process by use of the trusted platform module. But, as we show, this countermeasure is insufficient in practice. We present STARK, the first tamperproof authentication scheme that mutually authenticates the computer and the user in order to resist keylogging during boot. To achieve this, STARK implements trust bootstrapping from a secure token to the whole PC. The secure token is an active USB drive that verifies the integrity of the PC and indicates the verification status by an LED to the user. This way, users can ensure the authenticity of the PC before entering their passwords.","PeriodicalId":50912,"journal":{"name":"ACM Transactions on Information and System Security","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2014-11-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"12","resultStr":"{\"title\":\"Mutual Authentication and Trust Bootstrapping towards Secure Disk Encryption\",\"authors\":\"J. Götzfried, Tilo Müller\",\"doi\":\"10.1145/2663348\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"The weakest link in software-based full disk encryption is the authentication procedure. Since the master boot record must be present unencrypted in order to launch the decryption of remaining system parts, it can easily be manipulated and infiltrated by bootkits that perform keystroke logging; consequently, password-based authentication schemes become attackable. The current technological response, as enforced by BitLocker, verifies the integrity of the boot process by use of the trusted platform module. But, as we show, this countermeasure is insufficient in practice. We present STARK, the first tamperproof authentication scheme that mutually authenticates the computer and the user in order to resist keylogging during boot. To achieve this, STARK implements trust bootstrapping from a secure token to the whole PC. The secure token is an active USB drive that verifies the integrity of the PC and indicates the verification status by an LED to the user. This way, users can ensure the authenticity of the PC before entering their passwords.\",\"PeriodicalId\":50912,\"journal\":{\"name\":\"ACM Transactions on Information and System Security\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2014-11-17\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"12\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"ACM Transactions on Information and System Security\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/2663348\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q\",\"JCRName\":\"Engineering\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Transactions on Information and System Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2663348","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q","JCRName":"Engineering","Score":null,"Total":0}

引用次数: 12

摘要

基于软件的全磁盘加密中最薄弱的环节是身份验证过程。由于主引导记录必须是未加密的，以便启动其余系统部分的解密，它很容易被执行击键记录的引导包操纵和渗透;因此，基于密码的身份验证方案变得容易受到攻击。目前的技术响应，由BitLocker强制执行，通过使用可信平台模块验证启动过程的完整性。但是，正如我们所展示的，这种对策在实践中是不够的。我们提出了STARK，这是第一个防篡改认证方案，它相互认证计算机和用户，以防止在启动过程中进行键盘记录。为了实现这一点，STARK实现了从安全令牌到整个PC的信任引导。安全令牌是一个活动的USB驱动器，用于验证PC的完整性，并通过LED向用户显示验证状态。这样，用户在输入密码之前就可以确保电脑的真实性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Mutual Authentication and Trust Bootstrapping towards Secure Disk Encryption

The weakest link in software-based full disk encryption is the authentication procedure. Since the master boot record must be present unencrypted in order to launch the decryption of remaining system parts, it can easily be manipulated and infiltrated by bootkits that perform keystroke logging; consequently, password-based authentication schemes become attackable. The current technological response, as enforced by BitLocker, verifies the integrity of the boot process by use of the trusted platform module. But, as we show, this countermeasure is insufficient in practice. We present STARK, the first tamperproof authentication scheme that mutually authenticates the computer and the user in order to resist keylogging during boot. To achieve this, STARK implements trust bootstrapping from a secure token to the whole PC. The secure token is an active USB drive that verifies the integrity of the PC and indicates the verification status by an LED to the user. This way, users can ensure the authenticity of the PC before entering their passwords.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

ACM Transactions on Information and System Security 工程技术-计算机：信息系统

CiteScore

4.50

自引率

0.00%

发文量

审稿时长

3.3 months

期刊介绍： ISSEC is a scholarly, scientific journal that publishes original research papers in all areas of information and system security, including technologies, systems, applications, and policies.