ESORICS'11 Proceedings of the 16th European conference on Research in computer security
Identity fraud (IDF) may be defined as unauthorized exploitation of credential information through the use of false identity. We propose CROO, a universal (i.e. generic) infrastructure and protocol to either prevent IDF (by detecting attempts thereof), or limit its consequences (by identifying cases of previously undetected IDF). CROO is a capture resilient one-time password scheme, whereby each user must carry a personal trusted device used to generate one-time passwords (OTPs) verified by online trusted parties. Multiple trusted parties may be used for increased scalability. OTPs can be used regardless of a transaction's purpose (e.g. user authentication or financial payment), associated credentials, and online or on-site nature; this makes CROO a universal scheme. OTPs are not sent in cleartext; they are used as keys to compute MACs of hashed transaction information, in a manner allowing OTP-verifying parties to confirm that given user credentials (i.e. OTP-keyed MACs) correspond to claimed hashed transaction details. Hashing transaction details increases user privacy. Each OTP is generated from a PIN-encrypted non-verifiable key; this makes users' devices resilient to off-line PIN-guessing attacks. CROO's credentials can be formatted as existing user credentials (e.g. credit cards or driver's licenses).
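
The mechanism described above, as an added illustration that is not taken from the CROO paper: a device key wrapped under a PIN with no integrity check, an OTP derived from it, and an OTP-keyed MAC over hashed transaction details checked by an online verifier. The abstract does not give the constructions, so the PBKDF2/XOR wrapping, the counter-based OTP derivation, the sample PINs and transaction string, and all function names are assumptions.

```python
import hashlib, hmac, os

def pin_pad(pin: str, salt: bytes) -> bytes:
    # PIN-derived 32-byte pad (PBKDF2 is an assumption of this example).
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 10_000, dklen=32)

def wrap_key(key: bytes, pin: str, salt: bytes) -> bytes:
    # XOR with the pad and store no checksum: every PIN "decrypts" to some
    # 32-byte key, so a captured device offers no offline test for a guess.
    return bytes(a ^ b for a, b in zip(key, pin_pad(pin, salt)))

unwrap_key = wrap_key  # XOR is its own inverse

def otp(key: bytes, counter: int) -> bytes:
    # Assumed OTP derivation: HMAC of a transaction counter under the key.
    return hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()

def device_credential(wrapped, salt, pin, counter, details: bytes):
    # The device sends only the hash of the details and the OTP-keyed MAC;
    # the OTP itself never leaves the device in cleartext.
    key = unwrap_key(wrapped, pin, salt)
    h = hashlib.sha256(details).digest()
    return h, hmac.new(otp(key, counter), h, hashlib.sha256).digest()

def verifier_accepts(key, counter, h, mac) -> bool:
    # The online trusted party recomputes the OTP for the expected counter.
    expected = hmac.new(otp(key, counter), h, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)

def demo():
    key, salt = os.urandom(32), os.urandom(16)
    wrapped = wrap_key(key, "4821", salt)            # constructed PIN
    details = b"payee=example-shop;amount=19.99"     # constructed sample
    good = device_credential(wrapped, salt, "4821", 7, details)
    guess = device_credential(wrapped, salt, "0000", 7, details)
    other = hashlib.sha256(b"payee=example-shop;amount=9999").digest()
    return {
        "good": verifier_accepts(key, 7, *good),
        "wrong_pin": verifier_accepts(key, 7, *guess),   # only caught online
        "tampered": verifier_accepts(key, 7, other, good[1]),
        "next_counter": verifier_accepts(key, 8, *good), # OTP is one-time
    }

if __name__ == "__main__":
    print(demo())
```

A wrong PIN still yields a well-formed credential, so the only place a guess can be tested is the online verifier, which can count and limit failures.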