Uni-directional trusted path: Transaction confirmation on just one device

Authors:
Atanas Filyanov;Jonathan M. McCuney;Ahmad-Reza Sadeghiz;Marcel Winandy
Affiliations:
Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Germany;CyLab, Carnegie Mellon University, USA;Center for Advanced Security Research Darmstadt / Technical University Darmstadt, Germany;Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Germany
Venue:
DSN '11 Proceedings of the 2011 IEEE/IFIP 41st International Conference on Dependable Systems&Networks
Year:
2011

Citing 0
Cited 3

Tunneled TLS for multi-factor authentication

Proceedings of the 11th annual ACM workshop on Digital rights management
Client-based authentication technology: user-centric authentication using secure containers

Proceedings of the 7th ACM workshop on Digital identity management
DriverGuard: Virtualization-Based Fine-Grained Protection on I/O Flows

ACM Transactions on Information and System Security (TISSEC)

Quantified Score

Hi-index	0.00

Visualization

Abstract

Commodity computer systems today do not include a full trusted path capability. Consequently, malware can control the user's input and output in order to reveal sensitive information to malicious parties or to generate manipulated transaction requests to service providers. Recent hardware offers compelling features for remote attestation and isolated code execution, however, these mechanisms are not widely used in deployed systems to date. We show how to leverage these mechanisms to establish a "one-way" trusted path allowing service providers to gain assurance that users' transactions were indeed submitted by a human operating the computer, instead of by malware such as transaction generators. We design, implement, and evaluate our solution, and argue that it is practical and offers immediate value in e-commerce, as a replacement for captchas, and in other Internet scenarios.