Sciweavers

FC
2007
Springer

Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer

14 years 5 months ago
Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer
Keylogging and phishing attacks can extract user identity and sensitive account information for unauthorized access to users’ financial accounts. Most existing or proposed solutions are vulnerable to session hijacking attacks. We propose a simple approach to counter these attacks, which cryptographically separates a user’s long-term secret input from (typically untrusted) client PCs; a client PC performs most computations but has access only to temporary secrets. The user’s long-term secret (typically short and low-entropy) is input through an independent personal trusted device such as a cellphone. The personal device provides a user’s long-term secrets to a client PC only after encrypting the secrets using a pre-installed, “correct” public key of a remote service (the intended recipient of the secrets). The proposed protocol (MP-Auth) realizes such an approach, and is intended to safeguard passwords from keyloggers, other malware (including rootkits), phishing attacks an...
Mohammad Mannan, Paul C. van Oorschot
Added 07 Jun 2010
Updated 07 Jun 2010
Type Conference
Year 2007
Where FC
Authors Mohammad Mannan, Paul C. van Oorschot
Comments (0)