论文信息 - TrustID: trustworthy identities for untrusted mobile devices

TrustID: trustworthy identities for untrusted mobile devices

Identity theft has deep impacts in today's mobile ubiquitous environments. At the same time, digital identities are usually still protected by simple passwords or other insufficient security mechanisms. In this paper, we present the TrustID architecture and protocols to improve this situation. Our architecture utilizes a Secure Element (SE) to store multiple context-specific identities securely in a mobile device, e.g., a smartphone. We introduce protocols for securely deriving identities from a strong root identity into the SE inside the smartphone as well as for using the newly derived IDs. Both protocols do not require a trustworthy smartphone operating system or a Trusted Execution Environment. In order to achieve this, our concept includes a secure combined PIN entry mechanism for user authentication, which prevents attacks even on a malicious device. To show the feasibility of our approach, we implemented a prototype running on a Samsung Galaxy SIII smartphone utilizing a microSD card SE. The German identity card nPA is used as root identity to derive context-specific identities.

Sascha Wessel | Frederic Stumpf | Konstantin Böttinger | Julian Horsch | Michael Weiß

[1] A. Emigh,et al. Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures , 2005 .

[2] Sarvar Patel,et al. Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman , 2000, EUROCRYPT.

[3] Pascal Urien,et al. A New Convergent Identity System Based on EAP-TLS Smart Cards , 2011, 2011 Conference on Network and Information Systems Security.

[4] Adam J. Aviv,et al. Smudge Attacks on Smartphone Touch Screens , 2010, WOOT.

[5] Yehuda Lindell,et al. Session-Key Generation Using Human Passwords Only , 2001, Journal of Cryptology.

[6] Konstantin Hyppönen,et al. An Open Mobile Identity Tool: An Architecture for Mobile Identity Management , 2008, EuroPKI.

[7] Andreas Leicher,et al. Smart OpenID A Smart Card based OpenID Protocol , 2012 .

[8] Ahmad-Reza Sadeghi,et al. Privilege Escalation Attacks on Android , 2010, ISC.

[9] Wei-Dar Chen,et al. NFC mobile payment with Citizen Digital Certificate , 2011, The 2nd International Conference on Next Generation Information Technology.

[10] Steven M. Bellovin,et al. Encrypted key exchange: password-based protocols secure against dictionary attacks , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[11] Ahmad-Reza Sadeghi,et al. SmartTokens: Delegable Access Control with NFC-Enabled Smartphones , 2012, TRUST.