TrustTokenF: A Generic Security Framework for Mobile Two-Factor Authentication Using TrustZone

We give a detailed analysis of the security issues that arise when mobile devices are used as a substitute for dedicated hardware tokens in two-factor authentication (2FA) schemes, and propose TrustTokenF, a generic security framework for mobile 2FA schemes that provides security assurance comparable to dedicated hardware tokens and is more flexible for token management. We first illustrate how to leverage the Trusted Execution Environment (TEE) based on ARM TrustZone to provide essential security features for mobile 2FA applications, i.e., runtime isolated execution and trusted user interaction, which resist software attackers, even those who compromise the entire mobile OS. We also use SRAM Physical Unclonable Functions (PUFs) to provide persistent secure storage for the authentication secrets, which achieves both high-level security and low cost. Based on these security features, we design a series of secure protocols for token deployment, migration and device key updating. We also introduce the TPM 2.0 policy-based authorization mechanism to enhance the security of the interface from the outside world into the trusted tokens. Finally, we implement a prototype system on real TrustZone-enabled hardware. The experimental results show that TrustTokenF is secure, flexible, economical and efficient for mobile 2FA applications.
