Trails:

Cyberspace of Shujun LI >> hPIN/hTAN

Shortcuts

Publications, Talks/Teaching, Honors, HTMSarrow-up; IT-World, TEX/LATEX; eTravel, eTime/eWeather, eLanguages, eLife/eLeben, Beloved
HTMS: hooklee's Research Pointer, Sci-Journals and Sci-Conferences (hooklee's Calendar of CFPs), Sci-Services, Organizations, Academiaarrow-down

Title Page

hPIN/hTAN: A Lightweight and Low-Cost e-Banking Solution against Untrusted Computers

Shujun Li1, Ahmad-Reza Sadeghi2,3, Sören Heisrath3, Roland Schmitz4 and Junaid Jameel Ahmad1

1 University of Konstanz, Germany
2 Darmstadt University of Technology and Fraunhofer SIT, Germany
3 Ruhr-University of Bochum, Germany
4 Stuttgart Media University, Germany


This paper has been published in Financial Cryptography and Data Security: 15th International Conference, FC 2011, Gros Islet, St. Lucia, February 28 - March 4, 2011, Revised Selected Papers, Lecture Notes in Computer Science, vol. 7035, pp. 235-249, Springer-Verlag GmbH, 2012. © IFCA

Abstract

In this paper, we propose hPIN/hTAN, a low-cost hardware token based PIN/TAN system for protecting e-banking systems against the strong threat model where the adversary has full control over the user's computer. This threat model covers various kinds of attacks related to untrusted terminal computers, such as keyloggers/screenloggers, session hijackers, Trojan horses and transaction generators. The core of hPIN/hTAN is a secure and easy user-computer-token interface. The security is guaranteed by the user-computer-token interface and two underlying security protocols for user/server/transaction authentication. The hPIN/hTAN system is designed as an open framework so that the underlying authentication protocols can be easily reconfigured. To minimize the costs and maximize usability, we chose two security protocols dependent on simple cryptography (a cryptographic hash function and a random number generator). In contrast to other existing hardware-based solutions, hPIN/hTAN depends on neither a second trusted channel nor a secure keypad nor external trusted center. Our prototype implementation does not involve cryptography beyond a cryptographic hash function. The minimalistic design not only enhances usability but also increases security since more complicated systems tend to have more security holes and software bugs. As an important feature, hPIN/hTAN exploits the human user's active involvement in the whole process to compensate security weaknesses caused by careless human behavior.

Links

hPIN/hTAN in a Nutshell

Threat Model and System Requirements

Threat Model

hPIN

                   T -> S: (UID, rT),
                   S -> T: (rS, H1 = HMAC(h(KT), rS || rT || S)),
                   T -> S: H2 = HMAC(h(KT), rT || rS || T), hPIN

Legend: Dashed lines denote information display, and bold lines should the reconfigurable part.

hTAN

                   T -> S: (IDU, STD, NSTD, rT),
                   S -> T: (rS, H3 = HMAC(h(KT); rS || rT || STD)),
                   T -> S: (IDU, H4 = HMAC(h(KT); rT || rS || STD)),
          where rT and rS are two new nonces generated by T and S, respectively. hTAN

Proof-of-Concept System

Website Startpage USB token

User study

How lightweight is the token?

How low-cost is the token?

hPIN/hTAN vs. Existing Solutions

Errata

In the published edition of the paper, the SKID3 protocol in Step 5 of hPIN protocol is erroneous, which was caused by a mistake when we made some changes to the description of hPIN protocol. In addition, in both hPIN and hTAN protocols, the key used in HMAC should be h(KT), not KT. This is a typo we made in the paper writing. We apologize for making these errors.

To be more exact, in hPIN protocol, the following part

                   T -> S: UID,
                   S -> T: rT,
                   T -> S: (UID, rS, H1 = HMAC(KT, rS || rT || T)),
                   S -> T: H2 = HMAC(KT, rT || rS || S)

should read

                   T -> S: (UID, rT),
                   S -> T: (rS, H1 = HMAC(h(KT), rS || rT || S)),
                   T -> S: H2 = HMAC(h(KT), rT || rS || T)

And in the hTAN protocol, KT should be replaced by h(KT) wherever it appears.

Yet another error is about PIN* which is represented by two different equations: h(PIN || KT || s) and HMAC(KT, PIN || s). Since the latter is more general, so it should be used to replace the former.

Only one revision exists, which was created (or modified) by hooklee at 2012年7月16日 19:26:58.
This page was locked and can only be edited by administrators.

HomeIndexRecent ChangesPreference

Google

Google PageRank Checker
Valid XHTML 1.0 Transitional
Locations of visitors to this page
ip-location map zoom
Germany

China

GMT (London)