Cyberspace of Shujun LI


Title Page

hPIN/hTAN: A Lightweight and Low-Cost e-Banking Solution against Untrusted Computers

Shujun Li1, Ahmad-Reza Sadeghi2,3, Sören Heisrath3, Roland Schmitz4 and Junaid Jameel Ahmad1

1 University of Konstanz, Germany
2 Darmstadt University of Technology and Fraunhofer SIT, Germany
3 Ruhr-University of Bochum, Germany
4 Stuttgart Media University, Germany

This paper has been published in Financial Cryptography and Data Security: 15th International Conference, FC 2011, Gros Islet, St. Lucia, February 28 - March 4, 2011, Revised Selected Papers, Lecture Notes in Computer Science, vol. 7035, pp. 235-249, Springer-Verlag GmbH, 2012. © IFCA


In this paper, we propose hPIN/hTAN, a low-cost hardware token based PIN/TAN system for protecting e-banking systems against the strong threat model where the adversary has full control over the user's computer. This threat model covers various kinds of attacks related to untrusted terminal computers, such as keyloggers/screenloggers, session hijackers, Trojan horses and transaction generators. The core of hPIN/hTAN is a secure and easy user-computer-token interface. The security is guaranteed by the user-computer-token interface and two underlying security protocols for user/server/transaction authentication. The hPIN/hTAN system is designed as an open framework so that the underlying authentication protocols can be easily reconfigured. To minimize the costs and maximize usability, we chose two security protocols dependent on simple cryptography (a cryptographic hash function and a random number generator). In contrast to other existing hardware-based solutions, hPIN/hTAN depends on neither a second trusted channel nor a secure keypad nor external trusted center. Our prototype implementation does not involve cryptography beyond a cryptographic hash function. The minimalistic design not only enhances usability but also increases security since more complicated systems tend to have more security holes and software bugs. As an important feature, hPIN/hTAN exploits the human user's active involvement in the whole process to compensate security weaknesses caused by careless human behavior.


hPIN/hTAN in a Nutshell

Threat Model and System Requirements

Threat Model


                   T -> S: (UID, rT),
                   S -> T: (rS, H1 = HMAC(h(KT), rS || rT || S)),
                   T -> S: H2 = HMAC(h(KT), rT || rS || T), hPIN

Legend: Dashed lines denote information display, and bold lines should the reconfigurable part.


                   T -> S: (IDU, STD, NSTD, rT),
                   S -> T: (rS, H3 = HMAC(h(KT); rS || rT || STD)),
                   T -> S: (IDU, H4 = HMAC(h(KT); rT || rS || STD)),
          where rT and rS are two new nonces generated by T and S, respectively. hTAN

Proof-of-Concept System

Website Startpage USB token

User study

How lightweight is the token?

How low-cost is the token?

hPIN/hTAN vs. Existing Solutions


In the published edition of the paper, the SKID3 protocol in Step 5 of hPIN protocol is erroneous, which was caused by a mistake when we made some changes to the description of hPIN protocol. In addition, in both hPIN and hTAN protocols, the key used in HMAC should be h(KT), not KT. This is a typo we made in the paper writing. We apologize for making these errors.

To be more exact, in hPIN protocol, the following part

                   T -> S: UID,
                   S -> T: rT,
                   T -> S: (UID, rS, H1 = HMAC(KT, rS || rT || T)),
                   S -> T: H2 = HMAC(KT, rT || rS || S)

should read

                   T -> S: (UID, rT),
                   S -> T: (rS, H1 = HMAC(h(KT), rS || rT || S)),
                   T -> S: H2 = HMAC(h(KT), rT || rS || T)

And in the hTAN protocol, KT should be replaced by h(KT) wherever it appears.

Yet another error is about PIN* which is represented by two different equations: h(PIN || KT || s) and HMAC(KT, PIN || s). Since the latter is more general, so it should be used to replace the former.

Valid XHTML 1.0 Transitional


Germany (CET)