ABSTRACT
Together with the rapidly growing number of services on the Internet, authentication becomes an issue of increasing importance. A very common situation is that for each service, users must remember the associated name and password they are registered under. This method is prone to identity theft and its usability leaves much to be desired. The Trusted Platform Module (TPM) is a microcontroller with cryptographic functions that is integrated into many computers. It is capable of protecting against software attacks. The TPM can generate and store non-migratable keying material for authentication and is an effective safeguard against the acquisition and use of an identity by an adversary. Even though the TPM prohibits identity theft, Internet services still have few options to verify the true identity of a user. Electronic identity cards (eIDs) assert the identity of their owner. Their large-scale deployment can be expected in the near future. The use of eIDs is impaired, though. They must be present for each authentication, and all devices must be equipped with a compatible card reader. We mitigate the problems of both approaches by using eIDs for establishing trust in user-specific TPM authentication credentials. The eID and a compatible reader must be present only at one time for establishing the initial trust. We integrated our identity-theft-resistant authentication method with the OpenID identity system to allow a large number of services to profit from verified and trustworthy identity assertions.
Index Terms
- Preventing identity theft with electronic identity cards and the trusted platform module