Trustworthy Wallet-Based Web Authentication
Phishing attacks aim at stealing the user's identity, e.g., financial account data or personal identity data, which is typically protected in the form of user passwords. Besides social engineering tricks, technical subterfuge (malware) is increasingly used to retrieve passwords directly from the user's computer system. To counter these attacks, we propose a modular platform that uses a trusted wallet to store the user's credentials and to authenticate the remote bank or e-commerce site, acting as a proxy on behalf of the user. Hence, it does not require specific skills from users, e.g., distinguishing real from faked web sites by identifying security indicators. To establish a secure execution environment, the wallet executes on top of a virtualization platform based on trusted computing functionality. In this way, the wallet is isolated and protected from other environments that may be compromised by malware.
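The following toy model illustrates the principle stated above, that the wallet rather than the user decides whether a site is the genuine one before any credential leaves the wallet. It is an added example, not TruWallet's code, and assumes a simplified notion of server identity: the host name plus the SHA-256 fingerprint of the TLS certificate seen at enrolment, with constructed byte strings standing in for real certificates.

```python
"""Toy TruWallet-style wallet acting as a login proxy (added illustration, not
TruWallet's code). Assumption: a site's identity is host name + SHA-256
fingerprint of the server certificate seen at enrolment; certs are constructed."""
import hashlib
import hmac


class Wallet:
    def __init__(self):
        # host -> (cert fingerprint, username, password); the browser never sees this
        self._vault = {}

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        return hashlib.sha256(cert_der).hexdigest()

    def enrol(self, host: str, cert_der: bytes, username: str, password: str) -> None:
        """First contact with a site: bind the credential to the server identity seen now.
        Certificate rotation later needs an explicit re-enrolment (policy not modelled)."""
        self._vault[host] = (self.fingerprint(cert_der), username, password)

    def login(self, host: str, cert_der: bytes):
        """Proxy a login: the wallet, not the user, checks the peer against the enrolled
        identity and returns the form fields to submit, or None to release nothing."""
        entry = self._vault.get(host)
        if entry is None:
            return None  # unknown host (e.g. a look-alike domain): nothing to release
        stored_fp, username, password = entry
        if not hmac.compare_digest(stored_fp, self.fingerprint(cert_der)):
            return None  # right host name, different certificate: treat as impersonation
        return {"username": username, "password": password}


# Constructed scenario: one enrolled bank, one certificate not belonging to it.
BANK_CERT = b"constructed DER certificate of bank.example"
OTHER_CERT = b"constructed DER certificate of some other party"


def demo():
    w = Wallet()
    w.enrol("bank.example", BANK_CERT, "alice", "s3cret")
    genuine = w.login("bank.example", BANK_CERT)          # released to the enrolled site
    lookalike = w.login("bank-example.com", OTHER_CERT)   # unknown host: None
    spoofed = w.login("bank.example", OTHER_CERT)         # host ok, cert mismatch: None
    return genuine, lookalike, spoofed
```

Because the decision is made on server identity inside the isolated wallet, a user who cannot read security indicators is no longer the weak point; the remaining trust anchor is the enrolment step, which in the real system relies on the trusted computing base described in the publications.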
Architecture of TruWallet:
- Sebastian Gajek, Hans Löhr, Ahmad-Reza Sadeghi and Marcel Winandy: TruWallet: Trustworthy and Migratable Wallet-Based Web Authentication, STC 2009.
- Andreas Krügersen: A Secure Password Wallet Countering Phishing Attacks Based on Trusted Computing. Diploma Thesis, Ruhr-University Bochum, April 2008.
- Sebastian Gajek, Ahmad-Reza Sadeghi, Jörg Schwenk and Marcel Winandy: Trusted User-Aware Web Authentication, TIPPI 2007.
- Sebastian Gajek, Ahmad-Reza Sadeghi, Christian Stüble and Marcel Winandy: Compartmented Security for Browsers - Or How to Thwart a Phisher with Trusted Computing, ARES 2007.
- Sebastian Gajek, Ahmad-Reza Sadeghi, Christian Stüble and Marcel Winandy: Compartmented Security for Browsers, Technical Report HGI-TR-2007-001, Ruhr-University Bochum.
- Sebastian Gajek, Ahmad-Reza Sadeghi, Christian Stüble and Marcel Winandy: Towards Multicolored Computing - Compartmented Security to Prevent Phishing Attacks, 1st Benelux Workshop on Information and System Security (WISSec 2006), Antwerpen (Belgium), 2006.