Abstract
Authenticating human users using public key cryptography provides a number of useful security properties, such as being able to authenticate to remote party without giving away a secret. However, in many scenarios, users need to authenticate from a number of client machines, of varying degrees of trustworthiness. In previous work, we proposed an approach to solving this problem by giving users portable devices which wirelessly issue temporary, limited-use proxy certificates to the clients. In this paper, we describe our complete prototype, enabling the use of proxy credentials issued from a mobile device to securely authenticate users to remote servers via a shared (or otherwise not trusted) device. In particular, our PorKI implementation combines out-of-band authentication (via 2D barcode images), standard Proxy Certificates, and platform attestation to provide usable and secure temporary credentials for web-based applications.
This work was supported in part by Intel Corporation and by the NSF, under grant CNS-0448499. The views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of any of the sponsors.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Bluetooth SIG: Specification of the Bluetooth System, Core Version 1.2 (2003), http://www.bluetooth.org/
Cholia, S., Genovese, T., Skow, D.: Profile for SLCS X.509 Public Key Certification Authorities with Secured Infrastructure (2009), http://www.tagpma.org/files/SLCS-2.1b.pdf
Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., Polk, W.: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 5280 (May 2008), http://www.ietf.org/rfc/rfc5280.txt
El-Bakry, H.M., Mastorakis, N.: Design of Anti-GPS for Reasons of Security. In: CIS 2009: Proceedings of the International Conference on Computational and Information Science 2009, pp. 480–500. World Scientific and Engineering Academy and Society (WSEAS), Stevens Point (2009)
Garriss, S., Cáceres, R., Berger, S., Sailer, R., van Doorn, L., Zhang, X.: Trustworthy and Personalized Computing on Public Kiosks. In: MobiSys 2008: Proceeding of the 6th International Conference on Mobile Systems, Applications, and Services, pp. 199–210. ACM, New York (2008)
Marchesini, J.: Shemp: Secure Hardware Enhanced MyProxy. Ph.D. thesis, Dartmouth College, Hanover, NH, USA (2005)
Marchesini, J., Smith, S.W., Zhao, M.: Keyjacking: The Surprising Insecurity of Client-Side SSL. Computers & Security 24(2), 109–123 (2005)
McCune, J.M., Perrig, A., Reiter, M.K.: Seeing-Is-Believing: Using Camera Phones for Human-Verifiable Authentication. In: SP 2005: Proceedings of the 2005 IEEE Symposium on Security and Privacy, pp. 110–124. IEEE Computer Society, Washington, DC, USA (2005)
Wu, M., Garfinkel, S., Miller, R.: Secure Web Authentication with Mobile Phones. In: MIT Project Oxygen: Student Oxygen Workshop (2003)
Mundt, T.: Two Methods of Authenticated Positioning. In: Q2SWinet 2006: Proceedings of the 2nd ACM International Workshop on Quality of service & Security for Wireless and Mobile Networks, pp. 25–32. ACM, New York (2006)
Pala, M.: The LibPKI project. Project Homepage, https://www.openca.org/projects/libpki/
RSA: RSA SecurID Two-Factor Authentication. RSA Solution Brief (2010)
Sharp, R., Madhavapeddy, A., Want, R., Pering, T.: Enhancing Web Browsing Security on Public Terminals using Mobile Composition. In: MobiSys 2008: Proceeding of the 6th International Conference on Mobile Systems, Applications, and Services, pp. 94–105. ACM, New York (2008)
Sinclair, S., Smith, S.W.: PorKI: Making User PKI Safe on Machines of Heterogeneous Trustworthiness. In: Annual Conference on Computer Security Applications, vol. 0, pp. 419–430 (2005)
Singh, S., Cabraal, A., Demosthenous, C., Astbrink, G., Furlong, M.: Password Sharing: Implications for Security Design Based on Social Practice. In: CHI 2007: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 895–904. ACM, New York (2007)
Tippenhauer, N.O., Rasmussen, K.B., Pöpper, C., Čapkun, S.: Attacks on Public WLAN-based Positioning Systems. In: MobiSys 2009: Proceedings of the 7th International Conference on Mobile Systems, Applications, and Services, pp. 29–40. ACM, New York (2009)
Trusted Computing Group: TCG Specification Architecture Overview. Specification, Revision 1.4 (August 2007), http://www.trustedcomputinggroup.org/files/resource_files/AC652DE1-1D09-3519-ADA026A0C05CFAC2/TCG_1_4_Architecture_Overview.pdf
Tuecke, S., Welch, V., Engert, D., Pearlman, L., Thompson, M.: Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile. RFC 3820 (Proposed Standard) (June 2004), http://www.ietf.org/rfc/rfc3820.txt
Whitten, A., Tygar, J.D.: Why Johnny Can’t Encrypt: a Usability Evaluation of PGP 5.0. In: Proceedings of the 8th USENIX Security Symposium, p. 14. USENIX Association, Berkeley (1999)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Pala, M., Sinclair, S., Smith, S.W. (2011). PorKI: Portable PKI Credentials via Proxy Certificates. In: Camenisch, J., Lambrinoudakis, C. (eds) Public Key Infrastructures, Services and Applications. EuroPKI 2010. Lecture Notes in Computer Science, vol 6711. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22633-5_1
Download citation
DOI: https://doi.org/10.1007/978-3-642-22633-5_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-22632-8
Online ISBN: 978-3-642-22633-5
eBook Packages: Computer ScienceComputer Science (R0)