[go: up one dir, main page]
More Web Proxy on the site http://driver.im/ skip to main content
10.1145/2810103.2813692acmconferencesArticle/Chapter ViewAbstractPublication PagesccsConference Proceedingsconference-collections
research-article

TrustOTP: Transforming Smartphones into Secure One-Time Password Tokens

Published: 12 October 2015 Publication History

Abstract

Two-factor authentication has been widely used due to the vulnerabilities associated with traditional text-based password. One-time password (OTP) plays an indispensable role on authenticating mobile users to critical web services that demand a high level of security. As the smartphones are increasingly gaining popularity nowadays, software-based OTP generators have been developed and installed into smartphones as software apps, which bring great convenience to the users without introducing extra burden. However, software-based OTP solutions cannot guarantee the confidentiality of the generated passwords or even the seeds when the mobile OS is compromised. Moreover, they also suffer from denial-of-service attacks when the mobile OS crashes. Hardware-based OTP tokens can solve these security problems in the software-based OTP solutions; however, it is inconvenient for the users to carry physical tokens with them, particularly, when there are more than one token to be carried. In this paper, we present TrustOTP, a secure one-time password solution that can achieve both the flexibility of software tokens and the security of hardware tokens by using ARM TrustZone technology. TrustOTP can not only protect the confidentiality of the OTPs against a malicious mobile OS, but also guarantee reliable OTP generation and trusted OTP display when the mobile OS is compromised or even crashes. It is flexible to integrate multiple OTP algorithms and instances for different application scenarios on the same smartphone platform without modifying the mobile OS. We develop a prototype of TrustOTP on Freescale i.MX53 QSB. The experimental results show that TrustOTP has small impacts on the mobile OS and its power consumption is low.

References

[1]
AMD Virtualization. http://www.amd.com/en-us/solutions/servers/virtualization.
[2]
Android OATH Token. https://code.google.com/p/androidtoken/.
[3]
Antutu Benchmark. http://www.antutu.com/en/Ranking.shtml.
[4]
ARM. http://www.arm.com/.
[5]
Booting the Android LXC container. https://wiki.ubuntu.com/Touch/ContainerArchitecture.
[6]
DIGIPASS GO 6. https://www.vasco.com/products/client_products/single_button_digipass/digipass_go6.aspx.
[7]
Juno ARM Development Platform. http://www.arm.com/products/tools/development-boards/versatile-express/juno-arm-development-platform.php.
[8]
OATH Compatible Hardware Tokens. http://www.rcdevs.com/tokens/?type=hardware.
[9]
Phi phenomenon. http://en.wikipedia.org/wiki/Phi_phenomenon.
[10]
RFC1760. https://tools.ietf.org/html/rfc1760.
[11]
RFC2289. https://tools.ietf.org/html/rfc2289.
[12]
RFC4226. https://tools.ietf.org/html/rfc4226.
[13]
RFC6238. https://tools.ietf.org/html/rfc6238.
[14]
Adeneo Embedded. Reference BSPs for Freescale i.MX53 Quick Start Board. http://www.adeneo-embedded.com/en/Products/Board-Support-Packages/Freescale-i.MX53-QSB.
[15]
T. Alves and D. Felton. Trustzone: Integrated hardware and software security. ARM white paper, 3(4), 2004.
[16]
S. Arzt, S. Rasthofer, and E. Bodden. Instrumenting android and java applications as easy as abc. In Runtime Verification - 4th International Conference, RV 2013, Rennes, France, September 24--27, 2013. Proceedings, pages 364--381.
[17]
A. M. Azab, P. Ning, J. Shah, Q. Chen, R. Bhutkar, G. Ganesh, J. Ma, and W. Shen. Hypervision across worlds: Real-time kernel protection from the ARM trustzone secure world. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, AZ, USA, November 3--7, 2014, pages 90--102.
[18]
J. Azema and G. Fayad. M-shield mobile security technology: making wireless secure. Texas Instruments Whitepaper, 2008.
[19]
O. Board. Origen exynos4 quad evaluation board. http://www.origenboard.org/wiki/index.php/Introduction.
[20]
C. Dall and J. Nieh. KVM/ARM: the design and implementation of the linux ARM hypervisor. In Architectural Support for Programming Languages and Operating Systems, ASPLOS '14, Salt Lake City, UT, USA, March 1--5, 2014, pages 333--348.
[21]
A. Dmitrienko, C. Liebchen, C. Rossow, and A. Sadeghi. Security analysis of mobile two-factor authentication schemes. Intel Technology Journal, 18(4), 2014.
[22]
P. Duc. Secure Mobile Payments - Protecting display data in TrustZone-enabled SoCs with the Evatronix PANTA Family of Display Processors. http://www.design-reuse.com/articles/30675.
[23]
J. Ekberg, K. Kostiainen, and N. Asokan. Trusted execution environments on mobile devices. In 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS'13, Berlin, Germany, November 4--8, 2013, pages 1497--1498.
[24]
EMC$^2$. RSA SecureID Hardware Tokens. http://www.emc.com/security/rsa-securid/rsa-securid-hardware-tokens.htm.
[25]
Evatronix. Evatronix Launches Display Processor based on Latest ARM Security Technology. http://www.electronicsweekly.com/noticeboard/general/evatronix-launches-display-processor-based-on-latest-arm-security-technology-2012-05/.
[26]
Fortinet. FortiToken. http://www.fortinet.com/products/fortitoken/index.html.
[27]
Freescale. Hardware Reference Manual for i.MX53 Quick Start-R. http://cache.freescale.com/files/32bit/doc/ref_manual/IMX53RQSBRM-R.pdf?fr=g.
[28]
Freescale. i.MX 6Solo/6DualLite Applications Processor Reference Manual. http://cache.freescale.com/files/32bit/doc/ref_manual/IMX6SDLRM.pdf?fpsp=1&WT_TYPE=Reference%20Manuals&WT_VENDOR=FREESCALE&WT_FILE_FORMAT=pdf&WT_ASSET=Documentation.
[29]
Freescale. i.MX53 Processors. http://www.freescale.com/webapp/sps/site/taxonomy.jsp?code=IMX53_FAMILY.
[30]
Freescale. i.MX53 Reference Manual with fusemap addendum. http://www.freescale.com/webapp/sps/site/prod_summary.jsp?code=i.MX537&fpsp=1&tab=Documentation_Tab.
[31]
Freescale. Imx53qsb: i.mx53 quick start board. http://www.freescale.com/webapp/sps/site/prod_summary.jsp?code=IMX53QSB&tid=vanIMXQUICKSTART.
[32]
Freescale. On Board Diagnose Suit (OBDS). http://www.freescale.com/webapp/sps/download/license.jsp?colCode=IMX53QSBOBDS&location=null&fasp=1.
[33]
Giesecke & Devrient. MobiCore. http://www.gi-de.com/en/trends_and_insights/mobicore/trusted-mobile-services.jsp.
[34]
Google. Google Authenticator. http://en.wikipedia.org/wiki/Google_Authenticator.
[35]
IDC. Worldwide Mobile Worker Population 2011--2015 Forecast. http://cdn.idc.asia/files/5a8911ab-4c6d-47b3--8a04-01147c3ce06d.pdf, Dec 2011.
[36]
Intel. Intel identity protection technology with one-time password. http://ipt.intel.com/Home/How-it-works/network-security-identity-management/ipt-with-one-time-password.
[37]
J. Jang, S. Kong, M. Kim, D. Kim, and B. B. Kang. Ssecret: Secure channel between rich execution environment and trusted execution environment. In 21st Annual Network and Distributed System Security Symposium, NDSS 2015, San Diego, California, USA, February 8--11, 2015.
[38]
Jeff Carpenter, EMC. Did You Know: Trends in RSA SecurID Two-Factor Authentication. http://www.emc.com/collateral/rsa/eventpresentations/04--10--12-Two-Factor_Auth.pdf.
[39]
S. Kalkowski. Virtualization Dungeon on ARM. In Free and Open Source Software Developers' European Meeting, FOSDEM 2014, Brussels, Belgium, February 1--2, 2014.
[40]
K. Kostiainen, J. Ekberg, N. Asokan, and A. Rantala. On-board credentials with open provisioning. In Proceedings of the 2009 ACM Symposium on Information, Computer and Communications Security, ASIACCS 2009, Sydney, Australia, March 10--12, 2009, pages 104--115.
[41]
W. Li, H. Li, H. Chen, and Y. Xia. Adattester: Secure online mobile advertisement attestation using trustzone. In Proceedings of the 13th Annual International Conference on Mobile Systems, Applications, and Services, MobiSys 2015, Florence, Italy, May 19--22, 2015, pages 75--88.
[42]
C. Lin, H. Li, X. Zhou, and X. Wang. Screenmilker: How to milk your android screen for secrets. In 21st Annual Network and Distributed System Security Symposium, NDSS 2014, San Diego, California, USA, February 23--26, 2014.
[43]
C. Marforio, N. Karapanos, C. Soriente, K. Kostiainen, and S. Capkun. Smartphones as practical and secure location verification tokens for payments. In 21st Annual Network and Distributed System Security Symposium, NDSS 2014, San Diego, California, USA, February 23--26, 2014.
[44]
McAfee. Mcafee one time password. http://www.mcafee.com/us/products/one-time-password.aspx.
[45]
Monsoon Solutions. Monsoon Power Monitor. https://www.msoon.com/LabEquipment/PowerMonitor/.
[46]
Open AuTHentication. OATH Toolkit. http://www.nongnu.org/oath-toolkit/.
[47]
Qualcomm Innovation Center. Vellamo Mobile Benchmark. https://play.google.com/store/apps/details?id=com.quicinc.vellamo&hl=en.
[48]
Samsung Electronics. White Paper: An Overview of Samsung KNOX. http://www.samsung.com/global/business/business-images/resource/white-paper/2013/06/Samsung_KNOX_whitepaper_June-0.pdf.
[49]
N. Santos, H. Raj, S. Saroiu, and A. Wolman. Using ARM trustzone to build a trusted language runtime for mobile applications. In Architectural Support for Programming Languages and Operating Systems, ASPLOS '14, Salt Lake City, UT, USA, March 1--5, 2014, pages 67--80.
[50]
SolidPass. Desktop soft token. http://www.solidpass.com/authentication-methods/one-time-password-generator-otp-token.html.
[51]
H. Sun, K. Sun, Y. Wang, J. Jing, and S. Jajodia. Trustdump: Reliable memory acquisition on smartphones. In Computer Security - ESORICS 2014 - 19th European Symposium on Research in Computer Security, Wroclaw, Poland, September 7--11, 2014. Proceedings, Part I, pages 202--218.
[52]
Symantec. Whitepaper: Two-factor Authentication: A TCO Viewpoiont. https://www4.symantec.com/mktginfo/whitepaper/user_authentication/whitepaper-twofactor-authentication.pdf.
[53]
Trusted Logic. Trusted foundations by trusted logic mobility. http://www.arm.com/community/partners/display_product/rw/ProductId/5393/.
[54]
R. Uhlig, G. Neiger, D. Rodgers, A. L. Santoni, F. C. Martins, A. V. Anderson, S. M. Bennett, A. Kagi, F. H. Leung, and L. Smith. Intel Virtualization Technology. Computer, 38(5):48--56, 2005.
[55]
J. Winter. Experimenting with ARM trustzone - or: How I met friendly piece of trusted hardware. In 11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2012, Liverpool, United Kingdom, June 25--27, 2012, pages 1161--1166.
[56]
J. Winter, P. Wiegele, M. Pirker, and R. Tögl. A flexible software development and emulation framework for arm trustzone. In INTRUST, pages 1--15. 2011.
[57]
D. You and B. Noh. Android platform based linux kernel rootkit. In 6th International Conference on Malicious and Unwanted Software, MALWARE 2011, Fajardo, Puerto Rico, USA, October 18--19, 2011, pages 79--87.
[58]
Yubico. Yubikey. https://www.yubico.com/.

Cited By

View all
  • (2024)Dynamic Group Time-Based One-Time PasswordsIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.338635019(4897-4913)Online publication date: 2024
  • (2024)Building a Lightweight Trusted Execution Environment for Arm GPUsIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.3334277(1-16)Online publication date: 2024
  • (2024)CacheIEE: Cache-Assisted Isolated Execution Environment on ARM Multi-Core PlatformsIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.325141821:1(254-269)Online publication date: Jan-2024
  • Show More Cited By

Index Terms

  1. TrustOTP: Transforming Smartphones into Secure One-Time Password Tokens

    Recommendations

    Comments

    Please enable JavaScript to view thecomments powered by Disqus.

    Information & Contributors

    Information

    Published In

    cover image ACM Conferences
    CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
    October 2015
    1750 pages
    ISBN:9781450338325
    DOI:10.1145/2810103
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Sponsors

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 12 October 2015

    Permissions

    Request permissions for this article.

    Check for updates

    Author Tags

    1. arm trustzone
    2. one-time password
    3. secure GUI

    Qualifiers

    • Research-article

    Funding Sources

    • U.S. Office of Naval Research
    • Strategy Pilot Project of Chinese Academy of Sciences
    • National 973 Program of China

    Conference

    CCS'15
    Sponsor:

    Acceptance Rates

    CCS '15 Paper Acceptance Rate 128 of 660 submissions, 19%;
    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

    Upcoming Conference

    CCS '25

    Contributors

    Other Metrics

    Bibliometrics & Citations

    Bibliometrics

    Article Metrics

    • Downloads (Last 12 months)60
    • Downloads (Last 6 weeks)13
    Reflects downloads up to 11 Dec 2024

    Other Metrics

    Citations

    Cited By

    View all
    • (2024)Dynamic Group Time-Based One-Time PasswordsIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.338635019(4897-4913)Online publication date: 2024
    • (2024)Building a Lightweight Trusted Execution Environment for Arm GPUsIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.3334277(1-16)Online publication date: 2024
    • (2024)CacheIEE: Cache-Assisted Isolated Execution Environment on ARM Multi-Core PlatformsIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.325141821:1(254-269)Online publication date: Jan-2024
    • (2024)Exclusively in-store: Acoustic location authentication for stationary business devicesJournal of Network and Computer Applications10.1016/j.jnca.2024.104028(104028)Online publication date: Sep-2024
    • (2023)Analysis of Distinguishable Security between the One-Time Password Extraction Function Family and Random Function FamilyApplied Sciences10.3390/app1315876113:15(8761)Online publication date: 28-Jul-2023
    • (2023)PumpChannel: An Efficient and Secure Communication Channel for Trusted Execution Environment on ARM-FPGA Embedded SoC2023 Design, Automation & Test in Europe Conference & Exhibition (DATE)10.23919/DATE56975.2023.10137170(1-6)Online publication date: Apr-2023
    • (2023)TZEAMMSecurity and Communication Networks10.1155/2023/69219602023Online publication date: 31-Jan-2023
    • (2023)SoK: A Systematic Review of TEE Usage for Developing Trusted ApplicationsProceedings of the 18th International Conference on Availability, Reliability and Security10.1145/3600160.3600169(1-15)Online publication date: 29-Aug-2023
    • (2023)End-to-End Security for Distributed Event-driven Enclave Applications on Heterogeneous TEEsACM Transactions on Privacy and Security10.1145/359260726:3(1-46)Online publication date: 26-Jun-2023
    • (2023)SoK: A Comprehensive Evaluation of 2FA-based Schemes in the Face of Active Concurrent Attacks from User TerminalProceedings of the 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks10.1145/3558482.3590183(175-186)Online publication date: 29-May-2023
    • Show More Cited By

    View Options

    Login options

    View options

    PDF

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader

    Media

    Figures

    Other

    Tables

    Share

    Share

    Share this Publication link

    Share on social media