Keyjacking: the surprising insecurity of client-side SSL

Marchesini, John; Smith, Sean W.; Zhao, Meiyuan

doi:10.1016/j.cose.2004.06.014

Cited by 20 publications

(13 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The keyboard input information that is stored in the internal buffer uses the encoded key already received to encode in a block-encoding format. The control of the security input window directly reads in the keyboard input information from the keyboard security driver and uses it on the encoded key to provide it to an application program after a decoding process [8].…”

Section: Software Approachmentioning

confidence: 99%

The study on end-to-end security for ubiquitous commerce

Chang

2010

J Supercomput

View full text Add to dashboard Cite

Traditional authentication systems used to protect access to online services are vulnerable by using various types of keyboard hacking tools at application-level and kernel-level. This study has been carried out for the purpose to secure keyboard input information at end to end area between the keyboard hardware and the computer main system. For this, we found out security vulnerabilities at kernel-level in accordance with the input information processing procedure by using risk analysis based technology methodology. To secure derived vulnerabilities we have designed a couple of detailed system components such as debug interrupt exception processing, 'JUMP' code insertion, keyboard input encryption and direct transmission. As the consequence of security evaluation on our proposed technologies, we have got experiment results better than literature studies in the confidentiality experiment and the comparison experiment (regarding authentication and access control) about various information invasion tools. We expect that our research would be able to contribute to follow-up study not only to prevent leaking about keyboard input information but also to secure important information in ubiquitous commerce applications.

show abstract

Section: Software Approachmentioning

confidence: 99%

The study on end-to-end security for ubiquitous commerce

Chang

2010

J Supercomput

View full text Add to dashboard Cite

show abstract

“…RSA's SecureID [12] adds an additional factor of authentication, although deploying tokens may not be appropriate for all organizations. Smartcards and USB PKI tokens face similar cost and logistical challenges; moreover, a compromised workstation can take advantage of the access to the user's keypair, even with userand system-level controls in place [7]. Instead of reducing the size of the Trusted Computing Base (TCB) to fit a secure co-processing unit as in the SHEMP project [6], our work uses an external device (i.e.…”

Section: Related Workmentioning

confidence: 99%

“…Alice could use a PKI-equipped USB token-but this requires that W contain drivers for this token, and (what's worse) can expose Alice's key to malicious use by W [7].…”

Section: System Designmentioning

confidence: 99%

PorKI: Portable PKI Credentials via Proxy Certificates

Pala

Sinclair

Smith

2011

Public Key Infrastructures, Services and Applications

View full text Add to dashboard Cite

Abstract. Authenticating human users using public key cryptography provides a number of useful security properties, such as being able to authenticate to remote party without giving away a secret. However, in many scenarios, users need to authenticate from a number of client machines, of varying degrees of trustworthiness. In previous work, we proposed an approach to solving this problem by giving users portable devices which wirelessly issue temporary, limited-use proxy certificates to the clients. In this paper, we describe our complete prototype, enabling the use of proxy credentials issued from a mobile device to securely authenticate users to remote servers via a shared (or otherwise not trusted) device. In particular, our PorKI implementation combines out-of-band authentication (via 2D barcode images), standard Proxy Certificates, and platform attestation to provide usable and secure temporary credentials for web-based applications.

show abstract

“…Indeed, the keyjacking work by Marchesini et al showed that keys stored on the Spyrus Rosetta USB token and the Aladdin eToken were vulnerable to attack through the Windows CryptoAPI (CAPI) system, which those devices use to enable the interface between the private key and applications on the workstation [11]. PKI devices such as these do not aid the user in making trust decisions, nor do they offer relying parties with a way to judge whether the private key may have been subjected to keyjacking by a malicious workstation.…”

Section: Prior Workmentioning

confidence: 99%

“…The keyjacking work of Marchesini et al showed that conditions #1 and #2 fail in situations satisfying #3 [11]. However, even if an enterprise solves the problem of securing a user's private keys at one standard machine, it is still necessary to make user PKI portable, and to accommodate the fact that not all machines in the enterprise will have the same level of trustworthiness.…”

Section: Introductionmentioning

confidence: 99%

PorKI: Making User PKI Safe on Machines of Heterogeneous Trustworthiness

Sinclair

Smith

21st Annual Computer Security Applications Conference (ACSAC'05)

Self Cite

View full text Add to dashboard Cite

As evidenced by the proliferation of phishing attacks and keystroke loggers, we know that human beings are not wellequipped to make trust decisions about when to use their passwords or other personal credentials. Public key cryptography can reduce this risk of attack, because authentication using PKI is designed to not give away sensitive data. However, using private keys on standard platforms exposes the user to "keyjacking"; mobile users wishing to use keypairs on an unfamiliar and potentially untrusted workstation face even more obstacles.In this paper we present the design and prototype of PorKI, a software application for mobile devices that offers an alternative solution to the portable key problem. Through the use of temporary keypairs, proxy certificates, and wireless protocols, PorKI enables a user to employ her PKI credentials on any Bluetoothenabled workstation, including those not part of her organization's network, and even those that might be malicious. Moreover, by crafting XACML policy statements that limit the key usage to the workstation's trustworthiness level, and inserting these statements into extensions of the proxy certificates, PorKI provides the user or the relying party with the ability to limit the amount of trust that can be put in the temporary keypair used on that workstation, and thus the scope of a potential compromise.

show abstract

Keyjacking: the surprising insecurity of client-side SSL

Cited by 20 publications

References 4 publications

The study on end-to-end security for ubiquitous commerce

The study on end-to-end security for ubiquitous commerce

PorKI: Portable PKI Credentials via Proxy Certificates

PorKI: Making User PKI Safe on Machines of Heterogeneous Trustworthiness

Contact Info

Product

Resources

About