A proof of concept implementation of a securee-commerce authentication scheme

C. Latze1, A. Ruppen1, U. Ultes-Nitsche1

1University of FribourgFaculty of Science

Departement of InformaticsTNS

ISSA

Latze,Ruppen,Ultes-Nitsche (University of Fribourg)secure e-commerce authentication Jul 09 1 / 17

Structure

1 Introduction

2 Stronger authenticationTPM based solutionsMobile Cell Phone based solutions

3 Conclusion

Latze,Ruppen,Ultes-Nitsche (University of Fribourg)secure e-commerce authentication Jul 09 2 / 17

Introduction

Inroduction

MotivationE-commerce application are gaining popularity.Users are not aware of the security risks.Protecting the users from attacks like phishing, pharming orman-in-the-middle is of main importance in online business.

HoweverThe solution should be simple for the user.The solution should really increase the security.The solution should have a low cost :

for the customer and alsofor the e-commerce provider

Latze,Ruppen,Ultes-Nitsche (University of Fribourg)secure e-commerce authentication Jul 09 4 / 17

Introduction

Making e-commerce applications more secureWhat can be considered as secure ?

The root of trustSoftware is not really trustworthy ?So where can we define the ”Root of Trust” ?The only remaining solution is hardware.

This can either be some hardware bound to the computer orsome hardware bound to the e-commerce application.

Computer bound hardware might be the Trusted Platform Module(TPM).Application bound hardware might be a mobile cell phone.

Latze,Ruppen,Ultes-Nitsche (University of Fribourg)secure e-commerce authentication Jul 09 5 / 17

Introduction

Implied hardware

Trusted Platform Module (TPM)A TPM is a small trusted chip, build into most of the computersbuild today.It has been specified by the Trusted Computing Group (TCG).It provides secure storage for keys and hashes and some basiccryptographic functions.It is the root of trust.

Mobile phoneEnhanced SIM cards like those from SanDisk.Multimedia cards from Gemalto.One-Time-Passwords (OTP) sent by SMS.

Latze,Ruppen,Ultes-Nitsche (University of Fribourg)secure e-commerce authentication Jul 09 6 / 17

Stronger authentication

Architecture

PHP

C

MySQL

Gammu

C

TPMMobile Phone BrowserClient

Server

Latze,Ruppen,Ultes-Nitsche (University of Fribourg)secure e-commerce authentication Jul 09 8 / 17

Stronger authentication TPM based solutions

SolutionsAuthentication using a TPM

A TPM based solutionThe TPM is the root of trust.The TPM based solution secures the line between the user andthe e-commerce application.It is based on a three way handshake protocol.Later (not implemented) the keys for the SSL session-keys shouldbe exchanged over this secure line.

Latze,Ruppen,Ultes-Nitsche (University of Fribourg)secure e-commerce authentication Jul 09 9 / 17

SolutionsAuthentication using a TPM

A TPM based solutionThe TPM is the root of trust.The TPM based solution secures the line between the user andthe e-commerce application.It is based on a three way handshake protocol.Later (not implemented) the keys for the SSL session-keys shouldbe exchanged over this secure line.

2009

-07-

06

secure e-commerce authenticationStronger authentication

TPM based solutionsSolutions

• Successor of the Trusted Computing Platform Alliance.

• Founded in 2007.

• Counts actually 170 members around the world.

• Has developed multiple specifications in the trusted computing domain,including specifications for

– servers,– storage,– clients and– mobile devices.

• The most known specification is the TPM specification.

• The TPM is a small chip which guaranties protecting a users secrets(aka private keys).

• Each TPM has a unique endorsement key.

• The chip is very cheap.

• It is not a cryptographic accelerator.

Stronger authentication TPM based solutions

Authentication using a TPM3-way handshake protocol

Latze,Ruppen,Ultes-Nitsche (University of Fribourg)secure e-commerce authentication Jul 09 10 / 17

Stronger authentication Mobile Cell Phone based solutions

SolutionsAuthentication using a Trustable Mobile Device

Cell phone based solutionsThe cell phone is the root of trust.One of the solution uses a mutual transaction confirmation overSMS.The other solution is based on a one-time-password received bySMS.Both solutions give the user a second independant channelmaking the authentiation/confirmation strong.

Latze,Ruppen,Ultes-Nitsche (University of Fribourg)secure e-commerce authentication Jul 09 11 / 17

Stronger authentication Mobile Cell Phone based solutions

Authentication using a Trustable Mobile DeviceMutual Transaction Confirmation

Latze,Ruppen,Ultes-Nitsche (University of Fribourg)secure e-commerce authentication Jul 09 12 / 17

Stronger authentication Mobile Cell Phone based solutions

Authentication using a Trustable Mobile DeviceSMS One-Time-Password (OTP)

Latze,Ruppen,Ultes-Nitsche (University of Fribourg)secure e-commerce authentication Jul 09 13 / 17

Conclusion

EvalutionPerformance of the system

The system is only as good as its perfomance.The mean authentication time using the TPM solution is 4.5seconds.The mean authentication time for mutual transaction confirmationis 27.1 seconds.The mean authentication time for One-time-passwords over SMSis 19.5 seconds.

Latze,Ruppen,Ultes-Nitsche (University of Fribourg)secure e-commerce authentication Jul 09 15 / 17

Conclusion

EvaluationSecurity

All three protocols behaves well and are secure.The security of the TPM mutual authentication was proven usingthe AVISPA framework.

Latze,Ruppen,Ultes-Nitsche (University of Fribourg)secure e-commerce authentication Jul 09 16 / 17

Conclusion

Conclusion

The presented protocols are usable in practice.The implementation can be done transparent to the user.The protocol introduces a new degree of complexity.The level of security needed depends on the nature of theapplication.

Latze,Ruppen,Ultes-Nitsche (University of Fribourg)secure e-commerce authentication Jul 09 17 / 17