Carleton University
Technical Report TR-06-14
December 20, 2006

CROO: A Generic Architecture and Protocol to Detect Identity Fraud

D. Nali & P.C. van Oorschot

Abstract

Identity fraud (IDF) may be defined as unauthorized exploitation of credential information through the use of a false identity. We abstract the problem of IDF by defining fundamental terms, identifying major stakeholders, and modeling the generic process of IDF. We then propose CROO, a generic architecture and protocol to either prevent IDF (by detecting attempts thereof), or limit its consequences (by identifying cases of previously undetected IDF). CROO is a Capture Resilient Online One-time password scheme, whereby each user must carry a personal trusted device used to generate and send encrypted one-time passwords (OTPs) verified by online trusted parties. OTPs are generated and verified at any desired user transaction, and can be used regardless of the transaction's purpose, associated credentials, and online or on-site nature; this makes CROO a generic scheme. OTPs are combined with hashed transaction information, in a manner allowing OTP-verifying parties to confirm the transaction information's correctness; this provides a certain level of user privacy, and prevents OTPs from being used for transactions other than those for which they were intended. Each OTP is generated from a PIN-encrypted non-verifiable key; this makes users' personal devices resilient to off-line PIN-guessing attacks.
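The two mechanisms the abstract names, a transaction-bound OTP and a PIN-encrypted key that is non-verifiable off-line, are illustrated below in a simplified sketch added for this page; it is not the CROO protocol from the report. Assumptions: the device key is XOR-wrapped under a SHA-256 hash of the PIN, the OTP is an HMAC-SHA256 over a counter and the hash of the transaction string, and the verifier already holds the device key from enrolment.

```python
import hashlib
import hmac
import secrets

# Constructed illustration of the ideas in the abstract; not CROO itself.

def pin_pad(pin: str) -> bytes:
    """32-byte pad derived from the PIN (assumption: plain SHA-256)."""
    return hashlib.sha256(pin.encode()).digest()

def wrap_key(key: bytes, pin: str) -> bytes:
    """Non-verifiable wrapping: XOR with the PIN pad. Any PIN unwraps to some
    well-formed 32-byte key, so a captured blob offers no off-line test of a
    PIN guess; a wrong PIN is only noticed when the online verifier rejects."""
    return bytes(a ^ b for a, b in zip(key, pin_pad(pin)))

unwrap_key = wrap_key  # XOR is its own inverse

def otp(key: bytes, counter: int, txn: bytes) -> bytes:
    """OTP bound to one transaction: HMAC over counter || H(txn). The verifier
    sees H(txn) rather than txn, and a different txn yields a different tag."""
    msg = counter.to_bytes(8, "big") + hashlib.sha256(txn).digest()
    return hmac.new(key, msg, hashlib.sha256).digest()

class Verifier:
    """Online party that knows the device key and rejects replays."""
    def __init__(self, key: bytes):
        self.key, self.last_counter = key, 0

    def check(self, counter: int, txn: bytes, tag: bytes) -> bool:
        if counter <= self.last_counter:
            return False  # replayed or stale counter
        ok = hmac.compare_digest(tag, otp(self.key, counter, txn))
        if ok:
            self.last_counter = counter
        return ok

def demo() -> tuple:
    key = secrets.token_bytes(32)          # device key shared at enrolment
    blob = wrap_key(key, "4821")           # what an attacker captures
    verifier = Verifier(key)
    txn = b"pay merchant=ACME amount=42.00 currency=CAD"
    tag = otp(unwrap_key(blob, "4821"), 1, txn)
    accepted = verifier.check(1, txn, tag)                  # True
    replayed = verifier.check(1, txn, tag)                  # False
    altered = verifier.check(2, txn + b"0", tag)            # False: txn changed
    wrong_pin_key = unwrap_key(blob, "0000")                # still 32 bytes
    indistinguishable = len(wrong_pin_key) == 32 and wrong_pin_key != key
    return accepted, replayed, altered, indistinguishable
```

Running `demo()` returns `(True, False, False, True)`: a correct OTP is accepted once, replays and altered transactions are rejected, and a wrong PIN produces a candidate key the attacker cannot tell apart from the real one without going online.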

TR-06-14.pdf