{"id":13170,"date":"2021-12-06T19:29:10","date_gmt":"2021-12-07T00:29:10","guid":{"rendered":"https:\/\/carleton.ca\/scs\/?page_id=13170"},"modified":"2021-12-06T19:29:10","modified_gmt":"2021-12-07T00:29:10","slug":"tr-06-08-using-a-personal-device-to-strengthen-password-authentication-from-an-untrusted-computer","status":"publish","type":"page","link":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2006\/tr-06-08-using-a-personal-device-to-strengthen-password-authentication-from-an-untrusted-computer\/","title":{"rendered":"TR-06-08: Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer"},"content":{"rendered":"

Carleton University
\nTechnical Report<\/a> TR-06-08
\nMay 9, 2006<\/p>\n

Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer<\/h2>\n
\n
\n
\n
\n
\n
\n
\n
\n
\n

Mohammad Mannan & Paul C. Van Oorschot<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

\n

Abstract<\/h3>\n

Among the most significant current threats to online banking are keylogging and phishing. These attacks extract user identity and account information (e.g. userid, password) to be used later for unauthorized access to users’ financial accounts. We propose a simple approach which cryptographically separates a user’s long-term secret input from client (typically untrusted) PCs; a client PC performs most computations but has access only to temporary secrets. The user’s long-term secret (typically short and low-entropy, e.g., a password or PIN) is input through an independent personal trusted device such as a cellphone. The personal device provides a user’s long-term secrets to a client PC only after encrypting the secrets using a pre-installed, “correct” public key of a remote service (the intended recipient of the secrets). The proposed protocol (MP-Auth) realizes such an approach, and is intended to safeguard passwords from keyloggers, other malware (including rootkits), phishing attacks and pharming, as well as to provide transaction security for online banking. We also provide a comprehensive survey of web authentication techniques — both proposed in the literature and\/or developed in practice — that use an additional factor (e.g. a cellphone, PDA or hardware token) of authentication, and compare MP-Auth with these.<\/p>\n

TR-06-08.pdf<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

Carleton University Technical Report TR-06-08 May 9, 2006 Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer Mohammad Mannan & Paul C. Van Oorschot Abstract Among the most significant current threats to online banking are keylogging and phishing. These attacks extract user identity and account information (e.g. userid, password) to be used […]<\/p>\n","protected":false},"author":49,"featured_media":0,"parent":12352,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"","_relevanssi_noindex_reason":"","_mi_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":"","_links_to":"","_links_to_target":""},"yoast_head":"\nTR-06-08: Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer - School of Computer Science<\/title>\n<meta name=\"description\" content=\"Carleton University Technical Report TR-06-08 May 9, 2006 Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2006\/tr-06-08-using-a-personal-device-to-strengthen-password-authentication-from-an-untrusted-computer\/\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2006\/tr-06-08-using-a-personal-device-to-strengthen-password-authentication-from-an-untrusted-computer\/\",\"url\":\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2006\/tr-06-08-using-a-personal-device-to-strengthen-password-authentication-from-an-untrusted-computer\/\",\"name\":\"TR-06-08: Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer - School of Computer Science\",\"isPartOf\":{\"@id\":\"https:\/\/carleton.ca\/scs\/#website\"},\"datePublished\":\"2021-12-07T00:29:10+00:00\",\"dateModified\":\"2021-12-07T00:29:10+00:00\",\"description\":\"Carleton University Technical Report TR-06-08 May 9, 2006 Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer\",\"breadcrumb\":{\"@id\":\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2006\/tr-06-08-using-a-personal-device-to-strengthen-password-authentication-from-an-untrusted-computer\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2006\/tr-06-08-using-a-personal-device-to-strengthen-password-authentication-from-an-untrusted-computer\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2006\/tr-06-08-using-a-personal-device-to-strengthen-password-authentication-from-an-untrusted-computer\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/carleton.ca\/scs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Research\",\"item\":\"https:\/\/carleton.ca\/scs\/research\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"SCS Technical Reports\",\"item\":\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Technical Reports 2006\",\"item\":\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2006\/\"},{\"@type\":\"ListItem\",\"position\":5,\"name\":\"TR-06-08: Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/carleton.ca\/scs\/#website\",\"url\":\"https:\/\/carleton.ca\/scs\/\",\"name\":\"School of Computer Science\",\"description\":\"Carleton University\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/carleton.ca\/scs\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"TR-06-08: Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer - School of Computer Science","description":"Carleton University Technical Report TR-06-08 May 9, 2006 Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2006\/tr-06-08-using-a-personal-device-to-strengthen-password-authentication-from-an-untrusted-computer\/","twitter_misc":{"Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2006\/tr-06-08-using-a-personal-device-to-strengthen-password-authentication-from-an-untrusted-computer\/","url":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2006\/tr-06-08-using-a-personal-device-to-strengthen-password-authentication-from-an-untrusted-computer\/","name":"TR-06-08: Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer - School of Computer Science","isPartOf":{"@id":"https:\/\/carleton.ca\/scs\/#website"},"datePublished":"2021-12-07T00:29:10+00:00","dateModified":"2021-12-07T00:29:10+00:00","description":"Carleton University Technical Report TR-06-08 May 9, 2006 Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer","breadcrumb":{"@id":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2006\/tr-06-08-using-a-personal-device-to-strengthen-password-authentication-from-an-untrusted-computer\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2006\/tr-06-08-using-a-personal-device-to-strengthen-password-authentication-from-an-untrusted-computer\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2006\/tr-06-08-using-a-personal-device-to-strengthen-password-authentication-from-an-untrusted-computer\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/carleton.ca\/scs\/"},{"@type":"ListItem","position":2,"name":"Research","item":"https:\/\/carleton.ca\/scs\/research\/"},{"@type":"ListItem","position":3,"name":"SCS Technical Reports","item":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/"},{"@type":"ListItem","position":4,"name":"Technical Reports 2006","item":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2006\/"},{"@type":"ListItem","position":5,"name":"TR-06-08: Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer"}]},{"@type":"WebSite","@id":"https:\/\/carleton.ca\/scs\/#website","url":"https:\/\/carleton.ca\/scs\/","name":"School of Computer Science","description":"Carleton University","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/carleton.ca\/scs\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"}]}},"acf":{"banner_image_type":"none","banner_button":"no"},"_links":{"self":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/13170"}],"collection":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/users\/49"}],"replies":[{"embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/comments?post=13170"}],"version-history":[{"count":1,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/13170\/revisions"}],"predecessor-version":[{"id":13171,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/13170\/revisions\/13171"}],"up":[{"embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/12352"}],"wp:attachment":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/media?parent=13170"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}