{"id":13207,"date":"2021-12-07T20:47:00","date_gmt":"2021-12-08T01:47:00","guid":{"rendered":"https:\/\/carleton.ca\/scs\/?page_id=13207"},"modified":"2021-12-07T20:47:00","modified_gmt":"2021-12-08T01:47:00","slug":"tr-07-11-using-a-personal-device-to-strengthen-password-authentication-from-an-untrusted-computer-revised-march-2007","status":"publish","type":"page","link":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/tr-07-11-using-a-personal-device-to-strengthen-password-authentication-from-an-untrusted-computer-revised-march-2007\/","title":{"rendered":"TR-07-11: Using a Personal Device to Strengthen Password Authentication From an Untrusted Computer (Revised March 2007)"},"content":{"rendered":"<p>Carleton University<br \/>\n<a href=\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2007\/\">Technical Report<\/a> TR-07-11<br \/>\nMarch 29, 2007<\/p>\n<h2>Using a Personal Device to Strengthen Password Authentication From an Untrusted Computer (Revised March 2007)<\/h2>\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<p class=\"tr_t3\">Mohammad Mannan &amp; P.C. van Oorschot<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div>\n<h3>Abstract<\/h3>\n<p>Keylogging and phishing attacks can extract user identity and sensitive account information for unauthorized access to users&#8217; financial accounts. Most existing or proposed solutions are vulnerable to session hijacking attacks. We propose a simple approach to counter these attacks, which cryptographically separates a user&#8217;s long-term secret input from (typically untrusted) client PCs; a client PC performs most computations but has access only to temporary secrets. 
The user&#8217;s long-term secret (typically short and low-entropy) is input through an independent personal trusted device such as a cellphone. The personal device provides a user&#8217;s long-term secrets to a client PC only after encrypting the secrets using a pre-installed, &#8220;correct&#8221; public key of a remote service (the intended recipient of the secrets). The proposed protocol (MP-Auth) realizes such an approach, and is intended to safeguard passwords from keyloggers, other malware (including rootkits), phishing attacks and pharming, as well as to provide transaction security to foil session hijacking. We report on a prototype implementation of MP-Auth, and provide a comparison of web authentication techniques that use an additional factor of authentication (e.g. a cellphone, PDA or hardware token).<\/p>\n<p><a href=\"https:\/\/carleton.ca\/scs\/wp-content\/uploads\/TR-07-11.pdf\">TR-07-11.pdf<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Carleton University Technical Report TR-07-11 March 29, 2007 Using a Personal Device to Strengthen Password Authentication From an Untrusted Computer (Revised March 2007) Mohammad Mannan &amp; P.C. van Oorschot Abstract Keylogging and phishing attacks can extract user identity and sensitive account information for unauthorized access to users&#8217; financial accounts. 
Most existing or proposed solutions are [&hellip;]<\/p>\n","protected":false},"author":49,"featured_media":0,"parent":12385,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"","_relevanssi_noindex_reason":"","_mi_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":"","_links_to":"","_links_to_target":""},"acf":{"banner_image_type":"none","banner_button":"no"},"_links":{"self":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/13207"}],"collection":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/users\/49"}],"replies":[{"embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/comments?post=13207"}],"version-history":[{"count":1,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/13207\/revisions"}],"predecessor-version":[{"id":13208,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/13207\/revisions\/13208"}],"up":[{"embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/12385"}],"wp:attachment":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/media?parent=13207"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}