Augmenting Internet-based Card Not Present Transactions with Trusted Computing: An Analysis (Vol 2)

Shane Balfe and Kenneth G. Paterson

(2008)

Shane Balfe and Kenneth G. Paterson (2008) Augmenting Internet-based Card Not Present Transactions with Trusted Computing: An Analysis (Vol 2).

Abstract

In this paper, we demonstrate how Trusted Computing technology can be used to enhance the security of Internet-based Card Not Present (CNP) transactions. We take a pragmatic approach, focusing here on exploiting features of Trusted Computing as it is being deployed today. Thus we rely only on the presence of client-side Trusted Platform Modules, rather than upon the "idealised" deployment in which Trusted Computing functionality is fully integrated with OS and CPU, and which still seems to be a distant prospect. In essence, our approach uses features of the Public Key Infrastructure that is inherent in Trusted Computing to build lightweight client-side enrollment and certification processes; public key certificates are then used to underpin authentication for CNP payments. Using this approach we demonstrate how Trusted Platform Module (TPM) enabled platforms can integrate with SSL and 3-D Secure. We discuss the threats to CNP transactions that remain even with our enhancements in place, focussing in particular on the threat of malware, and how it can be ameliorated.

Information about this Version

This is a Published version
This version's date is: 07/03/2008
This item is peer reviewed

Link to this Version

https://repository.royalholloway.ac.uk/items/2769c9b4-1f56-b98d-531d-9413c1e00b70/1/

Item Type: Monograph (Technical Report)
Title: Augmenting Internet-based Card Not Present Transactions with Trusted Computing: An Analysis (Vol 2)
Authors: Balfe, Shane; Paterson, Kenneth G.
Departments: Faculty of Science\Mathematics

Deposited on 12-Jul-2010 in Royal Holloway Research Online. Last modified on 13-Dec-2010.
