Shane Balfe and Kenneth G. Paterson (2008) Augmenting Internet-based Card Not Present Transactions with Trusted Computing: An Analysis (Vol 2).
Full text access: Open
In this paper, we demonstrate how Trusted Computing technology can be used to enhance the security of Internet-based Card Not Present (CNP) transactions. We take a pragmatic approach, focusing here on exploiting features of Trusted Computing as it is being deployed today. Thus we rely only on the presence of client-side Trusted Platform Modules, rather than upon the "idealised" deployment in which Trusted Computing functionality is fully integrated with OS and CPU, and which still seems to be a distant prospect. In essence, our approach uses features of the Public Key Infrastructure that is inherent in Trusted Computing to build lightweight client-side enrollment and certification processes; public key certificates are then used to underpin authentication for CNP payments. Using this approach we demonstrate how Trusted Platform Module (TPM) enabled platforms can integrate with SSL and 3-D Secure. We discuss the threats to CNP transactions that remain even with our enhancements in place, focussing in particular on the threat of malware, and how it can be ameliorated.
This is a Published version. This version's date is: 07/03/2008. This item is peer reviewed.
https://repository.royalholloway.ac.uk/items/2769c9b4-1f56-b98d-531d-9413c1e00b70/1/
Deposited on 12-Jul-2010 in Royal Holloway Research Online. Last modified on 13-Dec-2010.