Darko Kirovski and Christopher A. Meek
23 April 2009
When logging on to a remote server from a distrusted terminal, one can leak secrets such as passwords and account data to various forms of malware. To address this problem, we adopt an existing approach: using a trusted personal device as the interface through which users enter their login credentials. In our proposal, such a device would send the credentials to a server using a tunneled TLS session routed via the distrusted terminal. The tunneling would be done within an existing TLS session established between the terminal's browser and the server. Upon validating the credentials, the server would enable the terminal to access the user account. Consequently, the terminal would never see the login credentials in plaintext. We show that the proposed protocol resists arbitrary key-loggers, phishing agents, cross-site scripting, and invasive virtual machines. As a powerful and surprising application, if the distrusted terminal is at a point-of-sale, the trusted device could use our protocol to execute a payment with it. The user experience for this payment engine is similar to a payment with a traditional credit card.
© 2008 Microsoft Corporation. All rights reserved.
Journal: MSR Technical Report