Securing a Remote Terminal Application with a Mobile Trusted Device

Alina Oprea
Carnegie Mellon University
USA

Dirk Balfanz
Palo Alto Research Center
USA

Glenn Durfee
Palo Alto Research Center
USA

Diana Smetters
Palo Alto Research Center
USA

Many real-world applications use credentials such as passwords as a means of user authentication. When accessed from untrusted public terminals, such applications are vulnerable to credential sniffing attacks, as shown by recent highly publicized compromises~\cite{jujujiang}.

In this paper, we describe a system that allows users possessing a trusted device (such as a PDA) to delegate their credentials for performing a task to a public terminal without being in danger of disclosing any long-term secrets. Instead, the user gives the terminal the capability of performing a task temporarily (as long as the user is in its proximity).

We describe one instance of such a system, in which the untrusted terminal is given temporary read-only access to just those items that the user directs by using his PDA as a trusted input device. As the user provides no input directly to the untrusted terminal, it obtains none of his long-term secrets, and its read-only access prevents it from tampering with any user data. This provides a very intuitive model by which the user exposes to the untrusted terminal only what he sees on the display, and nothing else.

We present a design and implementation of such a secure remote terminal application. The overhead -- in terms of additional network traffic -- created by introducing a trusted third party (in addition to the untrusted terminal and the remote application to be protected) is a moderate 12%.

Keywords: "trusted input" "delegation of credentials"
