The document presents a proof of concept for a secure e-commerce authentication scheme, focusing on user protection against attacks like phishing and pharming. It discusses the use of hardware-based solutions, particularly Trusted Platform Module (TPM) and mobile devices, to ensure a higher level of security through methods like three-way handshake protocols and one-time passwords. The evaluation indicates that all proposed protocols exhibit good security and usability, with varying authentication times.

1. A proof of concept implementation of a secure
e-commerce authentication scheme
C. Latze1, A. Ruppen1, U. Ultes-Nitsche1
1University of Fribourg
Faculty of Science
Departement of Informatics
TNS
ISSA
Latze,Ruppen,Ultes-Nitsche (University of Fribourg)secure e-commerce authentication Jul 09 1 / 17
Structure
1 Introduction
2 Stronger authentication
TPM based solutions
Mobile Cell Phone based solutions
3 Conclusion
Latze,Ruppen,Ultes-Nitsche (University of Fribourg)secure e-commerce authentication Jul 09 2 / 17

2. Introduction
Inroduction
Motivation
E-commerce application are gaining popularity.
Users are not aware of the security risks.
Protecting the users from attacks like phishing, pharming or
man-in-the-middle is of main importance in online business.
However
The solution should be simple for the user.
The solution should really increase the security.
The solution should have a low cost :
for the customer and also
for the e-commerce provider
Latze,Ruppen,Ultes-Nitsche (University of Fribourg)secure e-commerce authentication Jul 09 4 / 17
Introduction
Making e-commerce applications more secure
What can be considered as secure ?
The root of trust
Software is not really trustworthy ?
So where can we define the ”Root of Trust” ?
The only remaining solution is hardware.
This can either be some hardware bound to the computer or
some hardware bound to the e-commerce application.
Computer bound hardware might be the Trusted Platform Module
(TPM).
Application bound hardware might be a mobile cell phone.
Latze,Ruppen,Ultes-Nitsche (University of Fribourg)secure e-commerce authentication Jul 09 5 / 17

3. Introduction
Implied hardware
Trusted Platform Module (TPM)
A TPM is a small trusted chip, build into most of the computers
build today.
It has been specified by the Trusted Computing Group (TCG).
It provides secure storage for keys and hashes and some basic
cryptographic functions.
It is the root of trust.
Mobile phone
Enhanced SIM cards like those from SanDisk.
Multimedia cards from Gemalto.
One-Time-Passwords (OTP) sent by SMS.
Latze,Ruppen,Ultes-Nitsche (University of Fribourg)secure e-commerce authentication Jul 09 6 / 17
Stronger authentication
Architecture
PHP
C
MySQL
Gammu
C
TPM
Mobile Phone BrowserClient
Server
Latze,Ruppen,Ultes-Nitsche (University of Fribourg)secure e-commerce authentication Jul 09 8 / 17

4. Stronger authentication TPM based solutions
Solutions
Authentication using a TPM
A TPM based solution
The TPM is the root of trust.
The TPM based solution secures the line between the user and
the e-commerce application.
It is based on a three way handshake protocol.
Later (not implemented) the keys for the SSL session-keys should
be exchanged over this secure line.
Latze,Ruppen,Ultes-Nitsche (University of Fribourg)secure e-commerce authentication Jul 09 9 / 17
Solutions
Authentication using a TPM
A TPM based solution
The TPM is the root of trust.
The TPM based solution secures the line between the user and
the e-commerce application.
It is based on a three way handshake protocol.
Later (not implemented) the keys for the SSL session-keys should
be exchanged over this secure line.
2009-07-06
secure e-commerce authentication
Stronger authentication
TPM based solutions
Solutions
• Successor of the Trusted Computing Platform Alliance.
• Founded in 2007.
• Counts actually 170 members around the world.
• Has developed multiple specifications in the trusted computing domain,
including specifications for
– servers,
– storage,
– clients and
– mobile devices.
• The most known specification is the TPM specification.
• The TPM is a small chip which guaranties protecting a users secrets
(aka private keys).
• Each TPM has a unique endorsement key.
• The chip is very cheap.

5. Stronger authentication TPM based solutions
Authentication using a TPM
3-way handshake protocol
Latze,Ruppen,Ultes-Nitsche (University of Fribourg)secure e-commerce authentication Jul 09 10 / 17
Stronger authentication Mobile Cell Phone based solutions
Solutions
Authentication using a Trustable Mobile Device
Cell phone based solutions
The cell phone is the root of trust.
One of the solution uses a mutual transaction confirmation over
SMS.
The other solution is based on a one-time-password received by
SMS.
Both solutions give the user a second independant channel
making the authentiation/confirmation strong.
Latze,Ruppen,Ultes-Nitsche (University of Fribourg)secure e-commerce authentication Jul 09 11 / 17

6. Stronger authentication Mobile Cell Phone based solutions
Authentication using a Trustable Mobile Device
Mutual Transaction Confirmation
Latze,Ruppen,Ultes-Nitsche (University of Fribourg)secure e-commerce authentication Jul 09 12 / 17
Stronger authentication Mobile Cell Phone based solutions
Authentication using a Trustable Mobile Device
SMS One-Time-Password (OTP)
Latze,Ruppen,Ultes-Nitsche (University of Fribourg)secure e-commerce authentication Jul 09 13 / 17

7. Conclusion
Evalution
Performance of the system
The system is only as good as its perfomance.
The mean authentication time using the TPM solution is 4.5
seconds.
The mean authentication time for mutual transaction confirmation
is 27.1 seconds.
The mean authentication time for One-time-passwords over SMS
is 19.5 seconds.
Latze,Ruppen,Ultes-Nitsche (University of Fribourg)secure e-commerce authentication Jul 09 15 / 17
Conclusion
Evaluation
Security
All three protocols behaves well and are secure.
The security of the TPM mutual authentication was proven using
the AVISPA framework.
Latze,Ruppen,Ultes-Nitsche (University of Fribourg)secure e-commerce authentication Jul 09 16 / 17

8. Conclusion
Conclusion
The presented protocols are usable in practice.
The implementation can be done transparent to the user.
The protocol introduces a new degree of complexity.
The level of security needed depends on the nature of the
application.
Latze,Ruppen,Ultes-Nitsche (University of Fribourg)secure e-commerce authentication Jul 09 17 / 17