Transec, a Secure Authentication Tag Library

Lado Kumsiashvili writes, "Micromata has placed Transec, a secure authentication JSP tag library, under the GPL. While developing the Polyas (German) online voting system, Micromata invented a component for secure PIN/password input via untrusted, insecure browsers. Transec is freely embeddable and redistributable for non-commercial projects; a commercial license is also available. Spyware in the form of Browser Helper Objects and keyloggers can capture user keyboard input even if it is encrypted. Transec enables user authentication using a 100% server-side control — only images and coordinates are transferred to the untrusted browser. The browser sends coordinate information of each click on this imagemap directly back to the server, and the server responds with a new image. If the browser is infected by malware, it can't give up the PIN/password since the browser doesn't know this information. The Java code and a demo application are available at the Transec homepage." I have heard tales of malware that can grab a screen capture in the vicinity of the cursor at any mouse-click. Does anyone know if such a threat actually exists?

Then, the terrorists have already won...

Seriously now. Are we going to inconvenience ourselves just because a few programs out there do Bad Things?

The solution isn't to work around the baddies but to eliminate them altogether.

Good luck. No chance in hell.

You're dealing with people who register a domain in Uzbekistan, run the server in the Ukraine and sit in Moldavia. With these three countries being placeholders for pretty much every country from the former East Block east of Poland. Now try to get ANY kind of help from law enforcement there concerning computer crimes.

Those law enforcement organisations there have real problems to deal with, they have no spare manpower for petty things like computer crimes. I say that so I don't say they don't want to stand up against organized crime 'cause they have families.

Lots o mouse clicks

I have heard tales of malware that can grab a screen capture in the vicinity of the cursor at any mouse-click. Does anyone know if such a threat actually exists?

If so, the malware must go after specific types of clicks - for example, maybe it looks at the URL and form action to determine whether it's worth capturing the images. Otherwise, a typical day of perusing Digg articles could result in megabytes upon megabytes of captured images. And unlike text data, image data is hard to sieve for gold.

Heh...

"I have heard tales of malware that can grab a screen capture in the vicinity of the cursor at any mouse-click. Does anyone know if such a threat actually exists?"

Well, it does now.

I'm skeptic

This is assumed to counter keyloggers.
But if the bad guys have enough control of your the machine to install a keylogger, then what's going to stop them from installing a "screen logger" that keeps successive screenshots in a special directory on the hard disk.

This "new" product does not work around the principle that software cannot secure a computer for which you adversary has physical access.

Screen Capture

I have heard tales of malware that can grab a screen capture in the vicinity of the cursor at any mouse-click. Does anyone know if such a threat actually exists?

I've heard about it many times as well and even seen a proof-of-concept.

Anyway, it could easily be implemented, and that's the point. I think a good solution would be Deja Vu [zdnet.com] or something similar, with lots of information (tens of known pictures), so that you need to grab lots of screenshots before actually having a chance.

But even in Deja Vu, you're only delaying the attack. With enough information, it is possible to crack it too.

Why can't we have a TCB that is really Trusted? A secure operating system is all that takes to divert these attacks (granted it's easier said than done).

Re:Screen Capture

Why can't we have a TCB that is really Trusted? A secure operating system is all that takes to divert these attacks (granted it's easier said than done).

How do you know the operating system in a particular machine is actually the Trusted version, and not a hacked version that's masquerading as the trusted one ?

I don't get it.

Here's their demo app [micromata.de].

I don't understand why this has made it's way onto Slashdot? It's an image map. With a PIN pad. Besides the fact it looks like a solution looking for a problem, I don't see the innovation. This could very easily be replicated in praticially any web scripting language of your choice.

Re:I don't get it.

This could very easily be replicated in praticially any web scripting language of your choice.
Exactly. It doesn't require any client-side processing. That's the beauty of it. This means you can TURN OFF javascript and it will still work.

As for the innovation- it allows a user to enter their pin while reducing the chance that it's snooped by malware, which is a Good Thing. It also makes it a lot harder for said malware to replicate the response compared to keyboard entry- because in addition to protecting your code, it also acts as a (primitive) captcha, making reasonably sure that whoever is entering the code is human.

Doesn't ING direct already do something like this?

When I log on to my account, instead of typing in a PIN, I press buttons on a "virtual" keypad, ie a bunch of images. They will also randomly assign letters to each number(different every time you log in) so you can still type them if you want without a keylogger figuring out what your pin is.

One time pads. The only solution.

When I log on to my account, instead of typing in a PIN, I press buttons on a "virtual" keypad, ie a bunch of images. They will also randomly assign letters to each number(different every time you log in) so you can still type them if you want without a keylogger figuring out what your pin is.

The trouble is, anyone who owns your PC and has installed a keylogger can just as easily spy on your display and see what you are clicking.

Sometimes I would swear my brain explodes at our slowness to learn.

The only true solution is one time pads. They are unhackable, and only a minor inconvenience.

I would give blood to be able to use a one time pad for my online banking. The trouble is, the industry, and Joe Public, still don't take IT security seriously. And this is totally a mindset. Some marketing guru should wake up to the possibilities of the one time pad - potentially the greatest chick puller since the circular waterbed - and get us the hell out of this horrendous hacky world.

Java GPL Domino game ?

With Java implementations being now under GPLv2 (and could go to v3 when ready), are we about to see some domino effect ?

Let's "GPL the world" !

Not sure MS will like this game .... maybe they should bring a new TLD : .bin :P

Randomly rotated?

Probably a mistake in the article... but if they just randomly rotate the keypad, then
take (mouse x-min(mouse x))/key size, and you get 10 possible pins. Try 10, and you are done.

If they randomly permute, then things would be a bit harder. If they randomly permute and have OCR-resistant digits, the pin would be very secure (though, if enough money is involved, a cracker would probably be ready to actually look at the image...)

nothing new here

nothing new here, china has been doing it for online payments for the last few years, some are activex, some are javascript, some are java. but all i know is that they piss me off from a usability point. but in this context of a voting booth i guess it would be touch screens?

The French bank Société Généra

... in a slightly (and IMHO better) way. Try the following: go to https://logitelnet.socgen.com/ [socgen.com], then enter a bogus 8-digit client number like 12345678 in the upper left entry (below "Code client"), and validate. The system then asks for your PIN using a random keypad. Not only does the position of the keys change, but also the position of the keypad on the page. Of course it doesn't defeat screen grabbing but it's enough for mouse/key loggers.

OPIE

Using images as a PIN-code isn't making things much more secure, if the same images are used every time. The credentials are still sent in a way that can be logged. It's just an extra annoyance for those who want to steal your password.

I use one-time passwords for accessing my home computer over SSH. Anyone can log my keystrokes, or look over my shoulder how much they want. The password is generated by an OPIE client running on my cell phone, and is valid only once.

OPIE clients run on virtually any kind of device. Just as long as you don't run it on the actual computer which you use to access the server, this is a more secure solution.

Using OPIE on untrusted servers would still present the security problem of initial passphrase synchronization between server and OPIE client - unless the passphrase is sent to the user by some secure channel, unlikely to be snooped.

Yes, such a threat exists

Without breaking NDAs I can verify that such malware exists, in the wild. So far this functionality (taking screenshots) has not been used widely, but the necessary functions are there, screenshots are taken, it's just not been necessary to use them.

Picture shots would certainly increase security and raise the bar for malware writers. Current BHOs are able to manipulate the data stream on the fly, so you can never be sure what you send to your bank, and whether the data your bank sends to you is actually also displayed. With a picture, this becomes harder to manipulate.

Harder. Not impossible. Many malware BHO families are already prepared for this kind of defense and are working on a way around it (or already found a way around it). Any claim to make malware impossible is a lot of smoke screen and even more snake oil. The best defense against such attacks are still:

1. Using non-mainstreamy software. Malware is a business, target is the mass market. So the further you're from the "masses", the higher the chance that the malware can't strike you. Using Firefox instead of the omnipresent IE is a good step. Defeats a good deal of malware. Taking a step further and using a Mac or Linux almost eliminates the threat. That doesn't mean MacOS or Linux are more secure (I'll spare you and me the discussion), that simply means that their market share is smaller and thus it is less interesting for malware writers.

2. Using a brain when connecting to the 'net. Clicking everything and using mainstream apps is a surefire way to catch some kind of infection. Even with current anti-malware tools installed. No antivirus is able to catch everything (and they usually are at least one day behind the malware writers). No security tool is able to intercept all invasion attempts (Windows simply offers way too many entry points). Software is no replacement for brains and common sense.

a bit futile isn't it?

I don't get it...
Why not use something like this:
http://www.vasco.com/products/product.html?product =48&VSID=6d7fc48bd716da9ea9996168a1d6880b [vasco.com]
It's a little calculator-like device, which only changes one 6-digit number into another 6-digit number. I don't know the workings behind it, but it's a unique calculation per device, and they're cheap and easy to use.
You just log into a webpage, enter the number on the back or a logincode if the number is registered to a login, input the (changing per page-reload) 6-digit number on the screen onto the calculator, type in the code you receive from the little thing onto the webpage, and you're in.
Anyone who would want to hack the account, would have to have physical access to your particular calculator, know the pass of the calculator, and be able to interpret the numbers on the screen (guess that screenshot-taking malware could do that part). No way any piece of malware could get thru this.
If someone hacks their way into your account with this security thing, You'd have some serious other problems to worry about, like getting rid of that rope around your wrists, tied to the chair you're sitting on with an apple lodged in your mouth :/

Perhaps it'd be interresting if a government could supply these things to their citizens, and have 1 webpage they could do everything on, from filling in their tax forms, to change a home address etc.

Broken by design.

At least in their demo the entropy in the assignment between the coordinates and the numbers input is completely missing. Not a good "encryption" or "security" scheme.

Itaú in Brazil has something similar but bett

Their scheme it like this: when they ask you for your PIN, they give you a keyboard which has buttons like [1 or 4], [3 or 5], [2 or 8], so there are five buttons. You can input your password even with someone looking over your shoulder and they won't know what your password is, because the buttons are ambiguous and the numbers are grouped randomly. They would have to be able to watch you a few times until they can be sure of your password. This reduces the search space for a brute force attack, but as the account is locked up after three incorrect tries, it doesn't really matter.

Not that it helps much anyway. A man in the middle attack will defeat this easily, where the bad guy will just proxy whatever challenge he gets from the bank and get access to his account. We need to make users less stupid - good luck fixing that!

Not secure

The image is a map, when you click it, coordinates are POSTed to the server, that replies with a new image.
Grab the coordinates and the image, and you can stich together the password with close to no effort.

And the blind...

Are supposed to log in how?

Another Solution

If you're looking for a solution that will remain secure even with a keylogger, screengrabber, person over your shoulder or CIA microwave monitor tap try...

1. Please enter your username
2. Please enter the 2nd and 6th letter of your password.

Randomize the digits asked for in 2 and hide password fields.

Not usable by the blind

At the risk of starting another flame war about why we should care about the blind...This system is unusable by the blind using a screen reader. You are unable to detect the location of the "buttons". I tested it with both the MacOS built in screen reader (VoiceOver) and a window add on (Jaws) screen reader.

So, in the U.S.,unless your looking to have the National Federation of the Blind, American Council of the Blind or the Justice Department come after you in court you would be well advised not to implement it in a commercial setting unless you have an alternate means of providing services.

And no, providing a physical store thirty miles down the road is not an alternate means, the blind don't drive remeber?

obvious and bad

The reason people aren't using this more widely even though it's obvious is that it's also not a very good solution, for many reasons.

If you want something secure, use one time passwords or an authentication token.

And if you think you might have spyware on your computer, reinstall, preferably an operating system that is less susceptible.

what is it about voting machine companies?

While developing the Polyas (German) online voting system,

Why do those companies seem to attract the most incompetent developers?

Micromata invented a component

[sarcasm]What else did the "invent"? The mouse? Sex? Combining peanut butter and jelly?[/sarcasm] Using these kinds of inputs has a long tradition.

for secure PIN/password input via untrusted, insecure browsers.

It's not secure, not even close to it. And it has big usability problems. The approach is of some use in some applications, but for an on-line voting system, there are so much better things you can do, like send people a list of one-time passwords along with their voter registration card.

Of course, that presumes that on-line voting is even a good idea, which it isn't.

Secure Keyboard Idea

I had this idea for a secure keyboard. You could make a keyboard (or adapter dongle) which is capable of encrypting each character you type with a public key (PGP style). Once you browse to a secure site that supports it, a browser plugin would send your keyboard the public key and the keyboard would then encrypt everything you type using that key and the browser will send the result directly back to the website. You'd have to use a protocol that lets you detect a man in the middle attack (and I'm sure they must exist).

There's probably some massive flaw with this idea that I haven't thought of? :)

JavaServer Pages?

They are still widely in use, but if you are up-to-date in Java web application technologies, you are probably aware that JSP is dead. This is not a troll. JSP is rapidly being pushed out by alternatives like Facelets [java.net] (which is used to define JavaServer Faces [sun.com] views), Tapestry [apache.org], and Wicket [sourceforge.net]. All of these are XML, disallow any logic in the view (thus encouraging proper MVC), and do not require a mountain of boilerplate code to extend [sun.com]. Why anyone would use JSP these days is totally beyond my understanding. Confusing and hard to maintain, JSP is rapidly diminishing and releasing a new library targeting it is like announcing some great new technology for Windows 95.

Biggest Problem

For those of use that suffer with Section 508 accessibility requirements, using this technology in voting and other (U.S.) government applications would be a show stopper. A screen reader would not be able to interpret the images, and if you put ALT="Your PIN is 1234", that defeats the whole purpose.

Data over non SSL/TLS being secure?

This approach does not fly with me, I wouldn't use it in a million years.

Malware screen grabbing...

I have heard tales of malware that can grab a screen capture in the vicinity of the cursor at any mouse-click. Does anyone know if such a threat actually exists?

It's definitely possible to write a screen capture program that can copy a region, window or even the entire screen. There are numerous shareware programs which will allow you to do this. Some even allow you to perform screen-grabs across the network. Even the MSDN developers CD proved an example program to do this. Other programs
demonstrate how to intercept the main keyboard event handler, so you can implement hot-key applications.
So combining the two is theoretically possible.

But why bother grabbing the screen - most passwords just show up as *******'s anyway, so all a malware writer has
to do is log keyboard events.

Security by unavailability

The demo page is full of typo errors and it just doesn't work with Firefox. Now THAT is secure since nothing goes anywhere...

GPL: Non-Proprietary != Non-commercial

Obviously, they are dual licensing the software, but they need to make a clearer distinction between the two licenses. The (presumedly fee-based) proprietary use license allows closed source redistribution. But both GPLv1 or GPLv2 require redistribution to be open source, and prohibit use restrictions.

But then they wouldn't be the first to misunderstand the term "proprietary" to mean "commercial". If I'm wrong, Redhat needs to give me my money back.

Keyboardless computing?

It seems like every time someone mentions keyboardless computing I have ten more web forms with required text fields to type into.