Atanas Filyanov’s research while affiliated with Ruhr-Universität Bochum and other places


Publications (4)


Figure 1: Secure GUI status bar (at the bottom) indicating the current active compartment
POSTER: On the Usability of Secure GUIs
  • Conference Paper
  • Full-text available

July 2013 · 110 Reads · 1 Citation

Atanas Filyanov · Aysegül Nas

Secure GUIs have been proposed in the literature, and few commercial products implement their concepts. One of these concepts is to provide a reserved area on screen where the name and trustworthiness (or security level) of the application that currently has the user's input/output focus is shown. While usability studies in the context of web browsers and phishing have shown that passive security indicators do not effectively protect users, usability studies on the operating system level for secure GUIs have not been conducted, to the best of our knowledge. With our research we try to shed light on this situation. We study two different approaches to displaying the reserved area as a trusted status bar. The approaches we evaluated support executing different virtual machines (compartments) with varying security sensitivity. Our results show that the status bar—independent of whether it is displayed at the top or the bottom of the screen—enables participants to select the proper compartment in two of three cases.


Fig. 1. Integration of an SEE-based cryptographic token.
Fig. 3. System component interaction during normal operation.
Fig. 4. Protocol extension for PIN-caching.
Softer Smartcards

February 2012 · 62 Reads · 3 Citations

Franz Ferdinand Brasser · Sven Bugiel · Atanas Filyanov · [...]

Cryptographic smartcards provide a standardized, interoperable way for multi-factor authentication. They bridge the gap between strong asymmetric authentication and short, user-friendly passwords (PINs), and protect long-term authentication secrets against malware and phishing attacks. However, to prevent malware from capturing entered PINs, such cryptographic tokens must provide secure means for user input and output. This often makes their usage inconvenient, as dedicated input keypads and displays are expensive and do not integrate with mobile applications or public Internet terminals. The lack of user acceptance is perhaps best documented by the large variety of non-standard multi-factor authentication methods used in online banking. In this paper, we explore a novel compromise between tokens with a dedicated card reader and USB- or software-based solutions. We design and implement a cryptographic token using modern secure execution technology, resulting in a flexible, cost-efficient solution that is suitable for mobile use yet secure against common malware and phishing attacks.

Figure 2. Prototype implementation of the UTP transaction confirmation.
Figure 3. Device enrollment using a Privacy CA.
Figure 6. Timeline of a typical UTP session.
Uni-directional trusted path: Transaction confirmation on just one device

July 2011 · 767 Reads · 32 Citations

Commodity computer systems today do not include a full trusted path capability. Consequently, malware can control the user's input and output in order to reveal sensitive information to malicious parties or to generate manipulated transaction requests to service providers. Recent hardware offers compelling features for remote attestation and isolated code execution; however, these mechanisms are not widely used in deployed systems to date. We show how to leverage these mechanisms to establish a "one-way" trusted path, allowing service providers to gain assurance that users' transactions were indeed submitted by a human operating the computer, instead of by malware such as transaction generators. We design, implement, and evaluate our solution, and argue that it is practical and offers immediate value in e-commerce, as a replacement for CAPTCHAs, and in other Internet scenarios.

Citations (3)


... DRTM technology has been used to securely execute critical software payloads such as SSH logins, X.509 e-mail signatures, or to protect banking secrets [16], [32], [64]. Intel TXT has also been used in combination with Intel VT to initiate a trusted hypervisor, which in turn provides multiple TEEs to the individual running VMs [63]. ...

Reference:

Mobile Trusted Computing
Softer Smartcards - Usable Cryptographic Tokens with Secure Execution
  • Citing Conference Paper
  • January 2012

... Secondly, they provide a graphical indication of the security domain of the application that currently has the input focus, which we call the current domain. The CDDC, for instance, draws an unobscurable, coloured banner at the top of the screen for this purpose, similarly to [9,15,16]. ...

POSTER: On the Usability of Secure GUIs

... Trusted path [41] provides a secure channel between the user and a trusted service, either on the local system or remote (mediated by a trusted application on the local system). Possible approaches to establishing trusted paths are trusted execution environments (TEEs) [37] such as Intel SGX, that provide isolation from an untrusted OS, or widespread transaction confirmation devices [14], where the user confirms input parameters on an external trusted device. ...

Uni-directional trusted path: Transaction confirmation on just one device