SSL/TLS Session-Aware User Authentication — Or How to Effectively Thwart the Man-in-the-Middle

SSL/TLS Session-Aware User Authentication — Or How to Effectively Thwart the Man-in-the-Middle (2006)

Cached

Download Links

[www.inf.ethz.ch]

by Rolf Oppliger , Ralf Hauser , David Basin

Venue:	COMPUTER COMMUNICATIONS
Citations:	2 - 0 self

BibTeX

@ARTICLE{Oppliger06ssl/tlssession-aware,
    author = {Rolf Oppliger and Ralf Hauser and David Basin},
    title = {SSL/TLS Session-Aware User Authentication — Or How to Effectively Thwart the Man-in-the-Middle},
    journal = {COMPUTER COMMUNICATIONS},
    year = {2006},
    volume = {29},
    pages = {2238--2246}
}

Bookmark

OpenURL

Abstract

Man-in-the-middle attacks pose a serious threat to SSL/TLS based electronic commerce applications, such as Internet banking. In this paper, we argue that most deployed user authentication mechanisms fail to provide protection against this type of attack, even when they run on top of SSL/TLS. As a possible countermeasure, we introduce the notion of SSL/TLS session-aware user authentication, and present different possibilities for implementing it. More specifically, we start with a basic implementation that employs impersonal authentication tokens. Afterwards, we address extensions and enhancements and discuss possibilities for implementing SSL/TLS session-aware user authentication in software.

Citations

706	A.: How to prove yourself: Practical solutions to identification and signature problems - Fiat, Shamir - 1986
307	Password authentication with insecure communication - Lamport
296	A Concrete Security Treatment of Symmetric Encryption - Bellare, Desai, et al. - 1997
252	Why cryptosystems fail - Anderson - 1994
198	Chosen ciphertext attacks against protocols based on the RSA encryption standard - Bleichenbacher - 1998
175	A Practical Zero-Knowledge Protocol Fitted to Security Microprocessors Minimizing Both Transmission and Memory - Guillou, Quisquater - 1988
111	The battle against phishing: dynamic security skins - Dhamija, Tygar - 2005
100	Inductive Analysis of the Internet Protocol TLS - Paulson - 1997
71	Finite-State Analysis of SSL 3.0 - Mitchell, Shmatikov, et al. - 1998
64	Trusted paths for browsers - Ye, Smith, et al. - 2005
55	OFMC: A symbolic model checker for security protocols - Basin, Mödersheim, et al. - 2005
48	The TLS protocol version 1.0. Request for Commnets: 2246 - Dierks, Allen - 1999
42	A chosen ciphertext attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as standardized - Manger - 2001
42	How to Expose an Eavesdropper - Rivest, Shamir - 1984
24	Secure password-based cipher suite for TLS - Steiner, Buhler, et al.
13	An Attack on the Interlock Protocol When Used for Authentication - Bellovin, Merritt - 1994
10	Man-in-the-Middle in Tunneled Authentication - Asokan, Niemi, et al.
10	Secure Object Identification— or: Solving The Chess Grandmaster Problem - Alkassar, Stüble, et al. - 2003
8	Authentication method with impersonal token cards - Molva, Tsudik - 1993
7	Why have public key infrastructures failed so far - Lopez, Oppliger, et al.
6	Fast and Secure Immunization against Adaptive Man-in-theMiddle Impersonation - Cramer, Damg˚ard - 1997
6	Does Trusted Computing Remedy Computer Security Problems - Oppliger, Rytz
4	Security Technologies for the World Wide Web - Oppliger - 2003
4	Contemporary Cryptography, Artech - Oppliger - 2005
3	Stealth Attacks and Delayed Password Disclosure,” http://www.informatics.indiana.edu/markus/stealth-attacks.htm - Jakobsson, Myers
3	Effective protection against phishing and web spoofing - Oppliger, Gajek - 2005
3	SSL/TLS session-aware user authentication revisited - Oppliger, Hauser, et al.
3	Internet Security Glossary,” Request for Comments 2828 - Shirey - 2000
1	Authentication: Risk vs. Readiness, Challenges & Solutions,” presentation held at - Kaliski, Nyström
1	Security Flaws Induced by CBC Padding—Applications to - Vaudenay