SSL/TLS session-aware user authentication - Or how to effectively thwart the man-in-the-middle

Computer Communications

Volumn 29, Issue 12, 2006, Pages 2238-2246

  Oppliger, Rolf ^a   Hauser, Ralf ^b   Basin, David ^c  

^a eSECURITY Technologies   (Switzerland)

^b PrivaSphere AG   (Switzerland)

^c ETH ZURICH   (Switzerland)

Author keywords

Electronic commerce; Man in the middle attack; Security; SSL TLS protocol; User authentication

Indexed keywords

COMPUTER CRIME; COMPUTER SOFTWARE; ELECTRONIC COMMERCE; INTERNET; NETWORK PROTOCOLS; SECURITY SYSTEMS;

MAN-IN-THE-MIDDLE ATTACK; SECURITY; SSL/TLS PROTOCOL; USER AUTHENTICATION;

COPYRIGHTS;

EID: 33745913964     PISSN: 01403664     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.comcom.2006.03.004     Document Type: Article

References (31)

1. N. Asokan, V. Niemi, K. Nyberg, Man-in-the-middle in tunneled authentication protocols, in: Proceedings of the International Workshop on Security Protocols, 2003, pp. 15-24 (also available as IACR ePrint 2002/163).
2. Alkassar A., Stüble C., and Sadeghi A.-R. Secure object identification - or: solving the chess grandmaster problem. Proceedings of the 2003 Workshop on New Security Paradigms, Ascona, Switzerland (2003), ACM Press, New York 77-85
3. Anderson R.J. Why cryptosystems fail. Communications of the ACM 37 11 (1994) 32-40
4. M. Bellare, et al., A concrete security treatment of symmetric encryption: analysis of the DES modes of operation, in: Proceedings of the 38th Annual Symposium on Foundations of Computer Science (FOCS '97), 1997, pp. 394-403.
5. Bleichenbacher D. Chosen Ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In: Kadrwer S. (Ed). Proceedings of CRYPTO '98 (1998), Springer, Berlin 1-12
6. Bellovin S.M., and Merritt M. An attack on the interlock protocol when used for authentication. IEEE Transactions on Information Theory 40 1 (1994)
7. Cramer R., and Damgård I. Fast and secure immunization against adaptive man-in-the-middle impersonation. Proceedings of EUROCRYPT '97. Lecture Notes in Computer Science vol. 1233 (1997), Springer, Berlin 75-87
8. T. Dierks, C. Allen, The TLS Protocol Version 1.0, Request for Comments 2246, January 1999.
9. Dhamija R., and Tygar J.D. The battle against phishing: dynamic security skins. Proceedings of the 2005 ACM Symposium on Usable Security and Privacy (SOUPS 2005) (2005), ACM Press, New York 77-88
10. Fiat A., and Shamir A. How to prove yourself: practical solutions to identification and signature problems. Proceedings of CRYPTO '86. Lecture Notes in Computer Science vol. 263 (1987), Springer, Berlin 186-194
11. Guillou L.C., and Quisquater J. A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory. Proceedings of EUROCRYPT '88. Lecture Notes in Computer Science vol. 330 (1988), Springer, Berlin 112-123
12. M. Jakobsson, S. Myers, Stealth attacks and delayed password disclosure, 2005, .
13. B. Kaliski, M. Nyström, Authentication: risk vs. readiness, challenges and solutions, in: Presentation held at the BITS Protecting the Core Forum, October 6, 2004, .
14. Lamport L. Password authentication with insecure communication. Communications of the ACM 24 (1981) 770-772
15. Javier L., Oppliger R., and Pernul G. Why have public key infrastructures failed so far?. Internet Research 15 5 (2005) 544-556
16. Manger J. A chosen ciphertext attack on RSA optimal asymmetric encryption padding (OAEP) as standardized in PKCS#1 v2.0. Proceedings of CRYPTO '01 (2001), Springer, Berlin 230-238
17. J. Mitchell, V. Shmatikov, U. Stern, Finite-state analysis of SSL 3.0, in: Proceedings of the Seventh USENIX Security Symposium, USENIX, 1998, pp. 201-216.
18. Molva R., and Tsudik G. Authentication method with impersonal token cards. Proceedings of IEEE Symposium on Research in Security and Privacy (1993), IEEE Press, New York
19. Oppliger R., and Gajek S. Effective protection against phishing and web spoofing. Proceedings of the 9th IFIP TC6 and TC11 Conference on Communications and Multimedia Security (CMS 2005). Lecture Notes in Computer Science vol. 3677 (2005), Springer, Berlin 32-41
20. R. Oppliger, R. Hauser, D. Basin, SSL/TLS Session-Aware User Authentication Revisited, Computer Communications, in preparation.
21. Oppliger R. Security Technologies for the World Wide Web. second ed. (2003), Artech House Publishers, Norwood, MA
22. Oppliger R. Contemporary Cryptography (2005), Artech House Publishers, Norwood, MA
23. Oppliger R., and Rytz R. Does trusted computing remedy computer security problems?. IEEE Security and Privacy 3 2 (2005) 16-19
24. Paulson L.C. Inductive analysis of the Internet protocol TLS. ACM Transactions on Computer and System Security 2 3 (1999) 332-351
25. Rivest R.L., and Shamir A. How to expose an Eavesdropper. Communications of the ACM 27 4 (1984) 393-395
26. RSA Laboratories, PKCS #11 v2.20: Cryptographic Token Interface Standard, June 28, 2004.
27. Steiner M., et al. Secure password-based Cipher suite for TLS. ACM Transactions on Information and System Security (TISSEC) 4 2 (2001) 134-157
28. R. Shirey, Internet Security Glossary, Request for Comments 2828, May 2000.
29. Vaudenay S. Security flaws induced by CBC padding - Applications to SSL, IPSEC, WTLS .... Proceedings of EUROCRYPT '02. Lecture Notes in Computer Science vol. 2332 (2002), Springer, Amsterdam, Netherland 534-545
30. Z.E. Ye, S. Smith, Trusted paths for browsers, in: Proceedings of the USENIX Security Symposium, 2002, pp. 263-279.
31. D. Wagner, B. Schneier, Analysis of the SSL 3.0 Protocol. USENIX Security Symposium, 1996, pp. 29-40.