Provably secure browser-based user-aware mutual authentication over TLS

Proceedings of the 2008 ACM Symposium on Information, Computer and Communications Security, ASIACCS '08

Volumn , Issue , 2008, Pages 300-311

  Gajek, Sebastian ^a   Manulis, Mark ^b   Sadeghi, Ahmad Reza ^a   Schwenk, Jörg ^a  

^a RUHR UNIVERSITY BOCHUM   (Germany)

^b B 1348   (Belgium)

Author keywords

Browser based protocols; Phishing; TLS; User authentication

Indexed keywords

BROWSER-BASED PROTOCOLS; IMPERSONATION ATTACK; INTERNET USERS; MUTUAL AUTHENTICATION; PHISHING; PROOF OF CONCEPT; PROVABLY SECURE; SECURE CHANNELS; SECURITY MODEL; SERVER-BASED; STANDARD SOLUTIONS; USER AUTHENTICATION; X.509 CERTIFICATES;

INTERNET PROTOCOLS; NETWORK SECURITY; SEEBECK EFFECT; SURVEYING INSTRUMENTS;

AUTHENTICATION;

EID: 77952417644     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1368310.1368354     Document Type: Conference Paper

References (39)

1. M. Abdalla, E. Bresson, O. Chevassut, B. Möller, and D. Pointcheval. Provably secure password-based authentication in tls. In ASIACCS '06: Proceedings of the 2006 ACM Symposium on Information, computer and communications security, pages 35-45, New York, NY, USA, 2006. ACM.
2. M. Abdalla, O. Chevassut, and D. Pointcheval. One-time verifier-based encrypted key exchange. In Public Key Cryptography, volume 3386 of LNCS, pages 47-64. Springer, 2005. (Pubitemid 41231325)
3. M. Abdalla and D. Pointcheval. Simple password-based encrypted key exchange protocols. In CT-RSA, volume 3376 of LNCS, pages 191-208. Springer, 2005. (Pubitemid 41231212)
4. C. Allen and T. Dierks. The TLS protocol - version 1.1. Internet proposed standard RFC 4346, 2006.
5. M. Bellare and C. Namprempre. Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. In ASIACRYPT, volume 1976 of LNCS, pages 531-545. Springer, 2000.
6. M. Bellare, D. Pointcheval, and P. Rogaway. Authenticated key exchange secure against dictionary attacks. In EUROCRYPT, volume 1807 of LNCS, pages 139-155. Springer, 2000.
7. M. Bellare and P. Rogaway. Entity authentication and key distribution. In CRYPTO, volume 773 of LNCS, pages 232-249. Springer, 1993.
8. M. Bellare and P. Rogaway. Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. In Conference on Computer and Communications Security, pages 62-73. ACM, 1993.
9. M. Bellare and P. Rogaway. The AuthA protocol for password-based authenticated key exchange. contributions to ieee p1363, 2000. http://grouper.ieee.org/groups/1363/passwdPK/contributions.html.
10. S. M. Bellovin and M. Merritt. Augmented encrypted key exchange: A password-based protocol secure against dictionary atttacks and password file compromise. In Conference on Computer and Communications Security, pages 244-250. ACM, 1993.
11. V. Boyko, P. D. MacKenzie, and S. Patel. Provably secure password-authenticated key exchange using diffie-hellman. In EUROCRYPT, volume 1807 of LNCS, pages 156-171. Springer, 2000.
12. E. Bresson, O. Chevassut, and D. Pointcheval. Security proofs for an efficient password-based key exchange. In ACM Conference on Computer and Communications Security, pages 241-250. ACM, 2003.
13. E. Bresson, O. Chevassut, and D. Pointcheval. New security results on encrypted key exchange. In Public Key Cryptography, volume 2947 of LNCS, pages 145-158. Springer, 2004.
14. R. Canetti, S. Halevi, and M. Steiner. Mitigating dictionary attacks on password-protected local storage. In CRYPTO, volume 4117 of LNCS, pages 160-179. Springer, 2006.
15. S. Chiasson, P. C. van Oorschot, and R. Biddle. Graphical password authentication using cued click points. In ESORICS, volume 4734 of LNCS, pages 359-374. Springer, 2007.
16. R. Dhamija and J. D. Tygar. The battle against phishing: Dynamic security skins. In SOUPS '05: Proceedings of the 2005 symposium on Usable privacy and security, pages 77-88. ACM, 2005.
17. R. Dhamija, J. D. Tygar, and M. A. Hearst. Why phishing works. In CHI, pages 581-590. ACM, 2006.
18. T. Dierks and E. Rescorla. The transport layer security (TLS) protocol, version 1.1. RFC 4346, IETF, 2006. Proposed Standard.
19. C. Ellison. Ceremony design and analysis. Cryptology ePrint Archive, Report 2007/399, 2007.
20. R. T. Fielding, J. Gettys, J. Mogul, H. F. Nielsen, L. Masinter, P. J. Leach, and T. Berners-Lee. Hypertext Transfer Protocol - HTTP/1.1. Technical Report 2616, Internet Engineering Task Force, June 1999.
21. I. Giang. SSL Phishing, Microsoft Moves to Brand, and Nyms. Financial Cryptography, 14 February 2006. https://www.financialcryptography.com/mt/ archives/000654.html.
22. T. Groß. Security analysis of the SAML single sign-on browser/artifact profile. In Annual Computer Security Applications Conference. IEEE Computer Society, 2003.
23. T. Gro, B. Pfitzmann, and A.-R. Sadeghi. Browser model for security analysis of browser-based protocols. In ESORICS, volume 3679 of LNCS, pages 489-508. Springer, 2005.
24. T. Groß, B. Pfitzmann, and A.-R. Sadeghi. Proving a ws-federation passive requestor profile with a browser model. In SWS '05: Proceedings of the 2005 workshop on Secure web services, pages 54-64. ACM, 2005.
25. A. Herzberg. Why Johnny can't surf (safely)?, 2007. (Work in Progress).
26. M. Jakobsson and S. Myers. Delayed password disclosure. In DIM '07: Proceedings of the 2007 ACM workshop on Digital identity management, pages 17-26. ACM, 2007.
27. J. Katz, R. Ostrovsky, and M. Yung. Efficient password-authenticated key exchange using human-memorable passwords. In EUROCRYPT, volume 2045 of LNCS, pages 475-494. Springer, 2001.
28. J. Katz, R. Ostrovsky, and M. Yung. Forward secrecy in password-only key exchange protocols. In SCN, volume 2576 of LNCS, pages 29-44. Springer, 2002.
29. D. Kormann and A. Rubin. Risks of the passport single signon protocol. Computer Networks, 33 (1-6): 51-58, 2000.
30. P. MacKenzie. The PAK suite: Protocols for password-authenticated key exchange. Technical Report 2002-46, DIMACS, 2002.
31. B. Pfitzmann and M. Waidner. A model for asynchronous reactive systems and its application to secure message transmission. In IEEE Symposium on Security and Privacy, page 184, 2001.
32. Proof of Concept Implementation of BBMA, 2007. http://www.demo.nds.rub. de/bbma.
33. V. Shoup. OAEP reconsidered. J. Cryptology, 15 (4):223-249, 2002.
34. V. Shoup. Sequences of Games: A Tool for Taming Complexity in Security Proofs. Cryptology ePrint Archive, Report 2004/332, 2006.
35. C. Soghoian and M. Jakobsson. A deceit-augmented man in the middle attack against bank of america's sitekey service, 2007. http://paranoia.dubfire.net/ 2007/04/deceit-augmented-man-in-middle-attack.html.
36. M. Steiner, P. Buhler, T. Eirich, and M. Waidner. Secure password-based cipher suite for TLS. TISSEC, 4 (2):134-157, 2001.
37. A. O. Stuart Schechter, Rachna Dhamija and I. Fischer. The emperor's new security indicators. In Symposium on Security and Privacy, pages 51-65. IEEE Computer Society, 2007.
38. X. Suo, Y. Zhu, and G. S. Owen. Graphical passwords: A survey. In ACSAC, pages 463-472. IEEE Computer Society, 2005.
39. W3C. Document object model (DOM), 2005. http://www.w3.org/DOM.