WSKE: web server key enabled cookies

Authors:
Chris Masone;Kwang-Hyun Baek;Sean Smith
Affiliations:
Department of Computer Science, Dartmouth College, Hanover, NH;Department of Computer Science, Dartmouth College, Hanover, NH;Department of Computer Science, Dartmouth College, Hanover, NH
Venue:
FC'07/USEC'07 Proceedings of the 11th International Conference on Financial cryptography and 1st International conference on Usable Security
Year:
2007

Citing 6
Cited 8

Trusted Paths for Browsers

Proceedings of the 11th USENIX Security Symposium
Beware of BGP attacks

ACM SIGCOMM Computer Communication Review
Stopping spyware at the gate: a user study of privacy, notice and spyware

SOUPS '05 Proceedings of the 2005 symposium on Usable privacy and security
Why phishing works

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Understanding the network-level behavior of spammers

Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications
Design principles and patterns for computer systems that are simultaneously secure and usable

Design principles and patterns for computer systems that are simultaneously secure and usable

Dynamic pharming attacks and locked same-origin policies for web browsers

Proceedings of the 14th ACM conference on Computer and communications security
Protecting browsers from dns rebinding attacks

Proceedings of the 14th ACM conference on Computer and communications security
Forcehttps: protecting high-security web sites from network attacks

Proceedings of the 17th international conference on World Wide Web
Enforcing User-Aware Browser-Based Mutual Authentication with Strong Locked Same Origin Policy

ACISP '08 Proceedings of the 13th Australasian conference on Information Security and Privacy
Robust defenses for cross-site request forgery

Proceedings of the 15th ACM conference on Computer and communications security
Stronger TLS bindings for SAML assertions and SAML artifacts

Proceedings of the 2008 ACM workshop on Secure web services
The power of recognition: secure single sign-on using TLS channel bindings

Proceedings of the 7th ACM workshop on Digital identity management
Getting web authentication right: a best-case protocol for the remaining life of passwords

SP'11 Proceedings of the 19th international conference on Security Protocols

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this paper, we present the design and prototype of a new approach to cookie management: if a server deposits a cookie only after authenticating itself via the SSL handshake, the browser will return the cookie only to a server that can authenticate itself, via SSL, to the same keypair. This approach can enable usable but secure client authentication. This approach can improve the usability of server authentication by clients. This approach is superior to the prior work on Active Cookies in that it defends against both DNS spoofing and IP spoofing--and does not require binding a user's interaction with a server to individual IP addresses.