SSL/TLS session-aware user authentication - Or how to effectively thwart the man-in-the-middle
Computer Communications
Most SSL/TLS-based electronic commerce (e-commerce) applications, including Internet banking, are vulnerable to man-in-the-middle attacks. Such attacks arise because users are often unable to authenticate a server effectively, and because user authentication methods are typically decoupled from SSL/TLS session establishment. Cryptographically binding the two authentication procedures together, a process referred to here as SSL/TLS session-aware user authentication (TLS-SA), is a lightweight and effective countermeasure. In this paper we propose a means of implementing TLS-SA using a GAA-bootstrapped key. The scheme employs a GAA-enabled user device with a display and an input capability (e.g. a 3G mobile phone) and a GAA-aware server. We describe a simple instantiation of the scheme that makes the password authentication mechanism SSL/TLS session-aware; in addition, we describe two possible variants that offer different security-efficiency trade-offs. Analysis shows that the scheme is effective, secure and scalable. Moreover, the approach is well suited to the multi-institution scenario.