Robust and low-cost solution for preventing sidejacking attacks in wireless networks using a rolling code

  • Authors: Jeffrey Cashion; Mostafa Bassiouni
  • Affiliations: University of Central Florida, Orlando, FL, USA (both authors)
  • Venue: Proceedings of the 7th ACM symposium on QoS and security for wireless and mobile networks
  • Year: 2011

Abstract

With the recent explosion in wireless hotspots, more and more users find themselves browsing the internet in an insecure manner. This is due to the typical lack of security in the Wi-Fi Access Points at popular hotspots such as coffee shops and airports. A common vulnerability in this scenario is when a user's cookie information is transmitted in plaintext, exposing potential session information. This would typically include the session ID, which, if stolen, could lead to session hijacking, also known as sidejacking. In this paper, we present a novel way of authenticating the client to the server using what we call a Rolling Code, much like the rolling code technology used to prevent perpetrators from recording a code and replaying it to open a garage door. By using this technique, the client is able to prove to the server with each request that they are the legitimate client and no other person could have hijacked the session. Our protocol also offers optional payload integrity and confidentiality via a multi-level security model. Our Rolling Code protocol is efficient and is particularly suitable for mobile devices used in wireless networks. We implemented a benchmark of the Rolling Code authentication and used it to evaluate the performance of the scheme for different hardware platforms. Our tests have shown that the Rolling Code protocol is more computationally efficient than the hash chains approach used in a recent cookie security protocol to prevent session sidejacking.