Abstract
The standard solution for mutual authentication between human users and servers on the Internet is to execute a TLS handshake during which the server authenticates using a X.509 certificate followed by the authentication of the user either with own password or with some cookie stored within the user’s browser. Unfortunately, this solution is susceptible to various impersonation attacks such as phishing as it turned out that average Internet users are unable to authenticate servers based on their certificates.
In this paper we address security of cookie-based authentication using the concept of strong locked same origin policy for browsers introduced at ACM CCS’07. We describe a cookie-based authentication protocol between human users and TLS-servers and prove its security in the extended formal model for browser-based mutual authentication introduced at ACM ASIACCS’08. It turns out that the small modification of the browser’s security policy is sufficient to achieve provably secure cookie-based authentication protocols considering the ability of users to recognize images, video, or audio sequences.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Allen, C., Dierks, T.: The TLS Protocol — Version 1.1. Internet proposed standard RFC 4346 (2006)
Bellare, M., Namprempre, C.: Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000)
Bellare, M., Rogaway, P.: Entity Authentication and Key Distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)
Bellare, M., Rogaway, P.: Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. In: ACM CCS 1993, pp. 62–73. ACM Press, New York (1993)
Chiasson, S., van Oorschot, P.C., Biddle, R.: Graphical Password Authentication Using Cued Click Points. In: Biskup, J., López, J. (eds.) ESORICS 2007. LNCS, vol. 4734, pp. 359–374. Springer, Heidelberg (2007)
Dhamija, R., Tygar, J.D.: The Battle against Phishing: Dynamic Security Skins. In: SOUPS 2005, pp. 77–88. ACM Press, New York (2005)
Dhamija, R., Tygar, J.D., Hearst, M.A.: Why Phishing Works? In: CHI 2006, pp. 581–590. ACM Press, New York (2006)
Fouque, P.-A., Pointcheval, D., Zimmer, S.: HMAC is a Randomness Extractor and Applications to TLS. In: ACM ASIACCS 2008, pp. 21–32. ACM Press, New York (2008)
Freier, A.O., Kariton, P., Kocher, P.C.: The SSL Protocol: Version 3.0. Internet draft, Netscape Communications (1996)
Gajek, S., Schwenk, S.: Revising the Mature Browser Security Model. Technical Report, HGI TR-2008-004 (2008)
Gajek, S., Manulis, M., Sadeghi, A.-R., Schwenk, J.: Provably Secure Browser-Based User-Aware Mutual Authentication over TLS. In: ACM ASIACCS 2008, pp. 300–311. ACM Press, New York (2008)
Groß, T.: Security Analysis of the SAML Single Sign-on Browser/Artifact Profile. In: ACSAC 2003, pp. 298–307. IEEE CS, Los Alamitos (2003)
Groß, T., Pfitzmann, B., Sadeghi, A.-R.: Browser Model for Security Analysis of Browser-Based Protocols. In: di Vimercati, S.d.C., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 489–508. Springer, Heidelberg (2005)
Groß, T., Pfitzmann, B., Sadeghi, A.-R.: Proving a WS-Federation Passive Requestor Profile with a Browser Model. In: SWS 2005, pp. 54–64. ACM Press, New York (2005)
Jackson, C., Barth, A., Bortz, A., Shao, W., Boneh, D.: Protecting Browsers from DNS Rebinding Attacks. In: CCS 2007, pp. 421–431. ACM Press, New York (2007)
Jackson, C., Simon, D.R., Tan, D.S., Barth, A.: An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks. In: FC 2007/USEC 2007. LNCS, vol. 4886, pp. 281–293. Springer, Heidelberg (2008)
Jakobsson, M., Myers, S.: Delayed Password Disclosure. IJACT 1(1), 47–59 (2008)
Jonsson, J., Kaliski, B.S.: On the Security of RSA Encryption in TLS. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 127–142. Springer, Heidelberg (2002)
Karlof, C., Shankar, U., Tygar, J.D., Wagner, D.: Dynamic Pharming Attacks and Locked Same-Origin Policies for Web Browsers. In: ACM CCS 2007, pp. 58–71. ACM Press, New York (2007)
Kormann, D., Rubin, A.: Risks of the Passport Single SignOn Protocol. Computer Networks 33(1–6), 51–58 (2000)
Microsoft Corporation. Mitigating Cross-Site Scripting with HTTP-only Cookies (2008), http://msdn2.microsoft.com/en-us/library/ms533046.aspx
Krawczyk, H.: The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?). In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 310–331. Springer, Heidelberg (2001)
Mason, C., Baek, K.-H., Smith, S.: WSKE: Web Server Key Enabled Cookies. In: FC 2007/USEC 2007, pp. 294–306. Springer, Heidelberg (2008)
Mitchell, J.C., Shmatikov, V., Stern, U.: Finite-State Analysis of SSL 3.0. In: USENIX Security Symp., pp. 201–216 (1998)
Paulson, L.C.: Inductive Analysis of the Internet protocol TLS. ACM Trans. on Comp. and Syst. Sec. (3), 332–351 (1999)
Pfitzmann, B., Waidner, M.: A Model for Asynchronous Reactive Systems and its Application to Secure Message Transmission. In: IEEE S&P 2001, pp. 184–200. IEEE Computer Society Press, Los Alamitos (2001)
Schechter, S.E., Dhamija, R., Ozment, A., Fischer, I.: The Emperor’s New Security Indicators. In: IEEE S&P 2007, pp. 51–65. IEEE Computer Society Press, Los Alamitos (2007)
Schneier, B., Wagner, D.: Analysis of the SSL 3.0 protocol. In: USENIX Workshop on Electronic Commerce (1996)
Shoup, V.: OAEP Reconsidered. Journal of Cryptology 15(4), 223–249 (2002)
Soghoian, C., Jakobsson, M.: A Deceit-Augmented Ma. In: The Middle Attack Against Bank of America’s SiteKey Service (2007), http://paranoia.dubfire.net/2007/04/deceit-augmented-man-in-middle-attack.html
Suo, X., Zhu, Y., Owen, G.S.: Graphical Passwords: A Survey. In: Ann. Comp. Sec. Applic. Conf. IEEE Computer Society Press, Los Alamitos (2005)
W3C. Document Object Model (DOM) (2005), http://www.w3.org/DOM
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Gajek, S., Manulis, M., Schwenk, J. (2008). Enforcing User-Aware Browser-Based Mutual Authentication with Strong Locked Same Origin Policy. In: Mu, Y., Susilo, W., Seberry, J. (eds) Information Security and Privacy. ACISP 2008. Lecture Notes in Computer Science, vol 5107. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-70500-0_2
Download citation
DOI: https://doi.org/10.1007/978-3-540-70500-0_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-69971-2
Online ISBN: 978-3-540-70500-0
eBook Packages: Computer ScienceComputer Science (R0)