Enforcing User-Aware Browser-Based Mutual Authentication with Strong Locked Same Origin Policy

  • Conference paper
Information Security and Privacy (ACISP 2008)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 5107)

Abstract

The standard solution for mutual authentication between human users and servers on the Internet is to execute a TLS handshake during which the server authenticates using an X.509 certificate, followed by the authentication of the user either with their own password or with some cookie stored within the user’s browser. Unfortunately, this solution is susceptible to various impersonation attacks such as phishing, as it turned out that average Internet users are unable to authenticate servers based on their certificates.

In this paper we address the security of cookie-based authentication using the concept of strong locked same origin policy for browsers introduced at ACM CCS’07. We describe a cookie-based authentication protocol between human users and TLS servers and prove its security in the extended formal model for browser-based mutual authentication introduced at ACM ASIACCS’08. It turns out that a small modification of the browser’s security policy is sufficient to achieve provably secure cookie-based authentication protocols considering the ability of users to recognize images, video, or audio sequences.

Editor information

Yi Mu, Willy Susilo, Jennifer Seberry

Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Gajek, S., Manulis, M., Schwenk, J. (2008). Enforcing User-Aware Browser-Based Mutual Authentication with Strong Locked Same Origin Policy. In: Mu, Y., Susilo, W., Seberry, J. (eds) Information Security and Privacy. ACISP 2008. Lecture Notes in Computer Science, vol 5107. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-70500-0_2

  • DOI: https://doi.org/10.1007/978-3-540-70500-0_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-69971-2

  • Online ISBN: 978-3-540-70500-0

  • eBook Packages: Computer Science, Computer Science (R0)
