Achieving Communication Effectiveness of Web Authentication Protocol with Key Update

  • Zijian Zhang
  • Chongxi Shen
  • Liehuang ZhuEmail author
  • Chen Xu
  • Salabat Khan Wazir
  • Chuyi Chen
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 747)


Today, with the presence of a large number of Man-In-The-Middle (MITM) attacks, identity authentication plays an important role in computer communication network. Series of authentication protocols have been proposed to resist against MITM attacks. Due to the lack of two-way certification between the client and the server, an attack named Man-In-The-Middle-Script-In-The-Browser (MITM-SITB) still works in most protocols. In order to protect against this kind of attack, a Channel-ID based authentication protocol named Server-Invariance-with-Strong-Client-Authentication (SISCA) is put forward. This protocol can not support key update and execute inefficiently. To solve this problem, we propose a Communication-Effectiveness-of-Web-Authentication (CEWA) protocol. We design a new certification process to make the protocol support key update, thus avoiding the risk of key leaks. Simultaneously, We designed the key storage method to manage the keys. We improve the efficiency of implementation. We also analyze its security and the experimental analysis shows the better performance of the efficiency than that in SISCA protocol.


Man-In-The-Middle (MITM) Attack TLS Channel ID Web authentication Key update 



This work is partially supported by China National Key Research and Development Program No. 2016YFB0800301.


  1. 1.
    Oppliger, R., Hauser, R., Basin, D.: SSL/TLS session-aware user authentication - or how to effectively thwart the man-in-the-middle. Comput. Commun. 29(12), 2238–2246 (2006)CrossRefGoogle Scholar
  2. 2.
    Callegati, F., Cerroni, W., Ramilli, M.: Man-in-the-middle attack to the HTTPS protocol. IEEE Secur. Priv. 7(1), 78–81 (2009)CrossRefGoogle Scholar
  3. 3.
    Stricot-Tarboton, S., Chaisiri, S., Ko, R.K.L.: Taxonomy of man-in-the-middle attacks on HTTPS. In: TrustCom/BigDataSE/ISPA (2017)Google Scholar
  4. 4.
    Huang, L.S., Rice, A., Ellingsen, E., et al.: Analyzing forged SSL certificates in the wild. In: IEEE Symposium on Security and Privacy, pp. 83–97 (2014)Google Scholar
  5. 5.
    Mayer, W., Zauner, A., Schmiedecker, M., et al.: No need for black chambers: testing TLS in the e-mail ecosystem at large, pp. 10–20 (2015)Google Scholar
  6. 6.
    Dietz, M., Czeskis, A., Balfanz, D., et al.: Origin-bound certificates: a fresh approach to strong client authentication for the web. In: USENIX Conference on Security Symposium, p. 16 (2012)Google Scholar
  7. 7.
    Karapanos, N., Capkun, S.: On the effective prevention of TLS man-in-the-middle attacks in web applications. In: 23rd USENIX Security Symposium, pp. 671–686 (2014)Google Scholar
  8. 8.
    Karlof, C., Shankar, U., Tygar, J.D., et al.: Dynamic pharming attacks and locked same-origin policies for web browsers. In: ACM Conference on Computer and Communications Security, CCS 2007, Alexandria, Virginia, USA, pp. 58–71, October 2007Google Scholar
  9. 9.
    Chen, K., Lin, D., Yan, L., Sun, X.: Environment-bound SAML assertions: a fresh approach to enhance the security of SAML assertions. In: Lin, D., Xu, S., Yung, M. (eds.) Inscrypt 2013. LNCS, vol. 8567, pp. 361–376. Springer, Cham (2014). Scholar
  10. 10.
    Xia, H.: Hardening web browsers against man-in-the-middle and eavesdropping attacks. In: International Conference on World Wide Web, WWW 2005, Chiba, Japan, pp. 489–498, May 2005Google Scholar
  11. 11.
    Bansal, C., Bhargavan, K., Maffeis, S.: Discovering concrete attacks on website authorization by formal analysis. In: IEEE Computer Security Foundations Symposium, pp. 247–262 (2012)Google Scholar
  12. 12.
    Zhou, Y., Evans, D.: SSOScan: automated testing of web applications for single sign-on vulnerabilities. In: USENIX Security Symposium (2014)Google Scholar
  13. 13.
    Chang, P.H., Kim, W., Agha, G.: An adaptive programming framework for web applications. In: Proceedings of the International Symposium on Applications and the Internet, pp. 152–159 (2004)Google Scholar
  14. 14.
    Xiao, Y., Rayi, V., Sun, B., Du, X., Hu, F., Galloway, M.: A survey of key management schemes in wireless sensor networks. J. Comput. Commun. 30(11–12), 2314–2341 (2007)CrossRefGoogle Scholar
  15. 15.
    Du, X., Xiao, Y., Guizani, M., Chen, H.H.: An effective key management scheme for heterogeneous sensor networks. Ad Hoc Netw. 5(1), 24–34 (2007)CrossRefGoogle Scholar
  16. 16.
    Du, X., Guizani, M., Xiao, Y., Chen, H.H.: A routing-driven elliptic curve cryptography based key management scheme for heterogeneous sensor networks. IEEE Trans. Wirel. Commun. 8(3), 1223–1229 (2009)CrossRefGoogle Scholar
  17. 17.
    Dierks, T., Rescorla, E.: RFC 5246 - The transport layer security (TLS) protocol - Version 1.2 (2008)Google Scholar
  18. 18.
    Xiao, Y., Du, X., Zhang, J., Guizani, S.: Internet protocol television (IPTV): the killer application for the next generation internet. IEEE Commun. Mag. 45(11), 126–134 (2007)CrossRefGoogle Scholar
  19. 19.
    Lennox, I.D.J., Rosenberg, J., Schulzrinne, H.: Internet Engineering Task Force. RFC, pp. 82–89, 11 August 2001Google Scholar
  20. 20.
    Tschofenig, H., Fossati, T.: Transport layer security (TLS)/datagram transport layer security (DTLS) profiles for the internet of things. Physiol. Rev. 66(4), 1121–1188 (2016)Google Scholar
  21. 21.
    Du, X., Chen, H.H.: Security in wireless sensor networks. IEEE Wirel. Commun. Mag. 15(4), 60–66 (2008)CrossRefGoogle Scholar
  22. 22.
    Yee, P.: Updates to the internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile. Harefuah 131(5–6), 184 (2013)Google Scholar
  23. 23.
    Fielding, R., Gettys, J., Mogul, J., et al.: RFC 2616: Hypertext Transfer Protocol - HTTP/1.1. Comput. Sci. Commun. Dict. 7(9), 3969–3973 (1999)Google Scholar
  24. 24.
    Du, X., Guizani, M., Xiao, Y., Chen, H.H.: Secure and efficient time synchronization in heterogeneous sensor networks. IEEE Trans. Veh. Technol. 57(4), 2387–2394 (2008)CrossRefGoogle Scholar

Copyright information

© Springer Nature Singapore Pte Ltd. 2018

Authors and Affiliations

  • Zijian Zhang
    • 1
  • Chongxi Shen
    • 1
  • Liehuang Zhu
    • 1
    Email author
  • Chen Xu
    • 1
  • Salabat Khan Wazir
    • 1
  • Chuyi Chen
    • 1
  1. 1.Beijing Institute of TechnologyBeijingChina

Personalised recommendations