A Proof of Concept Implementation of SSL/TLS Session-Aware User Authentication (TLS-SA)

  • Conference paper
Kommunikation in Verteilten Systemen (KiVS)

Part of the book series: Informatik aktuell ((INFORMAT))

Abstract

Most SSL/TLS-based e-commerce applications employ conventional mechanisms for user authentication. These mechanisms—if decoupled from SSL/TLS session establishment—are vulnerable to man-in-the-middle (MITM) attacks. In this paper, we elaborate on the feasibility of MITM attacks, survey countermeasures, introduce the notion of SSL/TLS session-aware user authentication (TLS-SA), and present a proof of concept implementation of TLS-SA. We think that TLS-SA fills a gap between the use of public key certificates on the client side and currently deployed user authentication mechanisms. Most importantly, it allows for the continued use of legacy two-factor authentication devices while still providing high levels of protection against MITM attacks.
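To illustrate the notion behind the abstract, an added example (not code from the paper or its authors): a conventional OTP that verifies regardless of which TLS session carried it, beside a session-aware code that is additionally bound to the server certificate and client random. The choice of binding inputs, the HMAC construction and all sample values are assumptions for illustration, since the paper's own scheme is not reproduced on this page.

```python
import hashlib
import hmac

# Constructed stand-ins for the values a client sees during the TLS handshake.
# Assumption: the session is pinned by the server's certificate and the client
# random; the paper's exact inputs are not stated on this page.
def session_binding(server_cert_der: bytes, client_random: bytes) -> bytes:
    """Digest of the handshake values that tie a session to its TLS endpoint."""
    return hashlib.sha256(server_cert_der + client_random).digest()

def legacy_code(token_secret: bytes, counter: int) -> str:
    """Conventional event-based OTP: depends on the token and counter only,
    so it verifies no matter which TLS session carried it."""
    return hmac.new(token_secret, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()

def session_aware_code(token_secret: bytes, cert: bytes, client_random: bytes) -> str:
    """TLS-SA style code: the same token secret, but MAC'd over the session
    binding, so the code only matches the endpoint the user actually spoke to."""
    return hmac.new(token_secret, session_binding(cert, client_random), hashlib.sha256).hexdigest()

def server_accepts(expected: str, received: str) -> bool:
    return hmac.compare_digest(expected, received)

# Constructed sample values (not real keys or certificates)
SECRET = b"token-seed-constructed"
LEGIT_CERT = b"CERT:bank.example-constructed"
MITM_CERT = b"CERT:attacker-constructed"
CLIENT_RANDOM = bytes(range(32))

def relay_outcomes() -> dict:
    """Model a MITM that terminates the user's TLS session with its own
    certificate and relays the authentication code, reusing the client random.
    Returns whether the real server accepts the relayed code in each scheme."""
    # Legacy OTP: the relayed value is exactly what the server expects
    legacy_relayed = server_accepts(legacy_code(SECRET, 7), legacy_code(SECRET, 7))
    # TLS-SA: the user's session ended at the MITM, so the code is bound to the
    # MITM's certificate, while the real server computes over its own certificate
    expected = session_aware_code(SECRET, LEGIT_CERT, CLIENT_RANDOM)
    relayed = session_aware_code(SECRET, MITM_CERT, CLIENT_RANDOM)
    direct = session_aware_code(SECRET, LEGIT_CERT, CLIENT_RANDOM)
    return {
        "legacy_relay_accepted": legacy_relayed,
        "tls_sa_direct_accepted": server_accepts(expected, direct),
        "tls_sa_relay_accepted": server_accepts(expected, relayed),
    }

if __name__ == "__main__":
    print(relay_outcomes())
```

The legacy code is accepted over the relayed session while the session-aware code is rejected, which is the property the abstract claims for TLS-SA with unchanged two-factor tokens.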




Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Oppliger, R., Hauser, R., Basin, D., Rodenhaeuser, A., Kaiser, B. (2007). A Proof of Concept Implementation of SSL/TLS Session-Aware User Authentication (TLS-SA). In: Braun, T., Carle, G., Stiller, B. (eds) Kommunikation in Verteilten Systemen (KiVS). Informatik aktuell. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-69962-0_19
