Abstract
Most SSL/TLS-based e-commerce applications employ conventional mechanisms for user authentication. These mechanisms—if decoupled from SSL/TLS session establishment—are vulnerable to man-in-the-middle (MITM) attacks. In this paper, we elaborate on the feasibility of MITM attacks, survey countermeasures, introduce the notion of SSL/TLS session-aware user authentication (TLS-SA), and present a proof of concept implementation of TLS-SA. We think that TLS-SA fills a gap between the use of public key certificates on the client side and currently deployed user authentication mechanisms. Most importantly, it allows for the continued use of legacy two-factor authentication devices while still providing high levels of protection against MITM attacks.
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Oppliger, R., Hauser, R., Basin, D., Rodenhaeuser, A., Kaiser, B. (2007). A Proof of Concept Implementation of SSL/TLS Session-Aware User Authentication (TLS-SA). In: Braun, T., Carle, G., Stiller, B. (eds) Kommunikation in Verteilten Systemen (KiVS). Informatik aktuell. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-69962-0_19
DOI: https://doi.org/10.1007/978-3-540-69962-0_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-69961-3
Online ISBN: 978-3-540-69962-0
eBook Packages: Computer Science and Engineering (German Language)