Skip to Main content Skip to Navigation
Conference papers

SSL/TLS Session-Aware User Authentication Using a GAA Bootstrapped Key

Abstract : Most SSL/TLS-based electronic commerce (e-commerce) applications (including Internet banking) are vulnerable to man in the middle attacks. Such attacks arise since users are often unable to authenticate a server effectively, and because user authentication methods are typically decoupled from SSL/TLS session establishment. Cryptographically binding the two authentication procedures together, a process referred to here as SSL/TLS session-aware user authentication (TLS-SA), is a lightweight and effective countermeasure. In this paper we propose a means of implementing TLS-SA using a GAA bootstrapped key. The scheme employs a GAA-enabled user device with a display and an input capability (e.g. a 3G mobile phone) and a GAA-aware server. We describe a simple instantiation of the scheme which makes the password authentication mechanism SSL/TLS session-aware; in addition we describe two possible variants that give security-efficiency trade-offs. Analysis shows that the scheme is effective, secure and scalable. Moreover, the approach fits well to the multi-institution scenario.
Document type :
Conference papers
Complete list of metadata

Cited literature [17 references]  Display  Hide  Download
Contributor : Hal Ifip Connect in order to contact the contributor
Submitted on : Wednesday, August 9, 2017 - 10:24:15 AM
Last modification on : Tuesday, July 13, 2021 - 4:18:04 PM


Files produced by the author(s)


Distributed under a Creative Commons Attribution 4.0 International License



Chunhua Chen, Chris J. Mitchell, Shaohua Tang. SSL/TLS Session-Aware User Authentication Using a GAA Bootstrapped Key. 5th Workshop on Information Security Theory and Practices (WISTP), Jun 2011, Heraklion, Crete, Greece. pp.54-68, ⟨10.1007/978-3-642-21040-2_4⟩. ⟨hal-01573291⟩



Record views


Files downloads