SSL/TLS Session-Aware User Authentication Using a GAA Bootstrapped Key

Abstract: Most SSL/TLS-based electronic commerce (e-commerce) applications (including Internet banking) are vulnerable to man-in-the-middle attacks. Such attacks arise since users are often unable to authenticate a server effectively, and because user authentication methods are typically decoupled from SSL/TLS session establishment. Cryptographically binding the two authentication procedures together, a process referred to here as SSL/TLS session-aware user authentication (TLS-SA), is a lightweight and effective countermeasure. In this paper we propose a means of implementing TLS-SA using a GAA bootstrapped key. The scheme employs a GAA-enabled user device with a display and an input capability (e.g. a 3G mobile phone) and a GAA-aware server. We describe a simple instantiation of the scheme which makes the password authentication mechanism SSL/TLS session-aware; in addition we describe two possible variants that give security-efficiency trade-offs. Analysis shows that the scheme is effective, secure and scalable. Moreover, the approach fits well to the multi-institution scenario.
Document type:
Conference paper
Claudio A. Ardagna; Jianying Zhou. 5th Workshop on Information Security Theory and Practices (WISTP), Jun 2011, Heraklion, Crete, Greece. Springer, Lecture Notes in Computer Science, LNCS-6633, pp.54-68, 2011, Information Security Theory and Practice. Security and Privacy of Mobile Devices in Wireless Communication. 〈10.1007/978-3-642-21040-2_4〉

Cited literature [29 references]

https://hal.inria.fr/hal-01573291
Contributor: Hal Ifip
Submitted on: Wednesday, 9 August 2017 - 10:24:15
Last modified on: Wednesday, 9 August 2017 - 10:25:13

File

978-3-642-21040-2_4_Chapter.pd...
Files produced by the author(s)

License

Distributed under a Creative Commons Attribution 4.0 International License

Citation

Chunhua Chen, Chris Mitchell, Shaohua Tang. SSL/TLS Session-Aware User Authentication Using a GAA Bootstrapped Key. Claudio A. Ardagna; Jianying Zhou. 5th Workshop on Information Security Theory and Practices (WISTP), Jun 2011, Heraklion, Crete, Greece. Springer, Lecture Notes in Computer Science, LNCS-6633, pp.54-68, 2011, Information Security Theory and Practice. Security and Privacy of Mobile Devices in Wireless Communication. 〈10.1007/978-3-642-21040-2_4〉. 〈hal-01573291〉
