SSL/TLS session-aware user authentication revisited

Man-in-the-middle (MITM) attacks pose a serious threat to SSL/TLS-based e-commerce applications. In Oppliger R, Hauser R, Basin D [SSL/TLS session-aware user authentication - or how to effectively thwart the man-in-the-middle. Computer Communications August 2006;29(12):2238-46] and Oppliger R, Hauser R, Basin D [SSL/TLS session-aware user authentication. IEEE Computer March 2008;41(3) 59-65], we introduced the notion of SSL/TLS session-aware user authentication to protect SSL/TLS-based e-commerce applications against MITM attacks and we proposed an implementation based on impersonal authentication tokens. In this paper, we present a number of extensions of the basic idea. These include multi-institution tokens, possibilities for changing the PIN, and different ways of making several popular and widely deployed user authentication systems SSL/TLS session-aware.

[1]  Craig Metz,et al.  A One-Time Password System , 1996, RFC.

[2]  Peter Burkholder SSL Man-in-the-Middle Attacks , 2009 .

[3]  Rolf Oppliger,et al.  SSL/TLS Session-Aware User Authentication , 2008, Computer.

[4]  Simon Josefsson,et al.  The Base16, Base32, and Base64 Data Encodings , 2003, RFC.

[5]  Rolf Oppliger,et al.  Protecting TLS-SA implementations for the challenge-response feature of EMV-CAP against challenge collision attacks , 2008, Secur. Commun. Networks.

[6]  Leslie Lamport,et al.  Password authentication with insecure communication , 1981, CACM.

[7]  Rolf Oppliger,et al.  A Proof of Concept Implementation of SSL/TLS Session-Aware User Authentication (TLS-SA) , 2007, KiVS.

[8]  Craig Metz,et al.  A One-Time Password System , 1996, RFC.

[9]  Ken Thompson,et al.  Password security: a case history , 1979, CACM.

[10]  Gene Tsudik,et al.  Authentication method with impersonal token cards , 1993, Proceedings 1993 IEEE Computer Society Symposium on Research in Security and Privacy.

[11]  Markus Jakobsson,et al.  Delayed password disclosure , 2008, Int. J. Appl. Cryptogr..

[12]  Neil Haller,et al.  The S/KEY One-Time Password System , 1995, RFC.

[13]  Eric Rescorla,et al.  The Transport Layer Security (TLS) Protocol Version 1.1 , 2006, RFC.

[14]  Hugo Krawczyk,et al.  HMAC: Keyed-Hashing for Message Authentication , 1997, RFC.

[15]  Sean W. Smith,et al.  Trusted paths for browsers , 2002, TSEC.

[16]  J. Doug Tygar,et al.  The battle against phishing: Dynamic Security Skins , 2005, SOUPS '05.