论文信息 - Advanced Client/Server Authentication in TLS

Advanced Client/Server Authentication in TLS

Many business transactions on the Internet occur between strangers, that is, between entities with no prior relationship and no common security domain. Traditional security approaches based on identity or capabilities do not solve the problem of establishing trust between strangers. New approaches to trust establishment are required that are secure, scalable, and portable. One new approach to mutual trust establishment is trust negotiation, the bilateral exchange of digital credentials to establish trust gradually. This paper describes the Trust Negotiation in TLS (TNT) protocol, an extension to the TLS handshake protocol that incorporates recent advances in trust negotiation into TLS to provide advanced client/server authentication in TLS. In this paper we describe the current limitations in TLS client/server authentication with respect to trust establishment, and show how the TNT protocol overcomes them. We also describe our implementation of TNT, built using PureTLS, a Java TLS package that is freely available. This implementation is the first to provide confidential trust negotiation, verification of private keys during trust negotiation, and a single trust negotiation protocol supporting interoperable trust negotiation strategies.

[1] Marianne Winslett,et al. Internet Credential Acceptance Policies , 1997, APPIA-GULP-PRODE.

[2] Marianne Winslett,et al. Interoperable strategies in automated trust negotiation , 2001, CCS '01.

[3] Marianne Winslett,et al. Limiting the Disclosure of Access Control Policies during Automated Trust Negotiation , 2001, NDSS.

[4] K.E. Seamons,et al. Automated trust negotiation , 2000, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.

[5] Marianne Winslett,et al. PRUNES: an efficient and complete strategy for automated trust negotiation over the Internet , 2000, CCS.

[6] Ivan Visconti,et al. User privacy issues regarding certificates and the TLS protocol: the design and implementation of the SPSL protocol , 2000, CCS.

[7] Kent E. Seamons,et al. Trust Negotiation in Electronic Markets , 2001 .

[8] Adam Stubblefield,et al. Using Client Puzzles to Protect TLS , 2001, USENIX Security Symposium.

[9] Stephen Thomas. SSL and TLS Essentials: Securing the Web , 2000 .

[10] Amir Herzberg,et al. Access control meets public key infrastructure, or: assigning roles to strangers , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[11] Christopher Allen,et al. The TLS Protocol Version 1.0 , 1999, RFC.

[12] Eric Rescorla,et al. SSL and TLS: Designing and Building Secure Systems , 2000 .