Sciweavers

ACISP
2008
Springer

Enforcing User-Aware Browser-Based Mutual Authentication with Strong Locked Same Origin Policy

The standard solution for mutual authentication between human users and servers on the Internet is to execute a TLS handshake, during which the server authenticates with an X.509 certificate, followed by authentication of the user either with their own password or with a cookie stored in the user's browser. Unfortunately, this solution is susceptible to various impersonation attacks such as phishing, since it has turned out that average Internet users are unable to authenticate servers based on their certificates. In this paper we address the security of cookie-based authentication using the concept of a strong locked same origin policy for browsers introduced at ACM CCS'07. We describe a cookie-based authentication protocol between human users and TLS servers and prove its security in the extended formal model for browser-based mutual authentication introduced at ACM ASIACCS'08. It turns out that the small modification of the browser's security policy is sufficient to achieve provably...
Sebastian Gajek, Mark Manulis, Jörg Schwenk
Added 01 Jun 2010
Updated 01 Jun 2010
Type Conference
Year 2008
Where ACISP
Authors Sebastian Gajek, Mark Manulis, Jörg Schwenk