
KIVS
2007
Springer

A Proof of Concept Implementation of SSL/TLS Session-Aware User Authentication (TLS-SA)

Abstract: Most SSL/TLS-based e-commerce applications employ conventional mechanisms for user authentication. These mechanisms, if decoupled from SSL/TLS session establishment, are vulnerable to man-in-the-middle (MITM) attacks. In this paper, we elaborate on the feasibility of MITM attacks, survey countermeasures, introduce the notion of SSL/TLS session-aware user authentication (TLS-SA), and present a proof of concept implementation of TLS-SA. We think that TLS-SA fills a gap between the use of public key certificates on the client side and currently deployed user authentication mechanisms. Most importantly, it allows for the continued use of legacy two-factor authentication devices while still providing high levels of protection against MITM attacks.
Added 08 Jun 2010
Updated 08 Jun 2010
Type Conference
Year 2007
Where KIVS
Authors Rolf Oppliger, Ralf Hauser, David A. Basin, Aldo Rodenhaeuser, Bruno Kaiser
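The abstract's core point, shown as an added simulation that is not the paper's protocol or its proof-of-concept code: a one-time code that depends only on the token secret is accepted by the real server no matter which TLS peer the user actually typed it into, so an interposed MITM only has to relay it. A code that additionally covers a hash of the server certificate the client saw in its own TLS handshake no longer verifies at the real server when the client was talking to the attacker's certificate. The certificate-hash binding, the sample secret and both certificate byte strings are assumptions constructed for this illustration.

```python
import hashlib
import hmac

# Constructed sample data for this illustration (not from the paper):
# a secret provisioned on a two-factor token, and two byte strings standing
# in for the DER encoding of the legitimate server's certificate and of the
# certificate a MITM presents to the client.
TOKEN_SECRET = b"token-secret-provisioned-out-of-band"
BANK_CERT = b"CERT:CN=bank.example,serial=1001,key=legit"  # constructed
MITM_CERT = b"CERT:CN=bank.example,serial=9999,key=mitm"   # constructed


def legacy_otp(secret: bytes, counter: int) -> str:
    """Conventional event-based one-time code.

    It depends only on the token secret and a counter, so it is valid no
    matter which TLS peer the user typed it into: an interposed MITM can
    simply relay it to the real server. (A real token would truncate the
    code further for display; 64 bits are kept here to keep the comparison
    collision-free.)
    """
    msg = counter.to_bytes(8, "big")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def tls_sa_code(secret: bytes, counter: int, server_cert: bytes) -> str:
    """Session-aware code (illustrative binding, an assumption of this
    example): the MAC additionally covers a hash of the server certificate
    the client actually received in its TLS handshake."""
    cert_hash = hashlib.sha256(server_cert).digest()
    msg = counter.to_bytes(8, "big") + cert_hash
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def server_accepts(code: str, counter: int, own_cert: bytes,
                   session_aware: bool) -> bool:
    """The real server recomputes the expected code. In the session-aware
    case it uses its own certificate, i.e. the one a direct client saw."""
    if session_aware:
        expected = tls_sa_code(TOKEN_SECRET, counter, own_cert)
    else:
        expected = legacy_otp(TOKEN_SECRET, counter)
    return hmac.compare_digest(expected, code)


def login_attempt(session_aware: bool, mitm_present: bool,
                  counter: int = 42) -> bool:
    """Simulate one login.

    With a MITM, the client's TLS session terminates at the attacker, so the
    certificate the client sees is MITM_CERT; the attacker forwards the code
    unchanged over its own TLS session to the bank. Returns whether the bank
    accepts the code.
    """
    cert_seen_by_client = MITM_CERT if mitm_present else BANK_CERT
    if session_aware:
        code = tls_sa_code(TOKEN_SECRET, counter, cert_seen_by_client)
    else:
        code = legacy_otp(TOKEN_SECRET, counter)
    # The relay step: the code reaches the bank verbatim either way.
    return server_accepts(code, counter, BANK_CERT, session_aware)


def compare() -> dict:
    """Outcomes for all four cases, keyed by (mechanism, mitm_present)."""
    return {
        ("legacy", False): login_attempt(False, False),
        ("legacy", True): login_attempt(False, True),   # relay succeeds
        ("tls-sa", False): login_attempt(True, False),
        ("tls-sa", True): login_attempt(True, True),    # relay rejected
    }


if __name__ == "__main__":
    for (mechanism, mitm), accepted in compare().items():
        print(f"{mechanism:7s} mitm={str(mitm):5s} -> bank accepts: {accepted}")
```

The check a practitioner should carry over from this: the binding only helps if the certificate hash fed to the token comes from the client's TLS stack, i.e. the certificate it actually validated, and not from page content or a form field the MITM controls, and if the server verifies against its own certificate only. Which certificate the hash covers, and how the hash reaches a legacy token, are the design questions the paper addresses; this block only shows why the binding defeats relaying.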