Sciweavers

COMPSEC
2008

SSL/TLS session-aware user authentication revisited

13 years 3 months ago
SSL/TLS session-aware user authentication revisited
Man-in-the-middle (MITM) attacks pose a serious threat to SSL/TLS-based e-commerce applications, and there are only a few technologies available to mitigate the risks. In [OHB05], we introduced the notion of SSL/TLS session-aware user authentication to protect SSL/TLSbased e-commerce applications against MITM attacks, and we proposed an implementation based on impersonal authentication tokens. In this paper, we present a number of extensions and variations of SSL/TLS session-aware user authentication. More specifically, we address multiinstitution tokens, possibilities for changing the PIN, and possibilities for making several popular and widely deployed user authentication systems be SSL/TLS session-aware. Furthermore, we also investigate the technical feasibility and the security implications of software-based implementations of SSL/TLS session-aware user authentication. Keywords. Electronic commerce, security, phishing, pharming, man-inthe-middle attack, SSL/TLS protocol, SSL/TLS-aw...
Rolf Oppliger, Ralf Hauser, David A. Basin
Added 09 Dec 2010
Updated 09 Dec 2010
Type Journal
Year 2008
Where COMPSEC
Authors Rolf Oppliger, Ralf Hauser, David A. Basin
Comments (0)