loading...
SSL/TLS Session-Aware User Authentication
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MC.2008.98March 2008 (vol. 41 no. 3) pp. 59-65
 This Article 
 
Buy PURCHASE ARTICLE: $19
PDF
HTML
Buy IEEE Xplore Subscribers
 
 Share 
   
 Bibliographic References 
   
 Add to: 
 
Digg
Furl
Spurl
Blink
Simpy
Google
Del.icio.us
Y!MyWeb
 
 Search 
   
ASCII Text
x 
 
Rolf Oppliger, Ralf Hauser, David Basin, "SSL/TLS Session-Aware User Authentication," Computer, vol. 41, no. 3, pp. 59-65, March, 2008.
 
 
BibTex
x
 
@article{ 10.1109/MC.2008.98,
author = {Rolf Oppliger and Ralf Hauser and David Basin},
title = {SSL/TLS Session-Aware User Authentication},
journal ={Computer},
volume = {41},
number = {3},
issn = {0018-9162},
year = {2008},
pages = {59-65},
doi = {http://doi.ieeecomputersociety.org/10.1109/MC.2008.98},
publisher = {IEEE Computer Society},
address = {Los Alamitos, CA, USA},
}
 
 
RefWorks Procite/RefMan/Endnote
x 
 
TY - MGZN
JO - Computer
TI - SSL/TLS Session-Aware User Authentication
IS - 3
SN - 0018-9162
SP59
EP65
EPD - 59-65
A1 - Rolf Oppliger,
A1 - Ralf Hauser,
A1 - David Basin,
PY - 2008
KW - man-in-the-middle (MITM) attacks
KW - security
KW - user authentication
KW - SSL/TLS protocols
VL - 41
JA - Computer
ER -
 
Rolf Oppliger, eSECURITY Technologies
Ralf Hauser, PrivaSphere AG
David Basin, ETH Zurich
Overall, transport layer security with session-aware user authentication offers a promising approach to solving man-in-the-middle attack problems by leveraging the legacy authentication mechanisms and systems that the general public has become accustomed to using.

[1] 59 T. Dierks and E. Rescorla, "The TLS Protocol Version 1.1," RFC 4346, Apr. 2006.
[2] R. Oppliger, R. Hauser, and D. Basin, "SSL/TLS Session-Aware User Authentication—Or How to Effectively Thwart the Man-in-the-Middle," Computer Comm., Aug. 2006, pp. 2238–2246.
[3] A. Fiat and A. Shamir, "How to Prove Yourself: Practical Solutions to Identification and Signature Problems," Proc. CRYPTO 86, LNCS 263, Springer, 1987, pp. 186–194.
[4] P. Eronen and H. Tschofenig, eds., "Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)," Standards Track RFC 4279, Dec. 2005.
[5] M. Badra and I. Hajjeh, "Key-Exchange Authentication Using Shared Secrets," Computer, Mar. 2006, pp. 58–66.
[6] M. Steiner et al., "Secure Password-Based Cipher Suite for TLS," ACM Trans. Information and System Security, May 2001, pp. 134–157.
[7] R.L. Rivest and A. Shamir, "How to Expose an Eavesdropper," Comm. ACM, vol. 27, no. 4, 1984, pp. 393–395.
[8] S.M. Bellovin and M. Merritt, "An Attack on the Interlock Protocol When Used for Authentication," IEEE Trans. Information Theory, Jan. 1994, pp. 273–275.
[9] N. Asokan, V. Niemi, and K. Nyberg, "Man-in-the-Middle in Tunneled Authentication Protocols," Proc. Int'l Workshop Security Protocols, Springer-Verlag, 2003, pp. 15–24.
[10] RSA Security Technology Backgrounder, "Enhancing One-Time Passwords for Protection Against Real-Time Phishing Attacks;" www.rsa.com/rsalabs/technotesOne-TimePWWP.pdf .
[11] B. Parno, C. Kuo, and A. Perrig, "Phoolproof Phishing Prevention," Proc. Financial Cryptography and Data Security, Springer-Verlag, 2006, pp. 1–19.
[12] A. Alkassar, C. Stüble, and A-R. Sadeghi, "Secure Object Identification—or: Solving the Chess Grandmaster Problem," Proc. 2003 Workshop New Security Paradigms, ACM Press, 2003, pp. 77–85.
[13] R. Oppliger et al., "A Proof of Concept Implementation of SSL/TLS Session-Aware User Authentication," Proc. Kommunikation Verteilten Systemen (KiVS 2007), Springer-Verlag, 2007, pp. 225–236.
[14] R. Oppliger and R. Hauser, "Protecting TLS-SA Implementations for the Challenge-Response Feature of EMV-CAP Against Challenge Collision Attacks," Security and Communication Networks, to appear.

Index Terms:
man-in-the-middle (MITM) attacks, security, user authentication, SSL/TLS protocols
Citation:
Rolf Oppliger, Ralf Hauser, David Basin, "SSL/TLS Session-Aware User Authentication," Computer, vol. 41, no. 3, pp. 59-65, Mar. 2008, doi:10.1109/MC.2008.98
Usage of this product signifies your acceptance of the Terms of Use.