Sciweavers

COMCOM
2006

SSL/TLS session-aware user authentication - Or how to effectively thwart the man-in-the-middle

14 years 15 days ago
SSL/TLS session-aware user authentication - Or how to effectively thwart the man-in-the-middle
Abstract. Man-in-the-middle attacks pose a serious threat to SSL/TLSbased electronic commerce applications, such as Internet banking. In this paper, we argue that most deployed user authentication mechanisms fail to provide protection against this type of attack, even when they run on top of SSL/TLS. As a possible countermeasure, we introduce the notion of SSL/TLS session-aware user authentication, and present different possibilities for implementing it. More specifically, we start with a basic implementation that employs impersonal authentication tokens. Afterwards, we address extensions and enhancements and discuss possibilities for implementing SSL/TLS session-aware user authentication in software. Keywords. Security, man-in-the-middle (MITM) attack, SSL/TLS protocol, user authentication, electronic commerce
Rolf Oppliger, Ralf Hauser, David A. Basin
Added 11 Dec 2010
Updated 11 Dec 2010
Type Journal
Year 2006
Where COMCOM
Authors Rolf Oppliger, Ralf Hauser, David A. Basin
Comments (0)