Sciweavers

CCS
2008
ACM

Provably secure browser-based user-aware mutual authentication over TLS

14 years 2 months ago
The standard solution for user authentication on the Web is to establish a TLS-based secure channel in server authenticated mode and run a protocol on top of TLS where the user enters a password in an HTML form. However, as many studies point out, the average Internet user is unable to identify the server based on an X.509 certificate so that impersonation attacks (e.g., phishing) are feasible. We tackle this problem by proposing a protocol that allows the user to identify the server based on human perceptible authenticators (e.g., picture, voice). We prove the security of this protocol by refining the game-based security model of Bellare and Rogaway and present a proof of concept implementation.

Categories and Subject Descriptors: C.2.2 [Computer-Communication Networks]: Network Protocols; E.3 [Data Encryption]: Public key cryptosystems, standards
General Terms: Security
Keywords: Browser-based protocols, user authentication, TLS, phishing
Added 12 Oct 2010
Updated 12 Oct 2010
Type Conference
Year 2008
Where CCS
Authors Sebastian Gajek, Mark Manulis, Ahmad-Reza Sadeghi, Jörg Schwenk