Abstract
Most SSL/TLS-based electronic commerce (e-commerce) applications (including Internet banking) are vulnerable to man-in-the-middle attacks. Such attacks arise because users are often unable to authenticate a server effectively, and because user authentication methods are typically decoupled from SSL/TLS session establishment. Cryptographically binding the two authentication procedures together, a process referred to here as SSL/TLS session-aware user authentication (TLS-SA), is a lightweight and effective countermeasure. In this paper we propose a means of implementing TLS-SA using a GAA bootstrapped key. The scheme employs a GAA-enabled user device with a display and an input capability (e.g. a 3G mobile phone) and a GAA-aware server. We describe a simple instantiation of the scheme which makes the password authentication mechanism SSL/TLS session-aware; in addition, we describe two possible variants that give security-efficiency trade-offs. Analysis shows that the scheme is effective, secure and scalable. Moreover, the approach fits the multi-institution scenario well.
Copyright information
© 2011 IFIP International Federation for Information Processing
About this paper
Cite this paper
Chen, C., Mitchell, C.J., Tang, S. (2011). SSL/TLS Session-Aware User Authentication Using a GAA Bootstrapped Key. In: Ardagna, C.A., Zhou, J. (eds) Information Security Theory and Practice. Security and Privacy of Mobile Devices in Wireless Communication. WISTP 2011. Lecture Notes in Computer Science, vol 6633. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-21040-2_4
DOI: https://doi.org/10.1007/978-3-642-21040-2_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-21039-6
Online ISBN: 978-3-642-21040-2
eBook Packages: Computer Science (R0)