Access the full text.
Sign up today, get DeepDyve free for 14 days.
M. Bellare, P. Rogaway (1993)
Entity Authentication and Key Distribution
B. Pfitzmann, M. Waidner (2001)
A model for asynchronous reactive systems and its application to secure message transmissionProceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001
Thomas Gross, B. Pfitzmann, A. Sadeghi (2005)
Browser Model for Security Analysis of Browser-Based Protocols
Victor Boyko, P. MacKenzie, Sarvar Patel (2000)
Provably Secure Password-Authenticated Key Exchange Using Diffie-HellmanIACR Cryptol. ePrint Arch., 2000
S. Gajek, Chen Xuan (2008)
On the Insecurity of Microsoft's Identity Metasystem
V. Shoup (2001)
OAEP ReconsideredIACR Cryptol. ePrint Arch., 2000
P. Buhler, T. Eirich, M. Waidner, M. Steiner (2001)
Secure password-based cipher suite for TLSACM Transactions on Information and System Security (TISSEC), 4
S. Gajek, M. Manulis, Olivier Pereira, A. Sadeghi, Jörg Schwenk (2008)
Universally Composable Security Analysis of TLS - Secure Sessions with Handshake and Record Layer ProtocolsIACR Cryptol. ePrint Arch., 2008
S. Gajek, M. Manulis, Olivier Pereira, A. Sadeghi, Jörg Schwenk (2008)
Universally Composable Security Analysis of TLS
Stuart Schechter, Rachna Dhamija, Andy Ozment, Ian Fischer (2007)
The Emperor's New Security Indicators2007 IEEE Symposium on Security and Privacy (SP '07)
Thomas Gross (2003)
Security analysis of the SAML single sign-on browser/artifact profile19th Annual Computer Security Applications Conference, 2003. Proceedings.
M. Bellare, D. Pointcheval, P. Rogaway (2000)
Authenticated Key Exchange Secure against Dictionary AttacksIACR Cryptol. ePrint Arch., 2000
Michel Abdalla, D. Pointcheval (2005)
Simple Password-Based Encrypted Key Exchange Protocols
(2007)
A deceit-augmented man in the middle attack against bank of America’s sitekey service. Available at: http://paranoia.dubfire.net/2007/04/ deceit-augmented-man-in-middle-attack.html
Paul Morrissey, N. Smart, B. Warinschi (2008)
A Modular Security Analysis of the TLS Handshake Protocol
H. Krawczyk (2001)
The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?)IACR Cryptol. ePrint Arch., 2001
Jonathan Katz, R. Ostrovsky, M. Yung (2001)
Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords
Collin Jackson, A. Barth, Andrew Bortz, Weidong Shao, D. Boneh (2007)
Protecting browsers from dns rebinding attacksACM Transactions on The Web, 3
Rachna Dhamija, J. Tygar, Marti Hearst (2006)
Why phishing worksProceedings of the SIGCHI Conference on Human Factors in Computing Systems
T. Dierks, C. Allen (1999)
The TLS Protocol Version 1.0RFC, 2246
S. Bellovin, Michael Merritt (1993)
Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise
Tim Berners-Lee, R. Fielding, H. Nielsen (1997)
Hypertext Transfer Protocol - HTTP/1.1RFC, 2068
Chris Karlof, U. Shankar, Doug Tygar, D. Wagner (2007)
Dynamic pharming attacks and locked same-origin policies for web browsers
E. Fujisaki, T. Okamoto, D. Pointcheval, J. Stern (2001)
RSA-OAEP Is Secure under the RSA AssumptionJournal of Cryptology, 17
Thomas Gross, B. Pfitzmann, A. Sadeghi (2005)
Proving a WS-federation passive requestor profile with a browser model
S. Chiasson, P. Oorschot, R. Biddle (2007)
Graphical Password Authentication Using Cued Click Points
J. Jonsson, B. Kaliski (2002)
On the Security of RSA Encryption in TLS
Jonathan Katz, R. Ostrovsky, M. Yung (2002)
Forward Secrecy in Password-Only Key Exchange Protocols
M. Bellare, P. Rogaway (1993)
Random oracles are practical: a paradigm for designing efficient protocols
(2002)
The PAK suite: Protocols for Password-Authenticated Key Exchange
E. Bresson, O. Chevassut, D. Pointcheval (2003)
New Security Results on Encrypted Key Exchange
M. Bellare, P. Rogaway (2000)
The AuthA Protocol for Password-Based Authenticated Key Exchange
D. Kormann, A. Rubin (2000)
Risks of the Passport single signon protocolComput. Networks, 33
S. Vaudenay (2002)
Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS
V. Shoup (2004)
Sequences of games: a tool for taming complexity in security proofsIACR Cryptol. ePrint Arch., 2004
Michel Abdalla, E. Bresson, O. Chevassut, Bodo Möller, D. Pointcheval (2005)
Provably secure password-based authentication in TLS
Rachna Dhamija, J. Tygar (2005)
The battle against phishing: Dynamic Security Skins
E. Bresson, O. Chevassut, D. Pointcheval (2003)
Security proofs for an efficient password-based key exchange
Michel Abdalla, O. Chevassut, D. Pointcheval (2005)
One-Time Verifier-Based Encrypted Key Exchange
The standard solution for mutual authentication between human users and servers on the internet is to execute a transport layer security (TLS) handshake during which the server authenticates using a X.509 certificate followed by the authentication of the user either with own password or with some cookie stored within the user's browser. However, poor ability of human users to validate X.509 certificates allows for various forms of (social) impersonation attacks. In this paper, we introduce human perceptible authentication (HPA) as a concept for the secure user-aware authentication of servers via recognisable authenticators such as images, video or audio sequences. We formally specify HPA within a security model for browser-based mutual authentication; for this, we extend the traditional Bellare-Rogaway model to deal with human users as inherent protocol participants. Using HPA and the classical TLS handshake, we furthermore design two efficient provably secure password- and cookie-authentication protocols.
International Journal of Applied Cryptography – Inderscience Publishers
Published: Jan 1, 2009
Read and print from thousands of top scholarly journals.
Already have an account? Log in
Bookmark this article. You can see your Bookmarks on your DeepDyve Library.
To save an article, log in first, or sign up for a DeepDyve account if you don’t already have one.
Copy and paste the desired citation format or use the link below to download a file formatted for EndNote
Access the full text.
Sign up today, get DeepDyve free for 14 days.
All DeepDyve websites use cookies to improve your online experience. They were placed on your computer when you launched this website. You can change your cookie settings through your browser.