Access the full text.
Sign up today, get DeepDyve free for 14 days.
Loading next page...
/lp/inderscience-publishers/user-aware-provably-secure-protocols-for-browser-based-mutual-x7dDi62dFQ
References (39)
-
M. Bellare, P. Rogaway (1993)
Entity Authentication and Key Distribution -
B. Pfitzmann, M. Waidner (2001)
A model for asynchronous reactive systems and its application to secure message transmissionProceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001
-
Thomas Gross, B. Pfitzmann, A. Sadeghi (2005)
Browser Model for Security Analysis of Browser-Based Protocols -
Victor Boyko, P. MacKenzie, Sarvar Patel (2000)
Provably Secure Password-Authenticated Key Exchange Using Diffie-HellmanIACR Cryptol. ePrint Arch., 2000
-
S. Gajek, Chen Xuan (2008)
On the Insecurity of Microsoft's Identity Metasystem -
V. Shoup (2001)
OAEP ReconsideredIACR Cryptol. ePrint Arch., 2000
-
P. Buhler, T. Eirich, M. Waidner, M. Steiner (2001)
Secure password-based cipher suite for TLSACM Transactions on Information and System Security (TISSEC), 4
-
S. Gajek, M. Manulis, Olivier Pereira, A. Sadeghi, Jörg Schwenk (2008)
Universally Composable Security Analysis of TLS - Secure Sessions with Handshake and Record Layer ProtocolsIACR Cryptol. ePrint Arch., 2008
-
S. Gajek, M. Manulis, Olivier Pereira, A. Sadeghi, Jörg Schwenk (2008)
Universally Composable Security Analysis of TLS -
Stuart Schechter, Rachna Dhamija, Andy Ozment, Ian Fischer (2007)
The Emperor's New Security Indicators2007 IEEE Symposium on Security and Privacy (SP '07)
-
Thomas Gross (2003)
Security analysis of the SAML single sign-on browser/artifact profile19th Annual Computer Security Applications Conference, 2003. Proceedings.
-
M. Bellare, D. Pointcheval, P. Rogaway (2000)
Authenticated Key Exchange Secure against Dictionary AttacksIACR Cryptol. ePrint Arch., 2000
-
Michel Abdalla, D. Pointcheval (2005)
Simple Password-Based Encrypted Key Exchange Protocols -
(2007)
A deceit-augmented man in the middle attack against bank of America’s sitekey service. Available at: http://paranoia.dubfire.net/2007/04/ deceit-augmented-man-in-middle-attack.html -
Paul Morrissey, N. Smart, B. Warinschi (2008)
A Modular Security Analysis of the TLS Handshake Protocol -
H. Krawczyk (2001)
The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?)IACR Cryptol. ePrint Arch., 2001
-
Jonathan Katz, R. Ostrovsky, M. Yung (2001)
Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords -
Collin Jackson, A. Barth, Andrew Bortz, Weidong Shao, D. Boneh (2007)
Protecting browsers from dns rebinding attacksACM Transactions on The Web, 3
-
Rachna Dhamija, J. Tygar, Marti Hearst (2006)
Why phishing worksProceedings of the SIGCHI Conference on Human Factors in Computing Systems
-
T. Dierks, C. Allen (1999)
The TLS Protocol Version 1.0RFC, 2246
-
S. Bellovin, Michael Merritt (1993)
Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise -
Tim Berners-Lee, R. Fielding, H. Nielsen (1997)
Hypertext Transfer Protocol - HTTP/1.1RFC, 2068
-
Chris Karlof, U. Shankar, Doug Tygar, D. Wagner (2007)
Dynamic pharming attacks and locked same-origin policies for web browsers -
E. Fujisaki, T. Okamoto, D. Pointcheval, J. Stern (2001)
RSA-OAEP Is Secure under the RSA AssumptionJournal of Cryptology, 17
-
Thomas Gross, B. Pfitzmann, A. Sadeghi (2005)
Proving a WS-federation passive requestor profile with a browser model -
S. Chiasson, P. Oorschot, R. Biddle (2007)
Graphical Password Authentication Using Cued Click Points -
J. Jonsson, B. Kaliski (2002)
On the Security of RSA Encryption in TLS -
Jonathan Katz, R. Ostrovsky, M. Yung (2002)
Forward Secrecy in Password-Only Key Exchange Protocols -
M. Bellare, P. Rogaway (1993)
Random oracles are practical: a paradigm for designing efficient protocols -
(2002)
The PAK suite: Protocols for Password-Authenticated Key Exchange -
E. Bresson, O. Chevassut, D. Pointcheval (2003)
New Security Results on Encrypted Key Exchange -
M. Bellare, P. Rogaway (2000)
The AuthA Protocol for Password-Based Authenticated Key Exchange -
D. Kormann, A. Rubin (2000)
Risks of the Passport single signon protocolComput. Networks, 33
-
S. Vaudenay (2002)
Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS -
V. Shoup (2004)
Sequences of games: a tool for taming complexity in security proofsIACR Cryptol. ePrint Arch., 2004
-
Michel Abdalla, E. Bresson, O. Chevassut, Bodo Möller, D. Pointcheval (2005)
Provably secure password-based authentication in TLS -
Rachna Dhamija, J. Tygar (2005)
The battle against phishing: Dynamic Security Skins -
E. Bresson, O. Chevassut, D. Pointcheval (2003)
Security proofs for an efficient password-based key exchange -
Michel Abdalla, O. Chevassut, D. Pointcheval (2005)
One-Time Verifier-Based Encrypted Key Exchange
- Publisher
- Inderscience Publishers
- Copyright
- Copyright © Inderscience Enterprises Ltd. All rights reserved
- ISSN
- 1753-0563
- eISSN
- 1753-0571
- DOI
- 10.1504/IJACT.2009.028028
- Publisher site
- See Article on Publisher Site
Abstract
The standard solution for mutual authentication between human users and servers on the internet is to execute a transport layer security (TLS) handshake during which the server authenticates using a X.509 certificate followed by the authentication of the user either with own password or with some cookie stored within the user's browser. However, poor ability of human users to validate X.509 certificates allows for various forms of (social) impersonation attacks. In this paper, we introduce human perceptible authentication (HPA) as a concept for the secure user-aware authentication of servers via recognisable authenticators such as images, video or audio sequences. We formally specify HPA within a security model for browser-based mutual authentication; for this, we extend the traditional Bellare-Rogaway model to deal with human users as inherent protocol participants. Using HPA and the classical TLS handshake, we furthermore design two efficient provably secure password- and cookie-authentication protocols.
Journal
International Journal of Applied Cryptography – Inderscience Publishers
Published: Jan 1, 2009