Get 20M+ Full-Text Papers For Less Than $1.50/day. Start a 14-Day Trial for You or Your Team.

Learn More →

User-aware provably secure protocols for browser-based mutual authentication

User-aware provably secure protocols for browser-based mutual authentication The standard solution for mutual authentication between human users and servers on the internet is to execute a transport layer security (TLS) handshake during which the server authenticates using a X.509 certificate followed by the authentication of the user either with own password or with some cookie stored within the user's browser. However, poor ability of human users to validate X.509 certificates allows for various forms of (social) impersonation attacks. In this paper, we introduce human perceptible authentication (HPA) as a concept for the secure user-aware authentication of servers via recognisable authenticators such as images, video or audio sequences. We formally specify HPA within a security model for browser-based mutual authentication; for this, we extend the traditional Bellare-Rogaway model to deal with human users as inherent protocol participants. Using HPA and the classical TLS handshake, we furthermore design two efficient provably secure password- and cookie-authentication protocols. http://www.deepdyve.com/assets/images/DeepDyve-Logo-lg.png International Journal of Applied Cryptography Inderscience Publishers

User-aware provably secure protocols for browser-based mutual authentication

Download PDF
19 pages

Loading next page...
 
/lp/inderscience-publishers/user-aware-provably-secure-protocols-for-browser-based-mutual-x7dDi62dFQ
Publisher
Inderscience Publishers
Copyright
Copyright © Inderscience Enterprises Ltd. All rights reserved
ISSN
1753-0563
eISSN
1753-0571
DOI
10.1504/IJACT.2009.028028
Publisher site
See Article on Publisher Site

Abstract

The standard solution for mutual authentication between human users and servers on the internet is to execute a transport layer security (TLS) handshake during which the server authenticates using a X.509 certificate followed by the authentication of the user either with own password or with some cookie stored within the user's browser. However, poor ability of human users to validate X.509 certificates allows for various forms of (social) impersonation attacks. In this paper, we introduce human perceptible authentication (HPA) as a concept for the secure user-aware authentication of servers via recognisable authenticators such as images, video or audio sequences. We formally specify HPA within a security model for browser-based mutual authentication; for this, we extend the traditional Bellare-Rogaway model to deal with human users as inherent protocol participants. Using HPA and the classical TLS handshake, we furthermore design two efficient provably secure password- and cookie-authentication protocols.

Journal

International Journal of Applied CryptographyInderscience Publishers

Published: Jan 1, 2009

There are no references for this article.