Enforcing User-Aware Browser-Based Mutual Authentication with Strong Locked Same Origin Policy
Gajek, S, Manulis, M and Schwenk, J (2008) Enforcing User-Aware Browser-Based Mutual Authentication with Strong Locked Same Origin Policy In: 13th Australasian Conference, ACISP 2008, 2008-07-07 - 2008-07-09, Wollongong, Australia.
Available under License : See the attached licence file.
The standard solution for mutual authentication between human users and servers on the Internet is to run a TLS handshake in which the server authenticates with an X.509 certificate, followed by authentication of the user either with a password or with a cookie stored in the user's browser. Unfortunately, this solution is susceptible to various impersonation attacks such as phishing, since it has turned out that average Internet users are unable to authenticate servers on the basis of their certificates. In this paper we address the security of cookie-based authentication using the concept of a strong locked same origin policy for browsers, introduced at ACM CCS'07. We describe a cookie-based authentication protocol between human users and TLS servers and prove its security in the extended formal model for browser-based mutual authentication introduced at ACM ASIACCS'08. It turns out that a small modification of the browser's security policy is sufficient to achieve provably secure cookie-based authentication protocols, taking into account the ability of users to recognize images, video, or audio sequences.
Item Type: Conference or Workshop Item (Conference Paper)
Divisions: Faculty of Engineering and Physical Sciences > Computing Science
Identification Number (DOI): 10.1007/978-3-540-70500-0_2
Additional Information: The original publication is available at http://www.springerlink.com
Depositing User: Symplectic Elements
Date Deposited: 12 Jun 2013 09:06
Last Modified: 09 Jun 2014 13:32