Title: User-aware provably secure protocols for browser-based mutual authentication

Authors: Sebastian Gajek, Mark Manulis, Jorg Schwenk

Addresses: Ruhr University Bochum, Universitatsstr. 150, Bochum 44780, Germany; Cryptographic Protocols Group, Technische Universitat Darmstadt, Mornewegstr. 32, Darmstadt 64289, Germany; Ruhr University Bochum, Universitatsstr. 150, Bochum 44780, Germany

Abstract: The standard solution for mutual authentication between human users and servers on the internet is to execute a transport layer security (TLS) handshake during which the server authenticates using an X.509 certificate, followed by the authentication of the user either with their own password or with some cookie stored within the user's browser. However, the poor ability of human users to validate X.509 certificates allows for various forms of (social) impersonation attacks. In this paper, we introduce human perceptible authentication (HPA) as a concept for the secure user-aware authentication of servers via recognisable authenticators such as images, video or audio sequences. We formally specify HPA within a security model for browser-based mutual authentication; for this, we extend the traditional Bellare-Rogaway model to deal with human users as inherent protocol participants. Using HPA and the classical TLS handshake, we furthermore design two efficient provably secure password- and cookie-authentication protocols.

Keywords: user awareness; provably secure protocols; mutual authentication; web browsers; security models; web servers; impersonation attacks; human perceptible authentication; password authentication; cookie authentication.

DOI: 10.1504/IJACT.2009.028028

International Journal of Applied Cryptography, 2009 Vol.1 No.4, pp.290 - 308

Available online: 31 Aug 2009
