用户感知的可证明的安全协议，用于基于浏览器的相互认证

Int. J. Appl. Cryptogr. Pub Date : 2009-08-01 DOI:10.1504/IJACT.2009.028028

S. Gajek, M. Manulis, Jörg Schwenk

{"title":"用户感知的可证明的安全协议，用于基于浏览器的相互认证","authors":"S. Gajek, M. Manulis, Jörg Schwenk","doi":"10.1504/IJACT.2009.028028","DOIUrl":null,"url":null,"abstract":"The standard solution for mutual authentication between human users and servers on the internet is to execute a transport layer security (TLS) handshake during which the server authenticates using a X.509 certificate followed by the authentication of the user either with own password or with some cookie stored within the user's browser. However, poor ability of human users to validate X.509 certificates allows for various forms of (social) impersonation attacks. In this paper, we introduce human perceptible authentication (HPA) as a concept for the secure user-aware authentication of servers via recognisable authenticators such as images, video or audio sequences. We formally specify HPA within a security model for browser-based mutual authentication; for this, we extend the traditional Bellare-Rogaway model to deal with human users as inherent protocol participants. Using HPA and the classical TLS handshake, we furthermore design two efficient provably secure password- and cookie-authentication protocols.","PeriodicalId":350332,"journal":{"name":"Int. J. Appl. Cryptogr.","volume":"60 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2009-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"6","resultStr":"{\"title\":\"User-aware provably secure protocols for browser-based mutual authentication\",\"authors\":\"S. Gajek, M. Manulis, Jörg Schwenk\",\"doi\":\"10.1504/IJACT.2009.028028\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"The standard solution for mutual authentication between human users and servers on the internet is to execute a transport layer security (TLS) handshake during which the server authenticates using a X.509 certificate followed by the authentication of the user either with own password or with some cookie stored within the user's browser. However, poor ability of human users to validate X.509 certificates allows for various forms of (social) impersonation attacks. In this paper, we introduce human perceptible authentication (HPA) as a concept for the secure user-aware authentication of servers via recognisable authenticators such as images, video or audio sequences. We formally specify HPA within a security model for browser-based mutual authentication; for this, we extend the traditional Bellare-Rogaway model to deal with human users as inherent protocol participants. Using HPA and the classical TLS handshake, we furthermore design two efficient provably secure password- and cookie-authentication protocols.\",\"PeriodicalId\":350332,\"journal\":{\"name\":\"Int. J. Appl. Cryptogr.\",\"volume\":\"60 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2009-08-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"6\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Int. J. Appl. Cryptogr.\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1504/IJACT.2009.028028\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Int. J. Appl. Cryptogr.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1504/IJACT.2009.028028","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 6

摘要

internet上人类用户和服务器之间相互认证的标准解决方案是执行传输层安全(TLS)握手，在此期间，服务器使用X.509证书进行身份验证，然后使用用户自己的密码或存储在用户浏览器中的某些cookie进行身份验证。然而，由于人类用户验证X.509证书的能力较差，因此有可能出现各种形式的(社会)模拟攻击。在本文中，我们引入了人类感知认证(HPA)作为一个概念，通过可识别的认证器(如图像、视频或音频序列)对服务器进行安全的用户感知认证。我们在基于浏览器的相互认证的安全模型中正式指定HPA;为此，我们扩展了传统的Bellare-Rogaway模型，将人类用户作为固有的协议参与者来处理。利用HPA和经典的TLS握手协议，我们进一步设计了两种高效的可证明安全的密码认证协议和cookie认证协议。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

User-aware provably secure protocols for browser-based mutual authentication

The standard solution for mutual authentication between human users and servers on the internet is to execute a transport layer security (TLS) handshake during which the server authenticates using a X.509 certificate followed by the authentication of the user either with own password or with some cookie stored within the user's browser. However, poor ability of human users to validate X.509 certificates allows for various forms of (social) impersonation attacks. In this paper, we introduce human perceptible authentication (HPA) as a concept for the secure user-aware authentication of servers via recognisable authenticators such as images, video or audio sequences. We formally specify HPA within a security model for browser-based mutual authentication; for this, we extend the traditional Bellare-Rogaway model to deal with human users as inherent protocol participants. Using HPA and the classical TLS handshake, we furthermore design two efficient provably secure password- and cookie-authentication protocols.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Int. J. Appl. Cryptogr.

自引率

0.00%

发文量