Abstract | ||
---|---|---|
Secure protocols for password-based user authentication are well-studied in the cryptographic literature but have failed to see wide-spread adoption on the internet; most proposals to date require extensive modifications to the Transport Layer Security (TLS) protocol, making deployment challenging. Recently, a few modular designs have been proposed in which a cryptographically secure password-based mutual authentication protocol is run inside a confidential (but not necessarily authenticated) channel such as TLS; the password protocol is bound to the established channel to prevent active attacks. Such protocols are useful in practice for a variety of reasons: security no longer relies on users' ability to validate server certificates and can potentially be implemented with no modifications to the secure channel protocol library. We provide a systematic study of such authentication protocols. Building on recent advances in modeling TLS, we give a formal definition of the intended security goal, which we call password-authenticated and confidential channel establishment (PACCE). We show generically that combining a secure channel protocol, such as TLS, with a password authentication or password-authenticated key exchange protocol, where the two protocols are bound together using the transcript of the secure channel's handshake, the server's certificate, or the server's domain name, results in a secure PACCE protocol. Our prototypes based on TLS are available as a cross-platform client-side Firefox browser extension as well as an Android application and a server-side web application that can easily be installed on servers. |
Year | DOI | Venue |
---|---|---|
2014 | 10.1007/s10207-016-0348-7 | Int. J. Inf. Sec. |
Keywords | Field | DocType |
Password authentication,Transport Layer Security,Channel binding | World Wide Web,Challenge-Handshake Authentication Protocol,Challenge–response authentication,Computer science,Computer security,S/KEY,Hypertext Transfer Protocol over Secure Socket Layer,One-time password,Authentication protocol,Password,Transport Layer Security | Journal |
Volume | Issue | ISSN |
15 | 6 | 1615-5262 |
Citations | PageRank | References |
1 | 0.43 | 30 |
Authors | ||
3 |
Name | Order | Citations | PageRank |
---|---|---|---|
Mark Manulis | 1 | 636 | 50.11 |
Douglas Stebila | 2 | 578 | 48.66 |
Nick Denham | 3 | 1 | 0.43 |