PAKE-based mutual HTTP authentication for preventing phishing attacks

Oiwa, Yutaka; Takagi, H.; Watanabe, Hajime; Suzuki, Hirofumi

doi:10.1145/1526709.1526898

Cited by 7 publications

(4 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For example, our results justify the general approach behind the proposals by Oiwa et al' [7,[36][37][38] and by Dacosta et al [18]. We caution that our theorems, which make use of security models for tPAuth and tPAKE, do not immediately imply security of those particular protocols.…”

Section: Contributionssupporting

confidence: 65%

See 1 more Smart Citation

Secure modular password authentication for the web using channel bindings

Manulis

Stebila

Kiefer³

et al. 2016

Int. J. Inf. Secur.

View full text Add to dashboard Cite

Secure protocols for password-based user authentication are well-studied in the cryptographic literature but have failed to see wide-spread adoption on the internet; most proposals to date require extensive modifications to the Transport Layer Security (TLS) protocol, making deployment challenging. Recently, a few modular designs have been proposed in which a cryptographically secure password-based mutual authentication protocol is run inside a confidential (but not necessarily authenticated) channel such as TLS; the password protocol is bound to the established channel to prevent active attacks. Such protocols are useful in practice for a variety of reasons: security no longer relies on users' ability to validate server certificates and can potentially be implemented with no modifications to the secure channel protocol library. We provide a systematic study of such authentication protocols. Building on recent advances in modeling TLS, we give a formal definition of the intended security goal, which we call password-authenticated and confidential channel establishment (PACCE). We show generically that combining a secure Queensland University of Technology, Brisbane, Australia channel protocol, such as TLS, with a password authentication or password-authenticated key exchange protocol, where the two protocols are bound together using the transcript of the secure channel's handshake, the server's certificate, or the server's domain name, results in a secure PACCE protocol. Our prototypes based on TLS are available as a cross-platform client-side Firefox browser extension as well as an Android application and a server-side web application that can easily be installed on servers.

show abstract

Section: Contributionssupporting

confidence: 65%

“…Oiwa et al [7,[36][37][38] published an Internet-Draft that employs an ISOstandardized PAKE protocol (KAM3 [26, Sect. 6.3], [32]) and binds it to the TLS channel using either the server's certificate or the TLS master secret key, but no formal justification is given for security of the combined construction.…”

Section: Running Pake At the Application Layermentioning

confidence: 99%

Secure modular password authentication for the web using channel bindings

Manulis

Stebila

Kiefer³

et al. 2016

Int. J. Inf. Secur.

View full text Add to dashboard Cite

show abstract

“…TLS-SA, however, requires client certificates and hardware tokens to resist offline dictionary attacks, affecting its adoption. Finally, the Mutual Authentication Protocol for HTTP [31] also combines user authentication with SSL/TLS channel binding, but it relies on the user's password instead of client certificates. To provide mutual authentication and prevent offline guessing attacks, this mechanism relies on the direct implementation of a PAKE protocol.…”

Section: Related Workmentioning

confidence: 99%

Trust No One Else: Detecting MITM Attacks against SSL/TLS without Third-Parties

Dacosta

Ahamad

Traynor

2012

Computer Security – ESORICS 2012

View full text Add to dashboard Cite

The security guarantees provided by SSL/TLS depend on the correct authentication of servers through certificates signed by a trusted authority. However, as recent incidents have demonstrated, trust in these authorities is not well placed. Increasingly, certificate authorities (by coercion or compromise) have been creating forged certificates for a range of adversaries, allowing seemingly secure communications to be intercepted via man-in-the-middle (MITM) attacks. A variety of solutions have been proposed, but their complexity and deployment costs have hindered their adoption. In this paper, we propose Direct Validation of Certificates (DVCert), a novel protocol that, instead of relying on thirdparties for certificate validation, allows domains to directly and securely vouch for their certificates using previously established user authentication credentials. By relying on a robust cryptographic construction, this relatively simple means of enhancing server identity validation is not only efficient and comparatively easy to deploy, but it also solves other limitations of third-party solutions. Our extensive experimental analysis in both desktop and mobile platforms shows that DVCert transactions require little computation time on the server (e.g., less than 1 ms) and are unlikely to degrade server performance or user experience. In short, we provide a robust and practical mechanism to enhance server authentication and protect web applications from MITM attacks against SSL/TLS.

show abstract

“…For instance, social engineering, one of the most severe threats in the cyber spaces, is used for both identity theft and malware infection in which the targets are human rather than computer systems. The research vectors against the attack are development of educational materials [5], [6], user interface for end users [7], [8], and detection methods [9]. Especially, the interface studies investigated the reasons of users' misoperations [10] and misjudgments [11].…”

Section: Related Workmentioning

confidence: 99%

Toward Automated Reduction of Human Errors Based on Cognitive Analysis

Miyamoto

Takahashi

2013

2013 Seventh International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing

View full text Add to dashboard Cite

Following the immense development of cyber society where various activities including e-commerce take place, the demands for security is rapidly growing. Among major causes of security flaws is human error, which is unintentionally caused by humans. To cope with that, we intend to build a human error database that automatically develops further. We conducted a survey on human factors and concluded that the root causes of human errors are related to the internal mental processes, and the cognitive-psychological methodology is a feasible for the estimation of them. Based on that this paper proposes a framework that consists of data collection methods and data structure. It also explores the usability of the data by presenting use cases of human error prevention and incident handling.

show abstract

PAKE-based mutual HTTP authentication for preventing phishing attacks

Cited by 7 publications

References 3 publications

Secure modular password authentication for the web using channel bindings

Secure modular password authentication for the web using channel bindings

Trust No One Else: Detecting MITM Attacks against SSL/TLS without Third-Parties

Toward Automated Reduction of Human Errors Based on Cognitive Analysis

Contact Info

Product

Resources

About