Trust No One Else: Detecting MITM Attacks against SSL/TLS without Third-Parties
作者: Italo Dacosta , Mustaque Ahamad , Patrick Traynor
DOI: 10.1007/978-3-642-33167-1_12
关键词:
摘要: The security guarantees provided by SSL/TLS depend on the correct authentication of servers through certificates signed a trusted authority. However, as recent incidents have demonstrated, trust in these authorities is not well placed. Increasingly, certificate (by coercion or compromise) been creating forged for range adversaries, allowing seemingly secure communications to be intercepted via man-in-the-middle (MITM) attacks. A variety solutions proposed, but their complexity and deployment costs hindered adoption. In this paper, we propose Direct Validation Certificates (DVCert), novel protocol that, instead relying third-parties validation, allows domains directly securely vouch using previously established user credentials. By robust cryptographic construction, relatively simple means enhancing server identity validation only efficient comparatively easy deploy, it also solves other limitations third-party solutions. Our extensive experimental analysis both desktop mobile platforms shows that DVCert transactions require little computation time (e.g., less than 1 ms) are unlikely degrade performance experience. short, provide practical mechanism enhance protect web applications from MITM attacks against SSL/TLS.
springer.com
ufl.edu
ieee-security.org 
core.ac.uk 参考文章(26)
Bruce Schneier, Carl Ellison, Ten Risks of Pki: WHAT YOU ARE NOT BEING TOLD ABOUT PUBLIC KEY INFRASTRUCTURE Auerbach Publications. ,(2004) , 10.1201/9780203498156.CH23
Victor Boyko, Philip MacKenzie, Sarvar Patel, Provably secure password-authenticated key exchange using Diffie-Hellman theory and application of cryptographic techniques. pp. 156- 171 ,(2000) , 10.1007/3-540-45539-6_12
Bryan Parno, Cynthia Kuo, Adrian Perrig, Phoolproof phishing prevention financial cryptography. pp. 1- 19 ,(2006) , 10.1007/11889663_1
Lorrie Faith Cranor, Neha Atri, Joshua Sunshine, Hazim Almuhimedi, Serge Egelman, Crying wolf: an empirical study of SSL warning effectiveness usenix security symposium. pp. 399- 416 ,(2009)
Joseph Bonneau, Mike Just, Greg Matthews, What's in a name? Evaluating statistical attacks on personal knowledge questions financial cryptography. pp. 98- 113 ,(2010) , 10.1007/978-3-642-14577-3_10
Christopher Soghoian, Sid Stamm, Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL Social Science Research Network. ,(2010) , 10.2139/SSRN.1591033
Zishuang (Eileen) Ye, Sean Smith, Trusted Paths for Browsers usenix security symposium. pp. 263- 279 ,(2002)
Thomas D. Wu, The Secure Remote Password Protocol. network and distributed system security symposium. ,(1998)
Christopher Soghoian, Sid Stamm, Certified lies: detecting and defeating government interception attacks against SSL (short paper) financial cryptography. pp. 250- 259 ,(2011) , 10.1007/978-3-642-27576-0_20
C. Adams, S. Farrell, Internet X.509 Public Key Infrastructure Certificate Management Protocols RFC. ,vol. 2510, pp. 1- 72 ,(1999)