This Article 
 Bibliographic References 
 Add to: 
SSL/TLS Session-Aware User Authentication
March 2008 (vol. 41 no. 3)
pp. 59-65
Rolf Oppliger, eSECURITY Technologies
Ralf Hauser, PrivaSphere AG
David Basin, ETH Zurich
Overall, transport layer security with session-aware user authentication offers a promising approach to solving man-in-the-middle attack problems by leveraging the legacy authentication mechanisms and systems that the general public has become accustomed to using.

1. T. Dierks and E. Rescorla, "The TLS Protocol Version 1.1," RFC 4346, Apr. 2006.
2. R. Oppliger, R. Hauser, and D. Basin, "SSL/TLS Session-Aware User Authentication—Or How to Effectively Thwart the Man-in-the-Middle," Computer Comm., Aug. 2006, pp. 2238–2246.
3. A. Fiat and A. Shamir, "How to Prove Yourself: Practical Solutions to Identification and Signature Problems," Proc. CRYPTO 86, LNCS 263, Springer, 1987, pp. 186–194.
4. P. Eronen and H. Tschofenig, eds., "Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)," Standards Track RFC 4279, Dec. 2005.
5. M. Badra and I. Hajjeh, "Key-Exchange Authentication Using Shared Secrets," Computer, Mar. 2006, pp. 58–66.
6. M. Steiner et al., "Secure Password-Based Cipher Suite for TLS," ACM Trans. Information and System Security, May 2001, pp. 134–157.
7. R.L. Rivest and A. Shamir, "How to Expose an Eavesdropper," Comm. ACM, vol. 27, no. 4, 1984, pp. 393–395.
8. S.M. Bellovin and M. Merritt, "An Attack on the Interlock Protocol When Used for Authentication," IEEE Trans. Information Theory, Jan. 1994, pp. 273–275.
9. N. Asokan, V. Niemi, and K. Nyberg, "Man-in-the-Middle in Tunneled Authentication Protocols," Proc. Int'l Workshop Security Protocols, Springer-Verlag, 2003, pp. 15–24.
10. RSA Security Technology Backgrounder, "Enhancing One-Time Passwords for Protection Against Real-Time Phishing Attacks;" .
11. B. Parno, C. Kuo, and A. Perrig, "Phoolproof Phishing Prevention," Proc. Financial Cryptography and Data Security, Springer-Verlag, 2006, pp. 1–19.
12. A. Alkassar, C. Stüble, and A-R. Sadeghi, "Secure Object Identification—or: Solving the Chess Grandmaster Problem," Proc. 2003 Workshop New Security Paradigms, ACM Press, 2003, pp. 77–85.
13. R. Oppliger et al., "A Proof of Concept Implementation of SSL/TLS Session-Aware User Authentication," Proc. Kommunikation Verteilten Systemen (KiVS 2007), Springer-Verlag, 2007, pp. 225–236.
14. R. Oppliger and R. Hauser, "Protecting TLS-SA Implementations for the Challenge-Response Feature of EMV-CAP Against Challenge Collision Attacks," Security and Communication Networks, to appear.

Index Terms:
man-in-the-middle (MITM) attacks, security, user authentication, SSL/TLS protocols
Rolf Oppliger, Ralf Hauser, David Basin, "SSL/TLS Session-Aware User Authentication," Computer, vol. 41, no. 3, pp. 59-65, March 2008, doi:10.1109/MC.2008.98
Usage of this product signifies your acceptance of the Terms of Use.