Bruno Kaiser | Uni Zürich
Papers by Bruno Kaiser
Man-in-the-middle (MITM) attacks pose a serious threat to SSL/TLS-based e-commerce applications, such as Internet banking. SSL/TLS session-aware user authentication can be used to mitigate the risks and to protect users against MITM attacks in an SSL/TLS setting. In this paper, we further delve into SSL/TLS session-aware user authentication and possibilities to implement it. More specifically, we overview, discuss, and put into perspective a proof of concept implementation that demonstrates the feasibility of the token-based approach. The results are promising, and we intend to develop turnkey solutions that can be used to secure e-commerce applications in terms of protection against MITM attacks.
Most SSL/TLS-based e-commerce applications employ conventional mechanisms for user authentication. These mechanisms—if decoupled from SSL/TLS session establishment—are vulnerable to man-in-the-middle (MITM) attacks. In this paper, we elaborate on the feasibility of MITM attacks, survey countermeasures, introduce the notion of SSL/TLS session-aware user authentication (TLS-SA), and present a proof of concept implementation of TLS-SA. We think that TLS-SA fills a gap between the use of public key certificates on the client side and currently deployed user authentication mechanisms. Most importantly, it allows for the continued use of legacy two-factor authentication devices while still providing high levels of protection against MITM attacks.
There is a common understanding that requirements engineering is crucial for software engineering. This is not only true for the development of software but also for the composition of software systems and business processes. For example, the Architecture Development Method (ADM) of TOGAF (The Open Group Architecture Framework) positions requirements engineering in the center of its development cycle [1]. But it must be observed that this common understanding is not put into practice.