Abstract
Today, with the presence of a large number of Man-In-The-Middle (MITM) attacks, identity authentication plays an important role in computer communication network. Series of authentication protocols have been proposed to resist against MITM attacks. Due to the lack of two-way certification between the client and the server, an attack named Man-In-The-Middle-Script-In-The-Browser (MITM-SITB) still works in most protocols. In order to protect against this kind of attack, a Channel-ID based authentication protocol named Server-Invariance-with-Strong-Client-Authentication (SISCA) is put forward. This protocol can not support key update and execute inefficiently. To solve this problem, we propose a Communication-Effectiveness-of-Web-Authentication (CEWA) protocol. We design a new certification process to make the protocol support key update, thus avoiding the risk of key leaks. Simultaneously, We designed the key storage method to manage the keys. We improve the efficiency of implementation. We also analyze its security and the experimental analysis shows the better performance of the efficiency than that in SISCA protocol.
Keywords
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsReferences
Oppliger, R., Hauser, R., Basin, D.: SSL/TLS session-aware user authentication - or how to effectively thwart the man-in-the-middle. Comput. Commun. 29(12), 2238–2246 (2006)
Callegati, F., Cerroni, W., Ramilli, M.: Man-in-the-middle attack to the HTTPS protocol. IEEE Secur. Priv. 7(1), 78–81 (2009)
Stricot-Tarboton, S., Chaisiri, S., Ko, R.K.L.: Taxonomy of man-in-the-middle attacks on HTTPS. In: TrustCom/BigDataSE/ISPA (2017)
Huang, L.S., Rice, A., Ellingsen, E., et al.: Analyzing forged SSL certificates in the wild. In: IEEE Symposium on Security and Privacy, pp. 83–97 (2014)
Mayer, W., Zauner, A., Schmiedecker, M., et al.: No need for black chambers: testing TLS in the e-mail ecosystem at large, pp. 10–20 (2015)
Dietz, M., Czeskis, A., Balfanz, D., et al.: Origin-bound certificates: a fresh approach to strong client authentication for the web. In: USENIX Conference on Security Symposium, p. 16 (2012)
Karapanos, N., Capkun, S.: On the effective prevention of TLS man-in-the-middle attacks in web applications. In: 23rd USENIX Security Symposium, pp. 671–686 (2014)
Karlof, C., Shankar, U., Tygar, J.D., et al.: Dynamic pharming attacks and locked same-origin policies for web browsers. In: ACM Conference on Computer and Communications Security, CCS 2007, Alexandria, Virginia, USA, pp. 58–71, October 2007
Chen, K., Lin, D., Yan, L., Sun, X.: Environment-bound SAML assertions: a fresh approach to enhance the security of SAML assertions. In: Lin, D., Xu, S., Yung, M. (eds.) Inscrypt 2013. LNCS, vol. 8567, pp. 361–376. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-12087-4_23
Xia, H.: Hardening web browsers against man-in-the-middle and eavesdropping attacks. In: International Conference on World Wide Web, WWW 2005, Chiba, Japan, pp. 489–498, May 2005
Bansal, C., Bhargavan, K., Maffeis, S.: Discovering concrete attacks on website authorization by formal analysis. In: IEEE Computer Security Foundations Symposium, pp. 247–262 (2012)
Zhou, Y., Evans, D.: SSOScan: automated testing of web applications for single sign-on vulnerabilities. In: USENIX Security Symposium (2014)
Chang, P.H., Kim, W., Agha, G.: An adaptive programming framework for web applications. In: Proceedings of the International Symposium on Applications and the Internet, pp. 152–159 (2004)
Xiao, Y., Rayi, V., Sun, B., Du, X., Hu, F., Galloway, M.: A survey of key management schemes in wireless sensor networks. J. Comput. Commun. 30(11–12), 2314–2341 (2007)
Du, X., Xiao, Y., Guizani, M., Chen, H.H.: An effective key management scheme for heterogeneous sensor networks. Ad Hoc Netw. 5(1), 24–34 (2007)
Du, X., Guizani, M., Xiao, Y., Chen, H.H.: A routing-driven elliptic curve cryptography based key management scheme for heterogeneous sensor networks. IEEE Trans. Wirel. Commun. 8(3), 1223–1229 (2009)
Dierks, T., Rescorla, E.: RFC 5246 - The transport layer security (TLS) protocol - Version 1.2 (2008)
Xiao, Y., Du, X., Zhang, J., Guizani, S.: Internet protocol television (IPTV): the killer application for the next generation internet. IEEE Commun. Mag. 45(11), 126–134 (2007)
Lennox, I.D.J., Rosenberg, J., Schulzrinne, H.: Internet Engineering Task Force. RFC, pp. 82–89, 11 August 2001
Tschofenig, H., Fossati, T.: Transport layer security (TLS)/datagram transport layer security (DTLS) profiles for the internet of things. Physiol. Rev. 66(4), 1121–1188 (2016)
Du, X., Chen, H.H.: Security in wireless sensor networks. IEEE Wirel. Commun. Mag. 15(4), 60–66 (2008)
Yee, P.: Updates to the internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile. Harefuah 131(5–6), 184 (2013)
Fielding, R., Gettys, J., Mogul, J., et al.: RFC 2616: Hypertext Transfer Protocol - HTTP/1.1. Comput. Sci. Commun. Dict. 7(9), 3969–3973 (1999)
Du, X., Guizani, M., Xiao, Y., Chen, H.H.: Secure and efficient time synchronization in heterogeneous sensor networks. IEEE Trans. Veh. Technol. 57(4), 2387–2394 (2008)
Acknowledgment
This work is partially supported by China National Key Research and Development Program No. 2016YFB0800301.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Zhang, Z., Shen, C., Zhu, L., Xu, C., Wazir, S.K., Chen, C. (2018). Achieving Communication Effectiveness of Web Authentication Protocol with Key Update. In: Zhu, L., Zhong, S. (eds) Mobile Ad-hoc and Sensor Networks. MSN 2017. Communications in Computer and Information Science, vol 747. Springer, Singapore. https://doi.org/10.1007/978-981-10-8890-2_11
Download citation
DOI: https://doi.org/10.1007/978-981-10-8890-2_11
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-10-8889-6
Online ISBN: 978-981-10-8890-2
eBook Packages: Computer ScienceComputer Science (R0)