A Proof of Concept Implementation of SSL/TLS Session-Aware User Authentication (TLS-SA)

Rolf Oppliger, Ralf Hauser, David Basin, Aldo Rodenhaeuser and Bruno Kaiser

Abstract: Most SSL/TLS-based e-commerce applications employ conventional mechanisms for user authentication. These mechanisms, if decoupled from SSL/TLS session establishment, are vulnerable to man-in-the-middle (MITM) attacks. In this paper, we elaborate on the feasibility of MITM attacks, survey countermeasures, introduce the notion of SSL/TLS session-aware user authentication (TLS-SA), and present a proof of concept implementation of TLS-SA. We think that TLS-SA fills a gap between the use of public key certificates on the client side and currently deployed user authentication mechanisms. Most importantly, it allows for the continued use of legacy two-factor authentication devices while still providing high levels of protection against MITM attacks.
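The abstract's core point is that a credential which does not depend on the TLS session can be relayed unchanged by an interposed party, whereas a credential bound to the session the client actually negotiated cannot. The following Python sketch is an added illustration, not the paper's proof-of-concept implementation or its exact scheme: the binding construction (an HMAC over the TLS session ID and the negotiated server certificate's fingerprint), the secret, and the certificate fingerprints are all assumptions constructed here for the simulation.

```python
import hashlib
import hmac
import os

# Constructed sample values (not taken from the paper): a shared secret such as
# a two-factor device key, plus fingerprints of the legitimate server's and an
# interposed (MITM) server's certificates.
USER_SECRET = b"user-2fa-device-secret"
LEGIT_CERT_FP = hashlib.sha256(b"legitimate server certificate").digest()
MITM_CERT_FP = hashlib.sha256(b"interposed server certificate").digest()


def session_aware_code(secret: bytes, session_id: bytes, server_cert_fp: bytes) -> bytes:
    """Assumed TLS-SA-style construction (illustrative, not the paper's scheme):
    the user authentication code is an HMAC over the TLS session ID and the
    fingerprint of the server certificate the client actually negotiated with."""
    return hmac.new(secret, session_id + server_cert_fp, hashlib.sha256).digest()


def verify_conventional(secret: bytes, received: bytes) -> bool:
    """Conventional check: the credential is independent of the TLS session,
    so a credential relayed verbatim by a MITM still verifies."""
    return hmac.compare_digest(secret, received)


def verify_session_aware(secret: bytes, received: bytes,
                         server_session_id: bytes, server_cert_fp: bytes) -> bool:
    """The server recomputes the code from its *own* view of the session
    (its session ID with its peer, its own certificate) and compares."""
    expected = session_aware_code(secret, server_session_id, server_cert_fp)
    return hmac.compare_digest(expected, received)


def simulate_login(mitm_present: bool) -> dict:
    """Run one login with or without an interposed party and report which
    authentication style accepts it."""
    server_session_id = os.urandom(32)  # session between the server and its peer
    if mitm_present:
        # The client negotiates TLS with the interposer, so it observes the
        # interposer's certificate and a different session ID.
        client_session_id = os.urandom(32)
        client_cert_fp = MITM_CERT_FP
    else:
        client_session_id = server_session_id
        client_cert_fp = LEGIT_CERT_FP

    # Conventional: the client sends its credential; an interposer relays it unchanged.
    conventional_ok = verify_conventional(USER_SECRET, USER_SECRET)

    # Session-aware: the client binds the code to what it negotiated; the server
    # verifies against its own session, so a relayed code no longer matches.
    code = session_aware_code(USER_SECRET, client_session_id, client_cert_fp)
    session_aware_ok = verify_session_aware(USER_SECRET, code, server_session_id, LEGIT_CERT_FP)

    return {"conventional": conventional_ok, "session_aware": session_aware_ok}


if __name__ == "__main__":
    print("direct:", simulate_login(mitm_present=False))
    print("MITM:  ", simulate_login(mitm_present=True))
```

In the direct case both checks pass; with an interposer, the conventional check still passes while the session-aware check fails, which is exactly the property that lets legacy two-factor devices be kept while closing the MITM gap. In a real deployment the session ID and certificate fingerprint would be taken from the TLS stack on each side rather than simulated.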