SSL/TLS session-aware user authentication against man-in-the-middle attacks

4 April 2013, 12:10 - Helena Maria Lopes Romão Borges

Rolf Oppliger
eSECURITY Technologies Rolf Oppliger

Date: 10 April 2013    Time: 11:00    Room: 020  INESC-ID
Rua Alves Redol 9, 1000-029 Lisboa

In spite of the fact that SSL/TLS is omnipresent in today's Internet commerce, it is highly vulnerable to man-in-the-middle (MITM) attacks. In this talk, we explain why this is the case and what possibilities one has at hand to protect SSL/TLS-secured Internet commerce against MITM attacks. In particular, we introduce, discuss, and put into perspective a technology called SSL/TLS session-aware (TLS-SA) user authentication that basically links a user authentication to a particular SSL/TLS session to reveal the existence of an MITM. The technology does not protect against malware taking control after user authentication (a so-called man-in-the-browser attack). So TLS-SA does not stop the general trend towards transaction authentication in addition to user authentication for applications with high security requirements, such as Internet banking.
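As an added illustration of the binding principle described above (this is not code from the speaker or from the talk, and it is a simplified sketch rather than the exact TLS-SA construction), the Python snippet below has the user's token compute an authentication code over the one-time password and the fingerprint of the server certificate the client actually received, so a code relayed by an MITM that substituted its own certificate fails verification at the server. The certificates, the shared token key and the OTP are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values. In a real deployment the certificates would be the
# DER-encoded X.509 certificates presented in the handshake, and the token key
# would be provisioned to the user's token and the bank out of band (assumption).
BANK_CERT = b"constructed sample: the bank's real server certificate"
MITM_CERT = b"constructed sample: certificate presented by the MITM"
TOKEN_KEY = b"constructed sample: secret shared by token and bank"
OTP = "482913"  # constructed one-time password shown by the user's token


def cert_fingerprint(cert_der: bytes) -> bytes:
    """Fingerprint of the certificate the client actually received."""
    return hashlib.sha256(cert_der).digest()


def session_aware_uac(token_key: bytes, otp: str, cert_seen_by_client: bytes) -> str:
    """Client/token side: bind the one-time password to the observed server
    certificate, so the code is only valid for a session with that peer."""
    msg = otp.encode() + cert_fingerprint(cert_seen_by_client)
    return hmac.new(token_key, msg, hashlib.sha256).hexdigest()


def server_verify(token_key: bytes, otp: str, uac: str, own_cert: bytes) -> bool:
    """Server side: recompute the code with its own certificate and compare."""
    expected = session_aware_uac(token_key, otp, own_cert)
    return hmac.compare_digest(expected, uac)


def honest_session_accepted() -> bool:
    """Client talks to the bank directly: the certificate it saw is the bank's."""
    uac = session_aware_uac(TOKEN_KEY, OTP, BANK_CERT)
    return server_verify(TOKEN_KEY, OTP, uac, BANK_CERT)  # True


def mitm_session_accepted() -> bool:
    """An MITM between client and bank shows the client its own certificate and
    forwards the OTP and code unchanged; the bank recomputes with its own cert."""
    uac = session_aware_uac(TOKEN_KEY, OTP, MITM_CERT)
    return server_verify(TOKEN_KEY, OTP, uac, BANK_CERT)  # False: fingerprints differ


def plain_otp_relay_accepted() -> bool:
    """Contrast: a bare OTP carries no session binding, so the same relay is
    accepted by a server that only checks the OTP value."""
    relayed_otp = OTP  # the MITM forwards exactly what the user typed
    return hmac.compare_digest(relayed_otp, OTP)  # True


if __name__ == "__main__":
    print("honest session accepted:", honest_session_accepted())
    print("MITM session accepted:", mitm_session_accepted())
    print("plain OTP relay accepted:", plain_otp_relay_accepted())
```

The last function is the point of the contrast: the OTP alone is accepted whether or not an MITM relayed it, while the session-aware code is rejected as soon as the client's view of the server certificate differs from the bank's.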

Rolf Oppliger studied computer science, mathematics, and economics at the University of Bern, Switzerland, where he received M.Sc. and Ph.D. degrees in computer science in 1991 and 1993, respectively. In 1999, he received the venia legendi for computer science from the University of Zurich, Switzerland, where he was appointed adjunct professor in 2007. The focus of his professional activities is on technical information security and privacy. In these areas, he has published many books and scientific articles and papers, regularly participates in conferences and workshops (both as a contributor and as a member of the respective program committees), serves on the editorial boards of some leading magazines and journals (e.g., IEEE Computer and IEEE Security & Privacy), and is the editor of the Artech House information security and privacy book series. He is the founder and owner of eSECURITY Technologies Rolf Oppliger, works for the Swiss federal administration, and teaches at the University of Zurich. He is a senior member and distinguished speaker of the Association for Computing Machinery (ACM), a senior member of the Institute of Electrical and Electronics Engineers (IEEE), a member of the IEEE Computer Society, and a member of the International Association for Cryptologic Research (IACR). He also served as vice-chair of the IFIP TC 11 working group on network security.