Cryptology ePrint Archive: Report 2014/150

On the Effective Prevention of TLS Man-In-The-Middle Attacks in Web Applications

Nikolaos Karapanos and Srdjan Capkun

Abstract: In this paper we consider TLS MITM attacks in the context of web applications, where the attacker's goal is to impersonate the user to the legitimate server, and thus gain access to the user's online account. We describe in detail why the recently proposed TLS Channel ID-based client authentication, as well as client web authentication in general, cannot fully prevent such attacks.

We then leverage TLS Channel ID-based authentication and combine it with the concept of sender invariance to create a novel mechanism that we call SISCA: Server Invariance with Strong Client Authentication. SISCA resists user impersonation via TLS MITM attacks even if the attacker has obtained the private key of the legitimate server. We analyze our proposal and show how it can be integrated in today's web infrastructure.

Category / Keywords: applications / web security, TLS MITM attack prevention, TLS Channel ID, server invariance, SISCA

Date: received 27 Feb 2014, last revised 18 Mar 2014

Contact author: knikos at inf ethz ch

Available format(s): PDF | BibTeX Citation

Version: 20140318:093233 (All versions of this report)

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]