Service provider authentication assurance

Jøsang, Audun; Varmedal, Kent Are; Rosenberger, Christophe; Kumar, Rajendra

doi:10.1109/pst.2012.6297941

Cited by 9 publications

(13 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It would be interesting to apply the prototype methodology that we develop below to their ideal browser. Jøsang et al [16] point out that TLS does not provide semantic server authentication, and can be easily exploited by semantic attacks. However, web browsers can only do syntactic server authentication, while complex user models are needed to deal with semantic attacks.…”

Section: Related Workmentioning

confidence: 99%

Socio-technical formal analysis of TLS certificate validation in modern browsers

Bella

Giustolisi

Lenzini

2013

2013 Eleventh Annual Conference on Privacy, Security and Trust

View full text Add to dashboard Cite

Abstract-Authenticating a web server is crucial to the security of web browsing. It relies on TLS certificate validation, a property whose enforcement may require getting the user involved. Thus, certificate validation is a socio-technical property -it relies on traditional security technology as well as on social elements such as cultural values, trust and human-computer interaction. Hence the need for an appropriate methodology to study certificate validation from a socio-technical perspective. Certificate validation as carried out through today's most popular browsers -Chrome, Internet Explorer, Firefox and Opera Mini -is first represented by means of UML activity diagrams. It is then translated into CSP#, and expanded with the LTL formalization of four socio-technical properties pivoted on user involvement with certificate validation. The properties are then checked automatically using the PAT model checker. The findings turn out to be far from straightforward and, most importantly, allowed for prototyping a basic methodology for the sociotechnical formal analysis of security properties.

show abstract

Section: Related Workmentioning

confidence: 99%

Socio-technical formal analysis of TLS certificate validation in modern browsers

Bella

Giustolisi

Lenzini

2013

2013 Eleventh Annual Conference on Privacy, Security and Trust

View full text Add to dashboard Cite

show abstract

“…However, our solutions could also support AAL 4 by implementing support for user certificates in the OffPAD. It can be mentioned that there are currently no frameworks for server authentication assurance levels, although it has been proposed [20,49].…”

Section: Discussionmentioning

confidence: 99%

“…This is a serious vulnerability which is also the reason why phishing attacks often succeed even when TLS is being used for server authentication [20].…”

Section: Server Authentication Supported By the Offpadmentioning

confidence: 99%

See 1 more Smart Citation

Local user-centric identity management

Jøsang

Rosenberger

Miralabé³

et al. 2015

J Trust Manag

Self Cite

View full text Add to dashboard Cite

Identity management is a rather general concept that covers technologies, policies and procedures for recognising and authenticating entities in ICT environments. Current identity management solutions often have inadequate usability and scalability, or they provide inadequate authentication assurance. This article describes local user-centric identity management as an approach to providing scalable, secure and user friendly identity management. This approach is based on placing technology for identity management on the user side, instead of on the server side or in the cloud. This approach strengthens authentication assurance, improves usability, minimizes trust requirements, and has the advantage that trusted online interaction can be upheld even in the presence of malware infection in client platforms. More specifically, our approach is based on using an OffPAD (Offline Personal Authentication Device) as a trusted device to support the different forms of authentication that are necessary for trusted interactions. A prototype OffPAD has been implemented and tested in user experiments.

show abstract

“…Instead, server authentication assurance should also be considered. Of course, as typically adopted by the standards for network security such as X.800 (Security Architecture for Open Systems Interconnection), the following two types of authentication should be considered [22]:…”

Section: Presentation Tiermentioning

confidence: 99%

Towards a Framework for Supporting Unconditionally Secure Authentication Services within E-Government Infrastructures

Al-Janabi

2016

juhd

View full text Add to dashboard Cite

Abstract-It has been noticed by many researchers that the speed of ICT advancement in developing, deploying, and using e-government infrastructures is much faster than the development and deployment of security services. Therefore, government organizations are still suffering from the existence and emerging of security risks. One important category of cryptographic primitives that needs to be considered in this respect is the unconditionally secure message authentication codes (or A-codes). These A-codes are cryptographically approached based on information theory. They offer unconditional security, i.e., security independent of the computing power of an adversary. For many years, it was widely thought that A-codes were impractical for real applications. However, in recent years, many A-codes have been developed which are extremely efficient in terms of computations and key requirements.The aim of this work is to show the importance and validation of including unconditionally secure authentication services within e-government infrastructures. We believe that all main e-government services can get benefit from that in a way or another. This includes Government to Citizen (G2C), Government to Business (G2B), Government to Government (G2G), and Government to Constituents (E-Democracy) services. The work highlights the basic requirements for a general framework that facilitates the inclusion of such authentication services within the security infrastructure of e-government.

show abstract

Service provider authentication assurance

Cited by 9 publications

References 15 publications

Socio-technical formal analysis of TLS certificate validation in modern browsers

Socio-technical formal analysis of TLS certificate validation in modern browsers

Local user-centric identity management

Towards a Framework for Supporting Unconditionally Secure Authentication Services within E-Government Infrastructures

Contact Info

Product

Resources

About