SSL/TLS session-aware user authentication revisited

Rolf Oppliger, Ralf Hauser, David Basin
2008 Computers & security  
In [OHB06], we introduced the notion of SSL/TLS session-aware user authentication to protect SSL/TLS-based e-commerce applications against MITM attacks and we proposed an implementation based on impersonal  ...  These include multi-institution tokens, possibilities for changing the PIN, and, most importantly, different ways of making several popular and widely deployed user authentication systems SSL/TLS session-aware.  ... 
doi:10.1016/j.cose.2008.04.005 fatcat:dj3aw6chmvbktfy2kktjfwrtny

SoK: Lessons Learned from SSL/TLS Attacks [chapter]

Christopher Meyer, Jörg Schwenk
2014 Lecture Notes in Computer Science  
SSL/TLS can be used for ensuring data confidentiality, integrity and authenticity during transport.  ...  The attack requires compression to be enabled in an SSL/TLS session.  ...  Intercepting SSL/TLS Protected Traffic In [22] Canvel, Hiltgen, Vaudenay and Vuagnoux extended Vaudenay's attack (cf. 3.2) to decrypt a password from an SSL/TLS secured IMAP session.  ... 
doi:10.1007/978-3-319-05149-9_12 fatcat:u2hn3qqjzzbobmsm4h3tiibdl4

A Tangled World Wide Web of Security Issues

Joris Claessens, Bart Preneel, Joos Vandewalle
2002 First Monday  
SSL/TLS provides entity authentication, data authentication, and data confidentiality. In short, SSL/TLS works as follows.  ...  A Web server needs an SSL/TLS server private key. Users might need a private key for SSL/TLS client authentication, for SET, or for digitally signing documents.  ... 
doi:10.5210/fm.v7i3.935 fatcat:cssxalxebrcthadbtyi5epz4ma

Application Level Security in a Public Library: A Case Study

Richard Thomchick, Tonia San Nicolas-Rocca
2018 Information Technology and Libraries  
However, there are many methods that libraries can use to evaluate HTTPS and SSL/TLS implementation, including automated software tools and heuristic evaluations.  ...  ., e-commerce transactions, user authentication, etc.).  ... 
doi:10.6017/ital.v37i4.10405 fatcat:ppfcwpcymfapzdgmqbsyklh64m

Application Layer Security Authentication Protocols for the Internet of Things: A Survey

Shruthi Narayanaswamy, Anitha Vijaya Kumar
2019 Advances in Science, Technology and Engineering Systems  
The essence of the paper is an attempt to revisit the existing IoT based security authentication protocols operating in the Application Layer (AL), AL being the end user's actual service provider.  ...  The author intends to support the users with information sufficient enough to decide on the type of protocol based on the application.  ...  Security in MQTT is based on SSL/TLS encryption, a relative standard for authentication in an IoT environment.  ... 
doi:10.25046/aj040131 fatcat:jibfkxftcvhx3cjpyo6hd23dii

Security Architecture for Sensitive Information Systems [chapter]

Xianping Wu, Phu Dung, Balasubramaniam Srinivas
2010 Convergence and Hybrid Information Technologies  
Session keys, used for securing all messages in the one communication session, are also called ephemeral keys. Their lifetimes are less than long-term shared keys.  ...  Session keys can be distributed by using a shared long-term key or a public key starting at every communication session. A one-time pad is normally exchanged via physical devices.  ...  Therefore, we study handshake protocol in SSL/TLS in detail.  ... 
doi:10.5772/9641 fatcat:cdq2t26wcfc3vc5czgqog3h5pu

Security Smells in Ansible and Chef Scripts: A Replication Study [article]

Akond Rahman and Md. Rayhanur Rahman and Chris Parnin and Laurie Williams
2020 arXiv   pre-print
infrastructure as code (IaC) scripts, such as Ansible and Chef scripts, are used to provision cloud-based servers and systems at scale, security smells in IaC scripts could be used to enable malicious users  ...  We provide examples below: • Awareness of HTTPS availability: We submitted a bug report for two instances of 'HTTP without SSL/TLS'.  ...  For example, as shown in Figure 5, the authentication URL uses HTTP without SSL/TLS for 'auth_url'. Such usage of HTTP can be problematic, as an attacker can eavesdrop on the communication channel.  ... 
arXiv:1907.07159v2 fatcat:sean2vmobvdh3od542cjfutuoe

Why phishing works

Rachna Dhamija, J. D. Tygar, Marti Hearst
2006 Proceedings of the SIGCHI conference on Human Factors in computing systems - CHI '06  
We also found that some visual deception attacks can fool even the most sophisticated users.  ...  This paper provides the first empirical evidence about which malicious strategies are successful at deceiving general users.  ...  SSL/TLS authenticates a server by verifying that the server holds a certificate that has been digitally signed by a trusted certificate authority.  ... 
doi:10.1145/1124772.1124861 dblp:conf/chi/DhamijaTH06 fatcat:u442xlartfeyrmktoigd77dhbe

New Threats to SMS-Assisted Mobile Internet Services from 4G LTE: Lessons Learnt from Distributed Mobile-Initiated Attacks towards Facebook and Other Services [article]

Guan-Hua Tu, Yuanjie Li, Chunyi Peng, Chi-Yu Li, Muhammad Taqi Raza, Hsiao-Yun Tseng, Songwu Lu
2015 arXiv   pre-print
However, its shields to messaging integrity and user authentication are not in place.  ...  With more personalized mobile devices in hand, many services choose to offer alternative, usually more convenient, approaches to authenticating and delivering the content between mobile users and service  ...  For example, many mobile services bind username/password with the SSL/TLS connection between user and server.  ... 
arXiv:1510.08531v2 fatcat:qybv7d4nfjhszlo3t4x62iydau

Here's my cert, so trust me, maybe?

Devdatta Akhawe, Bernhard Amann, Matthias Vallentin, Robin Sommer
2013 Proceedings of the 22nd international conference on World Wide Web - WWW '13  
We identify low-risk scenarios that consume a large chunk of the user attention budget and make concrete recommendations to browser vendors that will help maintain user attention in high-risk situations  ...  We study the impact on end users with a data set much larger in scale than the data sets used in previous TLS measurement studies.  ...  Bro's dynamic protocol detection identifies SSL/TLS traffic independent of the transport-layer port [9].  ... 
doi:10.1145/2488388.2488395 dblp:conf/www/AkhaweAVS13 fatcat:4eztbtznk5brrf2m3v3c55vawa

SoK: SSL and HTTPS: Revisiting Past Challenges and Evaluating Certificate Trust Model Enhancements

J. Clark, P. C. van Oorschot
2013 2013 IEEE Symposium on Security and Privacy  
Internet users today depend daily on HTTPS for secure communication with sites they intend to visit.  ...  Meanwhile the number of browser-trusted (and thus, de facto, user-trusted) certificate authorities has proliferated, while the due diligence in baseline certificate issuance has declined.  ...  We acknowledge funding from the Natural Science and Engineering Research Council (NSERC) through a PDF (first author), Canada Research Chair in Authentication and Computer Security (second), and NSERC  ... 
doi:10.1109/sp.2013.41 dblp:conf/sp/ClarkO13 fatcat:xtazjddqd5d4bad5eqdkl5hvnq

Revisiting the Feasibility of Public Key Cryptography in Light of IIoT Communications

Jasone Astorga, Marc Barcelo, Aitor Urbieta, Eduardo Jacob
2022 Sensors  
Digital certificates are regarded as the most secure and scalable way of implementing authentication services in the Internet today.  ...  This paper revisits all these alternatives in light of industrial communication models, identifying their strengths and weaknesses, and providing an in-depth comparative analysis.  ...  Therefore, MQTT is usually implemented over SSL/TLS sessions.  ... 
doi:10.3390/s22072561 pmid:35408176 pmcid:PMC9003447 fatcat:v2mtdi52vbcxjmv4isltqcpr6q

The battle against phishing

Rachna Dhamija, J. D. Tygar
2005 Proceedings of the 2005 symposium on Usable privacy and security - SOUPS '05  
To authenticate content from an authenticated server, the user only needs to perform one visual matching operation to compare two images.  ...  To authenticate content from the server, the user can visually verify that the images match. We contrast our work with existing anti-phishing proposals.  ...  However, there is work on integrating SRP with existing protocols (in particular, there is an IETF standards effort to integrate SRP with SSL/TLS [28]), which may make widespread deployment more feasible  ... 
doi:10.1145/1073001.1073009 dblp:conf/soups/DhamijaT05 fatcat:m5cew46bq5fp5iwfgic3ismb7u

Modern Aspects of Cyber-Security Training and Continuous Adaptation of Programmes to Trainees

George Hatzivasilis, Sotiris Ioannidis, Michail Smyrlis, George Spanoudakis, Fulvio Frati, Ludger Goeke, Torsten Hildebrandt, George Tsakirakis, Fotis Oikonomou, George Leftheriotis, Hristo Koshutanski
2020 Applied Sciences  
This is due to security breaches on popular services that become publicly known and raise people's security awareness.  ...  Therefore, the potential target-group may range from simple users, who require basic knowledge on the current threat landscape and how to operate the related defense mechanisms, to security experts, who  ...  /TLS testing); -Application layer tools (e.g., security monitors, code analysis, as well as passive and active penetration testing tools such as authentication testing, database testing, session management  ... 
doi:10.3390/app10165702 fatcat:nskf4rvjhnccdoqzuvn7b6gz7a

Information-centric Networking and Security (Dagstuhl Seminar 16251)

Edith Ngai, Börje Ohlman, Gene Tsudik, Ersin Uzun, Marc Herbstritt
2016 Dagstuhl Reports  
Moreover, Deep Packet Inspection on SSL/TLS connections, while technically feasible, may violate the SoC statute and various other privacy rules.  ...  Users can obtain data directly from the sensors and the ICN routers, without going through the cloud.  ... 
doi:10.4230/dagrep.6.6.49 dblp:journals/dagstuhl-reports/NgaiOTU16 fatcat:fusbrulefreupaghfq3srkf3uq