Origin-Bound Certificates: A Fresh Approach to Strong Client Authentication for the Web
Authors:
Michael Dietz, Rice University; Alexei Czeskis, University of Washington; Dirk Balfanz, Google Inc.; Dan S. Wallach, Rice University
Abstract:
Client authentication on the web has remained in the internet-equivalent of the stone ages for the last two decades. Instead of adopting modern public-key-based authentication mechanisms, we seem to be stuck with passwords and cookies.
In this paper, we propose to break this stalemate by presenting a fresh approach to public-key-based client authentication on the web. We describe a simple TLS extension that allows clients to establish strong authenticated channels with servers and to bind existing authentication tokens like HTTP cookies to such channels. This allows much of the existing infrastructure of the web to remain unchanged, while at the same time strengthening client authentication considerably against a wide range of attacks.
We implemented our system in Google Chrome and Google’s web serving infrastructure, and provide a performance evaluation of this implementation.
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
BibTeX
@inproceedings {180221,
author = {Michael Dietz and Alexei Czeskis and Dirk Balfanz and Dan S. Wallach},
title = {{Origin-Bound} Certificates: A Fresh Approach to Strong Client Authentication for the Web},
booktitle = {21st USENIX Security Symposium (USENIX Security 12)},
year = {2012},
isbn = {978-931971-95-9},
address = {Bellevue, WA},
pages = {317--331},
url = {https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/dietz},
publisher = {USENIX Association},
month = aug
}
connect with us