Origin-Bound Certificates: A Fresh Approach to Strong Client Authentication for the Web
Venue
21st USENIX Security Symposium, The USENIX Association (2012), pp. 317-332
Publication Year
2012
Authors
Michael Dietz, Alexei Czeskis, Dirk Balfanz, Dan Wallach
Abstract
Client authentication on the web has remained in the internet-equivalent of the
stone ages for the last two decades. Instead of adopting modern public-key-based
authentication mechanisms, we seem to be stuck with passwords and cookies. In this
paper, we propose to break this stalemate by presenting a fresh approach to
public-key-based client authentication on the web. We describe a simple TLS
extension that allows clients to establish strong authenticated channels with
servers and to bind existing authentication tokens like HTTP cookies to such
channels. This allows much of the existing infrastructure of the web to remain
unchanged, while at the same time strengthening client authentication considerably
against a wide range of attacks. We implemented our system in Google Chrome and
Google's web serving infrastructure, and provide a performance evaluation of this
implementation.
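The cookie-to-channel binding described in the abstract, sketched as an added example that is not the paper's code or the Chrome/Google implementation: the server MACs each session cookie over the fingerprint of the client's origin-bound certificate (OBC) public key, so a cookie lifted from one TLS channel fails verification when replayed over any other channel. The cookie layout (session id, dot, HMAC tag), the server key and the random bytes standing in for OBC public keys are all constructed for this illustration; in a real deployment the fingerprint must come from the client certificate that the TLS layer actually authenticated in the handshake, never from a header the client can set.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed stand-in for the server's secret cookie-MAC key (hypothetical value).
SERVER_KEY = b"constructed-server-cookie-mac-key"


def channel_fingerprint(obc_public_key: bytes) -> bytes:
    """Identify a channel by SHA-256 of the client's OBC public key.

    In a real server this input is the public key of the client certificate
    that TLS verified in the handshake, so possession of the matching private
    key is what proves the client is on this channel.
    """
    return hashlib.sha256(obc_public_key).digest()


def issue_cookie(session_id: bytes, channel_fp: bytes, key: bytes = SERVER_KEY) -> str:
    """Bind a session cookie to one channel: tag = HMAC(key, session_id || channel_fp)."""
    tag = hmac.new(key, session_id + channel_fp, hashlib.sha256).hexdigest()
    return f"{session_id.hex()}.{tag}"


def verify_cookie(cookie: str, channel_fp: bytes, key: bytes = SERVER_KEY) -> Optional[bytes]:
    """Return the session id if the cookie is valid *for this channel*, else None.

    The tag is recomputed with the fingerprint of the channel the request
    actually arrived on, so a cookie stolen via XSS, malware or a network
    attacker does not verify on the thief's own TLS channel.
    """
    try:
        sid_hex, tag = cookie.split(".", 1)
        session_id = bytes.fromhex(sid_hex)
    except ValueError:
        return None
    expected = hmac.new(key, session_id + channel_fp, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return session_id


def demo() -> Dict[str, bool]:
    """Issue a cookie on the victim's channel, then try it on two channels."""
    # Constructed stand-ins for two clients' OBC public keys (random bytes, not real keys).
    victim_obc = secrets.token_bytes(32)
    attacker_obc = secrets.token_bytes(32)
    victim_channel = channel_fingerprint(victim_obc)
    attacker_channel = channel_fingerprint(attacker_obc)

    session_id = secrets.token_bytes(16)
    cookie = issue_cookie(session_id, victim_channel)

    # Legitimate use: same cookie, same channel it was bound to.
    same_channel_ok = verify_cookie(cookie, victim_channel) == session_id
    # Theft: the attacker replays the exact cookie over their own OBC channel.
    replay_rejected = verify_cookie(cookie, attacker_channel) is None
    # Tampering: flipping a session-id byte invalidates the tag.
    sid_hex, tag = cookie.split(".", 1)
    forged = f"{'00' + sid_hex[2:]}.{tag}"
    forged_rejected = verify_cookie(forged, victim_channel) is None

    return {
        "same_channel_accepted": same_channel_ok,
        "replay_on_other_channel_rejected": replay_rejected,
        "tampered_cookie_rejected": forged_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Because the binding lives in the server's MAC rather than in the cookie's wire format, existing cookie plumbing (Set-Cookie, browser storage, HTTP middleware) is unchanged; only the issuing and verifying code needs the channel fingerprint, which matches the abstract's point that most web infrastructure can stay as it is.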
