Client authentication on the web has remained in the Internet equivalent of the stone ages for the last two decades. Instead of adopting modern public-key-based authentication mechanisms, we seem to be stuck with passwords and cookies.
We propose to break this stalemate by presenting a fresh approach to public-key-based client authentication on the web. We describe a simple TLS extension that allows clients to establish strong authenticated channels with servers and to bind existing authentication tokens such as HTTP cookies to such channels. This allows much of the existing infrastructure of the web to remain unchanged, while at the same time strengthening client authentication considerably against a wide range of attacks.
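The security-relevant point of the abstract is the binding step: once the TLS channel carries a client-held public key, a server can tie each cookie to that key so that a cookie lifted from the victim (by XSS, a compromised proxy, or a malware read of the cookie jar) is useless when replayed over any other channel. The following Python is an added illustration of one way a server could do that binding; it is not the talk's own mechanism or code. It assumes the TLS layer exposes the peer's public key for the current connection (stood in for here by raw bytes), and the server MAC key, session ids and key material are all constructed for the demo.

```python
"""Channel-bound cookie simulation (added example, not the paper's code).

Assumption (not from the page): the TLS layer hands the application the
client's per-origin public key for the connection, and the handshake has
already proven possession of the matching private key. Here that key is
stood in for by raw bytes so the example runs offline with the stdlib.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Server-side MAC key; constructed for the demo, would live in a KMS in practice.
SERVER_KEY = secrets.token_bytes(32)


def channel_id(client_pubkey: bytes) -> bytes:
    """Fingerprint of the client's channel public key as seen by the TLS layer."""
    return hashlib.sha256(client_pubkey).digest()


def issue_cookie(session_id: bytes, client_pubkey: bytes) -> str:
    """Bind a session cookie to the channel it is issued on.

    The tag covers both the session id and the channel id, so the cookie only
    verifies when presented over a channel whose client key fingerprint matches.
    """
    tag = hmac.new(SERVER_KEY, session_id + channel_id(client_pubkey),
                   hashlib.sha256).digest()
    return session_id.hex() + "." + tag.hex()


def verify_cookie(cookie: str, client_pubkey: bytes) -> Optional[bytes]:
    """Return the session id if the cookie was bound to this channel, else None."""
    try:
        sid_hex, tag_hex = cookie.split(".", 1)
        session_id, tag = bytes.fromhex(sid_hex), bytes.fromhex(tag_hex)
    except ValueError:
        return None  # malformed cookie
    expected = hmac.new(SERVER_KEY, session_id + channel_id(client_pubkey),
                        hashlib.sha256).digest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    return session_id


def demo() -> Tuple[bool, bool]:
    """Issue a cookie to the victim, then replay it from an attacker's channel.

    Returns (victim_accepted, attacker_rejected).
    """
    victim_key = secrets.token_bytes(65)    # constructed stand-in for the victim's channel key
    attacker_key = secrets.token_bytes(65)  # constructed stand-in for the attacker's channel key
    sid = secrets.token_bytes(16)
    cookie = issue_cookie(sid, victim_key)
    victim_accepted = verify_cookie(cookie, victim_key) == sid
    attacker_rejected = verify_cookie(cookie, attacker_key) is None
    return victim_accepted, attacker_rejected


if __name__ == "__main__":
    print(demo())
```

The contrast with an ordinary cookie is the whole point: a plain session id verifies on any channel, so whoever reads it owns the session; the bound cookie verifies only alongside a private key that never leaves the client, which is why the rest of the cookie-handling infrastructure can stay as it is.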
Our system is currently being implemented by major browser vendors and a major website, and we provide an evaluation of this implementation.
Pizza will be provided at the talk.
BIOGRAPHY:
Alexei Czeskis is a Ph.D. student at the University of Washington. His research interests broadly span security and privacy, from resource-constrained embedded devices (for example, in RFIDs or automotive systems) to online transactions involving powerful desktop computers, and, of course, mobile devices. In addition to the technical nature of systems, Alexei is also interested in how they interact with users: where they break down, where they impinge on privacy (or support it), and how user-facing security systems can be improved.