Dirk Balfanz
Research Areas
Authored Publications
The security of online user accounts is often protected by no more than a weak password. We present “Security Key”, a second-factor device based on open standards that protects users against phishing and man-in-the-middle attacks. The user carries a single device and can self-register it with any online web service that supports the standard. The devices are simple to implement and deploy, are not encumbered by patents, are simple to use, privacy preserving, and secure against strong attackers. We have shipped support for Security Keys in one of the mainstream web browsers. In addition, multiple device vendors produce security keys.

In this work, we demonstrate that Security Keys lead to both an increased level of security and user satisfaction by analyzing a two year deployment which began within our 50,000 person corporation and has extended to our consumer-facing web applications. The Security Key design has been standardized by the FIDO Alliance, an organization with more than 170 member companies spanning the industry.
Origin-Bound Certificates: A Fresh Approach to Strong Client Authentication for the Web

Michael Dietz, Alexei Czeskis, Dan Wallach

21st USENIX Security Symposium, The USENIX Association (2012), pp. 317-332
Client authentication on the web has remained in the internet-equivalent of the stone ages for the last two decades. Instead of adopting modern public-key-based authentication mechanisms, we seem to be stuck with passwords and cookies.

In this paper, we propose to break this stalemate by presenting a fresh approach to public-key-based client authentication on the web. We describe a simple TLS extension that allows clients to establish strong authenticated channels with servers and to bind existing authentication tokens like HTTP cookies to such channels. This allows much of the existing infrastructure of the web to remain unchanged, while at the same time strengthening client authentication considerably against a wide range of attacks.

We implemented our system in Google Chrome and Google’s web serving infrastructure, and provide a performance evaluation of this implementation.