[Cryptography] Client certificates as a defense against MITM attacks
Nico Williams
nico at cryptonector.com
Mon Mar 17 17:00:11 EDT 2014
On Mon, Mar 17, 2014 at 9:56 AM, Jerry Leichter <leichter at lrw.com> wrote:
> On Mar 17, 2014, at 8:43 AM, Thierry Moreau <thierry.moreau at connotech.com> wrote:
>>> Am I missing something obvious here?
>>
>> Maybe you merely (re-)invented the HTML cookie holding the client private key.
> An HTML cookie isn't bound to the end-to-end connection context. A MITM simply passes it through. The signed information I'm suggesting the client send *is* bound to that context, and isn't subject to this trivial vulnerability.
https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final162.pdf
http://tools.ietf.org/html/draft-balfanz-tls-channelid-01
http://tools.ietf.org/html/draft-balfanz-tls-obc-01
http://www.ietf.org/proceedings/82/slides/tls-1.pdf
...
The idea is: you generate an ephemeral client keypair (and cert) for
every "origin" and you use it to "authenticate" the client in TLS, the
server then binds that public key into the web cookies it sets when
you login (with a typical username&password form, or whatever else),
and then every time you use the same cookies the server verifies that
the TLS user credentials you used match what's bound into the cookies.
This provides protection against cookie theft/compromise.
Nico
--
More information about the cryptography
mailing list