Detailed Technical Discussion

An excellent analysis of the TLS protocol and how it defends against phishing.

Some Highlights

  • Abstract — The most widely used secure Internet communication standard TLS (Transport Layer Security) has an optional client certificate authentication feature that in theory has significant security advantages over HTML form-based password authentication.
     
  • Active security research is being conducted to improve password security, educate users on how to resist phishing attacks, and to fix CA trust issues [1], [2]. However, the attacks mentioned above can be prevented or their impact can be greatly reduced by using TLS client certificate authentication (CCA), since the TLS CCA on the TLS protocol level protects the client’s account on a legitimate server from a MITM attacker even in the case of a very powerful attacker who has obtained a valid certificate signed by a trusted CA and who thus is able to impersonate the legitimate server. We believe that TLS CCA has great potential for improving Internet security, and therefore in this paper we discuss current issues with TLS CCA and provide solutions that will improve the security of TLS CCA and enable its usage on a larger scale.
     
  • The proof that the client has access to the private key that corresponds to the public key in the client’s certificate is given by calculating the hash of all the previous handshake messages exchanged between the client and the server so far and signing it with the client’s private key. This signature is sent in the client’s CertificateVerify message.
     
  • As can be seen, the signature given using the client’s private key is bound to the client’s and the server’s randomness, the server’s certificate and the encrypted pre-master secret sent by the client. This means that even an attacker that has obtained the signature in a MITM attack cannot reuse the signature in any other TLS handshake, either with the legitimate server or any other server. As a result, in cases where TLS CCA is used, the attacker cannot impersonate the victim to the legitimate server even if the attacker is able to impersonate the legitimate server.
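The binding described in the last two highlights, as an added example that is not part of the paper: a simplified CertificateVerify where the client signs the hash of the handshake transcript with ECDSA P-256, and the server verifies it against its own view of that transcript. The `Transcript` struct, the sample byte values and the `ReplayOutcome` helper are assumptions for illustration; real TLS hashes the fully encoded handshake messages, not just these four fields.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Transcript is a simplified stand-in for the handshake messages that CertificateVerify covers.
type Transcript struct {
	ClientRandom, ServerRandom, ServerCert, EncryptedPreMaster []byte
}

// transcriptHash hashes all previous handshake messages in the order they were sent.
func transcriptHash(t Transcript) []byte {
	h := sha256.New()
	for _, m := range [][]byte{t.ClientRandom, t.ServerRandom, t.ServerCert, t.EncryptedPreMaster} {
		h.Write(m)
	}
	return h.Sum(nil)
}

// SignCertificateVerify is the client side: sign the transcript hash with the certificate's private key.
func SignCertificateVerify(priv *ecdsa.PrivateKey, t Transcript) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, transcriptHash(t))
}

// VerifyCertificateVerify is the server side: the signature must match the server's own transcript view.
func VerifyCertificateVerify(pub *ecdsa.PublicKey, t Transcript, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, transcriptHash(t), sig)
}

// ReplayOutcome signs one handshake, then replays that signature into a second handshake
// that differs only in server randomness. Returns (genuineAccepted, replayAccepted, err).
func ReplayOutcome() (bool, bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	// Constructed sample values (real randoms are 32 bytes; the cert is DER-encoded).
	first := Transcript{[]byte("client-rand-1"), []byte("server-rand-1"), []byte("server-cert"), []byte("enc-pms-1")}
	sig, err := SignCertificateVerify(priv, first)
	if err != nil {
		return false, false, err
	}
	second := first // the onward handshake a MITM would open with the legitimate server
	second.ServerRandom = []byte("server-rand-2")
	return VerifyCertificateVerify(&priv.PublicKey, first, sig),
		VerifyCertificateVerify(&priv.PublicKey, second, sig), nil
}
```

The genuine handshake verifies while the replayed signature fails, because the legitimate server contributes fresh randomness that the captured signature never covered.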