Visible to the public Biblio

Filters: Author is Zhang, Xiaokun  [Clear All Filters]
2020-04-17
Wang, Congli, Lin, Jingqiang, Li, Bingyu, Li, Qi, Wang, Qiongxiao, Zhang, Xiaokun.  2019.  Analyzing the Browser Security Warnings on HTTPS Errors. ICC 2019 - 2019 IEEE International Conference on Communications (ICC). :1—6.
HTTPS provides authentication, data confidentiality, and integrity for secure web applications in the Internet. In order to establish secure connections with the target website but not a man-in-the-middle or impersonation attacker, a browser shows security warnings to users, when different HTTPS errors happen (e.g., it fails to build a valid certificate chain, or the certificate subject does not match the domain visited). Each browser implements its own design of warnings on HTTPS errors, to balance security and usability. This paper presents a list of common HTTPS errors, and we investigate the browser behaviors on each error. Our study discloses browser defects on handling HTTPS errors in terms of cryptographic algorithm, certificate verification, name validation, HPKP, and HSTS.
2020-01-21
Bao, Xuhua, Zhang, Xiaokun, Lin, Jingqiang, Chu, Dawei, Wang, Qiongxiao, Li, Fengjun.  2019.  Towards the Trust-Enhancements of Single Sign-On Services. 2019 IEEE Conference on Dependable and Secure Computing (DSC). :1–8.

Single sign-on (SSO) becomes popular as the identity management and authentication infrastructure in the Internet. A user receives an SSO ticket after being authenticated by the identity provider (IdP), and this IdP-issued ticket enables him to sign onto the relying party (RP). However, there are vulnerabilities (e.g., Golden SAML) that allow attackers to arbitrarily issue SSO tickets and then sign onto any RP on behalf of any user. Meanwhile, several incidents of certification authorities (CAs) also indicate that the trusted third party of security services is not so trustworthy as expected, and fraudulent TLS server certificates are signed by compromised or deceived CAs to launch TLS man-in-the-middle attacks. Various approaches are then proposed to tame the absolute authority of (compromised) CAs, to detect or prevent fraudulent TLS server certificates in the TLS handshakes. The trust model of SSO services is similar to that of certificate services. So this paper investigates the defense strategies of these trust-enhancements of certificate services, and attempts to apply these strategies to SSO to derive the trust-enhancements applicable in the SSO services. Our analysis derives (a) some security designs which have been commonly-used in the SSO services or non-SSO authentication services, and (b) two schemes effectively improving the trustworthiness of SSO services, which are not widely discussed or adopted.