Strengthening Web Authentication through TLS - Beyond TLS Client Certificates

Even though novel identification techniques like Single Sign-On (SSO) are on the rise, stealing the credentials used for the authentication is still possible. This situation can only be changed if we make novel use of the single cryptographic func-tionality a web browser offers, namely TLS. Although the use of client certificates for initial login has a long history, only two approaches to integrate TLS in the session cookie mechanism have been proposed so far: Origin Bound Client Certificates in [DCBW12], and the Strong Locked Same Origin Policy (SLSOP) in [KSTW07]. In this paper, we propose a third method based on the TLS-unique API proposed in RFC 5929 [AWZ10]: A single TLS session is uniquely identified through each of the two Finished messages exchanged during the TLS handshake, and RFC 5929 proposes to make the first Finished message available to higher layer protocols through a novel browser API. We show how this API can be used to strengthen all commonly used types of authentication, ranging from simple password based authentication and SSO to session cookie binding.