To establish credentials, a user network station transmits a first value. An authenticating entity network station generates a first key portion based on the transmitted first value and a second value unknown to the user, splits one of a private key and a public key of a user asymmetric crypto-key into the first key portion and a second key portion, stores the second key portion of the one key so as to be accessible only to the authenticating entity network device, generates a cookie including the second value, transmits the generated cookie to the user network station, and destroys the transmitted first value, the second value, the one key, and the first key portion of the one key. The first value represents a first and the second value included in the transmitted cookie represents a second user credential useable to authenticate the user.

Augmented single factor split key asymmetric cryptography-key generation and distributor

The different illustrative embodiments provide a method, a computer program product, and an apparatus for restoring secure sessions. A determination is made whether cached information for a session for the requestor is stored at the data processing system using a session cookie responsive to receiving a request at a data processing system from a requestor to access a resource. Access to the resource is controlled using the cached information and a number of privileges for the requestor associated with the cached information responsive to a determination that the cached information for the session is stored at the data processing system. A migration cookie is requested from the requestor responsive to an absence of a determination that the cached information for the session is stored at the data processing system. The cached information is generated for the session using the migration cookie.

Restoring Secure Sessions

The different illustrative embodiments provide a method, a computer program product, and an apparatus for managing secure sessions. An identity of a requestor is verified in response to receiving a request from the requestor to access a resource. The identity of the requestor comprises authentication information used to identify a number of privileges to the resource for the requestor. A session cookie is sent to the requestor by a first data processing system. The session cookie identifies the number of privileges for a session. A migration cookie is sent to the requestor by the first data processing system, wherein the migration cookie is used to recreate the session on a second data processing system.

Managing secure sessions

A user network station transmits a cookie that includes a user identifier and an augmenting factor transformed with one key of a first asymmetric crypto-key or with a symmetric crypto-key. An authenticating entity network station recovers the augmenting factor from the transformed augmenting factor included in the transmitted cookie, with the other key of the first asymmetric crypto-key or with the symmetric crypto-key, and transmits a customized login page corresponding to the user identifier. The user network station transmits a factor responsive to the transmitted customized login page. The authenticating entity network station generates a first key portion based on the transmitted factor and the recovered augmenting factor, and validates the generated first key portion based on a second key portion of one key of a second asymmetric crypto-key associated with the user and on the other key of the second asymmetric crypto-key, to thereby authenticate the user.

Secure login using augmented single factor split key asymmetric cryptography

A user network station transmits a cookie including a user identifier and an augmenting factor transformed with one key of a first asymmetric crypto-key or with a symmetric crypto-key. A authenticating entity network station recovers the augmenting factor from the transformed augmenting factor with the other key of the first asymmetric crypto-key or with the symmetric crypto-key, and transmits a customized login page corresponding to the user identifier included in the received cookie. The user network station transmits a factor responsive to the transmitted customized login page. The authenticating entity network station generates a first key portion based on the transmitted factor, and validates the generated first key portion based on a second key portion of one key of a second asymmetric crypto-key associated with the user and on the other key of the second asymmetric crypto-key, and the recovered augmenting factor, to thereby authenticate the user.

Secure login using single factor split key asymmetric cryptography and an augmenting factor

Because of the stateless character of HTTP, cookies were invented to maintain continuity and states on the Web. Cookies which have user-related information are transmitted and stored, so an attacker can easily copy and modify them for his own purpose. Therefore, cookies are exposed to serious security threats such as network threats, end-system threats, and cookie-harvesting threats. In this paper, we present a secure cookie system for solving these security weaknesses of typical web cookies. Since our system is based on the Public Key Infrastructure (PKI), it provides mutual authentication between clients and servers, and ensures the confidentiality and integrity of user information. We have implemented our secure cookie system and compare it here to the Secure Socket Layer (SSL) protocol that is widely used to provide the security in the HTTP environment.

A New Design for a Practical Secure Cookies System

Threshold signature schemes distribute secret information to several servers and make the whole system that maintains the secret information fault-tolerant. Since threshold signature schemes typically assume that the shared signing function can only be activated by a quorum number of servers. If anyone has a power to activate the signing function of servers, he can easily compute valid signatures for a specific organization without knowing the private key. S. Xu et al. proposed a general construction to build threshold signature schemes (called as server assisted threshold signatures) which provide an organization (e.g., a user) with controllability for activating his private signing function in a certain enhanced way. In this paper, we newly propose proactive secret sharing schemes which are suitable for server-assisted threshold signatures.

A proactive secret sharing for server assisted threshold signatures

The SEM approach to PKl offers several advantages, such as immediate revocation of users' signing ability without CRLs and compatibility with the standard RSA. However, it has a weakness against denial of service attack caused by breaking down or being compromised. G. Vanrenen et al. proposed a distributed SEM approach to overcome the weaknesses. However, it does not provide the desirable properties such as instant availability and immunity against denial of service attack, due to inadequate usage of threshold cryptography and proactive secret sharing. In this paper, we point out its structural contradictions and propose a modified version of distributed SEM approach.

Practical Revision for Implementing the Distributing Security-Mediated PKI

The HTTP does not support continuity for browser-server interaction between successive visits of a user due to a stateless feature. Cookies were invented to maintain continuity and state on the Web. Because cookies are transmitted in plain and contain text-character strings encoding relevant information about the user, the attacker can easily copy and modify them for his undue profit. In this paper, we design a secure cookies scheme based on public key certificate for solving these security weakness of typical web cookies. Our secure cookies scheme provides not only mutual authentication between client and server but also confidentiality and integrity of user information. Additionally, we implement our secure cookies scheme and compare it to the performance with SSL (Secure Socket Layer) protocol that is widely used for security of HTTP environment.

https://link.springer.com/content/pdf/10.1007%2F3-540-36231-2_25.pdf

The Design and Implementation of Improved Secure Cookies Based on Certificate

Mobile commerce is becoming more and more commonplace, but security is still a major concern. To provide security, theWAP (Wireless Application Protocol) forum suggests theWAP security architecture. However, it needs theWAP gateway for intermediate process between the WTLS (Wireless Transport Layer Security) and the SSL (Secure Socket Layer) protocol, and it does not guarantee end-to-end security between the mobile devices and the WAP servers. In this paper, we propose a new authentication protocol to solve this problem. Our solution is based on the design of a new network component that is called CRL-agent. Furthermore, we also analyze and evaluate the security strength of the proposed protocol.

Jong-Phil Yang

Papers

A New Design for a Practical Secure Cookies System

A proactive secret sharing for server assisted threshold signatures

Practical Revision for Implementing the Distributing Security-Mediated PKI

The Design and Implementation of Improved Secure Cookies Based on Certificate

An End-to-End Authentication Protocol in Wireless Application Protocol