Ph.D. Defense of Dissertation Announcement

Title: Practical Authentication in Large-Scale Internet Applications

Italo Dacosta
School of Computer Science
College of Computing
Georgia Institute of Technology

Date: Friday, June 1st, 2012
Time: 9:00 AM - 11:00 AM
Location: Klaus 3126 (GTISC War Room)

Committee:

• Prof. Mustaque Ahamad, School of Computer Science (Advisor)
• Prof. Patrick Traynor,  School of Computer Science (Advisor)
• Prof. Jonathon Giffin, School of Computer Science
• Prof. Alexandra Boldyreva, School of Computer Science
• Prof. Raheem A. Beyah, School of Electrical & Computer Engineering

Abstract:
The rapid adoption of Internet applications such as VoIP and Web applications has resulted in systems with high performance and scalability requirements.  Such systems typically need to support millions of users located in different geographical areas -- a scenario no other system has faced before. Due to these requirements, application architects and developers have made performance and scalability their primary goals while giving less importance to security. As a result, many large-scale Internet applications rely on weak-but-efficient security mechanisms, particularly authentication protocols. However, the increasing popularity and importance of Internet applications have also raised their risk to attacks. For example, weaknesses on authentication protocols have being actively exploited by a variety of adversaries, including criminal organizations and governments. While more robust authentication protocols have been proposed, most of them fail to address the unique requirements of large-scale Internet applications and, therefore, such protocols have not been widely deployed.

Therefore, the unprecedented performance and scalability requirements of large-scale Internet applications have hindered the use of more robust authentication mechanisms. We can build efficient and scalable authentication mechanisms with stronger integrity guarantees and resistance to active attacks by better understanding the specific requirements of such class of applications.

This dissertation presents the following contributions. First, we show how even a simple authentication mechanism such as SIP Digest authentication can significantly impact the performance and scalability of a highly distributed VoIP infrastructure. Hence, we propose Proxychain, a SIP authentication protocol that not only provides better security guarantees than Digest authentication but also improved performance and scalability. Second, we propose One-Time Cookies (OTC), an alternative to the use of HTTP cookies as session authentication tokens. OTC is inherently robust against active attacks such as session hijacking while preserving the efficiency of cookies. Third, we develop Direct Validation of SSL/TLS Certificates (DVCert), a practical mechanism that offers more robust validation of SSL/TLS server certificates to prevent MITM attacks without requiring external third-parties or additional infrastructure.