Dirk Balfanz

Dirk Balfanz

Authored Publications
Sort By
  • Title
  • Title, descending
  • Year
  • Year, descending
    Preview abstract The security of online user accounts is often protected by no more than a weak password. We present “Security Key”, a second-factor device based on open standards that protects users against phishing and man-in-the-middle attacks. The user carries a single device and can self-register it with any online web service that supports the standard. The devices are simple to implement and deploy, are not encumbered by patents, are simple to use, privacy preserving, and secure against strong attackers. We have shipped support for Security Keys in one of the mainstream web browsers. In addition, multiple device vendors produce security keys. In this work, we demonstrate that Security Keys lead to both an increased level of security and user satisfaction by analyzing a two year deployment which began within our 50,000 person corporation and has extended to our consumer-facing web applications. The Security Key design has been standardized by the FIDO Alliance, an organization with more than 170 member companies spanning the industry. View details
    Origin-Bound Certificates: A Fresh Approach to Strong Client Authentication for the Web
    Michael Dietz
    Alexei Czeskis
    Dan Wallach
    21st USENIX Security Symposium, The USENIX Association (2012), pp. 317-332
    Preview abstract Client authentication on the web has remained in the internet-equivalent of the stone ages for the last two decades. Instead of adopting modern public-key-based authentication mechanisms, we seem to be stuck with passwords and cookies. In this paper, we propose to break this stalemate by presenting a fresh approach to public-key-based client authentication on the web. We describe a simple TLS extension that allows clients to establish strong authenti- cated channels with servers and to bind existing authen- tication tokens like HTTP cookies to such channels. This allows much of the existing infrastructure of the web to remain unchanged, while at the same time strengthening client authentication considerably against a wide range of attacks. We implemented our system in Google Chrome and Google’s web serving infrastructure, and provide a per- formance evaluation of this implementation. View details
    (Under)mining Privacy in Social Networks
    Monica Chew
    W2SP 2008: Web 2.0 Security and Privacy 2008
    Preview