Abstract
This Master's project investigates how to strengthen server authentication for end users using an Offline Personal Authentication Device (OffPAD), especially when combined with DNSSEC. The Master's project is part of the Local User-Centric Identity Management (LUCIDMAN) project - http://www.lucidman.org - a Franco-Norwegian research project seeking to strengthen security usability for end users. The research project's main focus is the OffPAD, a physical device that should be mainly offline and should assist the user in the authentication and transaction process, both when using online services on a computer and when in a physical location such as a shop. The device contains functionality to help end users secure their activity and transactions, protect their credentials, and avoid phishing and network attacks. The goal of this thesis is to find a solution for authenticating online servers when the authentication process takes place in an offline device. The information required for the authentication process must be transferred through an untrusted online device, such as the user's computer, which might be infected with Trojans, or an online device in the shop, which might have been tampered with. The proposal is motivated by the increasing lack of trust in the X.509 Public-Key Infrastructure used for HTTPS today, and by the increased trust in and popularity of DNSSEC for authenticated information. By using DNSSEC for storing authenticated information, the OffPAD could make use of the newly standardized TLSA specification, which defines how to store certificates in DNS and how to use them in HTTPS and for other protocols. The solution should still be able to use the current X.509 PKI for servers that are not set up with DNSSEC or TLSA.
The proposed solutions will in part be useful for online entities too, as DNSSEC has been blocked in some networks, and might be slow to process for clients that require short response times, such as web browsers.
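To make concrete what the TLSA specification (RFC 6698, DANE) lets a verifier do with a certificate published in DNS, the following is an added example, not code from the thesis or the LUCIDMAN project. It builds the RDATA a domain owner would publish (usage, selector, matching type, association data) from a certificate, and then checks a presented certificate against such a record the way an OffPAD-style verifier would after obtaining the record over DNSSEC. The certificates are constructed minimal DER structures (no real keys or signatures), the helper names are hypothetical, and the small DER walker only handles the field order RFC 5280 fixes for tbsCertificate.

```python
import hashlib
import hmac
from dataclasses import dataclass

SEQ = 0x30  # DER SEQUENCE tag


@dataclass(frozen=True)
class TLSA:
    """One TLSA record (RFC 6698 section 2.1)."""
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact data, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV, using the long length form when needed."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_tlv(buf: bytes, pos: int):
    """Decode the TLV header at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _der_children(buf: bytes, start: int, end: int):
    """Yield (tag, tlv_start, tlv_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, _, ve = _der_tlv(buf, pos)
        yield tag, pos, ve
        pos = ve


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo: Certificate -> tbsCertificate -> 6th field
    after the optional [0] version (serial, signature, issuer, validity, subject, SPKI)."""
    _, cs, ce = _der_tlv(cert_der, 0)
    _, tbs_start, _ = next(_der_children(cert_der, cs, ce))
    _, ts, te = _der_tlv(cert_der, tbs_start)
    fields = list(_der_children(cert_der, ts, te))
    if fields[0][0] == 0xA0:                # explicit [0] Version present
        fields = fields[1:]
    _, spki_start, spki_end = fields[5]
    return cert_der[spki_start:spki_end]


def _association_data(selector: int, matching: int, cert_der: bytes) -> bytes:
    """Apply selector then matching type, as both publisher and verifier must."""
    selected = {0: cert_der, 1: extract_spki(cert_der)}[selector]
    if matching == 0:
        return selected
    return {1: hashlib.sha256, 2: hashlib.sha512}[matching](selected).digest()


def build_tlsa_rdata(usage: int, selector: int, matching: int, cert_der: bytes) -> str:
    """Presentation-format RDATA a zone owner publishes, e.g. '3 1 1 <hex>'."""
    return f"{usage} {selector} {matching} {_association_data(selector, matching, cert_der).hex()}"


def parse_tlsa_rdata(text: str) -> TLSA:
    usage, selector, matching, *hexparts = text.split()
    return TLSA(int(usage), int(selector), int(matching), bytes.fromhex("".join(hexparts)))


def tlsa_matches(record: TLSA, cert_der: bytes) -> bool:
    """Does the presented certificate match the (DNSSEC-validated) TLSA record?"""
    if record.selector not in (0, 1) or record.matching not in (0, 1, 2):
        return False                        # unknown values: treat as unusable, never as a match
    return hmac.compare_digest(_association_data(record.selector, record.matching, cert_der), record.data)


def make_cert(serial: bytes, pubkey: bytes) -> bytes:
    """Constructed minimal X.509 v3 DER shell (no real signature) for demonstration only."""
    sig_alg = _der(SEQ, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    spki = _der(SEQ, _der(SEQ, _der(0x06, bytes.fromhex("2a8648ce3d0201"))
                          + _der(0x06, bytes.fromhex("2a8648ce3d030107")))
                + _der(0x03, b"\x00" + pubkey))
    tbs = _der(SEQ, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial) + sig_alg
               + _der(SEQ, b"") + _der(SEQ, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
               + _der(SEQ, b"") + spki)
    return _der(SEQ, tbs + sig_alg + _der(0x03, b"\x00" + bytes(64)))


# Constructed sample data: one key, certificate reissued with a new serial, and a different key.
KEY_A = b"\x04" + bytes(range(64))
CERT_A1 = make_cert(b"\x01", KEY_A)
CERT_A2 = make_cert(b"\x02", KEY_A)
CERT_B = make_cert(b"\x03", b"\x04" + bytes(64))
```

Publishing `3 1 1` (DANE-EE, SPKI, SHA-256) pins the server key, so a reissued certificate with the same key still matches; publishing `3 0 1` pins the exact certificate and breaks on reissue. The record is only worth trusting when the resolver has validated it with DNSSEC, which is the property the thesis relies on.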