A Framework Extending TLS/SSL Level Security To The Application Layer

Abstract

By design Transport Layer Security (TLS) and Secure Socket Layer (SSL) are not designed to work at the application layer. This means that there is considerable security protocol isolation between the upper and lower layers of the network stack. The core objective of this research is to extend security features of TLS and SSL to the application layer. The proposed solution intends to bind multiple security features such as authentication, mutual authentication, continuous authentication, and session management in a single secure scheme thereby ensuring that application developers do not have to deal with security implementations as the same is provisioned through the proposed scheme. The proposed scheme will embed security mechanisms like access control and group authentication on top of the extended security provisions. Thus, improving the overall security of the system drastically. Session management and authentication is achieved using asymmetric keys without the use of session cookies and session tokens thus mitigating attacks such as cookie theft, token forgery and nullifying a vast group of attack vectors. The proposed scheme has been implemented and tested for security conformance thereby proving its effectiveness and practicality.