Date of Award


Document Type


Degree Name

Master of Science (MS)


Information Security

First Advisor

Zouheir Trabelsi

Second Advisor

Yousef AI Hammadi

Third Advisor

Huwida Said


This thesis proposes a secure authentication protocol against physical session hijacking attacks. In client/server technology, users establish sessions to access the services offered by the servers. However, using physical session hijacking attacks, malicious users may physically take control of ongoing sessions. Malicious users also can establish sessions with servers using stolen passwords. In both cases, the server will be communicating with the wrong user who pretends to be the real user. The goal of this authentication protocol is to continuously and dynamically ensure that during an ongoing session the current session’s user is himself the real person that is known to the server. The proposed continuous and dynamic verification process is based on the use of the session user ‟s biometrics data. The proposed protocol uses the 40-byte Option field in the IP header to continuously and dynamically verify the session user‟s biometrics. Since the biometrics data is potentially large, only random portion of biometrics data is used for authentication and is embed in the IP Option field. In this thesis, the focus is only on fingerprint and Iris biometrics data. The use of the IP Option field to embed the biometrics data will ensure that the proposed protocol is compatible with the current TCP/IP stack implementation. This would allow to not creating a new protocol or making major modification to the current TCP/IP stack implementation. This protocol has been simulated using Mat lab to evaluate its performance. In addition, the authenticity and secrecy of the proposed protocol has been validated using Scyther tool.