Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Date: Sat Sep 15 2001 - 18:41:58 CDT
Dos and Don'ts of Client Authentication on the Web
Kevin Fu, Emil Sit, Kendra Smith, and Nick Feamster
Client authentication has been a continuous source of problems on the Web.
Although many well-studied techniques exist for authentication, Web sites
continue to use extremely weak authentication schemes, especially in
non-enterprise environments such as store fronts. These weaknesses often
result from careless use of authenticators within Web cookies. Of the
twenty-seven sites we investigated, we weakened the client authentication on
two systems, gained unauthorized access on eight, and extracted the secret
key used to mint authenticators from one.
We provide a description of the limitations, requirements, and security
models specific to Web client authentication. This includes the introduction
of the interrogative adversary, a surprisingly powerful adversary that can
adaptively query a Web site.
We propose a set of hints for designing a secure client authentication
scheme. Using these hints, we present the design and analysis of a simple
authentication scheme secure against forgeries by the interrogative adversary.
In conjunction with SSL, our scheme is secure against forgeries by the active
The technical report includes details not released in the USENIX proceedings.
-- Elias Levy SecurityFocus http://www.securityfocus.com/ Si vis pacem, para bellum