From: aleph1@securityfocus.com
Date: Sat Sep 15 2001 - 18:41:58 CDT

    Dos and Don'ts of Client Authentication on the Web
    Kevin Fu, Emil Sit, Kendra Smith, and Nick Feamster

    Client authentication has been a continuous source of problems on the Web.
    Although many well-studied techniques exist for authentication, Web sites
    continue to use extremely weak authentication schemes, especially in
    non-enterprise environments such as store fronts. These weaknesses often
    result from careless use of authenticators within Web cookies. Of the
    twenty-seven sites we investigated, we weakened the client authentication on
    two systems, gained unauthorized access on eight, and extracted the secret
    key used to mint authenticators from one.

    We provide a description of the limitations, requirements, and security
    models specific to Web client authentication. This includes the introduction
    of the interrogative adversary, a surprisingly powerful adversary that can
    adaptively query a Web site.

    We propose a set of hints for designing a secure client authentication
    scheme. Using these hints, we present the design and analysis of a simple
    authentication scheme secure against forgeries by the interrogative adversary.
    In conjunction with SSL, our scheme is secure against forgeries by the active
    adversary.

    The technical report includes details not released in the USENIX proceedings.

    http://cookies.lcs.mit.edu/pubs/webauth:tr.ps
    http://cookies.lcs.mit.edu/pubs/webauth:tr.pdf

    http://cookies.lcs.mit.edu/pubs/webauth:sec10-slides.ps.gz
    http://cookies.lcs.mit.edu/pubs/webauth:sec10-slides.pdf

    -- 
    Elias Levy
    SecurityFocus
    http://www.securityfocus.com/
    Si vis pacem, para bellum
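
The abstract above names the two failure modes the paper attacks: authenticators minted carelessly inside cookies, and a secret minting key that an adaptive (interrogative) adversary can recover or bypass. The following is an added example, not code from the paper, from SecurityFocus, or from any of the surveyed sites. It puts an unkeyed, forgeable cookie scheme beside a keyed one in the exp=t&data=s&digest=MAC_k(exp=t&data=s) layout the paper recommends. The choice of HMAC-SHA256, the demo key, and the usernames are this example's own assumptions, not details stated on this page.

```python
"""Cookie authenticators: an unkeyed, forgeable scheme beside a keyed one.

Added example, not code from the paper or from SecurityFocus.  The demo key
and the usernames are constructed for illustration only.
"""
import hashlib
import hmac
import time


# --- The careless scheme: a cookie "signed" with an unkeyed hash -------------
# Nothing here depends on a server secret, so an interrogative adversary who
# can read one of their own cookies learns the whole minting rule.  A strong
# hash does not help; the missing ingredient is the key.

def weak_mint(user):
    return "user=%s&sig=%s" % (user, hashlib.sha256(user.encode()).hexdigest())


def weak_verify(cookie):
    fields = dict(part.split("=", 1) for part in cookie.split("&"))
    user = fields.get("user", "")
    if fields.get("sig") == hashlib.sha256(user.encode()).hexdigest():
        return user
    return None


def weak_forge(target):
    # Forging any account's cookie needs no key, only the observed format.
    return weak_mint(target)


# --- A keyed scheme: exp=<t>&data=<s>&digest=HMAC_k("exp=<t>&data=<s>") ------
# The MAC covers exactly the bytes the server will parse, the expiry sits
# inside the MAC'd region, and the comparison is constant-time.  HMAC-SHA256
# is an assumption of this example, not a detail stated on the page.

def _body(exp, data):
    if "&" in data or "=" in data:
        raise ValueError("data must not contain field separators")
    return "exp=%d&data=%s" % (exp, data)


def mint(key, data, exp):
    body = _body(exp, data)
    digest = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "&digest=" + digest


def verify(key, cookie, now=None):
    """Return the authenticated data, or None if the cookie is not acceptable."""
    now = int(time.time()) if now is None else now
    try:
        body, digest = cookie.rsplit("&digest=", 1)
    except ValueError:           # no digest field at all
        return None
    # Check the MAC over the received bytes before trusting any parsed field.
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), digest.encode()):
        return None
    fields = {}
    for part in body.split("&"):
        name, _, value = part.partition("=")
        fields[name] = value
    if set(fields) != {"exp", "data"}:   # reject extra or missing fields
        return None
    try:
        exp = int(fields["exp"])
    except ValueError:
        return None
    if now >= exp:                       # expiry is authenticated, so honour it
        return None
    return fields["data"]


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    cookie = mint(key, "alice", int(time.time()) + 3600)
    print("keyed cookie:", cookie)
    print("verifies as:", verify(key, cookie))
    print("tampered copy verifies as:", verify(key, cookie.replace("alice", "admin")))
    print("forged weak cookie verifies as:", weak_verify(weak_forge("admin")))
```

Two design points carry most of the weight: the server checks the MAC over the raw received bytes before it parses anything, so no ambiguity in field splitting can be exploited, and the expiry lives inside the MAC'd region, so a client cannot extend its own session. Neither scheme protects against replay of a sniffed cookie; as the abstract notes, that is what SSL is for.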