Dos and don'ts of client authentication on the web
Date: August 2001
Publication: Proceedings of the USENIX Security Symposium
Source 1: http://pdos.csail.mit.edu/papers/webauth:sec10.pdf
Source 2: http://pdos.csail.mit.edu/papers/webauth:tr.pdf
Abstract or Summary:
Client authentication has been a continuous source of problems on the Web. Although many well-studied techniques exist for authentication, Web sites continue to use extremely weak authentication schemes, especially in non-enterprise environments such as store fronts. These weaknesses often result from careless use of authenticators within Web cookies. Of the twenty-seven sites we investigated, we weakened the client authentication on two systems, gained unauthorized access on eight, and extracted the secret key used to mint authenticators from one.
We provide a description of the limitations, requirements, and security models specific to Web client authentication. This includes the introduction of the interrogative adversary, a surprisingly powerful adversary that can adaptively query a Web site.
We propose a set of hints for designing a secure client authentication scheme. Using these hints, we present the design and analysis of a simple authentication scheme secure against forgeries by the interrogative adversary. In conjunction with SSL, our scheme is secure against forgeries by the active adversary.
The technical report [second link] includes details not released in the USENIX proceedings.
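The abstract describes authenticators carried in Web cookies and minted with a secret key that must not be recoverable by an adversary who can query the site. The following is an added example, not code from the paper or its authors: a cookie authenticator in which an expiry time and the user identity are bound together by a keyed MAC (HMAC-SHA256), so that neither field can be altered or forged without the server-side key. The exact field layout (`exp`, `user`, `digest`), the key value and the sample identities are constructed for the illustration; they are not taken from the paper.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qsl, urlencode

# Constructed server-side secret for the demo. A real deployment would use a
# random key kept only on the server; the key never appears in the cookie.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def _canonical_payload(exp: int, user: str) -> str:
    """Fixed field order so minting and verification MAC exactly the same bytes."""
    return urlencode({"exp": exp, "user": user})


def mint_authenticator(key: bytes, user: str, ttl_seconds: int,
                       now: Optional[int] = None) -> str:
    """Build a cookie value: expiry, user identity, and a MAC over both.

    Because the MAC covers the expiry as well as the identity, a client cannot
    extend its own session or substitute another user without the key.
    """
    if now is None:
        now = int(time.time())
    payload = _canonical_payload(now + ttl_seconds, user)
    digest = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}&digest={digest}"


def verify_authenticator(key: bytes, cookie: str,
                         now: Optional[int] = None) -> Optional[str]:
    """Return the authenticated user, or None if the cookie is malformed,
    forged (MAC mismatch), or expired."""
    if now is None:
        now = int(time.time())
    fields = dict(parse_qsl(cookie, keep_blank_values=True))
    try:
        exp = int(fields["exp"])
        user = fields["user"]
        digest = fields["digest"]
    except (KeyError, ValueError):
        return None
    # Recompute the MAC over the canonical payload and compare in constant time,
    # so a querying adversary learns nothing from response timing.
    expected = hmac.new(key, _canonical_payload(exp, user).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, digest):
        return None
    if now >= exp:
        return None
    return user


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock so the output is reproducible.
    issued_at = 1_000
    cookie = mint_authenticator(SERVER_KEY, "alice", 3_600, now=issued_at)
    print("cookie:", cookie)
    print("valid  :", verify_authenticator(SERVER_KEY, cookie, now=issued_at + 60))
    print("expired:", verify_authenticator(SERVER_KEY, cookie, now=issued_at + 7_200))
    print("tampered user:", verify_authenticator(
        SERVER_KEY, cookie.replace("user=alice", "user=admin"), now=issued_at + 60))
```

The check that matters for the abstract's threat model is that verification depends on a key the client never sees: an adversary who can submit arbitrary cookies and observe accept/reject answers gains no way to produce a valid digest for a different user or a later expiry, and the constant-time comparison closes the timing side channel that such adaptive querying could otherwise exploit.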
Do you have additional information to contribute regarding this research paper? If so, please email firstname.lastname@example.org with the details.