Dos and don’ts of client authentication on the web
Authors: Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster

Date: August 2001
Publication: Proceedings of the USENIX Security Symposium
Publisher: USENIX
Source 1: http://pdos.csail.mit.edu/papers/webauth:sec10.pdf
Source 2: http://pdos.csail.mit.edu/papers/webauth:tr.pdf

Abstract or Summary:
Client authentication has been a continuous source of problems on the Web. Although many well-studied techniques exist for authentication, Web sites continue to use extremely weak authentication schemes, especially in non-enterprise environments such as store fronts. These weaknesses often result from careless use of authenticators within Web cookies. Of the twenty-seven sites we investigated, we weakened the client authentication on two systems, gained unauthorized access on eight, and extracted the secret key used to mint authenticators from one.

We provide a description of the limitations, requirements, and security models specific to Web client authentication. This includes the introduction of the interrogative adversary, a surprisingly powerful adversary that can adaptively query a Web site.

We propose a set of hints for designing a secure client authentication scheme. Using these hints, we present the design and analysis of a simple authentication scheme secure against forgeries by the interrogative adversary. In conjunction with SSL, our scheme is secure against forgeries by the active adversary.

The technical report [second link] includes details not released in the USENIX proceedings.
