
List:       secpapers
Subject:    Dos and Don'ts of Client Authentication on the Web
From:       aleph1 () securityfocus ! com
Date:       2001-09-15 23:41:58

Dos and Don'ts of Client Authentication on the Web
Kevin Fu, Emil Sit, Kendra Smith, and Nick Feamster

Client authentication has been a continuous source of problems on the Web. 
Although many well-studied techniques exist for authentication, Web sites 
continue to use extremely weak authentication schemes, especially in 
non-enterprise environments such as store fronts. These weaknesses often 
result from careless use of authenticators within Web cookies. Of the 
twenty-seven sites we investigated, we weakened the client authentication on 
two systems, gained unauthorized access on eight, and extracted the secret 
key used to mint authenticators from one.

We provide a description of the limitations, requirements, and security 
models specific to Web client authentication. This includes the introduction 
of the interrogative adversary, a surprisingly powerful adversary that can 
adaptively query a Web site.

We propose a set of hints for designing a secure client authentication 
scheme. Using these hints, we present the design and analysis of a simple 
authentication scheme secure against forgeries by the interrogative adversary. 
In conjunction with SSL, our scheme is secure against forgeries by the active 
adversary.

The technical report includes details not released in the USENIX proceedings.

http://cookies.lcs.mit.edu/pubs/webauth:tr.ps
http://cookies.lcs.mit.edu/pubs/webauth:tr.pdf

http://cookies.lcs.mit.edu/pubs/webauth:sec10-slides.ps.gz
http://cookies.lcs.mit.edu/pubs/webauth:sec10-slides.pdf


-- 
Elias Levy
SecurityFocus
http://www.securityfocus.com/
Si vis pacem, para bellum
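As an added illustration (not from this announcement and not the paper's own code), the following Python shows the general shape of a keyed-MAC cookie authenticator of the kind the abstract refers to: the server mints a cookie carrying an expiry and some data plus a digest computed under a secret key, and the verifier rejects any cookie whose digest does not match or whose expiry has passed. The cookie layout, the field names, the HMAC-SHA256 choice, the demo key and the sample values are assumptions chosen for the example; the paper's actual construction is not reproduced on this page.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server-side secret; a real deployment loads it from protected
# configuration and never sends it to the client.
SERVER_KEY = secrets.token_bytes(32)


def mint_authenticator(data: str, lifetime: int, key: bytes = SERVER_KEY,
                       now: Optional[int] = None) -> str:
    """Mint a cookie value of the assumed form exp=<t>&data=<s>&digest=<mac>.

    The digest is an HMAC-SHA256 over the expiry and data under the server
    key, so a client holding only the cookie cannot alter either field or
    mint a fresh one without the key.
    """
    if "&" in data:
        raise ValueError("field separator not allowed in data")
    if now is None:
        now = int(time.time())
    exp = now + lifetime
    body = f"exp={exp}&data={data}"
    digest = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}&digest={digest}"


def verify_authenticator(cookie: str, key: bytes = SERVER_KEY,
                         now: Optional[int] = None) -> Optional[str]:
    """Return the authenticated data if the cookie is genuine and unexpired.

    Returns None for malformed, tampered, forged, or expired cookies. The
    digest is recomputed over the parsed fields and compared in constant time.
    """
    if now is None:
        now = int(time.time())
    try:
        fields = dict(part.split("=", 1) for part in cookie.split("&"))
        exp = int(fields["exp"])
        data = fields["data"]
        digest = fields["digest"]
    except (ValueError, KeyError):
        return None
    body = f"exp={exp}&data={data}"
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, digest):
        return None  # digest mismatch: altered fields or not minted by us
    if now >= exp:
        return None  # authenticator has expired
    return data


def demo() -> dict:
    """Exercise the verifier with constructed inputs; returns outcomes by case."""
    key = b"constructed-demo-key-do-not-reuse"   # constructed for the demo
    now = 1_000_000_000                          # constructed fixed clock
    cookie = mint_authenticator("alice", 3600, key, now)
    return {
        "valid": verify_authenticator(cookie, key, now + 10),
        "tampered_data": verify_authenticator(
            cookie.replace("data=alice", "data=admin"), key, now + 10),
        "tampered_expiry": verify_authenticator(
            cookie.replace(f"exp={now + 3600}", f"exp={now + 999999}"), key, now + 10),
        "expired": verify_authenticator(cookie, key, now + 3600),
        "wrong_key": verify_authenticator(cookie, b"other-key", now + 10),
        "malformed": verify_authenticator("garbage", key, now + 10),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome!r}")
```

Two design points worth noting: the verifier recomputes the digest over the parsed fields rather than trusting the client's string, so any change to the expiry or data invalidates the cookie, and the comparison uses `hmac.compare_digest` so that a byte-by-byte mismatch does not leak timing information to a client that can query the site repeatedly.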

