List: secpapers
Subject: Dos and Don'ts of Client Authentication on the Web
From: aleph1 () securityfocus ! com
Date: 2001-09-15 23:41:58
Dos and Don'ts of Client Authentication on the Web
Kevin Fu, Emil Sit, Kendra Smith, and Nick Feamster
Client authentication has been a continuous source of problems on the Web.
Although many well-studied techniques exist for authentication, Web sites
continue to use extremely weak authentication schemes, especially in
non-enterprise environments such as store fronts. These weaknesses often
result from careless use of authenticators within Web cookies. Of the
twenty-seven sites we investigated, we weakened the client authentication on
two systems, gained unauthorized access on eight, and extracted the secret
key used to mint authenticators from one.
We provide a description of the limitations, requirements, and security
models specific to Web client authentication. This includes the introduction
of the interrogative adversary, a surprisingly powerful adversary that can
adaptively query a Web site.
We propose a set of hints for designing a secure client authentication
scheme. Using these hints, we present the design and analysis of a simple
authentication scheme secure against forgeries by the interrogative adversary.
In conjunction with SSL, our scheme is secure against forgeries by the active
adversary.
The technical report includes details not released in the USENIX proceedings.
http://cookies.lcs.mit.edu/pubs/webauth:tr.ps
http://cookies.lcs.mit.edu/pubs/webauth:tr.pdf
http://cookies.lcs.mit.edu/pubs/webauth:sec10-slides.ps.gz
http://cookies.lcs.mit.edu/pubs/webauth:sec10-slides.pdf
--
Elias Levy
SecurityFocus
http://www.securityfocus.com/
Si vis pacem, para bellum
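The abstract above contrasts weak cookie authenticators with a keyed scheme that resists the interrogative adversary, an attacker who can adaptively obtain authenticators from the site but does not hold the minting key. The Python below is an added illustration written for this page, not code from the paper or from this post: it places an unkeyed-hash cookie beside an HMAC-keyed cookie that carries an expiry, and models the interrogative adversary as a routine that may obtain authenticators only for accounts it controls. The cookie layout (`exp=...&user=...&digest=...`), the field names, the hash choices and the `mallory` accounts are assumptions made for the example and do not reproduce the paper's exact format.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed server secret: the key used to mint authenticators. An
# adversary who extracts this key can mint a valid cookie for any user.
SERVER_KEY = secrets.token_bytes(32)

# A user name containing a field delimiter could smuggle a second "exp="
# into the signed payload and extend its own lifetime; refuse it at mint time.
FORBIDDEN = set("&=")


def _payload(user: str, expires: int) -> str:
    if FORBIDDEN & set(user):
        raise ValueError("user name must not contain field delimiters")
    return f"exp={expires}&user={user}"


def weak_mint(user: str, expires: int) -> str:
    """Weak scheme: an unkeyed hash over the fields. Anyone can recompute it."""
    payload = _payload(user, expires)
    return f"{payload}&digest={hashlib.sha1(payload.encode()).hexdigest()}"


def mint(user: str, expires: int, key: bytes = SERVER_KEY) -> str:
    """Keyed scheme: HMAC-SHA256 over the fields with the server's secret key."""
    payload = _payload(user, expires)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}&digest={tag}"


def _parse(cookie: str):
    """Split a cookie into (payload, digest, user, expires); None if malformed."""
    try:
        payload, digest = cookie.rsplit("&digest=", 1)
        fields = dict(kv.split("=", 1) for kv in payload.split("&"))
        return payload, digest, fields["user"], int(fields["exp"])
    except (ValueError, KeyError):
        return None


def _check(cookie: str, now: int, expected: Callable[[str], str]) -> Optional[str]:
    """Shared verifier: check the digest before trusting any field, then expiry."""
    parsed = _parse(cookie)
    if parsed is None:
        return None
    payload, digest, user, expires = parsed
    if not hmac.compare_digest(expected(payload), digest):  # constant-time compare
        return None
    if now >= expires:
        return None
    return user


def weak_verify(cookie: str, now: int) -> Optional[str]:
    return _check(cookie, now, lambda p: hashlib.sha1(p.encode()).hexdigest())


def verify(cookie: str, now: int, key: bytes = SERVER_KEY) -> Optional[str]:
    return _check(cookie, now,
                  lambda p: hmac.new(key, p.encode(), hashlib.sha256).hexdigest())


def forge(mint_fn: Callable[[str, int], str], target: str, expires: int) -> Optional[str]:
    """Interrogative adversary: it can only ask the site for authenticators of
    accounts it controls (the hypothetical 'mallory' accounts), so it collects a
    few, tests the hypothesis 'digest = SHA-1(payload)' against them, and forges
    a cookie for `target` if the hypothesis holds. Against a keyed digest the
    hypothesis is refuted and no forgery is produced."""
    samples = [mint_fn(f"mallory{i}", expires) for i in range(3)]
    for cookie in samples:
        payload, digest = cookie.rsplit("&digest=", 1)
        if hashlib.sha1(payload.encode()).hexdigest() != digest:
            return None
    payload = f"exp={expires}&user={target}"
    return f"{payload}&digest={hashlib.sha1(payload.encode()).hexdigest()}"


if __name__ == "__main__":
    print("weak scheme forged for admin:", weak_verify(forge(weak_mint, "admin", 2000), 1000))
    print("keyed scheme forgery attempt:", forge(mint, "admin", 2000))
```

The keyed verifier checks the MAC before it looks at `exp` or `user`, uses a constant-time comparison, and rejects names that could inject extra fields into the signed string; those three points are where ad hoc cookie schemes most often go wrong.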