Subject: web authentication paper from MIT
http://cookies.lcs.mit.edu/pubs/webauth:tr.pdf

Likely a useful read as we design and do security considerations.

- RL "Bob"

---

"Dos and Don'ts of Client Authentication on the Web"

Abstract

Client authentication has been a continuous source of problems on the Web. Although many well-studied techniques exist for authentication, Web sites continue to use extremely weak authentication schemes, especially in non-enterprise environments such as store fronts. These weaknesses often result from careless use of authenticators within Web cookies. Of the twenty-seven sites we investigated, we weakened the client authentication on two systems, gained unauthorized access on eight, and extracted the secret key used to mint authenticators from one. We provide a description of the limitations, requirements, and security models specific to Web client authentication. This includes the introduction of the interrogative adversary, a surprisingly powerful adversary that can adaptively query a Web site. We propose a set of hints for designing a secure client authentication scheme. Using these hints, we present the design and analysis of a simple authentication scheme secure against forgeries by the interrogative adversary. In conjunction with SSL, our scheme is secure against forgeries by the active adversary.
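As an added illustration (editor's example, not code from the paper or from this list), here is a cookie authenticator of the kind the abstract argues for: a server-held secret key mints a keyed MAC over an expiry time and the session data, so an adversary who can only query the site cannot forge or alter a cookie without the key. The concrete field layout (exp, data, digest) and the demo key are this example's assumptions; the page does not spell them out.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo key. A real deployment keeps this server-side only and rotates it;
# the abstract notes that one surveyed site leaked exactly this kind of minting key.
SERVER_KEY = b"example-server-secret-key"


def _payload(exp: int, data: str) -> bytes:
    # Both the expiry and the data are covered by the MAC, so neither can be
    # changed independently of the other. `data` must not itself contain '&'.
    return f"exp={exp}&data={data}".encode()


def mint(data: str, key: bytes = SERVER_KEY, ttl: int = 3600,
         now: Optional[int] = None) -> str:
    """Mint an authenticator cookie: expiry + data + HMAC-SHA256 over both."""
    now = int(time.time()) if now is None else now
    exp = now + ttl
    digest = hmac.new(key, _payload(exp, data), hashlib.sha256).hexdigest()
    return f"exp={exp}&data={data}&digest={digest}"


def verify(cookie: str, key: bytes = SERVER_KEY,
           now: Optional[int] = None) -> Optional[str]:
    """Return the authenticated data, or None if the cookie is malformed, forged or expired."""
    now = int(time.time()) if now is None else now
    try:
        fields = dict(part.split("=", 1) for part in cookie.split("&"))
        exp = int(fields["exp"])
        data, digest = fields["data"], fields["digest"]
    except (ValueError, KeyError):
        return None  # malformed cookie: reject rather than guess
    expected = hmac.new(key, _payload(exp, data), hashlib.sha256).hexdigest()
    # compare_digest is constant-time; a plain == would leak how many leading
    # digest characters matched, which an adaptive querier could exploit.
    if not hmac.compare_digest(expected, digest):
        return None
    if now >= exp:
        return None  # valid MAC but past its expiry: the authenticator has lapsed
    return data


if __name__ == "__main__":
    cookie = mint("user=alice", now=1000)
    print(cookie)
    print("genuine:", verify(cookie, now=1500))
    print("tampered:", verify(cookie.replace("alice", "admin"), now=1500))
    print("expired:", verify(cookie, now=5000))
```

Without SSL the cookie can still be captured and replayed until it expires, which is why the abstract pairs the scheme with SSL for security against the active adversary.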