OASIS Mailing List Archives

security-services message



Subject: web authentication paper from MIT



  http://cookies.lcs.mit.edu/pubs/webauth:tr.pdf

Likely a useful read as we design and do security considerations.

 - RL "Bob"

---

"Dos and Don'ts of Client Authentication on the Web"

Abstract

Client authentication has been a continuous source of problems on
the Web. Although many well-studied techniques exist for authentication,
Web sites continue to use extremely weak authentication schemes,
especially in non-enterprise environments such as store fronts. These
weaknesses often result from careless use of authenticators within Web
cookies. Of the twenty-seven sites we investigated, we weakened the client
authentication on two systems, gained unauthorized access on eight, and
extracted the secret key used to mint authenticators from one.

We provide a description of the limitations, requirements, and security
models specific to Web client authentication. This includes the
introduction of the interrogative adversary, a surprisingly powerful
adversary that can adaptively query a Web site.

We propose a set of hints for designing a secure client authentication
scheme. Using these hints, we present the design and analysis of a simple
authentication scheme secure against forgeries by the interrogative
adversary. In conjunction with SSL, our scheme is secure against forgeries
by the active adversary.




