Dos and don'ts of client authentication on the web

Title: Dos and don'ts of client authentication on the web
Publication Type: Conference Paper
Year of Publication: 2001
Authors: Fu K, Sit E, Smith K, Feamster N
Conference Name: Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Date Published: 2001
Publisher: USENIX Association
Conference Location: Berkeley, CA, USA

Client authentication has been a continuous source of problems on the Web. Although many well-studied techniques exist for authentication, Web sites continue to use extremely weak authentication schemes, especially in non-enterprise environments such as store fronts. These weaknesses often result from careless use of authenticators within Web cookies. Of the twenty-seven sites we investigated, we weakened the client authentication on two systems, gained unauthorized access on eight, and extracted the secret key used to mint authenticators from one. We provide a description of the limitations, requirements, and security models specific to Web client authentication. This includes the introduction of the interrogative adversary, a surprisingly powerful adversary that can adaptively query a Web site. We propose a set of hints for designing a secure client authentication scheme. Using these hints, we present the design and analysis of a simple authentication scheme secure against forgeries by the interrogative adversary. In conjunction with SSL, our scheme is secure against forgeries by the active adversary.