Security '01 Abstract
Dos and Don'ts of Client Authentication on the Web
Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster, MIT Laboratory for Computer Science
Client authentication has been a continuous source of problems on the Web. Although many well-studied techniques exist for authentication, Web sites continue to use extremely weak authentication schemes, especially in non-enterprise environments such as store fronts. These weaknesses often result from careless use of authenticators within Web cookies. Of the twenty-seven sites we investigated, we weakened the client authentication on two systems, gained unauthorized access on eight, and extracted the secret key used to mint authenticators from
We provide a description of the limitations, requirements, and security models specific to Web client authentication. This includes the introduction of the interrogative adversary, a surprisingly powerful adversary that can adaptively query a Web site.
We propose a set of hints for designing a secure client authentication scheme. Using these hints, we present the design and analysis of a simple authentication scheme secure against forgeries by the interrogative adversary. In conjunction with SSL, our scheme is secure against forgeries by the active adversary.
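The following is an added illustration of the kind of cookie authenticator the abstract contrasts; it is example code written for this page, not the authors' implementation, and the cookie layout `exp=...&user=...&digest=...`, the field names, the use of HMAC-SHA256 and the demo key are all assumptions. It places an unkeyed-hash authenticator, which an interrogative adversary can forge after obtaining a single valid cookie for an account it controls, beside a keyed-MAC authenticator that binds an expiration time and the user identity under a server-held secret, so that adaptive queries for valid cookies yield nothing usable for forging a new one.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed demo key for the example; a real server keeps this in protected
# storage and never places it in a cookie. 32 bytes.
SERVER_KEY = b"\x13\x37" * 16


def _parse(cookie: str) -> Optional[Tuple[str, str, int, str]]:
    """Split 'exp=<int>&user=<name>&digest=<hex>' into (payload, digest, exp, user).

    Returns None on any malformed input so callers reject it outright.
    """
    try:
        payload, digest = cookie.rsplit("&digest=", 1)
        fields = dict(p.split("=", 1) for p in payload.split("&"))
        return payload, digest, int(fields["exp"]), fields["user"]
    except (ValueError, KeyError):
        return None


# --- Weak scheme: unkeyed hash over the cookie fields --------------------------

def mint_weak(user: str, exp: int) -> str:
    """Authenticator is a plain SHA-256 of the fields; anyone can recompute it."""
    payload = f"exp={exp}&user={user}"
    return f"{payload}&digest={hashlib.sha256(payload.encode()).hexdigest()}"


def verify_weak(cookie: str, now: int) -> Optional[str]:
    """Accepts any cookie whose digest matches the unkeyed hash and is unexpired."""
    parsed = _parse(cookie)
    if parsed is None:
        return None
    payload, digest, exp, user = parsed
    if digest != hashlib.sha256(payload.encode()).hexdigest() or now >= exp:
        return None
    return user


def forge_from_weak(cookie: str, target_user: str) -> str:
    """Interrogative adversary: log in as itself, take the cookie it is given,
    change the user field and recompute the unkeyed digest. No secret is needed."""
    parsed = _parse(cookie)
    assert parsed is not None
    _, _, exp, _ = parsed
    return mint_weak(target_user, exp)


# --- Keyed scheme: HMAC under a server secret, with expiration ----------------

def mint(user: str, exp: int, key: bytes = SERVER_KEY) -> str:
    """Authenticator is HMAC-SHA256 over 'exp=...&user=...' under the server key."""
    payload = f"exp={exp}&user={user}"
    return f"{payload}&digest={hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()}"


def verify(cookie: str, now: int, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the authenticated user, or None if the cookie is malformed,
    altered, minted under another key, or expired."""
    parsed = _parse(cookie)
    if parsed is None:
        return None
    payload, digest, exp, user = parsed
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: a timing leak would let an adaptive querier
    # recover the digest byte by byte.
    if not hmac.compare_digest(digest, expected):
        return None
    if now >= exp:
        return None
    return user


def tamper(cookie: str, target_user: str) -> str:
    """The same edit attempted against the keyed cookie: rewrite the user field
    but keep the old digest, since the key to recompute it is unavailable."""
    parsed = _parse(cookie)
    assert parsed is not None
    _, digest, exp, _ = parsed
    return f"exp={exp}&user={target_user}&digest={digest}"


if __name__ == "__main__":
    now = 1_000_000
    weak = mint_weak("alice", now + 3600)
    print("weak forgery accepted as:", verify_weak(forge_from_weak(weak, "admin"), now))
    strong = mint("alice", now + 3600)
    print("keyed tamper accepted as:", verify(tamper(strong, "admin"), now))
    print("keyed cookie after expiry:", verify(strong, now + 3600))
```

The keyed scheme resists forgery, but it does not by itself protect the cookie in transit: an adversary who can read the network can replay a captured cookie until it expires, which is why the abstract pairs the scheme with SSL for the active-adversary case. The expiration field bounds the damage of a leaked cookie; the MAC is what stops the interrogative adversary from minting one.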
The Proceedings are published as a collective work, © 2001 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.