Client authentication has been a continuous source of problems on the Web. Although many well-studied techniques exist for authentication, Web sites continue to use extremely weak authentication schemes, especially in non-enterprise environments such as store fronts. These weaknesses often result from careless use of authenticators within Web cookies. Of the twenty-seven sites we investigated, we weakened the client authentication on two systems, gained unauthorized access on eight, and extracted the secret key used to mint authenticators from one. We provide a description of the limitations, requirements, and security models specific to Web client authentication. This includes the introduction of the interrogative adversary, a surprisingly powerful adversary that can adaptively query a Web site. We propose a set of hints for designing a secure client authentication scheme. Using these hints, we present the design and analysis of a simple authentication scheme secure against forgeries by the interrogative adversary. In conjunction with SSL, our scheme is secure against forgeries by the active adversary.