Remote Client Authentication
July/August 2008 (vol. 6 no. 4)
pp. 36-43
Thomas Weigold, IBM's Zurich Research Laboratory
Thorsten Kramp, IBM's Zurich Research Laboratory
Michael Baentsch, IBM's Zurich Research Laboratory
The effectiveness of remote client-authentication schemes varies significantly in relation to today's security challenges, which include phishing, man-in-the-middle attacks, and malicious software. A survey of remote authentication methods shows how each measures up and includes recommendations for solution developers and consumers.
Index Terms:
remote authentication, computer security, phishing, man-in-the-middle attacks
Citation:
Thomas Weigold, Thorsten Kramp, Michael Baentsch, "Remote Client Authentication," IEEE Security & Privacy, vol. 6, no. 4, pp. 36-43, July-Aug. 2008, doi:10.1109/MSP.2008.93