ThesaHelp: references e-f
Topic: authentication
Topic: World-Wide Web
Topic: security leaks and weaknesses
Topic: one-way hash function
Topic: key distribution
Reference
Fu, K., Sit, E., Smith, K., Feamster, N.,
"Dos and Don'ts of client authentication on the web",
10th USENIX Security Symposium, Washington, D.C., USA, August 2001, USENIX Association, pp. 251-266.
Notes
http://cookies.lcs.mit.edu
Quotations
251 ;;Quote: gained unauthorized access to 8 of 27 Web sites; extracted the secret key from one
251 ;;Quote: an interrogative adversary uses adaptive chosen message attacks; every user on the Web, powerful; e.g., attempted forgeries and creating new accounts
253 ;;Quote: existential and selective forgery of users; a total break recovers the secret key used to mint authenticators
254 ;;Quote: an eavesdropping adversary can see, but not modify, traffic between users and server; can replay authenticators and act as an interrogative adversary
254 ;;Quote: an active adversary can see and modify all communications traffic; e.g., a proxy service and man-in-the-middle attacks
258 ;;Quote: URLs can leak authenticators through the Referer header, allowing cross-site scripting attacks without eavesdropping
258 ;;Quote: do not store authenticators in persistent cookies; leaked cookie files and public systems allow full access to the user account
259 ;;Quote: for authentication cookies, use expiration date, data, and message digest; use session ID for sensitive data; use SSL to counter eavesdroppers
259 ;;Quote: use keyed, non-malleable MACs such as HMAC-MD5 and HMAC-SHA1; valid plaintext/ciphertext pairs do not give away the secret key
260 ;;Quote: revoke all authenticators by changing the server key; requires new logins and identifies unused accounts
261 ;;Quote: MAC authentication cookies allow constant-time authentication without replicated state; only needs the server's private key
261 ;;Quote: use random keys and key rotation to counter brute force key attacks; suggested key size
262 ;;Quote: HMAC-SHA1 authenticators were nearly as fast as unauthenticated HTTP; SSL is 10x slower
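The MAC-based authentication cookie the quotations describe (expiration, data, keyed message digest; verification from the server key alone; revocation of every outstanding cookie by changing that key), as an added example that is not code from the paper or from Thesa. It uses HMAC-SHA256 where the paper measured HMAC-SHA1; the key, user data and timestamps are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import quote, unquote

# Constructed demo key; a real server draws its key with new_server_key() and keeps it secret.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def new_server_key() -> bytes:
    """Fresh random key. Installing it revokes every outstanding authenticator."""
    return secrets.token_bytes(32)


def mint(key: bytes, data: str, exp: int) -> str:
    """Mint a cookie of the form exp=t&data=s&digest=HMAC(key, "exp=t&data=s")."""
    payload = f"exp={exp}&data={quote(data, safe='')}"   # percent-encode so '&' and '=' cannot appear in data
    digest = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}&digest={digest}"


def verify(key: bytes, cookie: str, now: int):
    """Return the authenticated data, or None if the cookie is forged, malformed or expired.

    Needs only the server key: no per-session state has to be stored or replicated.
    """
    payload, sep, digest = cookie.rpartition("&digest=")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not reveal how many digest bytes matched.
    if not hmac.compare_digest(expected, digest):
        return None
    try:
        fields = dict(part.split("=", 1) for part in payload.split("&"))
        exp = int(fields["exp"])
        data = unquote(fields["data"])
    except (ValueError, KeyError):
        return None
    if now >= exp:
        return None
    return data


if __name__ == "__main__":
    cookie = mint(SERVER_KEY, "user=alice", 2000)
    print(cookie)
    print(verify(SERVER_KEY, cookie, now=1000))         # user=alice
    print(verify(SERVER_KEY, cookie, now=3000))         # None: expired
    print(verify(new_server_key(), cookie, now=1000))   # None: key rotated, all cookies revoked
```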
Related Topics
ThesaHelp: references e-f (168 items)
Topic: authentication (87 items)
Topic: World-Wide Web (38 items)
Topic: security leaks and weaknesses (56 items)
Topic: one-way hash function (23 items)
Topic: key distribution (33 items)