Abstract
We outline an end-to-end password authentication protocol for the web designed to be stateless and as secure as possible given the legacy limitations of the web browser and the performance constraints of commercial web servers. Our scheme is secure against very strong but passive attackers able to observe both network traffic and the server's database state. At the same time, our scheme is simple for web servers to implement and requires no changes to modern, HTML5-compliant browsers. We assume TLS is available for the initial login and use no other public-key cryptographic operations, yet we still successfully defend against cookie-stealing and cookie-forging attackers and provide strong resistance to password guessing attacks.
Keywords
- Message Authentication Code
- Password Authentication
- User Password
- Passive Attacker
- Distributed System Security Symposium
© 2011 Springer-Verlag Berlin Heidelberg
Cite this paper
Bonneau, J. (2011). Getting Web Authentication Right: A Best-Case Protocol for the Remaining Life of Passwords. In: Christianson, B., Crispo, B., Malcolm, J., Stajano, F. (eds) Security Protocols XIX. Security Protocols 2011. Lecture Notes in Computer Science, vol 7114. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-25867-1_8
DOI: https://doi.org/10.1007/978-3-642-25867-1_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-25866-4
Online ISBN: 978-3-642-25867-1
eBook Packages: Computer Science (R0)