Elsevier

Computer Networks

Volume 51, Issue 13, 12 September 2007, Pages 3715-3726
SPP: An anti-phishing single password protocol

https://doi.org/10.1016/j.comnet.2007.03.007

Abstract

Most users have multiple accounts on the Internet where each account is protected by a password. To avoid the headache of remembering and managing a long list of different and unrelated passwords, most users simply use the same password for multiple accounts. Unfortunately, the predominant HTTP basic authentication protocol (even over SSL) makes this common practice remarkably dangerous: an attacker can effectively steal users’ passwords for high-security servers (such as an online banking website) by setting up a malicious server or breaking into a low-security server (such as a high-school alumni website). Furthermore, the HTTP basic authentication protocol is vulnerable to phishing attacks because a client needs to reveal his password to the server that the client wants to log in to.

In this paper, we propose a protocol that allows a client to securely use a single password across multiple servers, and also prevents phishing attacks. Our protocol achieves client authentication without the client revealing his password to the server at any point. Therefore, a compromised server cannot steal a client’s password and replay it to another server.

Our protocol is simple, secure, efficient and user-friendly. In terms of simplicity, it only involves three messages. In terms of security, the protocol is secure against the attacks that have been discovered so far, including the ones that are difficult to defend against, such as the malicious server attacks described above and the recent phishing attacks. Essentially our protocol is an anti-phishing password protocol. In terms of efficiency, each run of our protocol only involves a total of four computations of a one-way hash function. In terms of usability, the protocol requires a user to remember only one password consisting of eight (or more) random characters, and this password can be used for all of his accounts.

Introduction

Authentication of an entity is usually done by verifying one or more of the following:

  1. Something the entity is (by biometric techniques, such as fingerprint or voiceprint identification).

  2. Something the entity has (by PKI certificate, ID cards, smart cards).

  3. Something the entity knows (by passwords, PINs).

Of these three authentication methodologies, only the last two are suitable for remote authentication. On today’s Internet, server authentication is usually done by SSL [5] using PKI certificates, which is something the server has, while client authentication is usually done using passwords, which is something the client knows.

Many people today have multiple accounts on the Internet. For example, one may have an email account on www.yahoo.com, a travel account on www.travelocity.com, a credit card account on www.discovercard.com, a banking account on www.chase.com, an online stock trading account on www.fidelity.com, etc. Forrester Research reports that a typical web user manages an average of 15 passwords on a daily basis [10]. Most of these accounts are protected by passwords. As more services move to the Internet, the number of accounts a user needs to manage is expected only to grow. If one uses different and unrelated passwords for each account, then remembering all these unique passwords is a daunting task. It has been observed in [1] that a typical user can only remember 4 or 5 passwords effectively. Because of this, the common practice is to use the same password for multiple accounts. However, the predominant HTTP basic authentication protocol (even over SSL) [4] makes this practice remarkably dangerous because the protocol allows a server to know the password of each of its clients.

Let us first examine how the HTTP basic authentication protocol works. A client C first registers with a server (such as a web site) S using password P. The registration results in S storing in its password file the pair of user name C and password verification information MD(P). Here MD denotes a message digest (one-way hash) function such as MD5 [16] and SHA-1 [18]. Later on when C wants to login on S, C sends his user name C and password P to S. Then S applies the message digest function MD to the received password and compares the result with the stored password verification information MD(P). If they are equal, then the authentication of C is successful; otherwise it is unsuccessful. The HTTP basic authentication protocol usually runs on top of SSL [5], which allows the client to authenticate the server using certificate mechanisms, and provides an encrypted channel between the client and the server.

Allowing a server to know the passwords of its clients, as the HTTP basic authentication protocol does, is incredibly dangerous because a server may be untrustworthy. An attacker can set up a malicious server (at a cost as low as 100 US dollars) and lure people into registering with passwords by offering free goods or services. The attacker can reasonably estimate that some of his clients use the same password for their financial accounts. After gathering those passwords from the registered clients, the attacker can impersonate them to log in to financial servers such as an online banking or stock trading server, which could cause significant loss to the clients. Furthermore, a server may be compromised. Instead of directly trying to break into a high-security server such as an online financial server to gain unauthorized access, which would be difficult, an attacker can first try to break into a low-security server such as an art bulletin board set up by an amateur. Once a low-security server is broken, which is relatively easy, the attacker can use the captured passwords to access high-security servers, since some clients of the poorly defended server may use the same password for their accounts on those servers.

Some users classify servers into high-security servers and low-security servers, and use one password for high-security servers and a different password for low-security servers. This practice is remarkably insecure. First, this classification is highly subjective and a typical user may not do it right. This would result in the same password being used on both a high-security server and a low-security server. Second, the two different passwords are possibly related, such as by being formed according to the same pattern. Thus knowing one password might enable an attacker to discover the other one. Third, not every high-security server is trustworthy. For example, an employee of a high-security server may be bribed to leak the passwords of its clients to attackers. In addition, gathering a user’s personal information from multiple low-security servers could be helpful in discovering the other password for high-security servers.

We call the attacks of stealing passwords by setting up a malicious server or by compromising a benign server “malicious server attacks”. We use the term “malicious servers” to denote the servers that are either set up or compromised by an attacker. When using the HTTP basic authentication protocol, a user has to use a different and unrelated password for every different server to prevent malicious server attacks. Remembering many totally different and unrelated passwords is certainly not viable for most users. And writing down all the user names and passwords on a piece of paper is certainly not a good idea because compromise of this list could cause serious loss.

In this paper, we propose a new password protocol, named Single Password Protocol (short for SPP), which allows a user to use one single password (and one single user name) for all of his accounts while defeating malicious server attacks. SPP uses two basic techniques: challenge/response and one-time server-specific tickets.

SPP works basically as follows. Let P be the single password that a client C remembers. When C registers with a server S, C generates a challenge and ticket verification information, then sends them to S, and S stores them in its password file. Later on, when C tries to login on S, S prompts C with the stored challenge. Then C uses the challenge, the server’s name S, and his password P to mint a one-time server-specific ticket, together with a new challenge and new ticket verification information, and sends them to S. Then, S verifies the received ticket using the stored ticket verification information. If the ticket is valid, then the authentication of C is successful, and S subsequently replaces the stored challenge and ticket verification information by the new challenge and new ticket verification information that S received along with the one-time server-specific ticket from C.

SPP allows a client to use the same user name and password for all of his accounts while defeating malicious server attacks for the following two reasons:

  1. A server never knows a client’s password at any time. In SPP, a client uses the challenge received from a server, the server’s name, and his password, to mint a one-time server-specific ticket using a one-way hash function, and sends the one-time server-specific ticket, instead of his password, to the server for authentication. The password of a client is used for minting a one-time server-specific ticket, and it is the ticket that is used for authenticating the client. The server cannot feasibly compute the user’s password based on the one-time server-specific ticket and the ticket verification information stored in the server due to the use of one-way hash functions.

  2. Each ticket can only be used once. At any moment, for one client, the ticket verification information in different servers is different. Therefore, a malicious server cannot replay a received ticket to other servers to gain unauthorized access. At any server, for one client, the ticket verification information is changed unpredictably after each successful login.
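The registration and login exchange described above, together with the two properties just listed, as an added example that is not code from the paper. This excerpt does not give the exact formulas, so the ticket form MD(challenge, S, P), the verification information MD(ticket), SHA-256 standing in for MD, and the names `mint_ticket`, `fresh_state`, `Server` and the `.example` hosts are all assumptions.

```python
import hashlib
import hmac
import secrets

def md(*parts: bytes) -> bytes:
    """One-way hash (SHA-256 here) over length-prefixed fields."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def mint_ticket(challenge: bytes, server: str, password: str) -> bytes:
    """One-time server-specific ticket; assumed form MD(challenge, S, P)."""
    return md(challenge, server.encode(), password.encode())

def fresh_state(server: str, password: str) -> tuple:
    """New random challenge and its ticket verification info, MD(ticket)."""
    challenge = secrets.token_bytes(16)
    return challenge, md(mint_ticket(challenge, server, password))

class Server:
    def __init__(self, name: str):
        self.name = name
        self.password_file = {}  # user -> (challenge, verification info)

    def register(self, user, challenge, verifier):
        self.password_file[user] = (challenge, verifier)

    def login(self, user, ticket, next_challenge, next_verifier) -> bool:
        _, verifier = self.password_file[user]
        if not hmac.compare_digest(md(ticket), verifier):
            return False
        # Rotate stored state so the ticket just used never verifies again.
        self.password_file[user] = (next_challenge, next_verifier)
        return True

def demo() -> dict:
    pw = "k3#Qz8!p"  # constructed sample password, same for both servers
    bank, forum = Server("bank.example"), Server("forum.example")
    for s in (bank, forum):
        s.register("alice", *fresh_state(s.name, pw))
    challenge, _ = forum.password_file["alice"]  # challenge sent by the server
    msg = (mint_ticket(challenge, forum.name, pw), *fresh_state(forum.name, pw))
    results = {"forum_login": forum.login("alice", *msg)}
    # A malicious forum operator replays the message it just received.
    results["replay_same_server"] = forum.login("alice", *msg)
    results["replay_other_server"] = bank.login("alice", *msg)
    challenge, _ = bank.password_file["alice"]
    msg = (mint_ticket(challenge, bank.name, pw), *fresh_state(bank.name, pw))
    results["bank_login"] = bank.login("alice", *msg)
    return results

if __name__ == "__main__":
    print(demo())
```

Under these assumptions one login costs four hash computations: three on the client (the ticket, then the next ticket and its verification information) and one on the server.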

The rest of this paper proceeds as follows. In Section 2, we present the single password protocol, while in Section 3, we give detailed security analysis of this protocol. In Section 4, we review and examine existing password protocols and compare them with our protocol. Section 5 concludes.

Section snippets

Single password protocol

In this section, we present our Single Password Protocol (SPP for short). For ease of understanding, we first present four intermediate versions of it starting from the HTTP basic authentication protocol. We show that each intermediate version is vulnerable to a particular attack, and each attack is countered by the following versions.

The notation used in this section is listed in Table 1.

Note that the message digest (one-way hash) function MD( ) used in this paper is assumed to have the

Security analysis

In this section, we discuss the security of SPP. We start our discussion with the assumptions we need to make for SPP to be secure. Then we analyze the security properties of SPP.

Related work

Many password protocols have been proposed, especially in the past decade. In this section, we review these password protocols and compare them with SPP.

Conclusions

The predominant HTTP basic authentication protocol (over SSL) makes the common practice of using the same password for multiple accounts remarkably dangerous: an attacker can effectively steal users’ passwords for high-security servers by setting up a malicious server or breaking into a low-security server. To defeat this type of malicious server attack, we propose the Single Password Protocol (SPP). SPP employs two basic techniques: challenge/response and one-time (server-specific) tickets.

SPP

Acknowledgements

The authors would like to thank Reza Curtmola for his valuable comments on the preliminary version of this paper. The authors also would like to thank the editor and the anonymous referees for their constructive comments and valuable suggestions in improving the presentation of this paper.

References (19)

  • D.P. Kormann et al., Risks of the passport single signon protocol, Computer Networks (2000)
  • A. Adams et al., Users are not the enemy, Communications of the ACM (1999)
  • Anti-Phishing Working Group. http://www.antiphishing.org/. Accessed: January 30,...
  • S.M. Bellovin, M. Merritt, Encrypted key exchange: password-based protocols secure against dictionary attacks, in:...
  • J. Franks, P. Hallam-Baker, J. Hostetler, S. Lawrence, P. Leach, A. Luotonen, L. Stewart, Http authentication: Basic...
  • A.O. Freier, P. Karlton, P.C. Kocher, The ssl protocol version 3.0 internet draft, March 1996....
  • K. Fu, E. Sit, K. Smith, N. Feamster, Dos and don’ts of client authentication on the web, in: Proceedings of the 10th...
  • N. Haller, The s/key one-time password system, RFC 1760,...
  • N. Haller, C. Metz, A one-time password system, RFC 1938,...
There are more references available in the full text version of this article.

Mohamed G. Gouda was born in Egypt. His first B.Sc. was in Engineering and his second was in Mathematics; both are from Cairo University. Later, he obtained M.A. in Mathematics from York University and Masters and Ph.D. in Computer Science from the University of Waterloo. He worked for the Honeywell Corporate Technology Center in Minneapolis 1977–1980. In 1980, he joined the University of Texas at Austin where he currently holds the Mike A. Myers Centennial Professorship in Computer Sciences. He spent one summer at Bell labs in Murray Hill, one summer at MCC in Austin, and one winter at the Eindhoven Technical University in the Netherlands.

His research areas are distributed and concurrent computing and network protocols. In these areas, he has been working on abstraction, formality, correctness, nondeterminism, atomicity, reliability, security, convergence, and stabilization. He has published over 60 journal papers, and over 80 conference and workshop papers. He has supervised 19 Ph.D. dissertations.

He was the founding Editor-in-Chief of the Springer-Verlag journal Distributed Computing 1985–1989. He served on the editorial board of Information Sciences 1996–1999, and he is currently on the editorial boards of Distributed Computing and the Journal of High Speed Networks.

He was the program committee chairman of ACM SIGCOMM Symposium in 1989. He was the first program committee chairman of IEEE International Conference on Network Protocols in 1993. He was the first program committee chairman of IEEE Symposium on Advances in Computers and Communications, which was held in Egypt in 1995. He was the program committee chairman of IEEE International Conference on Distributed Computing Systems in 1999. He is on the steering committee of the IEEE International Conference on Network Protocols and on the steering committee of the Symposium on Self-Stabilizing Systems, and was a member of the Austin Tuesday Afternoon Club from 1984 till 2001.

He is the author of the textbook “Elements of Network Protocol Design”, published by John-Wiley & Sons in 1998. This is the first ever textbook where network protocols are presented in an abstract and formal setting. He also coauthored, with Tommy M. McGuire, the monograph “The Austin Protocol Compiler”, published by Springer in 2005.

He is the 1993 winner of the Kuwait Award in Basic Sciences. He was the recipient of an IBM Faculty Partnership Award for the academic year 2000–2001 and again for the academic year 2001–2002 and became a Fellow of the IBM Center for Advanced Studies in Austin in 2002. He won the 2001 IEEE Communication Society William R. Bennet Best Paper Award for his paper “Secure Group Communications Using Key Graphs”, coauthored with C. K. Wong and S. S. Lam and published in the February 2000 issue of the IEEE/ACM Transactions on Networking (Volume 8, Number 1, Pages 16–30). In 2004, his paper “Diverse Firewall Design”, coauthored with Alex X. Liu and published in the proceedings of the International Conference on Dependable Systems and Networks, won the William C. Carter award.

Alex X. Liu received his Ph.D. degree in computer science from the University of Texas at Austin in 2006. He is currently an assistant professor in the Department of Computer Science and Engineering of Michigan State University. He won the 2004 IEEE&IFIP William C. Carter Award, the 2004 National Outstanding Overseas Students Award sponsored by the Ministry of Education of China, the 2005 George H. Mitchell Award for Excellence in Graduate Research in the University of Texas at Austin, and the 2005 James C. Browne Outstanding Graduate Student Fellowship in the University of Texas at Austin. His research interests include computer and network security, dependable and high-assurance computing, applied cryptography, computer networks, operating systems, and distributed computing.

This material is based upon work supported by the National Science Foundation under Grant No. 0520250.

1

Lok M. Leung and Mohamed A. Alam participated in this work while they were undergraduate students in The University of Texas at Austin.
