We outline an end-to-end password authentication protocol for the web that is designed to be stateless and as secure as possible given the legacy limitations of the web browser and the performance constraints of commercial web servers. Our scheme is secure against very strong but passive attackers who can observe both network traffic and the server's database state. At the same time, it is simple for web servers to implement and requires no changes to modern, HTML5-compliant browsers. We assume that TLS is available for the initial login and use no other public-key cryptographic operations, yet the scheme successfully defends against cookie-stealing and cookie-forging attackers and provides strong resistance to password-guessing attacks.