Communications of the ACM
Risks of the passport single signon protocol
Proceedings of the 9th international World Wide Web conference on Computer networks : the international journal of computer and telecommunications netowrking
Password authentication with insecure communication
Communications of the ACM
Dos and don'ts of client authentication on the web
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Independent one-time passwords
SSYM'95 Proceedings of the 5th conference on USENIX UNIX Security Symposium - Volume 5
One time passwords in everything (OPIE): experiences with building and using stronger authentication
SSYM'95 Proceedings of the 5th conference on USENIX UNIX Security Symposium - Volume 5
SSS '08 Proceedings of the 10th International Symposium on Stabilization, Safety, and Security of Distributed Systems
Website credential storage and two-factor web authentication with a java SIM
WISTP'10 Proceedings of the 4th IFIP WG 11.2 international conference on Information Security Theory and Practices: security and Privacy of Pervasive Systems and Smart Devices
Getting web authentication right: a best-case protocol for the remaining life of passwords
SP'11 Proceedings of the 19th international conference on Security Protocols
Single password authentication
Computer Networks: The International Journal of Computer and Telecommunications Networking
ECC-based anti-phishing protocol for cloud computing services
International Journal of Security and Networks
PhishSafe: leveraging modern JavaScript API's for transparent and robust protection
Proceedings of the 4th ACM conference on Data and application security and privacy
Hi-index | 0.00 |
Most users have multiple accounts on the Internet where each account is protected by a password. To avoid the headache in remembering and managing a long list of different and unrelated passwords, most users simply use the same password for multiple accounts. Unfortunately, the predominant HTTP basic authentication protocol (even over SSL) makes this common practice remarkably dangerous: an attacker can effectively steal users' passwords for high-security servers (such as an online banking website) by setting up a malicious server or breaking into a low-security server (such as a high-school alumni website). Furthermore, the HTTP basic authentication protocol is vulnerable to phishing attacks because a client needs to reveal his password to the server that the client wants to login. In this paper, we propose a protocol that allows a client to securely use a single password across multiple servers, and also prevents phishing attacks. Our protocol achieves client authentication without the client revealing his password to the server at any point. Therefore, a compromised server cannot steal a client's password and replay it to another server. Our protocol is simple, secure, efficient and user-friendly. In terms of simplicity, it only involves three messages. In terms of security, the protocol is secure against the attacks that have been discovered so far including the ones that are difficult to defend, such as the malicious server attacks described above and the recent phishing attacks. Essentially our protocol is an anti-phishing password protocol. In terms of efficiency, each run of our protocol only involves a total of four computations of a one-way hash function. In terms of usability, the protocol requires a user to remember only one password consisting of eight (or more) random characters, and this password can be used for all of his accounts.