Getting Web Authentication Right: A Best-Case Protocol for the Remaining Life of Passwords

  • Conference paper
Security Protocols XIX (Security Protocols 2011)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7114)

Abstract

We outline an end-to-end password authentication protocol for the web designed to be stateless and as secure as possible given legacy limitations of the web browser and performance constraints of commercial web servers. Our scheme is secure against very strong but passive attackers able to observe both network traffic and the server’s database state. At the same time, our scheme is simple for web servers to implement and requires no changes to modern, HTML5-compliant browsers. We assume TLS is available for initial login and no other public-key cryptographic operations, but successfully defend against cookie-stealing and cookie-forging attackers and provide strong resistance to password guessing attacks.

Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

Cite this paper

Bonneau, J. (2011). Getting Web Authentication Right: A Best-Case Protocol for the Remaining Life of Passwords. In: Christianson, B., Crispo, B., Malcolm, J., Stajano, F. (eds) Security Protocols XIX. Security Protocols 2011. Lecture Notes in Computer Science, vol 7114. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-25867-1_8

  • DOI: https://doi.org/10.1007/978-3-642-25867-1_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-25866-4

  • Online ISBN: 978-3-642-25867-1

  • eBook Packages: Computer Science, Computer Science (R0)
