An Anti-Phishing Password Authentication Protocol

Authors

ผศ.ดร.ปราโมทย์ กั่วเจริญ

Published

International Journal of Network Security

Abstract

Password authentication is commonly used to authenticate the user in web-based services such as internet banking due to its simplicity and convenience. Many users have multiple accounts and use the same password. The password is usually sent to the server over an HTTPS connection. However, this common practice makes the system vulnerable. An attacker can set up a phishing site masquerading as the genuine site and attempts to steal the user’s credentials. If the user’s credentials are successfully stolen, all accounts are compromised. Moreover, since passwords are common, a break-in to a system that is not well protected might cause a cascaded break-in. This paper describes an authentication protocol which enables the user to securely use the same password for multiple servers, and protects against phishing attacks. The protocol also allows multiple authentication sessions simultaneously while preventing replay attacks. Furthermore, the protocol is also resilient against denial-of-service attacks since no state is maintained on the server during the authentication process.

(2017). An Anti-Phishing Password Authentication Protocol. International Journal of Network Security, 2017(5), 711-719.