TY - GEN
T1 - Getting web authentication right: a best-case protocol for the remaining life of passwords
AU - Bonneau, Joseph
PY - 2011
Y1 - 2011
N2 - We outline an end-to-end password authentication protocol for the web designed to be stateless and as secure as possible given legacy limitations of the web browser and performance constraints of commercial web servers. Our scheme is secure against very strong but passive attackers able to observe both network traffic and the server's database state. At the same time, our scheme is simple for web servers to implement and requires no changes to modern, HTML5-compliant browsers. We assume TLS is available for initial login and no other public-key cryptographic operations, but successfully defend against cookie-stealing and cookie-forging attackers and provide strong resistance to password guessing attacks.
AB - We outline an end-to-end password authentication protocol for the web designed to be stateless and as secure as possible given legacy limitations of the web browser and performance constraints of commercial web servers. Our scheme is secure against very strong but passive attackers able to observe both network traffic and the server's database state. At the same time, our scheme is simple for web servers to implement and requires no changes to modern, HTML5-compliant browsers. We assume TLS is available for initial login and no other public-key cryptographic operations, but successfully defend against cookie-stealing and cookie-forging attackers and provide strong resistance to password guessing attacks.
UR - http://www.scopus.com/inward/record.url?scp=84855772545&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84855772545&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-25867-1_8
DO - 10.1007/978-3-642-25867-1_8
M3 - Conference contribution
AN - SCOPUS:84855772545
SN - 9783642258664
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 98
EP - 104
BT - Security Protocols XIX - 19th International Workshop, Revised Selected Papers
T2 - 19th International Security Protocols Workshop
Y2 - 28 March 2011 through 30 March 2011
ER -