PAKE-based mutual HTTP authentication for preventing phishing attacks
Yutaka Oiwa, Hajime Watanabe, Hiromitsu Takagi

TL;DR
This paper introduces a novel password-based mutual authentication protocol for web systems that effectively prevents phishing attacks, enhances interoperability, and includes a user interface to distinguish genuine authentication dialogs from fake ones.
Contribution
The paper proposes a new PAKE-based mutual authentication protocol for HTTP that resists phishing, is interoperable with modern web applications, and includes a user interface design to prevent user deception.
Findings
Protocol prevents password theft even under dictionary attacks.
Implementation as an Apache extension and browser plugins.
Effective user interface distinguishes genuine from fake dialogs.
Abstract
This paper describes a new password-based mutual authentication protocol for Web systems which prevents various kinds of phishing attacks. The protocol protects users' passwords against any phisher even when a dictionary attack is employed, and prevents phishers from giving users a false impression of successful authentication. The protocol is designed with interoperability in mind for the many recent Web applications that require features which current HTTP authentication does not provide. The protocol is proposed as an Internet Draft submitted to the IETF, and is implemented on both the server side (as an Apache extension) and the client side (as a Mozilla-based browser and an IE-based one). The paper also proposes a new user interface for this protocol which is always distinguishable from fake dialogs provided by phishers.
Taxonomy
Topics: Advanced Authentication Protocols Security · User Authentication and Security Systems · Spam and Phishing Detection
