23 Mar 2007: New Web authentication protocol against phishing developed
[23/Mar/07 Yahoo/RCIS Japanese Release, 30/Oct/07 Translation Posted]
Research Center for Information Security (Director: Hideki IMAI) of the National Institute of Advanced Industrial Science and Technology (AIST, President: Hiroyuki YOSHIKAWA), and Yahoo! Japan Corporation (President and CEO: Masahiro INOUE) jointly developed a password-based mutual authentication protocol for Web systems. This work is an outcome of the joint research project for strengthening Internet security, which started in January 2006.
This protocol is a solid solution to prevent passward theft and private information using phishing attacks, which have become a societal issue as the safe use of the Internet is threatened by them. Our protocol prevents phishing attacks by providing a mechanism to help users determine genuineness of the websites through password authentications. If the user performs the authentication trial on a phishing site by mistake, through this protocol, the mutual authentication will fail (because the correct credential for mutual authentication is not stored at the server), and the password never gets revealed to the phishing site. Even if the attacker forwards the received data to the genuine site, the mutual authentication will correctly fail. To realize this feature, we have used and extended the PAKE cryptographic authentication protocol and applied to the HTTP and HTTPS Internet standard protocol.
So far, we have designed the protocol and developed a prototype of the server/client extension modules. We will perform a demonstration test using the part of Yahoo! Auction website in early 2008. In the future, we will provide a open-source implementation to public and propose the protocol as the Internet Drafts for making it a future standard for the Web authentication.