Mutual Authentication Protocol for HTTP



"HTTP Mutual Access Authentication Protocol" is a proposed new protocol for preventing phishing attacks against Web systems. It provides true mutual authentication between HTTP clients and servers using simple password-based authentication. Unlike the Basic and Digest HTTP access authentication protocols, this protocol ensures that, upon successful authentication, the server has proven that it knows the user's credential (the encrypted password). This defeats the common phishing pattern: a phishing site cannot convince the user that they have been authenticated to the genuine website. Furthermore, even if a user runs the authentication against an illegitimate server, that server cannot gain any information about the user's password.


The Protocol

Software Download

Trial website

Access the following URL using the above MutualTestFox. The username is "aris" and the password is "aris".

This project is a result of the "joint research on security enhancement technologies for the Internet" (in Japanese: インターネットにおけるセキュリティ強化技術の共同研究) between AIST and Yahoo! Japan, Inc.