Mutual Authentication Protocol for HTTP



"HTTP Mutual Access Authentication Protocol" is a proposed new protocol for preventing phishing attacks against Web systems. It provides true mutual authentication between HTTP clients and servers using simple password-based authentication. Unlike the Basic and Digest HTTP access authentication protocols, this protocol ensures that, upon successful authentication, the client has verified that the server knows the user's secret (an encrypted form of the password). This prevents common phishing attacks: a phishing site cannot convince a user that they have been authenticated to the genuine website. Furthermore, even when a user runs the authentication against an illegitimate server, that server cannot gain any bit of information about the user's password.


The Protocol

Software Download

Trial websites

The FAQ is currently available only in Japanese.

This project is a result of the "joint research about security enhancement technologies for the Internet (in Japanese: インターネットにおけるセキュリティ強化技術の共同研究)" between RCIS, AIST and Yahoo! Japan, Inc.