Mutual authentication protocol for HTTP

Protocol Overview

Design principles

1. Easy to use

The protocol uses only usernames and passwords as the basis of authentication. Users are not required to manage secret keys or user certificates.

2. Location free

This protocol does not use any secret information (such as secret keys) stored on the local computer. You can simultaneously use two or more computers to log in to web sites.

3. Generic

This protocol, unlike many existing counter-phishing technologies, does not depend on any "lists" provided by third parties.

Unlike phishing-warning toolbars that rely on a blacklist, the proposed protocol works well even against unknown phishing sites, and there is no cost to keep a blacklist up to date.

Unlike EV-SSL certificates (which require a commercial transaction history), any service provider, including personal websites, can freely use this protocol to secure authentication.

4. Mutual authentication

This protocol ensures that when the server authenticates the client as a valid user, the client also authenticates that the server owns the valid password credential with which the user previously registered. This means that if phishers (who do not own the user's password) send a rogue authentication request, the authentication always fails, and the phishers cannot forge a successful authentication. In this way, users can detect that they are not accessing the genuine site.

5. Safe to offline attacks

Many authentication protocols (such as APOP, Digest and CRAM-MD5) are vulnerable to offline attacks using an exhaustive search of possible passwords. If such a weak protocol were used, once the client has sent its authentication message to a phishing site, the password can easily be recovered. For example, 7-character passwords of alphanumeric characters have only about 3 trillion possibilities, which can be exhaustively searched using PCs.

This protocol uses a cryptographic technique to prevent such offline attacks. Even when the user has communicated with a phishing site (where authentication fails, as described in 4.), the password is not available to the phisher.
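The following is an added illustration of design principle 4 (mutual authentication), not code from this project or its specification. It models the argument in the simplest possible way: both sides hold a password-derived credential, the server must prove knowledge of it before the client proves anything, and a rogue server that lacks the credential is rejected at the first step, so the client never sends its own proof. The credential derivation (PBKDF2-HMAC-SHA256), the HMAC-based proofs, the nonce sizes and the "server|"/"client|" labels are all assumptions chosen for the example; this simple scheme deliberately does not provide principle 5, since a transcript of an HMAC exchange can still be checked offline against password guesses, which is exactly the weakness the page says its own cryptographic technique avoids.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def derive_credential(username: str, password: str, salt: bytes) -> bytes:
    """Password-derived credential shared by the user and the genuine server.

    Assumption: PBKDF2-HMAC-SHA256 is used only for illustration here; it is
    not how the page's protocol derives its credential.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt + username.encode("utf-8"), 10_000
    )


class Server:
    """Holds {username: (salt, credential)} and answers login attempts."""

    def __init__(self, credentials: Dict[str, Tuple[bytes, bytes]]) -> None:
        self.credentials = credentials

    def respond(self, username: str, client_nonce: bytes) -> Tuple[bytes, bytes, bytes]:
        """Answer the client's challenge with (salt, server_nonce, server_proof)."""
        salt, cred = self.credentials[username]
        server_nonce = secrets.token_bytes(16)
        server_proof = hmac.new(
            cred, b"server|" + client_nonce + server_nonce, hashlib.sha256
        ).digest()
        return salt, server_nonce, server_proof

    def verify_client(
        self, username: str, client_nonce: bytes, server_nonce: bytes, client_proof: bytes
    ) -> bool:
        """Accept the client only if its proof was computed with the stored credential."""
        _, cred = self.credentials[username]
        expected = hmac.new(
            cred, b"client|" + client_nonce + server_nonce, hashlib.sha256
        ).digest()
        return hmac.compare_digest(expected, client_proof)


class Client:
    """Knows only the username and password; derives the credential on the fly."""

    def __init__(self, username: str, password: str) -> None:
        self.username, self.password = username, password
        self.nonce = b""

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def verify_server(
        self, salt: bytes, server_nonce: bytes, server_proof: bytes
    ) -> Optional[bytes]:
        """Check the server's proof; return the client's proof only if it holds."""
        cred = derive_credential(self.username, self.password, salt)
        expected = hmac.new(
            cred, b"server|" + self.nonce + server_nonce, hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected, server_proof):
            return None  # rogue server: stop here and send nothing further
        return hmac.new(cred, b"client|" + self.nonce + server_nonce, hashlib.sha256).digest()


def run_login(client: Client, server: Server) -> Tuple[bool, bool]:
    """Run one exchange; return (client_accepted_server, server_accepted_client)."""
    client_nonce = client.challenge()
    salt, server_nonce, server_proof = server.respond(client.username, client_nonce)
    client_proof = client.verify_server(salt, server_nonce, server_proof)
    if client_proof is None:
        return False, False
    accepted = server.verify_client(client.username, client_nonce, server_nonce, client_proof)
    return True, accepted


def demo() -> Tuple[Tuple[bool, bool], Tuple[bool, bool]]:
    """Constructed scenario: the genuine site versus a phisher guessing the password."""
    username, password, salt = "alice", "correct horse battery", b"constructed-salt"
    genuine = Server({username: (salt, derive_credential(username, password, salt))})
    # The phisher does not own the user's credential; it can only guess one.
    phisher = Server({username: (salt, derive_credential(username, "guessed", salt))})
    client = Client(username, password)
    return run_login(client, genuine), run_login(client, phisher)


if __name__ == "__main__":
    print(demo())  # expected: ((True, True), (False, False))
```

The order of the two proofs is the point of the example: because the client checks the server first and aborts on mismatch, a rogue server learns nothing beyond a random nonce, which is what lets the user "detect that they are not accessing the genuine site". What this toy scheme does not do is hide the credential from a rogue server that records the exchange, which is why the page's protocol relies on a stronger cryptographic construction for principle 5.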

6. Web system integration

The design of the protocol considers harmonization with existing authentication methods and Web application designs, so that this protocol can replace both HTTP Basic authentication and HTML form-based authentication in the future.