Book chapter, peer-reviewed

Getting Web Authentication Right: A Best-Case Protocol for the Remaining Life of Passwords

2011; Springer Science+Business Media; Language: English

10.1007/978-3-642-25867-1_8

ISSN

1611-3349

Authors

Joseph Bonneau

Topic(s)

Internet Traffic Analysis and Secure E-voting

Abstract

We outline an end-to-end password authentication protocol for the web designed to be stateless and as secure as possible given legacy limitations of the web browser and performance constraints of commercial web servers. Our scheme is secure against very strong but passive attackers able to observe both network traffic and the server’s database state. At the same time, our scheme is simple for web servers to implement and requires no changes to modern, HTML5-compliant browsers. We assume TLS is available for initial login and no other public-key cryptographic operations, but successfully defend against cookie-stealing and cookie-forging attackers and provide strong resistance to password guessing attacks.
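The abstract describes the protocol only at this level of detail. As an added illustration of the design space it names (a stateless session cookie whose authenticity rests on a key held in server configuration rather than on per-session records in the database), the Python below shows a minimal HMAC-signed cookie and the checks a verifier must make. This is example code written for this page, not Bonneau's protocol: SERVER_KEY, issue_cookie, verify_cookie and forge_attempt are assumed names, the key value is a placeholder, and the scheme shown only demonstrates statelessness and resistance to cookie forgery. A cookie stolen from this scheme is replayable until it expires, which is one of the problems the paper goes beyond this to address.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed server-side secret. In a stateless design it lives in server
# configuration, not in the user database, so an attacker who can only read
# the database contents does not learn the key needed to mint cookies.
# Placeholder value constructed for this example.
SERVER_KEY = b"example-server-key-do-not-use-in-production"


def b64e(raw: bytes) -> str:
    """URL-safe base64 without padding, for a cookie-friendly encoding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64d(text: str) -> bytes:
    """Inverse of b64e; re-adds padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(username: str, now: int, ttl: int = 3600,
                 key: bytes = SERVER_KEY) -> str:
    """Issue a stateless session cookie of the form base64(payload).base64(tag).

    The server keeps no per-session record: everything it needs is in the
    payload, and the HMAC tag over the payload is what stops a client from
    forging a cookie or editing the username or expiry inside one.
    """
    payload = json.dumps({"u": username, "exp": now + ttl},
                         separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{b64e(payload)}.{b64e(tag)}"


def verify_cookie(cookie: str, now: int, key: bytes = SERVER_KEY):
    """Return the username if the cookie is authentic and unexpired, else None.

    Order matters: the tag is checked before the payload is parsed, so
    attacker-controlled bytes never reach the JSON parser unauthenticated.
    """
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = b64d(payload_b64)
        tag = b64d(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison; an early-exit compare would leak the tag.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        fields = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(fields, dict) or fields.get("exp", 0) <= now:
        return None
    return fields.get("u")


def forge_attempt(username: str, now: int) -> str:
    """A cookie-forging attacker who lacks SERVER_KEY: crafts a payload for a
    chosen user and attaches an unkeyed hash in place of the tag.
    Constructed to show that verify_cookie rejects it."""
    payload = json.dumps({"u": username, "exp": now + 10**6},
                         separators=(",", ":")).encode()
    fake_tag = hashlib.sha256(payload).digest()  # no key, so wrong tag
    return f"{b64e(payload)}.{b64e(fake_tag)}"


if __name__ == "__main__":
    t = int(time.time())
    cookie = issue_cookie("alice", t)
    print(verify_cookie(cookie, t))                       # alice
    print(verify_cookie(cookie, t + 7200))                # None: expired
    print(verify_cookie(forge_attempt("admin", t), t))    # None: bad tag
```

The two properties worth checking against the abstract's threat model are that the verifier is stateless (no lookup beyond the key) and that forgery fails without the key; holding the key outside the user database is the minimal condition for a database-reading attacker not to be able to forge cookies, though it does nothing for cookies captured in transit.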
