Return to search

Secure web applications against off-line password guessing attack : a two way password protocol with challenge response using arbitrary images

Indiana University-Purdue University Indianapolis (IUPUI) / The web applications are now being used in many security oriented areas, including online shopping, e-commerce, which require the users to transmit sensitive information on
the Internet. Therefore, to successfully authenticate each party of web applications is very important. A popular deployed technique for web authentication is the Hypertext Transfer
Protocol Secure (HTTPS) protocol. However the protocol does not protect the careless users who connect to fraudulent websites from being trapped into tricks. For example, in
a phishing attack, a web user who connects to an attacker may provide password to the attacker, who can use it afterwards to log in the target website and get the victim’s
credentials. To prevent phishing attacks, the Two-Way Password Protocol (TPP) and Dynamic Two-Way Password Protocol (DTPP) are developed. However there still exist
potential security threats in those protocols. For example, an attacker who makes a fake website may obtain the hash of users’ passwords, and use that information to arrange offline
password guessing attacks. Based on TPP, we incorporated challenge responses with arbitrary images to prevent the off-line password guessing attacks in our new protocol,
TPP with Challenge response using Arbitrary image (TPPCA). Besides TPPCA, we developed another scheme called Rain to solve the same problem by dividing shared
secrets into several rounds of negotiations. We discussed various aspects of our protocols, the implementation and experimental results.

Identiferoai:union.ndltd.org:IUPUI/oai:scholarworks.iupui.edu:1805/3425
Date14 August 2013
CreatorsLu, Zebin
ContributorsZou, Xukai, 1963-, Liang, Yao, Fang, Shiaofen, Li, Feng
Source SetsIndiana University-Purdue University Indianapolis
Languageen_US
Detected LanguageEnglish

Page generated in 0.0019 seconds