Hash-Based Password Authentication Protocol Against Phishing and Pharming Attacks

Abstract

Until now, although many researchers proposed a variety of authentication protocol to verify the identity of the clients, most of these protocols are inefficient and ineffective. Gouda et al. proposed an anti-phishing single password protocol, but it is vulnerable to pharming attacks. In this paper, we show that the protocol is insecure, and propose a hash-based password authentication protocol against phishing and pharming attacks. In the proposed protocol, the authentication tickets passed between clients and servers are secure because they are hash values which can be verified only by clients and servers. The authentication ticket is used only once, which ensures that the proposed protocol is secure against a variety of attacks such as replay, man-in-the-middle, phishing, and pharming. Because the proposed authentication protocol does not require encryption keys during the authentication phase, it is suitable for wireless and mobile communication systems.