Abstract

Passwords are the most commonly used technique for authenticating users on the web. Password-based authentication protocols are susceptible to dictionary attacks by automated programs because most user-chosen passwords are limited to the user's personal domain. In this paper, we propose an inverse cookie based virtual password authentication protocol that preserves the advantages of basic password authentication while increasing the effort required for online dictionary attacks. The Web server stores a cookie on the client's computer when the client has not submitted the correct identity and password for its authentication to the Web server. A legitimate client can easily authenticate itself to the Web server from any computer, irrespective of whether that computer contains the cookie or not. However, the computational effort required from the attacker to log in to the Web server increases with each login failure. The client-generated virtual password is different for the same user in different sessions of the Secure Sockets Layer (SSL) protocol. The concept used in this paper is to combine traditional password authentication with a challenge that is easy for the legitimate client to answer, while the computational cost of authentication increases for the attacker with each login failure. Therefore, even automated programs cannot launch online dictionary attacks on the proposed protocol. This protocol provides better protection against different types of attacks launched by the attacker. The proposed protocol is easy to implement and removes some of the deficiencies of previously suggested password-based authentication protocols.
