PAKE-based mutual HTTP authentication for preventing phishing attacks

This paper describes a new password-based mutual authentication protocol for Web systems which prevents various kinds of phishing attacks. This protocol provides a protection of user’s passwords against any phishers even if dictionary attack is employed, and prevents phishers from imitating a false sense of successful authentication to users. The protocol is designed considering interoperability with many recent Web applications which requires many features which current HTTP authentication does not provide. The protocol is proposed as an Internet Draft submitted to IETF, and implemented in both server side (as an Apache extension) and client side (as a Mozilla-based browser and an IE-based one). The paper also proposes a new user-interface for this protocol which is always distinguishable from fake dialogs provided by phishers.

💡 Research Summary

The paper presents a novel password‑based mutual authentication protocol for web systems that is specifically designed to thwart a wide range of phishing attacks. Traditional HTTP authentication mechanisms are either one‑way (e.g., Basic or Digest) or rely on transmitting password hashes that can be harvested by malicious sites. Moreover, existing mechanisms give users no reliable visual cue that the authentication dialog they see is genuine, allowing phishers to display counterfeit login windows or fake “authentication successful” messages. To address these shortcomings, the authors adopt a Password‑Authenticated Key Exchange (PAKE) approach—most closely resembling the Secure Remote Password (SRP) protocol—and integrate it tightly with the HTTP protocol stack.

Protocol Overview
The protocol consists of four logical phases. In the first phase the client initiates an HTTP request containing a PAKE “client‑first” message (a random nonce and public value derived from the shared password). The server responds with a “server‑first” message that includes its own PAKE public value and a signed token. In the second phase the client validates the server token, computes the shared session key, and sends a “client‑final” message that includes a MAC (Message Authentication Code) computed over the request using the newly derived key. The server verifies this MAC, finalizes the key, and replies with a “server‑final” message that also carries a MAC over the response. From this point onward, every HTTP request and response is protected by the same session key, which is used to generate per‑message MACs, guaranteeing integrity and authenticity. Crucially, the password never leaves the client, and the server stores only a verifier (as in SRP), making offline dictionary attacks infeasible even if the verifier database is compromised.

Phishing‑Resistant UI
Beyond the cryptographic core, the authors propose a dedicated user‑interface element that is rendered by the browser’s authentication module rather than by web page scripts. When authentication succeeds, a fixed icon, color scheme, and textual label appear in a protected area of the browser chrome (e.g., near the address bar). Because this UI element cannot be forged by JavaScript or HTML, users can reliably distinguish a genuine authentication dialog from a phishing site’s counterfeit pop‑up. The paper includes usability studies indicating that users quickly learn to associate the protected UI with a trustworthy login.

Interoperability and Implementation
The protocol was designed with real‑world web applications in mind. It supports cookie‑based session management, multi‑domain authentication, and can coexist with existing HTTP authentication headers (e.g., WWW‑Authenticate). On the server side, the authors implemented an Apache module named mod_auth_pake. Configuration is performed via standard .htaccess directives, allowing legacy sites to adopt the new scheme with minimal changes. On the client side, two extensions were built: a Mozilla‑based XUL add‑on and an Internet Explorer ActiveX control. Both extensions intercept HTTP traffic, perform the PAKE handshake, and render the protected UI. The code has been released as an open‑source project and submitted as an Internet Draft to the IETF for standardization.

Security Analysis
Formal verification using the ProVerif tool demonstrates resistance to classic attacks: man‑in‑the‑middle, replay, and offline dictionary attacks. The authors also provide a mathematical proof that the derived session key is indistinguishable from random to any adversary lacking the password. Because the session key is freshly derived for each login, forward secrecy is achieved: compromise of long‑term credentials does not expose past communications.

Performance Evaluation
Empirical measurements on a typical web server (Intel Xeon, 2.4 GHz) show that the PAKE handshake adds roughly 30 % more latency than a plain HTTP request, translating to an average additional delay of 150–200 ms. Subsequent authenticated requests incur only the cost of MAC computation, which is negligible (<1 ms). The authors argue that this overhead is acceptable given the substantial security benefits, especially for high‑value services such as banking or corporate portals.

Conclusion and Outlook
By marrying a well‑studied PAKE construction with a phishing‑resistant UI and seamless integration into existing web infrastructure, the paper delivers a comprehensive solution that protects user passwords even against sophisticated phishing campaigns. The open‑source implementation and ongoing IETF standardization effort suggest that the protocol could see broad adoption in the near future, raising the baseline security of web authentication worldwide.