Secure Modular Password Authentication for the Web Using Channel Bindings

  • Mark Manulis
  • Douglas Stebila
  • Nick Denham
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8893)


Secure protocols for password-based user authentication are well-studied in the cryptographic literature but have failed to see widespread adoption on the Internet; most proposals to date require extensive modifications to the Transport Layer Security (TLS) protocol, making deployment challenging. Recently, a few modular designs have been proposed in which a cryptographically secure password-based mutual authentication protocol is run inside a confidential (but not necessarily authenticated) channel such as TLS; the password protocol is bound to the established channel to prevent active attacks. Such protocols are useful in practice for a variety of reasons: security no longer relies on users’ ability to validate server certificates, and the design can potentially be implemented with no modifications to the secure channel protocol library.

We provide a systematic study of such authentication protocols. Building on recent advances in modelling TLS, we give a formal definition of the intended security goal, which we call password-authenticated and confidential channel establishment (PACCE). We show generically that combining a secure channel protocol, such as TLS, with a password authentication protocol, where the two protocols are bound together using either the transcript of the secure channel’s handshake or the server’s certificate, results in a secure PACCE protocol. Our prototype based on TLS is available as a cross-platform client-side Firefox browser extension and a server-side web application which can easily be installed on deployed web browsers and servers.
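As an added illustration (not the paper's own protocol or prototype), the sketch below shows the binding idea in Python: a channel-binding value is derived from either the handshake transcript or the server certificate, and each side's password-based authenticator is computed over the binding of the channel it actually sees. A password-derived HMAC stands in for the PAKE of a real design, and the transcript and certificate bytes are constructed samples; the second scenario shows why authenticators computed on two different channels do not verify against each other.

```python
import hashlib
import hmac

# Channel-binding value (stand-in for an RFC 5929 style binding): a hash of
# either the TLS handshake transcript or the server's certificate.
def channel_binding(kind: str, material: bytes) -> bytes:
    if kind not in ("transcript", "certificate"):
        raise ValueError("unknown binding kind")
    return hashlib.sha256(kind.encode() + b"|" + material).digest()

def auth_key(password: str, username: str) -> bytes:
    # Password-derived key; in a real design this would come from the PAKE.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), username.encode(), 10_000)

def auth_tag(key: bytes, role: str, cb: bytes) -> bytes:
    # Authenticator: a MAC over the sender's role and the binding of its channel.
    return hmac.new(key, role.encode() + b"|" + cb, hashlib.sha256).digest()

def mutual_auth(client_pw: str, server_pw: str, username: str,
                client_cb: bytes, server_cb: bytes):
    """Run both sides; each verifies the peer's tag against its own channel's
    binding. Returns (client_accepts_server, server_accepts_client)."""
    k_c, k_s = auth_key(client_pw, username), auth_key(server_pw, username)
    client_tag = auth_tag(k_c, "client", client_cb)
    server_tag = auth_tag(k_s, "server", server_cb)
    server_ok = hmac.compare_digest(client_tag, auth_tag(k_s, "client", server_cb))
    client_ok = hmac.compare_digest(server_tag, auth_tag(k_c, "server", client_cb))
    return client_ok, server_ok

# Constructed sample material (not real TLS messages).
HANDSHAKE = b"ClientHello|ServerHello|Certificate|ServerKeyExchange|Finished"
SERVER_CERT = b"-----constructed server certificate bytes-----"

def same_channel(kind: str = "transcript"):
    # One end-to-end channel: both parties derive the same binding value.
    material = HANDSHAKE if kind == "transcript" else SERVER_CERT
    cb = channel_binding(kind, material)
    return mutual_auth("correct horse", "correct horse", "alice", cb, cb)

def split_channels():
    # Two distinct channels (different transcripts) carry the same password
    # protocol; the bindings differ, so neither authenticator verifies.
    cb_a = channel_binding("transcript", HANDSHAKE + b"|leg-A")
    cb_b = channel_binding("transcript", HANDSHAKE + b"|leg-B")
    return mutual_auth("correct horse", "correct horse", "alice", cb_a, cb_b)

def wrong_password():
    cb = channel_binding("certificate", SERVER_CERT)
    return mutual_auth("battery staple", "correct horse", "alice", cb, cb)
```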


Keywords: password authentication, Transport Layer Security, channel binding





Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Mark Manulis, Surrey Centre for Cyber Security, University of Surrey, UK
  • Douglas Stebila, Queensland University of Technology, Brisbane, Australia
  • Nick Denham, Queensland University of Technology, Brisbane, Australia
