Cookie-Based Virtual Password Authentication Protocol

The password is the most common technique used to authenticate Web users. Password-based authentication protocols are susceptible to automated dictionary attacks because most passwords are chosen by users from their personal domain. In this paper, we propose a cookie-based virtual password authentication protocol that preserves the advantages of conventional password authentication while simultaneously increasing the efforts required for online dictionary attacks. The Web server stores the cookie on the user's machine if the legitimate user authenticates to the Web server. Thereafter, the legitimate user can easily authenticate to the Web server from a machine that contains the cookie. However, the legitimate user requires some additional computational efforts during login from a machine that does not contain the cookie. The computation efforts required from the attacker during login to the Web server increases exponentially with each login failure. The user generated virtual password is different for the same user in different sessions of Secure Socket Layer (SSL) protocol. The concept used in this paper is to combine traditional password authentication with a challenge that is easy to answer by the legitimate user but computational cost increases for the attacker with each login failure. Therefore, even the automated programs cannot launch online dictionary attacks on the proposed protocol. This protocol provides good security against different types of attacks launched by the attacker. The proposed protocol is easy to implement and removes some of the drawbacks of earlier proposed password-based authentication protocols.