A PAKE – SRP 6 BROWSER EXTENSION Alexandru

The username/password paradigm is a well-known authentication mechanism. Probably the most common version in use is the password authentication via an HTML form. The user has to type his/her password directly into a web page from the site to which he/she wishes to authenticate himself/herself. The problem with using this approach is that it relies on the user to determine when it is safe to enter his/her password. If the user authenticates himself/herself to a phishing website by disclosing his/her password, the password is stolen even though the session is fully encrypted. In other words in traditional password authentication, passwords are used only for client-side authentication. Passwordauthenticated key exchange (PAKE) on the other hand, offers password-based mutual authentication. This mutual authentication is different because its client-side authentication cannot be separated from its server-side authentication part. This paper shows that PAKE can represent a practical alternative approach to protect passwords without relying on a Public Key Infrastructure (PKI). Therefore, the goal of this work was to study how to integrate PAKE into web applications, not to develop a standalone PAKE implementation. We analyzed the PAKE client-side implementation within a web browser and tested it with a server-side implementation on a web server. The developed extension is a Mozilla Firefox web browser extension. The implementation is just a proof of concept that shows that a password authenticated key exchange can be done over HTTP and can be used against phishing attacks.