Secure authentication without using HTTPS

V.Y. Filimoshin, L.Z. Davletkireeva

Abstract


The purpose of this article is to present a secure authentication algorithm for web resources without using HTTPS. The main idea of the algorithm is to avoid transferring a password in open way. So the password is presented to the server hashed and encrypted. If someone manages to intercept and decrypt the password hash, he will receive only a salted password hash and won't be able to receive the initial password. Some implementation results of the algorithm written in PHP are described to demonstrate how to protect the password from being compromised. The article could be useful for web developers.


Full Text:

PDF (Russian)

References


Shapiro L. Dvuhfaktornaja autentifikacija v Sluzhbe Kataloga Active Directory Domain Services [Jelektronynj resurs]. URL: http://itband.ru/2010/09/authentication-part1/

Google Security Blog Moving towards a more secure web [Jelektronnyj resurs]. URL: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

Wikipedia HTTPS [Jelektronnyj resurs]. URL: https://ru.wikipedia.org/wiki/HTTPS

Wikipedia Heshirovanie [Jelektronnyj resurs]. URL: https://ru.wikipedia.org/wiki/%D0%A5%D0%B5%D1%88%D0%B8%D1%80%D0%BE%D0%B2%D0%B0%D0%BD%D0%B8%D0%B5

Wikipedia Sol' (kriptografija) [Jelektronnyj resurs]. URL: https://ru.wikipedia.org/wiki/%D0%A1%D0%BE%D0%BB%D1%8C_(%D0%BA%D1%80%D0%B8%D0%BF%D1%82%D0%BE%D0%B3%D1%80%D0%B0%D1%84%D0%B8%D1%8F)


Refbacks

  • There are currently no refbacks.


IT-EDU-2017   RTUWO 2017

ISSN: 2307-8162