A new protocol to counter online dictionary attacks

The most popular method of authenticating users is through passwords. Though passwords are the most convenient means of authentication, they bring along themselves the threat of dictionary attacks. While offline dictionary attacks are possible only if the adversary is able to collect data for a successful protocol execution by eavesdropping on the communication channel and can be successfully countered by using public key cryptography, online dictionary attacks can be performed by anyone and there is no satisfactory solution to counter them. In this paper, we propose an authentication protocol which is easy to implement without any infrastructural changes and yet prevents online dictionary attacks. Our protocol uses only one way hash functions and eliminates online dictionary attacks by implementing a challenge-response system. This challenge-response system is designed in a fashion that it hardly poses any difficulty to a genuine user but is extremely burdensome, time consuming and computationally intensive for an adversary trying to launch as many as hundreds of thousands of authentication requests as in case of an online dictionary attack. The protocol is perfectly stateless and thus less vulnerable to denial of service (DoS) attacks.