Web Authentication Protocol Using Zero Knowledge Proof

Market research surveys report that 75% of hacks occur at the application layer. Of the multiple vulnerabilities that exist in Web application software, proper authentication of the client and the server to each other is fundamental to the security of the system. In the current scenario, we manage this with the adoption of password-based client authentication and PKI-based server authentication. There exist unresolved vulnerabilities in this system due to the misuse of the client's passwords (impersonation) by those managing the servers. The clients' trust of the server based on the certificates issued by an increasing number of certification authorities is questionable in terms of validity and freshness. For proper authentication in Web applications, we need to verify two conditions: 1) the binding of the identity of the entity with the publicly known name or key and 2) the entity does possess the corresponding private key for the identified public key. In this paper, we use the elliptic curve discrete log problem-based version of classical zero knowledge protocol for proving number 2 and modifications of the existing schemes for proving number 1. We have done a prototype implementation of the solution and security analysis required to satisfy the security objectives.