PreAcher: Secure and Practical Password Pre-Authentication by Content Delivery Networks

Abstract

Password authentication, still the dominant form of authentication on today’s Internet, faces two fundamental vulnerabilities: password exposure to third-party Content Delivery Networks (CDNs), and Application-layer DoS (ADoS) attacks. Websites currently adopt CDNs to enhance both performance and security, but in doing so they must trust the CDN to inspect the communications between clients and servers. Moreover, although CDNs provide Distributed Denial of Service (DDoS) protection for websites, they are much less effective at preventing ADoS attacks, especially ADoS against password login interfaces, because of the heavy computation that password authentication requires. In this paper, we introduce PreAcher, a combined authentication protocol and system architecture designed to mitigate both password exposure and ADoS attacks. At the heart of PreAcher is a novel authentication protocol inspired by Oblivious Pseudorandom Functions (OPRFs), which allows CDNs to pre-authenticate users without learning their passwords. This capability lets the CDN filter out DDoS and ADoS traffic without compromising password security. Our evaluations demonstrate that PreAcher effectively enhances password security and boosts the resilience of website origin servers against both DDoS and ADoS attacks while incurring acceptable overhead. Importantly, websites can deploy PreAcher alone today, without modifications to client software or CDNs.
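As an added illustration (not PreAcher’s own protocol, which the abstract does not specify), the following textbook OPRF exchange over a toy group shows the property the abstract relies on: the party holding the secret key `k` evaluates on a blinded element and never sees the password, while the client recovers a value that depends only on the password and `k`. Group parameters, function names and the hash-to-group construction are assumptions chosen for the demonstration, not production-grade choices.

```python
import hashlib
import secrets
from math import gcd

# Toy group (constructed for illustration, NOT production-safe): arithmetic in
# Z_p^* with the Mersenne prime p = 2^127 - 1; exponents are taken mod p - 1.
P = (1 << 127) - 1
G = 3


def hash_to_exponent(password: str) -> int:
    """Map a password to an exponent h; g**h plays the role of hash-to-group."""
    return int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % (P - 1)


def client_blind(password: str) -> tuple[int, int]:
    """Client side: hide the password under a fresh random exponent r."""
    while True:
        r = secrets.randbelow(P - 1)
        if r > 1 and gcd(r, P - 1) == 1:  # r must be invertible mod p-1 to unblind
            break
    blinded = pow(G, hash_to_exponent(password) * r, P)
    return blinded, r


def evaluator_evaluate(blinded: int, k: int) -> int:
    """Key holder (e.g. a CDN in PreAcher's setting): raise the blinded element
    to the secret key k. It sees only a randomized group element, never the password."""
    return pow(blinded, k, P)


def client_unblind(evaluated: int, r: int) -> int:
    """Client side: strip r, leaving OPRF_k(password) = (g^H(pw))^k."""
    return pow(evaluated, pow(r, -1, P - 1), P)


def oprf(password: str, k: int) -> tuple[int, int]:
    """Run one full exchange; return (client output, what the evaluator saw)."""
    blinded, r = client_blind(password)
    return client_unblind(evaluator_evaluate(blinded, k), r), blinded


def direct_prf(password: str, k: int) -> int:
    """Reference value computed with both inputs at once, for checking only."""
    return pow(G, hash_to_exponent(password) * k, P)
```

Two runs with the same password give the evaluator different transcripts yet the same client output, which is what lets a key-holding intermediary check a password-derived value without ever holding the password.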

Publication
To appear in NSDI’25