Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Is it possible to have secure authentication without using session, cookies and SSL ?
I have looked other protocols, such as SRP and Diffie-Hellman, but in the end you have to send the proof of key over the wire, and that would be vulnerable to "Man In The Middle" attacks…
Without some pre-shared information, nothing is safe from the man-in-the-middle attack. You always need some pre-shared information to be secure against man-in-the-middle. If you just want to be safe from passive eavesdropping, then pre-shared information is not needed.
The main reason why SSL works best is that you have the pre-shared security information – certificates. The web browsers are already bundled with it. For example, in Firefox look at Tools / Options / Advanced / Encryption / View certificates / Authorities, then select the certificate and click View.
You could of course have a different cryptographic protocol based on pre-shared information, so in principle it is possible without SSL. But in current practice, the only pre-shared information bundled with web browsers are SSL certificates.