1 / 25

The Battle Against Phishing: Dynamic Security Skins

The Battle Against Phishing: Dynamic Security Skins. Rachna Dhamija and J.D. Tygar U.C. Berkeley. Security Properties for Usability. Limited human skills property Unmotivated users property General purpose graphics property Golden arches property Barn door property.

saskia
Download Presentation

The Battle Against Phishing: Dynamic Security Skins

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. The Battle Against Phishing:Dynamic Security Skins Rachna Dhamija and J.D. Tygar U.C. Berkeley

  2. Security Properties for Usability • Limited human skills property • Unmotivated users property • General purpose graphics property • Golden arches property • Barn door property

  3. Security Properties for Usability • Limited human skills property • Unmotivated users property • General purpose graphics property • Golden arches property • Barn door property

  4. Limited Human Skills Property • Limited password recall • Hard to parse domain names

  5. Security Properties for Usability • Limited human skills property • Unmotivated users property • Security is often the secondary goal • General purpose graphics property • Golden arches property • Barn door property

  6. Users Don’t Check Certificates

  7. Security Properties for Usability • Limited human skills property • Unmotivated users property • General purpose graphics property • Golden arches property • Barn door property

  8. Firefox Browser: 4 SSL indicators

  9. Firefox browser - No unsecure indicators

  10. Security Properties for Usability • Limited human skills property • Unmotivated users property • General purpose graphics property • Golden arches property • Train users not to automatically trust a logo or brand • Barn door property

  11. The golden arches property

  12. Security Properties for Usability • Limited human skills property • Unmotivated users property • General purpose graphics property • Golden arches property • Barn door property

  13. Strong Password Protocols • Stanford Web PwdHash • Password Authenticated Key Agreement • EKE, SPEKE, SNAPI, AuthA, PAK, SRP, etc… • Password • H(password, siteID) • Protocol • Password

  14. Password Authenticated Key Agreement • Advantages: • preserve familiar use of passwords • user doesn’t need a trusted device • secret stored in memory of the user • server doesn’t store password • no passwords sent over the network • user authentication (& mutual authentication) • But how to enter the password?

  15. Our Solution: Usability Goals • User must be able to verify password prompt, before entering password • Rely on human skills • To login, recognize 1 image & recall 1 password • To verify server, compare 2 images • Hard to spoof security indicators

  16. Trusted Password Window • Dedicated window • Trusted path  customization • Random photo assigned or chosen • Image stored in browser, do not have to go through server • Image overlaid across window • User recognizes image first • then enters password • Password not sent to server

  17. Security Indicators • How can user distinguish secure windows? • Static indicators (SSL) • Can be spoofed • User do not really examine it • User customized indicators (Passmark/Petnames) • Require extra efforts from the user • Automated customized indicators

  18. Our Solution: Dynamic Security Skins • Automatically customize secure windows • Visual hashes • Random Art - visual hash algorithm • Generate unique abstract image for each authentication • Use the image to “skin” windows or web content • Browser generated or server generated

  19. Browser Generated Images • Browser chooses random number and generates image • Can be used to modify border or web elements

  20. Server Generated Images • Server & browser independently generate same image • Server can customize its own page

  21. Conclusions • Benefits: • Achieves mutual authentication • Resistant to phishing and spoofing • Relies on human skills • Weaknesses: • Users must check images • easier than checking a cert • Local storage of personal image reduces portability, requires security • Doesn’t address spyware, keyloggers

  22. Status and Future Work • Iterative design & “lo-fi” testing of interface • Formal user study • DSS Mozilla extension

  23. Customized Indicators: Petname Toolbar

  24. Automated Indicators:Secure Random Dynamic Boundaries

More Related