Post on 21-Dec-2015
Delayed Password Disclosure: Mutual Authentication to Fight Phishing
Steve Myers, Indiana University, Bloomington
Joint work with: Markus Jakobsson, Indiana University, Bloomington
What is Phishing?
• Attack combines social engineering and technology
• An attack that tricks users out of confidential information:
– Authentication
– Financial (Credit Card, SSN, …)
– Other possibilities in the future?
How Is It Typically Done?
• Create authentic looking fraudulent web-page
• Spam a large number of users, directing them to fraudulent site.
• Hope a certain percentage of people visit, and provide requested authentication information.
• Make use of provided information
Why is it Being Done & Why is it Successful?
• Low risk of being caught
• Easy to implement attack
• Potentially a very high payout
• Hard for users to differentiate between authentic site and phishers’.
• Users lack ability to authenticate site.
Real World Mutual Authentication
• Case Study: Bank transaction
• Bank explicitly authenticates client
– Asks to see ID, Bank Card, etc.
• Client implicitly authenticates bank
– Cost of building authentic looking branch or ATM
– Banks protect trademarks, logos, etc.
• Done by legal enforcement.
– Hard to direct a lot of traffic to one branch.
– High risks and low rewards for an impersonator
Implicit Authentication Assumptions Do Not Hold in the Digital World
• Easy to duplicate legitimate looking site
– Bugs in browsers make this true even for security experts
• Hard for companies to enforce trademarks online
• Easy to direct a large number of users to fraudulent site
• High reward and low risk for many impersonators
Traditional Phishing Attack
Why not use PAKE?
PAKE Protocol
Doppelganger Monitor Attacks
Web-server running PAKE protocol
• Web-server with no security protocol
• Window looks identical to that used for PAKE
• User's password sent in clear to phisher
Doppelganger Monitor Attacks: Passive vs. Adaptive
Delayed Password Disclosure
• User feedback authenticates site
• Each character of password provides image/authenticity feedback.
• Wrong Images = Wrong Site!
– Stop entering correct password.
– User can stop before releasing whole password
• Correct images cannot be inferred from fake session
Delayed Password Disclosure
• Protects against passive Doppelganger Monitor Attacks
• Phishers cannot provide correct images without performing Adaptive MIM Doppelganger Attack
[Protocol figure: Alice (username = Alice, password = P1 P2 P3 P4 P5, each Pi ∈ [1..c]) enters P1, P2, P3 in turn. Round 1 runs a 1-out-of-c OT, round 2 a 1-out-of-c² OT and round 3 a 1-out-of-c³ OT against the Bank's database of images specific to Alice, followed by Password Authenticated Key Exchange.]
Efficiency?
• Issue: Very efficient 1-out-of-n OT algs are slow when n is large
• Solution:
– Replace server's DB of images with seeds
– Transmit seeds instead of images
• Client uses seeds to generate random-art
– DB of seeds in round i computed based on user's previously selected seeds in round i-1
– Each OT round can be 1-out-of-c.
Security & Correctness Requirements for Modifications
• Seeds need to be same in every execution
– Ensures same pictures are always revealed
• Ensure password secrecy is maintained
• Ensure that j invocations of protocol are needed to learn j sequences of seeds.
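As an added illustration (not code from the talk or its authors) of the seed-based variant and the "wrong image = stop typing" rule described above, this Python simulation keys each round's c-entry seed table on the seed selected in the previous round, renders a short fingerprint in place of random art, and has the client stop at the first unexpected image. The 1-out-of-c OT is idealised as a function call, F is instantiated with HMAC-SHA256, and passwords are digit strings; all three are assumptions made for the example.

```python
import hashlib
import hmac

C = 10  # alphabet size c: passwords here are digit strings, so P_i is in 0..9 (constructed)

def prf(key: bytes, msg: bytes) -> bytes:
    # The PRF F from the slides, instantiated as HMAC-SHA256 (an assumption).
    return hmac.new(key, msg, hashlib.sha256).digest()

def random_art(seed: bytes) -> str:
    # Stand-in for the random-art image the client renders from a seed.
    return hashlib.sha256(b"random-art|" + seed).hexdigest()[:8]

class Server:
    # Per-user master secret s. The round-1 table is keyed by s; the round-i table
    # is keyed by the seed selected in round i-1, so every table has only c entries.
    def __init__(self, s: bytes):
        self.s = s

    def table(self, i: int, prev_seed: bytes) -> list:
        key = self.s if i == 1 else prev_seed
        return [prf(key, bytes([i, x])) for x in range(C)]

def idealized_ot(server: Server, i: int, prev_seed: bytes, index: int) -> bytes:
    # Idealised 1-out-of-c OT: the client learns only table entry `index` and the
    # server learns nothing about the client's inputs. The slides realise this with
    # the g, q, x_i exponentiations; here it is a plain function call (assumption).
    return server.table(i, prev_seed)[index]

def enroll(server: Server, password: str) -> list:
    # Honest first run: the user memorises the image shown after each character.
    images, seed = [], b""
    for i, ch in enumerate(password, 1):
        seed = idealized_ot(server, i, seed, int(ch))
        images.append(random_art(seed))
    return images

def login(server: Server, password: str, expected: list) -> tuple:
    # Returns (characters typed, completed). The user stops at the first wrong image,
    # so a site that cannot reproduce the images sees at most one character.
    seed = b""
    for i, ch in enumerate(password, 1):
        seed = idealized_ot(server, i, seed, int(ch))
        if random_art(seed) != expected[i - 1]:
            return i, False
    return len(password), True
```

A server holding a different master secret produces a different round-1 image, so the user stops after one character, and a mistyped character at the honest site is also flagged by its image.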
[Protocol figure, seed-based version: Alice (username = Alice, password = P1 P2 P3 P4 P5, each Pi ∈ [0..(c−1)]) enters P1, P2, P3 in turn, each round via a 1-out-of-c OT with the Bank. The Bank holds s ∈ {0,1}^n; the picture corresponding to P1 is derived from v1 = F_s(P1). The client chooses x1, x2 ∈_u [0..q−1]; g is a generator for a group of order q; F is a PRFG.]
Computational Costs
• Client performs 2 exps. per char. in password
• Server needs to perform c exponentiations per char. in password
• High computational load for server
• New extension:
– Costs 2 extra comm. flows per char
– 3 exps. per char. for client
– 3 exps. per char. for server
Full Implementation Costs
• Efficient OT [NP01] (RO-Model)
– One time cost of c exponentiations
– Client 1 exp per OT
– Server 1 exp per OT
• Efficient PAKE [KOY01] (Standard Model)
– Client & Server take 3 exp
Security and Usability of DPD
• DPD as secure as PAKE or SSL alternative.
• User must protect images from prying eyes.
• DPD not immune to Adaptive Doppelganger Attack, but:
– Technically more challenging to perform
– Attack should be easier for bank to detect.
• No extra hardware is required!
• User Interface: more complicated
• User education necessary!
Questions?