Delayed Password Disclosure Mutual Authentication to Fight Phishing Steve Myers Indiana University, Bloomington Joint work with: Markus Jakobsson Indiana University, Bloomington


Page 1

Delayed Password Disclosure: Mutual Authentication to Fight Phishing

Steve Myers, Indiana University, Bloomington

Joint work with: Markus Jakobsson, Indiana University, Bloomington

Page 2

What is Phishing?

• Attack combines social engineering and technology

• An attack that tricks users out of confidential information:
  – Authentication credentials
  – Financial data (credit card numbers, SSNs, …)
  – Other possibilities in the future?

Page 3

How Is It Typically Done?

• Create an authentic-looking fraudulent web page

• Spam a large number of users, directing them to the fraudulent site

• Hope that a certain percentage of recipients visit and provide the requested authentication information

• Make use of the provided information

Page 4

Why Is It Being Done & Why Is It Successful?

• Low risk of being caught

• Easy to implement the attack

• Potentially a very high payout

• Hard for users to differentiate between the authentic site and the phisher's

• Users lack the ability to authenticate the site

Page 5

Real World Mutual Authentication

• Case study: a bank transaction

• The bank explicitly authenticates the client
  – Asks to see ID, bank card, etc.

• The client implicitly authenticates the bank
  – Cost of building an authentic-looking branch or ATM
  – Banks protect trademarks, logos, etc.; done by legal enforcement
  – Hard to direct a lot of traffic to one branch
  – High risk and low reward for an impersonator

Page 6

Implicit Authentication Assumptions Do Not Hold in the Digital World

• Easy to duplicate a legitimate-looking site
  – Bugs in browsers make this true even for security experts

• Hard for companies to enforce trademarks online

• Easy to direct a large number of users to a fraudulent site

• High reward and low risk for many impersonators

Page 7

Traditional Phishing Attack

Page 8

Why not use PAKE?

[Figure: two protocol boxes, each labelled "PAKE Protocol"]

Page 9

Doppelganger Monitor Attacks

[Figure: two side-by-side login windows]
• Web server running the PAKE protocol
• Web server with no security protocol:
  – Window looks identical to the one used for PAKE
  – User's password is sent in the clear to the phisher

Page 10

Doppelganger Monitor Attacks: Passive vs. Adaptive

Page 11

Delayed Password Disclosure

• User feedback authenticates the site
• Each character of the password provides image/authenticity feedback
• Wrong images = wrong site!
  – Stop entering the correct password
  – The user can stop before releasing the whole password
• The correct images cannot be inferred from a fake session

Page 12

Delayed Password Disclosure

• Protects against passive Doppelganger Monitor Attacks

• Phishers cannot provide the correct images without performing an adaptive man-in-the-middle (MIM) Doppelganger Attack

Page 13

[Figure: DPD protocol flow between Alice and the Bank]

• Username = Alice; Alice's password = P1 P2 P3 P4 P5, with each Pi ∈ [1..c]
• The Bank holds a database of images specific to Alice
• Alice enters P1: 1-out-of-c OT with the Bank
• Alice enters P2: 1-out-of-c^2 OT
• Alice enters P3: 1-out-of-c^3 OT
• (and so on, one OT round per character entered)
• Password Authenticated Key Exchange on P1 P2 P3 P4 P5

Page 14

Efficiency?

• Issue: even very efficient 1-out-of-n OT protocols are slow when n is large (here n = c^i grows with every character entered)

• Solution:
  – Replace the server's DB of images with seeds
  – Transmit seeds instead of images
  – The client uses the seeds to generate random-art
  – The DB of seeds in round i is computed from the seed the user selected in round i-1
  – Each OT round can then be 1-out-of-c

Page 15

Security & Correctness Requirements for Modifications

• Seeds need to be the same in every execution
  – Ensures the same pictures are always revealed

• Ensure password secrecy is maintained

• Ensure that j invocations of the protocol are needed to learn j sequences of seeds
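As an added example (not the authors' code), the Python model below plays out slides 11 to 15: one OT round per character typed, the seed chain v_i = F_{v_{i-1}}(P_i) that makes every session reveal the same pictures, and the three kinds of window from slides 9, 10 and 19 (the genuine client, a passive doppelganger with no protocol behind it, and an adaptive man-in-the-middle doppelganger). Everything beyond the slides is an assumption: digits 0..c-1 as the password alphabet, HMAC-SHA256 standing in for F, a hex fingerprint standing in for random-art, and an `ot_1_of_n` function that models only the outcome of an ideal OT (the receiver's choice privacy is assumed, not enforced).

```python
"""Toy model of Delayed Password Disclosure (DPD) as sketched on slides 11-16.
Added example, not the authors' code.  Assumed: password characters are digits
0..C-1; HMAC-SHA256 stands in for the PRF F; a short hex fingerprint stands in
for random-art; the OT is replaced by its ideal functionality."""
import hashlib
import hmac
import secrets

C = 10   # alphabet size c: each password character P_i is in 0..C-1

def prf(key: bytes, index: int) -> bytes:
    """F_key(index); HMAC-SHA256 stands in for the PRFG F of slide 16."""
    return hmac.new(key, index.to_bytes(2, "big"), hashlib.sha256).digest()

def render(seed: bytes) -> str:
    """Stand-in for random-art: a fingerprint the user learns to recognise."""
    return seed.hex()[:8]

def ot_1_of_n(sender_inputs, choice):
    """Ideal 1-out-of-n OT: the receiver gets exactly one input and the sender
    learns nothing about `choice`.  A deployment would run a real OT ([NP01])."""
    return sender_inputs[choice]

def prefix_index(prefix):
    """Position of a password prefix in a round table (base C, P1 first)."""
    idx = 0
    for p in prefix:
        idx = idx * C + p
    return idx

class Bank:
    """Legitimate server: one master seed S per user, no stored images."""
    def __init__(self):
        self.master, self.password = {}, {}

    def enroll(self, user, password):
        self.master[user] = secrets.token_bytes(32)   # S on slide 16
        self.password[user] = tuple(password)

    def ot_inputs(self, user, round_i):
        """Round i offers all C**i seeds v_i = F_{v_{i-1}}(P_i), v_0 = S (the
        1-out-of-c^i variant of slide 13); each table is derived from the last."""
        seeds = [self.master[user]]
        for _ in range(round_i):
            seeds = [prf(v, j) for v in seeds for j in range(C)]
        return seeds

    def expected_images(self, user):
        """What the user memorises after one honest session."""
        pw, window = self.password[user], HonestWindow(self, user)
        return [window.image_after(pw[:i + 1]) for i in range(len(pw))]

class HonestWindow:
    """Genuine DPD client: one OT round with the bank per character typed."""
    def __init__(self, bank, user):
        self.bank, self.user = bank, user

    def image_after(self, prefix):
        table = self.bank.ot_inputs(self.user, len(prefix))
        return render(ot_1_of_n(table, prefix_index(prefix)))

class PassiveDoppelganger:
    """Look-alike window running no protocol: records keystrokes in the clear
    and, lacking S, shows images that are wrong with overwhelming probability."""
    def __init__(self):
        self.captured = ()

    def image_after(self, prefix):
        self.captured = tuple(prefix)
        return render(secrets.token_bytes(32))

class AdaptiveDoppelganger:
    """Man-in-the-middle look-alike: relays each keystroke to the bank through
    the real protocol and echoes back the correct image."""
    def __init__(self, bank, user):
        self.captured, self.relay = (), HonestWindow(bank, user)

    def image_after(self, prefix):
        self.captured = tuple(prefix)
        return self.relay.image_after(prefix)

def user_login(window, password, expected):
    """Type one character at a time; stop at the first wrong image.
    Returns how many characters were typed into the window."""
    typed = []
    for i, p in enumerate(password):
        typed.append(p)
        if window.image_after(tuple(typed)) != expected[i]:
            break                      # wrong image = wrong site: stop
    return len(typed)                  # all matched: PAKE would run next

def demo(password=(3, 1, 4, 1, 5)):
    """Characters disclosed to each kind of window for one login attempt."""
    bank = Bank()
    bank.enroll("alice", password)
    expected = bank.expected_images("alice")
    passive, mitm = PassiveDoppelganger(), AdaptiveDoppelganger(bank, "alice")
    return {"honest": user_login(HonestWindow(bank, "alice"), password, expected),
            "passive": user_login(passive, password, expected),
            "passive_captured": len(passive.captured),
            "adaptive": user_login(mitm, password, expected),
            "adaptive_captured": len(mitm.captured)}
```

`demo()` returns the counts for one login against each window: the genuine client and the adaptive attacker both see all five characters, while the passive doppelganger captures only P1, because Alice stops as soon as the first picture is wrong. The adaptive attacker has to run a full protocol session with the bank for every keystroke it relays, which is the extra effort and the bank-visible traffic that slide 19 refers to.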

Page 16

[Figure: DPD protocol flow with seeds instead of images]

• Username = Alice; Alice's password = P1 P2 P3 P4 P5, with each Pi ∈ [0..c-1]
• S ∈ {0,1}^n is the server-side seed for Alice; F is a PRFG (pseudorandom function generator); g is a generator of a group of order q
• Alice enters P1: 1-out-of-c OT with the Bank; x1 ∈_u [0..q-1]; the picture shown corresponds to v1 = F_S(P1)
• Alice enters P2: 1-out-of-c OT; x2 ∈_u [0..q-1]
• Alice enters P3: 1-out-of-c OT
• (and so on, one 1-out-of-c OT round per character entered)

Page 17

Computational Costs

• The client performs 2 exponentiations per character of the password

• The server needs to perform c exponentiations per character of the password

• High computational load for the server

• New extension:
  – Costs 2 extra communication flows per character
  – 3 exponentiations per character for the client
  – 3 exponentiations per character for the server

Page 18

Full Implementation Costs

• Efficient OT [NP01] (Naor and Pinkas; random-oracle model)
  – One-time cost of c exponentiations
  – Client: 1 exponentiation per OT
  – Server: 1 exponentiation per OT

• Efficient PAKE [KOY01] (Katz, Ostrovsky and Yung; standard model)
  – Client & server take 3 exponentiations

Page 19

Security and Usability of DPD

• DPD is as secure as the PAKE or SSL alternative
• The user must protect the images from prying eyes
• DPD is not immune to the adaptive Doppelganger attack, but:
  – It is technically more challenging to perform
  – The attack should be easier for the bank to detect

• No extra hardware is required!
• User interface: more complicated
• User education necessary!

Page 20

Questions?