DOI: 10.1145/1314403.1314407
Article

Delayed password disclosure

Published: 02 November 2007

Abstract

We present a new authentication protocol called Delayed Password Disclosure. Based on the traditional user name and password paradigm, the protocol aims to reduce the effectiveness of the phishing/spoofing attacks that are becoming increasingly problematic for Internet users. It does so by providing the user with dynamic feedback while the password is being entered. While this is a process that would normally be frowned upon by the cryptographic community, we argue that it may result in more effective security than that offered by currently proposed "cryptographically acceptable" alternatives. While the protocol cannot prevent partial disclosure of one's password to the phisher, it does provide the user with the tools necessary to recognize an ongoing phishing attack and prevent the disclosure of his/her entire password, providing graceful security degradation.




Published In

DIM '07: Proceedings of the 2007 ACM workshop on Digital identity management
November 2007
98 pages
ISBN: 9781595938893
DOI: 10.1145/1314403


Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. authentication
  2. decisional & static diffie-hellman assumption
  3. oblivious transfer
  4. password authenticated key exchange
  5. phishing
  6. user interfaces

Qualifiers

  • Article

Conference

CCS07

Acceptance Rates

Overall Acceptance Rate: 16 of 34 submissions, 47%


Cited By

  • (2013) Geo-location based QR-Code authentication scheme to defeat active real-time phishing attack. Proceedings of the 2013 ACM workshop on Digital identity management, pp. 51-62. DOI: 10.1145/2517881.2517889. Online publication date: 8-Nov-2013.
  • (2010) Phishing within e-commerce: A trust and confidence game. 2010 Information Security for South Africa, pp. 1-8. DOI: 10.1109/ISSA.2010.5588333. Online publication date: Aug-2010.
  • (2009) Visual security is feeble for anti-phishing. Proceedings of the 3rd international conference on Anti-Counterfeiting, security, and identification in communication, pp. 118-123. DOI: 10.5555/1719110.1719138. Online publication date: 20-Aug-2009.
  • (2009) Visual security is feeble for anti-phishing. 2009 3rd International Conference on Anti-counterfeiting, Security, and Identification in Communication, pp. 118-123. DOI: 10.1109/ICASID.2009.5276940. Online publication date: Aug-2009.
  • (2008) Anti-phishing based on automated individual white-list. Proceedings of the 4th ACM workshop on Digital identity management, pp. 51-60. DOI: 10.1145/1456424.1456434. Online publication date: 31-Oct-2008.
  • (2008) Provably secure browser-based user-aware mutual authentication over TLS. Proceedings of the 2008 ACM symposium on Information, computer and communications security, pp. 300-311. DOI: 10.1145/1368310.1368354. Online publication date: 18-Mar-2008.
