
Delayed password disclosure

Published: 01 September 2007

Abstract

We present a new authentication protocol called Delayed Password Disclosure. Built on the traditional username-and-password paradigm, the protocol aims to reduce the effectiveness of the phishing and spoofing attacks that are an increasing problem for Internet users. It does so by giving the user dynamic feedback as the password is being entered. Although this practice would normally be frowned upon by the cryptographic community, we argue that it may yield more effective security than the "cryptographically acceptable" alternatives proposed so far. The protocol cannot prevent partial disclosure of a password to a phisher, but it gives the user the means to recognize a phishing attack in progress and to stop before the entire password is disclosed, so that security degrades gracefully.
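The prefix-by-prefix feedback the abstract describes can be simulated. The following is an added example and not code from the paper: it models the genuine server's feedback for each password prefix as an HMAC over a per-user secret, reduced to one of 64 recognisable images (an assumed parameter), lets a spoofed site that lacks the secret only guess an image, and counts how many characters the user has typed before the first wrong image makes them stop. The paper's actual cryptographic construction (the page's author tags list oblivious transfer and static Diffie-Hellman) is not modelled here; in particular, a phisher relaying each prefix to the genuine server in real time would defeat this simplified model.

```python
import hashlib
import hmac
import random
from typing import List, Tuple

# Number of distinct feedback images the user can recognise (assumed value,
# not taken from the paper).
FEEDBACK_SPACE = 64


def feedback_for_prefix(user_secret: bytes, prefix: str) -> int:
    """Index of the feedback image for one password prefix.

    The image is derived from a per-user server secret, so an impostor who
    lacks that secret cannot compute it. This is a constructed model, not
    the paper's oblivious-transfer based construction.
    """
    tag = hmac.new(user_secret, prefix.encode("utf-8"), hashlib.sha256).digest()
    return tag[0] % FEEDBACK_SPACE


class LegitimateServer:
    """Holds the per-user secret and answers each prefix with its image."""

    def __init__(self, user_secret: bytes) -> None:
        self.user_secret = user_secret

    def respond(self, prefix: str) -> int:
        return feedback_for_prefix(self.user_secret, prefix)


class Phisher:
    """Spoofed site: has no per-user secret, so it can only guess an image."""

    def __init__(self, seed: int) -> None:
        self.rng = random.Random(seed)

    def respond(self, prefix: str) -> int:
        return self.rng.randrange(FEEDBACK_SPACE)


def enrol(server: LegitimateServer, password: str) -> List[int]:
    """At enrolment the user memorises the image shown after each character."""
    return [server.respond(password[:i]) for i in range(1, len(password) + 1)]


def type_password(password: str, expected: List[int], responder) -> Tuple[bool, int]:
    """Simulate character-by-character entry with feedback after each one.

    Returns (completed, characters_disclosed). The user aborts at the first
    image that differs from the memorised one, so only the prefix typed so
    far has been disclosed to the responder.
    """
    for i in range(1, len(password) + 1):
        shown = responder.respond(password[:i])
        if shown != expected[i - 1]:
            return False, i
    return True, len(password)


def mean_disclosure_to_phisher(password: str, expected: List[int], trials: int) -> float:
    """Average number of characters a guessing phisher learns per attempt."""
    total = 0
    for seed in range(trials):
        _, disclosed = type_password(password, expected, Phisher(seed))
        total += disclosed
    return total / trials


if __name__ == "__main__":
    secret = bytes(range(32))  # constructed per-user secret for the demo
    password = "correct horse"
    server = LegitimateServer(secret)
    expected = enrol(server, password)
    print("genuine site:", type_password(password, expected, server))
    print("mean characters leaked to a guessing phisher:",
          mean_disclosure_to_phisher(password, expected, 2000))
```

Running it shows the genuine server completing entry while a guessing phisher learns, on average, only slightly more than one character per attempt (1 + 1/64 + 1/64² + ...); that is the graceful degradation the abstract refers to. The cost of the model is a 1-in-64 chance per character that a wrong site, or a typo by the user, produces the expected image by coincidence at that position.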

Cited By

  • (2021) SoK. Proceedings of the Seventeenth USENIX Conference on Usable Privacy and Security, pp. 339-357. doi:10.5555/3563572.3563590. Online publication date: 9 Aug 2021.
  • (2016) CPasswords. Proceedings of the 2016 49th Hawaii International Conference on System Sciences (HICSS), pp. 3656-3665. doi:10.1109/HICSS.2016.457. Online publication date: 5 Jan 2016.
  • (2014) A honeypots based anti-phishing framework. 2014 International Conference on Control, Instrumentation, Communication and Computational Technologies (ICCICCT), pp. 618-625. doi:10.1109/ICCICCT.2014.6993036. Online publication date: Jul 2014.
  • (2009) A novel anti-phishing framework based on honeypots. 2009 eCrime Researchers Summit, pp. 1-13. doi:10.1109/ECRIME.2009.5342609. Online publication date: Oct 2009.
  • (2008) pwdArmor. Proceedings of the 2008 Annual Computer Security Applications Conference, pp. 443-452. doi:10.1109/ACSAC.2008.46. Online publication date: 8 Dec 2008.


Published In

ACM SIGACT News, Volume 38, Issue 3
September 2007
143 pages
ISSN: 0163-5700
DOI: 10.1145/1324215

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 September 2007
Published in SIGACT Volume 38, Issue 3


Author Tags

  1. decisional
  2. doppelganger
  3. oblivious transfer
  4. password authenticated key exchange
  5. phishing
  6. static diffie-hellman
  7. user interfaces
