Delayed password disclosure

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Delayed password disclosure

Full text

Pdf (270 KB)

Source

Workshop On Digital Identity Management archive
Proceedings of the 2007 ACM workshop on Digital identity management table of contents

Fairfax, Virginia, USA

SESSION: Usability and authentication table of contents

Pages: 17 - 26

Year of Publication: 2007

ISBN:978-1-59593-889-3

Authors

Markus Jakobsson	Indiana University, Bloomington, IN
Steven Myers	Indiana University, Bloomington, IN

Sponsors

ACM: Association for Computing Machinery
SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 5, Downloads (12 Months): 85, Citation Count: 2

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1314403.1314407 What is a DOI?

ABSTRACT

We present a new authentication protocol called Delayed Password Disclosure. Based on the traditional user name and password paradigm, the protocol's goal is aimed at reducing the effectiveness of phishing/spoofing attacks that are becoming increasingly problematic for Internet users. This is done by providing the user with dynamic feedback while password entry occurs. While this is a process that would normally be frowned upon by the cryptographic community, we argue that it may result in more effective security than that offered by currently proposed "cryptographically acceptable" alternatives. While the protocol cannot prevent partial disclosure of one's password to the phisher, it does provide a user with the tools necessary to recognizean on going phishing attack, and prevent the disclosure of his/her entire password, providing graceful security degradation.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	M. Bellare, A. Boldyreva, and A. Palacio. An uninstantiable random-oracle-model scheme for a hybrid-encryption problem. In CCanchin and JCamenisch, editors, Advances in Cryptology-EUROCRYPT'04, pages 171--188. Springer, 2004.
	2	Mihir Bellare , Silvio Micali, Non-interactive oblivious transfer and applications, Proceedings on Advances in cryptology, p.547-557, July 1989, Santa Barbara, California, United States
	3	M. Bellare, D. Pointcheval, and P. Rogaway. Authenticated key exchange secure against dictionary attacks. EUROCRYPT-Lecture Notes in Computer Science, 1807:139--155, 2000.
	4	Steven M. Bellovin , Michael Merritt, Encrypted Key Exchange: Password-Based Protocols SecureAgainst Dictionary Attacks, Proceedings of the 1992 IEEE Symposium on Security and Privacy, p.72, May 04-06, 1992
	5	Steven M. Bellovin , Michael Merritt, Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise, Proceedings of the 1st ACM conference on Computer and communications security, p.244-250, November 03-05, 1993, Fairfax, Virginia, United States [doi>10.1145/168588.168618]
	6	D. R. L. Brown and R. P. Gallant. The static Diffie-Hellman problem. Cryptology ePrint Archive, Report 2004/306, 2004. http://eprint.iacr.org/.
	7	Ran Canetti , Oded Goldreich , Shai Halevi, The random oracle methodology, revisited (preliminary version), Proceedings of the thirtieth annual ACM symposium on Theory of computing, p.209-218, May 24-26, 1998, Dallas, Texas, United States [doi>10.1145/276698.276741]
	8	N. Chou, R. Ledesma, Y. Teraguchi, D. Boneh, and J. C. Mitchell. Client-side defense against web-based identity theft, Apr. 2004.
	9	Rachna Dhamija, Hash visualization in user authentication, CHI '00 extended abstracts on Human factors in computing systems, April 01-06, 2000, The Hague, The Netherlands [doi>10.1145/633292.633455]
	10	Rachna Dhamija , J. D. Tygar, The battle against phishing: Dynamic Security Skins, Proceedings of the 2005 symposium on Usable privacy and security, p.77-88, July 06-08, 2005, Pittsburgh, Pennsylvania [doi>10.1145/1073001.1073009]
	11	A. Emigh. Online identity theft: Technology, chokepoints and countermeasures. In DHS Report, 2005.
	12	Warwick Ford , Burton S. Kaliski, Jr., Server-Assisted Generation of a Strong Secret from a Password, Proceedings of the 9th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, p.176-180, June 04-16, 2000
	13	Taher El Gamal, A public key cryptosystem and a signature scheme based on discrete logarithms, Proceedings of CRYPTO 84 on Advances in cryptology, p.10-18, August 1985, Santa Barbara, California, United States
	14	Craig Gentry , Philip Mackenzie , Zulfikar Ramzan, Password authenticated key exchange using hidden smooth subgroups, Proceedings of the 12th ACM conference on Computer and communications security, November 07-11, 2005, Alexandria, VA, USA [doi>10.1145/1102120.1102160]
	15	Shafi Goldwasser , Yael Tauman Kalai, On the (In)security of the Fiat-Shamir Paradigm, Proceedings of the 44th Annual IEEE Symposium on Foundations of Computer Science, p.102, October 11-14, 2003
	16	A. Herzberg and A. Gbara. Trustbar: Protecting (even naive). web users from spoofing and phishing attacks, 2004.
	17	Markus Jakobsson , Jacob Ratkiewicz, Designing ethical phishing experiments: a study of (ROT13) rOnl query features, Proceedings of the 15th international conference on World Wide Web, May 23-26, 2006, Edinburgh, Scotland [doi>10.1145/1135777.1135853]
	18	Jonathan Katz , Rafail Ostrovsky , Moti Yung, Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords, Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology, p.475-494, May 06-10, 2001
	19	Philip D. MacKenzie , Sarvar Patel , Ram Swaminathan, Password-Authenticated Key Exchange Based on RSA, Proceedings of the 6th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology, p.599-613, December 03-07, 2000
	20	Moni Naor , Benny Pinkas, Efficient oblivious transfer protocols, Proceedings of the twelfth annual ACM-SIAM symposium on Discrete algorithms, p.448-457, January 07-09, 2001, Washington, D.C., United States
	21	B. Parno, C. Kuo, and A. Perrig. Phoolproof phishing prevention. In G. D. Crescenzo and A. Rubin, editors, Financial Cryptography, volume 4107 of Lecture Notes in Computer Science, pages 1--19. Springer, 2006.
	22	Stuart E. Schechter , Rachna Dhamija , Andy Ozment , Ian Fischer, The Emperor's New Security Indicators, Proceedings of the 2007 IEEE Symposium on Security and Privacy, p.51-65, May 20-23, 2007 [doi>10.1109/SP.2007.35]

CITED BY 2

	Sebastian Gajek , Mark Manulis , Ahmad-Reza Sadeghi , Jörg Schwenk, Provably secure browser-based user-aware mutual authentication over TLS, Proceedings of the 2008 ACM symposium on Information, computer and communications security, March 18-20, 2008, Tokyo, Japan
	Ye Cao , Weili Han , Yueran Le, Anti-phishing based on automated individual white-list, Proceedings of the 4th ACM workshop on Digital identity management, October 31-31, 2008, Alexandria, Virginia, USA