Delayed password disclosure

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Delayed password disclosure

Full text

Pdf (955 KB)

Source

ACM SIGACT News archive
Volume 38 , Issue 3 (September 2007) table of contents

COLUMN: Distributed computing table of contents

Pages: 56 - 75

Year of Publication: 2007

ISSN:0163-5700

Authors

Markus Jakobsson	Indiana University at Bloomington
Steven Myers	Indiana University at Bloomington

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 12, Downloads (12 Months): 128, Citation Count: 0

Additional Information:

abstract references index terms collaborative colleagues

Tools and Actions:	Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1324215.1324228 What is a DOI?

ABSTRACT

We present a new authentication protocol called Delayed Password Disclosure. Based on the traditional username and password paradigm, the protocol's goal is aimed at reducing the effectiveness of phishing/spoofing attacks that are becoming increasingly problematic for Internet users. This is done by providing the user with dynamic feedback while password entry occurs. While this is a process that would normally be frowned upon by the cryptographic community, we argue that it may result in more effective security than that offered by currently proposed "cryptographically acceptable" alternatives. While the protocol cannot prevent partial disclosure of one's password to the phisher, it does provide a user with the tools necessary to recognize an ongoing phishing attack, and prevent the disclosure of his/her entire password, providing graceful security degradation.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Vivek Anandpara, Andrew Dingman, Markus Jakobsson, Debin Liu, and Heather Roinestad. Phishing IQ tests measure fear, not ability. In Usable Security (USEC), 2007. http://www.informatics.indiana.edu/markus/papers/phish6.pdf.
	2	M. Bellare, A. Boldyreva, and A. Palacio. An uninstantiable random-oracle-model scheme for a hybrid-encryption problem. In C. Canchin and J. Camenisch, editors, Advances in Cryptology- EUROCRYPT'04, pages 171--188. Springer, 2004.
	3	Mihir Bellare , Silvio Micali, Non-Interactive Oblivious Transfer and Spplications, Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology, p.547-557, August 20-24, 1989
	4	Mihir Bellare, David Pointcheval, and Phillip Rogaway. Authenticated key exchange secure against dictionary attacks. EUROCRYPT-Lecture Notes in Computer Science, 1807:139--155, 2000.
	5	Steven M. Bellovin , Michael Merritt, Encrypted Key Exchange: Password-Based Protocols SecureAgainst Dictionary Attacks, Proceedings of the 1992 IEEE Symposium on Security and Privacy, p.72, May 04-06, 1992
	6	Steven M. Bellovin , Michael Merritt, Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise, Proceedings of the 1st ACM conference on Computer and communications security, p.244-250, November 03-05, 1993, Fairfax, Virginia, United States [doi>10.1145/168588.168618]
	7	Manuel Blum, How to exchange (secret) keys, Proceedings of the fifteenth annual ACM symposium on Theory of computing, p.440-447, December 1983 [doi>10.1145/800061.808775]
	8	Daniel R. L. Brown and Robert P. Gallant. The static Diffie-Hellman problem. Cryptology ePrint Archive, Report 2004/306, 2004. http://eprint.iacr.org/.
	9	R. Canetti, Universally Composable Security: A New Paradigm for Cryptographic Protocols, Proceedings of the 42nd IEEE symposium on Foundations of Computer Science, p.136, October 14-17, 2001
	10	Ran Canetti , Oded Goldreich , Shai Halevi, The random oracle methodology, revisited (preliminary version), Proceedings of the thirtieth annual ACM symposium on Theory of computing, p.209-218, May 24-26, 1998, Dallas, Texas, United States [doi>10.1145/276698.276741]
	11	Fred Cate. Liability for phishing (chapter 18), In Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft. Editors Markus Jakobsson and Steven Myers, 2006.
	12	Neil Chou, Robert Ledesma, Yuka Teraguchi, Dan Boneh, and John C. Mitchell. Client-side defense against web-based identity theft, April 2004.
	13	Rachna Dhamija, Hash visualization in user authentication, CHI '00 extended abstracts on Human factors in computing systems, April 01-06, 2000, The Hague, The Netherlands [doi>10.1145/633292.633455]
	14	Rachna Dhamija , J. D. Tygar , Marti Hearst, Why phishing works, Proceedings of the SIGCHI conference on Human Factors in computing systems, April 22-27, 2006, Montréal, Québec, Canada [doi>10.1145/1124772.1124861]
	15	Rachna Dhamija , J. D. Tygar, The battle against phishing: Dynamic Security Skins, Proceedings of the 2005 symposium on Usable privacy and security, p.77-88, July 06-08, 2005, Pittsburgh, Pennsylvania [doi>10.1145/1073001.1073009]
	16	Aaron Emigh. Online identity theft: Technology, chokepoints and countermeasures. In DHS Report, 2005.
	17	Federal Financial Institutions Examination Council. Authentication in an internet banking environment, October 2005. http://www.ffiec.gov/pdf/authentication_guidance.pdf.
	18	Warwick Ford , Burton S. Kaliski, Jr., Server-Assisted Generation of a Strong Secret from a Password, Proceedings of the 9th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, p.176-180, June 04-16, 2000
	19	Matthew K. Franklin , Michael K. Reiter, Fair exchange with a semi-trusted third party (extended abstract), Proceedings of the 4th ACM conference on Computer and communications security, p.1-5, April 01-04, 1997, Zurich, Switzerland [doi>10.1145/266420.266424]
	20	Taher El Gamal, A public key cryptosystem and a signature scheme based on discrete logarithms, Proceedings of CRYPTO 84 on Advances in cryptology, p.10-18, August 1985, Santa Barbara, California, United States
	21	Juan A. Garay , Markus Jakobsson , Philip D. MacKenzie, Abuse-Free Optimistic Contract Signing, Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology, p.449-466, August 15-19, 1999
	22	Simson L. Garfinkel , Robert C. Miller, Johnny 2: a user test of key continuity management with S/MIME and Outlook Express, Proceedings of the 2005 symposium on Usable privacy and security, p.13-24, July 06-08, 2005, Pittsburgh, Pennsylvania [doi>10.1145/1073001.1073003]
	23	Craig Gentry , Philip Mackenzie , Zulfikar Ramzan, Password authenticated key exchange using hidden smooth subgroups, Proceedings of the 12th ACM conference on Computer and communications security, November 07-11, 2005, Alexandria, VA, USA [doi>10.1145/1102120.1102160]
	24	Shafi Goldwasser , Yael Tauman Kalai, On the (In)security of the Fiat-Shamir Paradigm, Proceedings of the 44th Annual IEEE Symposium on Foundations of Computer Science, p.102, October 11-14, 2003
	25	Amir Herzberg and Ahmad Gbara. Trustbar: Protecting (even naive). web users from spoofing and phishing attacks, 2004.
	26	Collin Jackson , Andrew Bortz , Dan Boneh , John C. Mitchell, Protecting browser state from web privacy attacks, Proceedings of the 15th international conference on World Wide Web, May 23-26, 2006, Edinburgh, Scotland [doi>10.1145/1135777.1135884]
	27	Collin Jackson, Dan Simon, Desney Tan, and Adam Barth. An evaluation of extended validation and picture-in-picture phishing attacks, In Usable Security 2007. http://www.usablesecurity.org/papers/jackson.pdf.
	28	Markus Jakobsson , Steven Myers, Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft, Wiley-Interscience, 2006
	29	Markus Jakobsson, Tom N. Jagatic, and Sid Stamm. Phishing for clues: Inferring context using cascading style sheets and browser history, 2005. http://www.browser-recon.info.
	30	Markus Jakobsson , Jacob Ratkiewicz, Designing ethical phishing experiments: a study of (ROT13) rOnl query features, Proceedings of the 15th international conference on World Wide Web, May 23-26, 2006, Edinburgh, Scotland [doi>10.1145/1135777.1135853]
	31	Markus Jakobsson , Sid Stamm, Invasive browser sniffing and countermeasures, Proceedings of the 15th international conference on World Wide Web, May 23-26, 2006, Edinburgh, Scotland [doi>10.1145/1135777.1135854]
	32	Markus Jakobsson and Alex Tsow. Making takedown difficult (chapter 11), In Phishing and Counter-measures: Understanding the Increasing Problem of Electronic Identity Theft. Editors Markus Jakobsson and Steven Myers, 2006.
	33	Markus Jakobsson, Alex Tsow, Ankur Shah, Eli Blevis, and Yung-Kyung Lim. What instills trust? a qualitative study of phishing, 2007. Usable Security '07, http://www.informatics.indiana.edu/markus/papers/trust_USEC.pdf.
	34	Jonathan Katz , Rafail Ostrovsky , Moti Yung, Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords, Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology, p.475-494, May 06-10, 2001
	35	Changwei Liu , Sid Stamm, Fighting unicode-obfuscated spam, Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit, p.45-59, October 04-05, 2007, Pittsburgh, Pennsylvania [doi>10.1145/1299015.1299020]
	36	Philip D. MacKenzie , Sarvar Patel , Ram Swaminathan, Password-Authenticated Key Exchange Based on RSA, Proceedings of the 6th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology, p.599-613, December 03-07, 2000
	37	Tyler Moore , Richard Clayton, Examining the impact of website take-down on phishing, Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit, p.1-13, October 04-05, 2007, Pittsburgh, Pennsylvania [doi>10.1145/1299015.1299016]
	38	Moni Naor , Benny Pinkas, Efficient oblivious transfer protocols, Proceedings of the twelfth annual ACM-SIAM symposium on Discrete algorithms, p.448-457, January 07-09, 2001, Washington, D.C., United States
	39	Netcraft News. More than 450 phishing attacks used SSL in 2005. http://news.netcraft.com/archives/2005/12/28/more_than_450_phishing_attacks_used_ssl_in_2005.html.
	40	Bryan Parno, Cynthia Kuo, and Adrian Perrig. Phoolproof phishing prevention. In Giovanni Di Crescenzo and Avi Rubin, editors, Financial Cryptography, volume 4107 of Lecture Notes in Computer Science, pages 1--19. Springer, 2006.
	41	Stuart E. Schechter , Rachna Dhamija , Andy Ozment , Ian Fischer, The Emperor's New Security Indicators, Proceedings of the 2007 IEEE Symposium on Security and Privacy, p.51-65, May 20-23, 2007 [doi>10.1109/SP.2007.35]
	42	Sean W. Smith, Trusted Computing Platforms: Design and Applications, Springer-Verlag New York, Inc., Secaucus, NJ, 2004
	43	Sukamol Srikwan and Markus Jakobsson. Using cartoons to teach internet security. DIMACS Technical Report 2007--11, July, 2007. http://www.informatics.indiana.edu/markus/documents/security-education.pdf.
	44	Sid Stamm, Zulfikar Ramzan, and Markus Jakobsson. Drive-by pharming, 2006. Indiana University Technical Report TR641, http://www.symantec.com/avcenter/reference/Driveby_Pharming.pdf.
	45	Webwhacker 5.0. http://www.bluesquirrel.com/products/webwhacker/, accessed July 26, 2007.
	46	Tara Whalen , Kori M. Inkpen, Gathering evidence: use of visual security cues in web browsers, Proceedings of Graphics Interface 2005, May 09-11, 2005, Victoria, British Columbia
	47	Min Wu , Robert C. Miller , Simson L. Garfinkel, Do security toolbars actually prevent phishing attacks?, Proceedings of the SIGCHI conference on Human Factors in computing systems, April 22-27, 2006, Montréal, Québec, Canada [doi>10.1145/1124772.1124863]
	48	Yahoo! http://security.yahoo.com/article.html?aid=2006102507, accessed July 26, 2007.