Stronger Password Authentication Using Browser Extensions
Blake Ross, Collin Jackson, Nick Miyake, Dan Boneh, John Mitchell
Stanford University


2. Password Phishing Problem
[Figure: the user sends pwd_A to a fake site imitating Bank A]
- User cannot reliably identify fake sites
- Captured password can be used at the target site

3. Common Password Problem
[Figure: the user sends pwd_A to Bank A (high security site) and pwd_B to Site B (vulnerable site), with pwd_B = pwd_A]
- Phishing attack or break-in at Site B reveals the password at Bank A
- Server-side solutions will not keep the password safe
- Solution: strengthen with client-side support

4. Our Solution: PwdHash
- Lightweight browser extension
- Impedes password theft
- Invisible to server
- Invisible to user
- Two mechanisms: Password Prefix and Password Hashing

5. Password Hashing
[Figure: the user types pwd_A = pwd_B, but Bank A receives hash(pwd_A, BankA) and Site B receives hash(pwd_B, SiteB)]
- Generate a unique password per site, using the user's password as the HMAC key and the site name as the message:
  HMAC_fido:123(banka.com) -> Q7a+0ekEXb
  HMAC_fido:123(siteb.com) -> OzX2+ICiqc

6. Password Hashing: past attempts
- Hash pwd with a realm provided by the remote site: HTTP 1.1 Digest Authentication, Kerberos 5
  Does not prevent phishing or the common-password problem, since the remote site chooses the realm
- Hash pwd with the network service name:
  Abadi, Bharat, Marais [PTO '97]: standalone tool
  Gabber, Gibbons, Matias, Mayer [FC '97]: proxy; relies on intercepting traffic, so it can't handle https

7. Password Hashing: a popular idea
- Recent password hashing projects: Site Password, Password Maker, Genpass, Passwdlet, Password Composer, Magic Password Generator, Password Generator Extension, PwdHash
- Similar hashing algorithms
- Only PwdHash defends against spoofing and is invisible to the user

8. The Spoofing Problem
- JavaScript on a phishing page can display fake password fields or login dialogs
- If hashing is triggered only by genuine password fields, the unhashed password is sent to the attacker in the clear

9. Password Prefix
[Figure: the user types the prefix followed by the password; Site B only ever sees OzX2+ICiqc]
- The original password should never be visible to the web page

10. Password Prefix: How it works
- Normal operation: prefix typed in a password field
  [Figure: the user types fido:123 after the prefix; the field displays **********, the page's scripts see only dummy keystrokes (abcdefgh), and on submit the field is replaced by HMAC_fido:123(siteb.com) -> OzX2+ICiqc]
- Abnormal operation: prefix typed in a non-password field
  Can just ignore the prefix and not hash
  Remind the user not to enter the password

11. Why use Password Prefix?
- Protection mechanism "built in" to the password
- Does not rely on the user to make a decision
- Same prefix works for everyone
- Distinguishes secure passwords from normal passwords, social security numbers, PINs
- Only use it when you want to

12. Other Trusted Pwd Interfaces
- Password prefix (passwords starting with the PwdHash prefix)
- Secure attention sequence
- Trusted image or phrase: Passmark, DSS (Dynamic Security Skins)

13. Other Challenges
- Password Reset
- Internet Cafes
- Dictionary Attacks
- Spyware, DNS poisoning (no protection)
- Other issues (described in the paper): choosing the salt for the hash, encoding the hashed password, additional attacks and defenses

14. Password Reset
- After install, PwdHash can't protect existing passwords
  Only passwords starting with the prefix are secure
  User can choose where to use PwdHash
  User must enter the old password unhashed into the password reset page
- Pwd Prefix makes it easy
  Old passwords won't be accidentally hashed
  New, secure passwords are automatically hashed

15. Internet Cafes
- Users cannot install software at Internet Cafes
- Would not be a problem if PwdHash were universally available
- Interim solution: a secure web site for remote hashing (e.g. the URL given on the slide)
- Hash is computed using JavaScript in the browser
  Server never sees the password
  Resulting hash is copied into the clipboard
  Can also be used as a standalone password generator

16. Dictionary attacks
- After a phishing attack or break-in at a low-security site, the attacker holds hash(pwd, site) and can repeatedly guess the password offline and check each guess against the hash (aardvark, aback, abacus, abandon, ...)
  Succeeds on about 15% of passwords (unlike 100% today, where the site holds the password itself)
  Less effective on longer, stronger passwords
- Solution: a better authentication protocol (SPEKE, SRP, etc.)
  Requires server-side changes
- Defense: the user specifies a global password that strengthens all password hashes
  Creates a new password management problem for shared machines
- Defense: slow hash function (Halderman, Waters, Felten '05)
  Increases the time of a dictionary attack

17. PwdHash: Try it out
- Prototype for Internet Explorer and Mozilla Firefox
- Defends against spoofing
- Invisible to user
- Invisible to server
- Complementary to other anti-phishing solutions
- Only use it when you want to