Abstract
In an on-line transaction, a user sends her personal sensitive data (e.g., a password) to a server for authentication. This process is known as Single Sign-On (SSO). Under phishing and pharming attacks, the sensitive data may be disclosed to an adversary when the user is lured into visiting a bogus server. There has been much research on anti-phishing methods, and most of it is based on enhancing the security of browser indicators. In this paper, we present a completely different approach to defeating phishing and pharming attacks. Our method is based on an encrypted cookie: it tags the sensitive data with the server's public key and stores it as a cookie on the user's machine. When the user visits the server to perform an online transaction, the sensitive data in the cookie is encrypted with the stored public key of that server. The resulting ciphertext can only be decrypted by the genuine server. Our encrypted cookie scheme (ECS) has the advantage that the user can ignore the SSL indicator during the transaction. Security is guaranteed even if the user accepts a malicious self-signed certificate. This greatly relieves the user of the burden of checking the SSL indicator, which can be very difficult even for an experienced user when a phishing site has a sophisticated visual design.
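As an added illustration (not code from the paper), the enrol, submit and authenticate steps of the abstract's scheme in Go using RSA-OAEP from the standard library: the cookie pins the genuine server's public key at enrolment, so a second server holding its own key pair, standing in for a phishing or pharming host, cannot decrypt the submitted secret whatever certificate it presents. Server names, the site label and the password are constructed sample values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedCookie is the client-side record from the abstract: the user's
// secret tagged with the public key of the server it was enrolled with.
type EncryptedCookie struct {
	Site   string
	Pinned *rsa.PublicKey
	Secret []byte
}

// Server is a hypothetical origin owning an RSA key pair (assumed name).
type Server struct {
	Name string
	Priv *rsa.PrivateKey
}

func NewServer(name string) (*Server, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Server{Name: name, Priv: priv}, nil
}

// Enroll runs once, on first registration with the genuine server.
func Enroll(site string, pub *rsa.PublicKey, password string) EncryptedCookie {
	return EncryptedCookie{Site: site, Pinned: pub, Secret: []byte(password)}
}

// Submit encrypts the secret under the pinned key on a later sign-on,
// ignoring whatever certificate the site currently presents.
func (c EncryptedCookie) Submit() ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, c.Pinned, c.Secret, []byte(c.Site))
}

// Authenticate decrypts server-side; a host with a different key pair
// fails here even if it controls the DNS name (pharming case).
func (s *Server) Authenticate(site string, ct []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, s.Priv, ct, []byte(site))
	if err != nil {
		return "", fmt.Errorf("%s cannot decrypt: not the enrolled server", s.Name)
	}
	return string(pt), nil
}
```

The OAEP label binds the ciphertext to the site name, so a cookie enrolled for one site also cannot be replayed to a different one.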
Copyright information
© 2008 IFIP International Federation for Information Processing
Cite this paper
Wu, Y., Yao, H., Bao, F. (2008). Minimizing SSO Effort in Verifying SSL Anti-phishing Indicators. In: Jajodia, S., Samarati, P., Cimato, S. (eds) Proceedings of The Ifip Tc 11 23rd International Information Security Conference. SEC 2008. IFIP – The International Federation for Information Processing, vol 278. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-09699-5_4
DOI: https://doi.org/10.1007/978-0-387-09699-5_4
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-09698-8
Online ISBN: 978-0-387-09699-5