Trustworthy User Interface Design: Dynamic Security Skins Rachna Dhamija and J.D. Tygar University of California, Berkeley TIPPI Workshop June 13, 2005.
2 Security Properties for Usability
1. Limited human skills property
2. Unmotivated users property
3. General purpose graphics property
4. Golden arches property
5. Barn door property

3 Password Authenticated Key Agreement
- A number of protocols exist:
  - EKE, SPEKE, SNAPI, AuthA, PAK, SRP, etc.
- Advantages:
  - user doesn't need a trusted device
  - secret is stored in the memory of the user
  - server doesn't store the password
  - no passwords are sent over the network
  - user authentication & mutual authentication
- BUT won't stop phishing!

4 Our Solution: Usability Goals
- User must be able to verify the password prompt before entering the password
- Rely on human skills
  - To log in, recognize 1 image & recall 1 password
  - To verify the server, compare 2 images
- Hard to spoof security indicators

5 Trusted Password Window
- Dedicated window
- Trusted path
- Customization
- Random photo assigned or chosen
- Image stored in browser
- Image overlaid across window
- User recognizes image first
  - then enters password
- Password not sent to server

6 Security Indicators
- How can the user distinguish secure windows?
  - static indicators
  - user customization
  - automated customization

7 Firefox Browser - 4 SSL indicators

8 Firefox Browser - No insecure indicators

9 Customized Indicators: Petname Toolbar

10 Automated Indicators: Secure Random Dynamic Boundaries

11 Our Solution: Dynamic Security Skins
- Automatically customize secure windows
- Visual hashes
  - Random Art - visual hash algorithm
  - Generate a unique abstract image for each authentication
  - Use the image to "skin" windows or web content
  - Browser generated or server generated

12 Browser Generated Images
- Browser chooses a random number and generates an image
- Can be used to modify the window border or web elements

13 Server Generated Images
- Server & browser independently generate the same image
- Server can customize its own page

14 Conclusions
- Benefits:
  - Achieves mutual authentication
  - Resistant to phishing and spoofing
  - Relies on human skills
- Weaknesses:
  - Users must check images (easier than checking a cert)
  - Local storage of the personal image reduces portability and requires security
  - Doesn't address spyware or keyloggers

15 Status and Future Work
- Iterative design & "lo-fi" testing of the interface (Mozilla XUL and CSS)
- Formal user study
- DSS Mozilla extension
- Published in SOUPS '05