Presentation is loading. Please wait.

Presentation is loading. Please wait.

Trustworthy User Interface Design: Dynamic Security Skins Rachna Dhamija and J.D. Tygar University of California, Berkeley TIPPI Workshop June 13, 2005.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Trustworthy User Interface Design: Dynamic Security Skins Rachna Dhamija and J.D. Tygar University of California, Berkeley TIPPI Workshop June 13, 2005."— Presentation transcript:

1 Trustworthy User Interface Design: Dynamic Security Skins Rachna Dhamija and J.D. Tygar University of California, Berkeley TIPPI Workshop June 13, 2005

2 2 Security Properties for Usability 1.Limited human skills property 2.Unmotivated users property 3.General purpose graphics property 4.Golden arches property 5.Barn door property

3 3 Password Authenticated Key Agreement  A number of protocols exist: –EKE, SPEKE, SNAPI, AuthA, PAK, SRP, etc…  Advantages: –user doesn’t need a trusted device –secret stored in memory of the user –server doesn’t store password –no passwords sent over the network –user authentication & mutual authentication  BUT won’t stop phishing!

4 4 Our Solution: Usability Goals  User must be able to verify password prompt, before entering password  Rely on human skills –To login, recognize 1 image & recall 1 password –To verify server, compare 2 images  Hard to spoof security indicators

5 5 Trusted Password Window  Dedicated window  Trusted path  customization  Random photo assigned or chosen  Image stored in browser  Image overlaid across window  User recognizes image first –then enters password  Password not sent to server

6 6 Security Indicators  How can the user distinguish secure windows? –static indicators –user customization –automated customization

7 7 Firefox Browser - 4 SSL indicators

8 8 Firefox browser - No unsecure indicators

9 9 Customized Indicators: Petname Toolbar

10 10 Automated Indicators: Secure Random Dynamic Boundaries

11 11 Our Solution: Dynamic Security Skins  Automatically customize secure windows  Visual hashes – Random Art - visual hash algorithm – Generate unique abstract image for each authentication – Use the image to “skin” windows or web content – Browser generated or server generated

12 12 Browser Generated Images  Browser chooses random number and generates image  Can be used to modify border or web elements

13 13 Server Generated Images  Server & browser independently generate same image  Server can customize its own page

14 14 Conclusions  Benefits: –Achieves mutual authentication –Resistant to phishing and spoofing –Relies on human skills  Weaknesses: –Users must check images (easier than checking a cert) –Local storage of personal image reduces portability, requires security –Doesn’t address spyware, keyloggers

15 15 Status and Future Work  Iterative design & “lo-fi” testing of interface (Mozilla XUL and CSS)  Formal user study  DSS Mozilla extension  Published in SOUPS `05

16 16

Download ppt "Trustworthy User Interface Design: Dynamic Security Skins Rachna Dhamija and J.D. Tygar University of California, Berkeley TIPPI Workshop June 13, 2005."

Similar presentations

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.
Learning the Basics – Lesson 1

Learning the Basics – Lesson 1
Passwords Don’t Get No Respect – Or, How to Make the Most of Weak Shared Secrets Burt Kaliski, RSA Laboratories DIMACS Workshop on Theft in E-Commerce.

Passwords Don’t Get No Respect – Or, How to Make the Most of Weak Shared Secrets Burt Kaliski, RSA Laboratories DIMACS Workshop on Theft in E-Commerce.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Chapter 1 Creating a Flyer

Chapter 1 Creating a Flyer
Users Are Not Dependable How to make security indicators that protect them better Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial.

Users Are Not Dependable How to make security indicators that protect them better Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial.
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
Toolbox Mirror -Overview Effective Distributed Learning.

Toolbox Mirror -Overview Effective Distributed Learning.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science ©2002-2004 Matt.

Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science © Matt.
10/20/2009 Loomi Liao.  The problems  Some anti-phishing solutions  The Web Wallet solutions  The Web Wallet User Interface  User study  Discussion.

10/20/2009 Loomi Liao.  The problems  Some anti-phishing solutions  The Web Wallet solutions  The Web Wallet User Interface  User study  Discussion.
Privacy and Security on the Web Part 1. Agenda Questions? Stories? Questions? Stories? IRB: I will review and hopefully send tomorrow. IRB: I will review.

Privacy and Security on the Web Part 1. Agenda Questions? Stories? Questions? Stories? IRB: I will review and hopefully send tomorrow. IRB: I will review.
Online Security Tuesday April 8, 2003 Maxence Crossley.

Online Security Tuesday April 8, 2003 Maxence Crossley.
Stronger Password Authentication Using Browser Extensions Blake Ross, Collin Jackson, Nick Miyake, Dan Boneh, John Mitchell Stanford University

Stronger Password Authentication Using Browser Extensions Blake Ross, Collin Jackson, Nick Miyake, Dan Boneh, John Mitchell Stanford University
June 19, 2006TIPPI21 Web Wallet Preventing Phishing Attacks by Revealing User Intentions Rob Miller & Min Wu User Interface Design Group MIT CSAIL Joint.

June 19, 2006TIPPI21 Web Wallet Preventing Phishing Attacks by Revealing User Intentions Rob Miller & Min Wu User Interface Design Group MIT CSAIL Joint.
Context-Aware Phishing Attacks and Client-Side Defenses Collin Jackson Stanford University.

Context-Aware Phishing Attacks and Client-Side Defenses Collin Jackson Stanford University.
Providing Trusted Paths Using Untrusted Components Andre L. M. dos Santos Georgia Institute of Technology

Providing Trusted Paths Using Untrusted Components Andre L. M. dos Santos Georgia Institute of Technology
Graphical Passwords with Integrated Trustworthy Interface TIPPI Workshop June 19, 2006 Patricia Lareau V P Product Management.

Graphical Passwords with Integrated Trustworthy Interface TIPPI Workshop June 19, 2006 Patricia Lareau V P Product Management.
OpenID And the Future of Digital Identity Alicia Bozyk April 1, 2008.

OpenID And the Future of Digital Identity Alicia Bozyk April 1, 2008.
Web Browser Privacy and Security Part I. Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong

Web Browser Privacy and Security Part I. Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong

Similar presentations

Ads by Google