UCF

PwdIP-Hash



Description

Problems caused by Phishing and Pharming. Phishing and Pharming, the leading threats leading to identity theft, result in losses of millions of dollars each year. Many solutions have been proposed to guard against these attacks. Among them, password-based solutions may require additional hardware and remain vulnerable to man-in-the-middle attacks; multi-challenge/response based solutions are mostly complicated and may also be susceptible to denial-of-service attacks; and detection-based solutions are ineffective if users dismiss the warnings they generate.

A Novel Lightweight Solution. We present a novel lightweight password-based solution that safeguards users from Phishing and Pharming attacks. The proposed authentication relies on a hashed password, which is the hash value of the user-typed password and the authentication server's IP address. If a user is unknowingly directed to a malicious server by a phishing or pharming attack, the password obtained by the malicious server will be tied to the malicious server's IP address and will not be usable by the attacker at the real server; hence, the phishing/pharming attack is defeated. The proposed solution does not increase the number of authentication messages exchanged, nor does it require additional hardware tokens. The solution is also safe against denial-of-service attacks since no state is maintained on the server side during the authentication process. The solution is not affected if a server has multiple IP addresses and performs load balancing, as long as the authentication process proceeds over one single IP address. We have prototyped our design both as a web browser plug-in and as a standalone application. A comprehensive user study was conducted, and the results show that the design is easy to use and that users are willing to use the application to protect their passwords.

Here is the technical paper describing this research.


Download

Please note: These prototypes are intended for demonstration purposes only. They may have security vulnerabilities and programming bugs. The browser plug-in prototype is built on the PwdHash model developed by Ross et al. We reused their basic key-hook framework (so the usage is the same) and replaced some functions according to our own needs. For usage details, please see the User Manual.


Usability Study

A comprehensive user study was carried out to check the usability of the proposed solutions.

Project Staff:


UCF Network Security Lab