Locked cookies: Web authentication security against phishing, pharming, and active attacks

Chris K. Karlof and Umesh Shankar and Doug Tygar and David Wagner

EECS Department, University of California, Berkeley

Technical Report No. UCB/EECS-2007-25

February 7, 2007

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2007/EECS-2007-25.pdf

This paper proposes new methods for web authentication that are secure against phishing and pharming attacks. We explore the use of browser cookies as authenticators that cannot inadvertently be given away by users, and introduce locked cookies, which are cookies that are bound to the originating server's public key. Locked cookies defeat phishing, pharming, and network-controlling active attacks, since the user's browser can verify that the attacker's public key is different from that of the server that set the cookie in the first place, even though the domain names may be the same. Locked cookies are transparent to the user and do not require any server-side changes. We evaluate and compare authentication schemes based on conventional cookies, IP cookies, and locked cookies.

BibTeX citation:

@techreport{Karlof:EECS-2007-25,
    Author= {Karlof, Chris K. and Shankar, Umesh and Tygar, Doug and Wagner, David},
    Title= {Locked cookies: Web authentication security against phishing, pharming, and active attacks},
    Year= {2007},
    Month= {Feb},
    Url= {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2007/EECS-2007-25.html},
    Number= {UCB/EECS-2007-25},
    Abstract= {This paper proposes new methods for web authentication that are secure against phishing and pharming attacks. We explore the use of browser cookies as authenticators that cannot inadvertently be given away by users, and introduce locked cookies, which are cookies that are bound to the originating server's public key. Locked cookies defeat phishing, pharming, and network-controlling active attacks, since the user's browser can verify that the attacker's public key is different from that of the server that set the cookie in the first place, even though the domain names may be the same. Locked cookies are transparent to the user and do not require any server-side changes. We evaluate and compare authentication schemes based on conventional cookies, IP cookies, and locked cookies.},
}

EndNote citation:

%0 Report
%A Karlof, Chris K. 
%A Shankar, Umesh 
%A Tygar, Doug 
%A Wagner, David 
%T Locked cookies: Web authentication security against phishing, pharming, and active attacks
%I EECS Department, University of California, Berkeley
%D 2007
%8 February 7
%@ UCB/EECS-2007-25
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2007/EECS-2007-25.html
%F Karlof:EECS-2007-25