Human Factors in Web Authentication

Chris K. Karlof

EECS Department, University of California, Berkeley

Technical Report No. UCB/EECS-2009-26

February 6, 2009

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-26.pdf

This dissertation endeavors to improve the security of user authentication on the World Wide Web. One threat to Web authentication is phishing, a social engineering attack that solicits users' authentication credentials by spoofing the login page of a trusted Web site. We identify human psychological tendencies that make users susceptible to phishing attacks and apply these insights to develop design principles for conditioned-safe ceremonies. Conditioned-safe ceremonies are security protocols that deliberately condition users to reflexively act in ways that protect them from attacks. Our formulation of conditioned-safe ceremonies draws on several ideas and lessons learned from the human factors and human reliability community: forcing functions, defense in depth, and the use of human tendencies, such as rule-based decision making.

We apply these principles to develop a conditioned-safe ceremony based on email for initializing credentials in machine authentication schemes. We evaluated our email ceremony with a user study of 200 participants. We simulated attacks against the users and found that our email ceremony was significantly more secure than a comparable one based on challenge questions. We found evidence that conditioning helped the email users resist attacks, but contributed to making challenge-question users more vulnerable.

We also address stronger social engineering threats against Web authentication, e.g., pharming. We describe a new attack against Web authentication we call dynamic pharming. Dynamic pharming works by hijacking DNS and sending the victim's browser malicious JavaScript, which then exploits DNS rebinding vulnerabilities and the name-based same-origin policy to hijack a legitimate session after authentication has taken place. To resist dynamic pharming attacks, we propose two locked same-origin policies for Web browsers. In contrast to the legacy same-origin policy, which enforces access control in browsers using domain names, the locked same-origin policies enforce access control using servers' X.509 certificates and public keys. We evaluate the security and deployability of our approaches and show how browsers can deploy these policies today to substantially increase their resistance to pharming attacks and provide a foundation for the development of pharming-resistant authentication mechanisms.
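To make the distinction concrete, here is an added illustration (my own code, not from the dissertation) modelling a browser's origin check: the legacy name-based rule beside a locked rule that also compares the public key each document was served under. It assumes a simplified form of the locked policy in which the server's public key becomes part of the origin; the dissertation's two policies, and their handling of certificate validity and key changes, are not modelled.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Document:
    """A loaded browser document plus the identity of the server that served it."""
    scheme: str
    host: str
    port: int
    server_pubkey: Optional[bytes]  # DER-encoded key in practice; None for plain HTTP


def key_fingerprint(pubkey: bytes) -> str:
    return hashlib.sha256(pubkey).hexdigest()


def legacy_same_origin(a: Document, b: Document) -> bool:
    """Name-based policy: scheme, host and port only; the server key is ignored."""
    return (a.scheme, a.host, a.port) == (b.scheme, b.host, b.port)


def locked_same_origin(a: Document, b: Document) -> bool:
    """Locked policy (simplified): the names must match AND both documents must
    have been served under the same public key."""
    if not legacy_same_origin(a, b):
        return False
    if a.server_pubkey is None or b.server_pubkey is None:
        # A document with no key is never same-origin with a key-locked one.
        return a.server_pubkey is None and b.server_pubkey is None
    return key_fingerprint(a.server_pubkey) == key_fingerprint(b.server_pubkey)


def script_may_access(script_doc: Document, target_doc: Document,
                      policy: Callable[[Document, Document], bool]) -> bool:
    """Would the browser let a script running in script_doc read target_doc?"""
    return policy(script_doc, target_doc)


# Constructed scenario: attacker-served JavaScript sits in a document for
# bank.example (loaded while DNS pointed at the attacker); after DNS is rebound
# to the real server, the user authenticates in a second bank.example document.
ATTACKER_KEY = b"constructed: attacker server public key"
BANK_KEY = b"constructed: legitimate bank server public key"
ATTACKER_DOC = Document("https", "bank.example", 443, ATTACKER_KEY)
SESSION_DOC = Document("https", "bank.example", 443, BANK_KEY)
```

Under the legacy policy the two documents share an origin purely because the hostname matches; under the locked policy the differing keys keep them apart.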

Advisors: David Wagner and Doug Tygar


BibTeX citation:

@phdthesis{Karlof:EECS-2009-26,
    Author= {Karlof, Chris K.},
    Title= {Human Factors in Web Authentication},
    School= {EECS Department, University of California, Berkeley},
    Year= {2009},
    Month= {Feb},
    Url= {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-26.html},
    Number= {UCB/EECS-2009-26},
    Abstract= {This dissertation endeavors to improve the security of user
authentication on the World Wide Web. One threat to Web
authentication is phishing, a social engineering attack
that solicits users' authentication credentials by spoofing the
login page of a trusted Web site. We identify human psychological
tendencies that make users susceptible to phishing attacks and
apply these insights to develop design principles for
conditioned-safe ceremonies. Conditioned-safe ceremonies
are security protocols that deliberately condition users to
reflexively act in ways that protect them from attacks. Our
formulation of conditioned-safe ceremonies draws on several ideas
and lessons learned from the human factors and human reliability
community: forcing functions, defense in depth, and the use of
human tendencies, such as rule-based decision making.

We apply these principles to develop a conditioned-safe ceremony
based on email for initializing credentials in machine
authentication schemes.  We evaluated our email ceremony with a
user study of 200 participants. We simulated attacks against the
users and found that our email ceremony was significantly more
secure than a comparable one based on challenge questions. We
found evidence that conditioning helped the email users resist
attacks, but contributed towards making challenge question users
more vulnerable.

We also address stronger social engineering threats against Web
authentication, e.g., pharming. We describe a new attack against
Web authentication we call dynamic pharming.  Dynamic
pharming works by hijacking DNS and sending the victim's browser
malicious Javascript, which then exploits DNS rebinding
vulnerabilities and the name-based same-origin policy to hijack a
legitimate session after authentication has taken place.  To
resist dynamic pharming attacks, we propose two locked
same-origin policies for Web browsers. In contrast to the legacy
same-origin policy, which enforces access control in browsers
using domain names, the locked same-origin policies enforce
access control using servers' X.509 certificates and public
keys. We evaluate the security and deployability of our
approaches and show how browsers can deploy these policies today
to substantially increase their resistance to pharming attacks
and provide a foundation for the development of pharming
resistant authentication mechanisms.},
}

EndNote citation:

%0 Thesis
%A Karlof, Chris K. 
%T Human Factors in Web Authentication
%I EECS Department, University of California, Berkeley
%D 2009
%8 February 6
%@ UCB/EECS-2009-26
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-26.html
%F Karlof:EECS-2009-26