Human Factors in Web Authentication
Chris K. Karlof
EECS Department, University of California, Berkeley
Technical Report No. UCB/EECS-2009-26
February 6, 2009
http://www2.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-26.pdf
This dissertation endeavors to improve the security of user authentication on the World Wide Web. One threat to Web authentication is phishing, a social engineering attack that solicits users' authentication credentials by spoofing the login page of a trusted Web site. We identify human psychological tendencies that make users susceptible to phishing attacks and apply these insights to develop design principles for conditioned-safe ceremonies. Conditioned-safe ceremonies are security protocols that deliberately condition users to reflexively act in ways that protect them from attacks. Our formulation of conditioned-safe ceremonies draws on several ideas and lessons learned from the human factors and human reliability community: forcing functions, defense in depth, and the use of human tendencies, such as rule-based decision making.
We apply these principles to develop a conditioned-safe ceremony based on email for initializing credentials in machine authentication schemes. We evaluated our email ceremony with a user study of 200 participants. We simulated attacks against the users and found that our email ceremony was significantly more secure than a comparable one based on challenge questions. We found evidence that conditioning helped the email users resist attacks, but contributed towards making challenge question users more vulnerable.
We also address stronger social engineering threats against Web authentication, e.g., pharming. We describe a new attack against Web authentication we call dynamic pharming. Dynamic pharming works by hijacking DNS and sending the victim's browser malicious JavaScript, which then exploits DNS rebinding vulnerabilities and the name-based same-origin policy to hijack a legitimate session after authentication has taken place. To resist dynamic pharming attacks, we propose two locked same-origin policies for Web browsers. In contrast to the legacy same-origin policy, which enforces access control in browsers using domain names, the locked same-origin policies enforce access control using servers' X.509 certificates and public keys. We evaluate the security and deployability of our approaches and show how browsers can deploy these policies today to substantially increase their resistance to pharming attacks and provide a foundation for the development of pharming-resistant authentication mechanisms.
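The abstract's contrast between the legacy, name-based same-origin policy and a locked policy keyed on the server's certificate and public key can be seen in a small browser-side model. The Python below is an added illustration, not code from the dissertation: the two "locked" checks are modeling assumptions (name match plus certificate-validity status, and name match plus identical public key) chosen to show the idea, not the dissertation's exact definitions, and the hostnames, keys and documents are constructed. The rebinding scenario is the one the abstract describes: a document served under the bank's host name after DNS has been hijacked, which a name-only policy cannot distinguish from the bank itself.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Origin:
    """What a browser knows about the server a document was loaded from.

    scheme/host/port are the legacy same-origin attributes; pubkey and
    cert_valid are the extra attributes a locked policy can consult.
    """
    scheme: str
    host: str
    port: int
    pubkey: Optional[bytes] = None  # server certificate public key (None for http)
    cert_valid: bool = False        # whether the certificate chain validated


def key_id(pubkey: bytes) -> str:
    """Short, stable identifier for a public key (SHA-256 prefix), for logging."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


def legacy_same_origin(a: Origin, b: Origin) -> bool:
    """Name-based policy: scheme, host and port must match."""
    return (a.scheme, a.host, a.port) == (b.scheme, b.host, b.port)


def weak_locked_same_origin(a: Origin, b: Origin) -> bool:
    """Modeling assumption: name match plus the same certificate-validity status."""
    return legacy_same_origin(a, b) and a.cert_valid == b.cert_valid


def strong_locked_same_origin(a: Origin, b: Origin) -> bool:
    """Modeling assumption: name match plus an identical server public key."""
    return (legacy_same_origin(a, b)
            and a.pubkey is not None
            and a.pubkey == b.pubkey)


POLICIES = {
    "legacy": legacy_same_origin,
    "weak_locked": weak_locked_same_origin,
    "strong_locked": strong_locked_same_origin,
}

# Constructed sample keys; real ones would be DER-encoded SubjectPublicKeyInfo.
BANK_KEY = b"constructed-public-key-of-bank.example"
ATTACKER_KEY = b"constructed-public-key-of-attacker"


def evaluate_scenarios() -> dict:
    """Decide, under each policy, whether document b may access the session document a.

    a is the user's authenticated session at https://bank.example, served with
    the bank's key and a valid certificate. Three candidate b documents:
      same_server   - another page from the bank (must be allowed)
      rebound       - same host name after a DNS rebind, attacker key, invalid cert
      rebound_valid - as above, but the attacker holds a valid cert for the name
    Returns {scenario: {policy: allowed?}}.
    """
    session = Origin("https", "bank.example", 443, BANK_KEY, True)
    candidates = {
        "same_server": Origin("https", "bank.example", 443, BANK_KEY, True),
        "rebound": Origin("https", "bank.example", 443, ATTACKER_KEY, False),
        "rebound_valid": Origin("https", "bank.example", 443, ATTACKER_KEY, True),
    }
    return {
        name: {policy: check(session, doc) for policy, check in POLICIES.items()}
        for name, doc in candidates.items()
    }


if __name__ == "__main__":
    for name, verdicts in evaluate_scenarios().items():
        print(f"{name:14s}",
              {p: ("allow" if v else "deny") for p, v in verdicts.items()})
```

Running it shows the name-based policy allowing the rebound document in every case, the validity-keyed check stopping only the attacker without a valid certificate, and the key-keyed check denying both rebound documents while still allowing the bank's own pages; that difference is why binding the origin to the public key, not just to the name, is the property a pharming-resistant scheme needs.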
Advisors: David Wagner and Doug Tygar
BibTeX citation:
@phdthesis{Karlof:EECS-2009-26,
  Author   = {Karlof, Chris K.},
  Title    = {Human Factors in Web Authentication},
  School   = {EECS Department, University of California, Berkeley},
  Year     = {2009},
  Month    = {Feb},
  Url      = {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-26.html},
  Number   = {UCB/EECS-2009-26},
  Abstract = {This dissertation endeavors to improve the security of user authentication on the World Wide Web. One threat to Web authentication is phishing, a social engineering attack that solicits users' authentication credentials by spoofing the login page of a trusted Web site. We identify human psychological tendencies that make users susceptible to phishing attacks and apply these insights to develop design principles for conditioned-safe ceremonies. Conditioned-safe ceremonies are security protocols that deliberately condition users to reflexively act in ways that protect them from attacks. Our formulation of conditioned-safe ceremonies draws on several ideas and lessons learned from the human factors and human reliability community: forcing functions, defense in depth, and the use of human tendencies, such as rule-based decision making. We apply these principles to develop a conditioned-safe ceremony based on email for initializing credentials in machine authentication schemes. We evaluated our email ceremony with a user study of 200 participants. We simulated attacks against the users and found that our email ceremony was significantly more secure than a comparable one based on challenge questions. We found evidence that conditioning helped the email users resist attacks, but contributed towards making challenge question users more vulnerable. We also address stronger social engineering threats against Web authentication, e.g., pharming. We describe a new attack against Web authentication we call dynamic pharming. Dynamic pharming works by hijacking DNS and sending the victim's browser malicious JavaScript, which then exploits DNS rebinding vulnerabilities and the name-based same-origin policy to hijack a legitimate session after authentication has taken place. To resist dynamic pharming attacks, we propose two locked same-origin policies for Web browsers. In contrast to the legacy same-origin policy, which enforces access control in browsers using domain names, the locked same-origin policies enforce access control using servers' X.509 certificates and public keys. We evaluate the security and deployability of our approaches and show how browsers can deploy these policies today to substantially increase their resistance to pharming attacks and provide a foundation for the development of pharming-resistant authentication mechanisms.},
}
EndNote citation:
%0 Thesis
%A Karlof, Chris K.
%T Human Factors in Web Authentication
%I EECS Department, University of California, Berkeley
%D 2009
%8 February 6
%@ UCB/EECS-2009-26
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-26.html
%F Karlof:EECS-2009-26