SAPHE: Secure Anti-Phishing Environment
Presented by Uri Sternfeld
Saphe surfing!
Motivation
• Phishing caused $3 billion in damages in 2007 alone
• Current solutions are not effective enough
What is Phishing?
• Any attempt to masquerade as a legitimate server in order to obtain sensitive information
• Usually done by soliciting an unsuspecting user to follow a fraudulent link
From: your bank
To: unsuspecting user
There are problems in your account. Please follow the attached link to solve them.
Why does Phishing work?
• Users are naïve
• It's hard to detect differences in URLs:
http://www.myrealbankserver.co.il/login.asp
http://www.myrea1bankserver.co.il/login.asp
• Over-reliance on SSL security
Did you notice the small lock icon in the corner?
Current solutions
• Maintaining black lists (Firefox & IE7)
• Phishing solicitation detection
• Idiosyncratic characteristics
That's me!
A relevant warning
• This was recently published on a major Israeli bank's web site: click me
The Saphe Solution
• Relies on a password known only to the user and the real server
• Protects against:
• Any impersonation of the real server
• DNS poisoning
• Man-in-the-Middle attacks
Security assumptions
• AES is a strong encryption algorithm
• SSLv3.0 is a secure protocol
• Digital certificates positively identify the owner of a domain
The general idea
• Use the password to authenticate the server to the user before using it to authenticate the user to the server
• Encrypt information about the current session to detect any tampering
How it works
• Client-side code (plugin) automatically guards the user
• Server-side code creates data that authenticates the server to the plugin
• All the user needs to do is notice the plugin dialog box (or the lack of it…)
How it really works
• Plugin automatically started when the relevant MIME-type is detected
• The password is NOT sent until the server is authenticated and the connection is proven to be tamper-free
• All links MUST be secure (HTTPS)
How it really works (ctd)
• Client-side and server-side random challenge buffers are used (to prevent replay attacks)
• Encryption key is derived from the password and the challenges
• Data integrity is guaranteed with HMAC
How it really works (ctd2)
• Key derivation function is computationally demanding to slow offline enumeration
• The server encrypts the following:
• Connection source IP address
• URL requested during the connection
• Login URL
How it really works (ctd3)
• User machine's real IP address is retrieved from a secured (HTTPS) known server
Next: Thwarting Phishing attacks!
Phishing scenario #1
• Redirecting the user to a fraudulent domain
• Forged web page similar to the real one
• Passive Phishing
• (Most common scenario)
Phishing scenario #2
• Active Phishing
Phishing scenario #3
• DNS poisoning
Phishing scenario #4
• Man-in-the-Middle
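The "How it really works" slides and the four scenario slides describe one mechanism: both sides contribute a random challenge, a slow key derivation function turns the password and the challenges into a key, and the server authenticates the connection's source IP, the requested URL and the login URL so that the plugin can compare them with what the client itself observed before any password is sent. The following Python model is an added example written for this page; it is not the SAPHE plugin's or server's own code. It assumes PBKDF2-HMAC-SHA256 as the slow key derivation function (the slides do not name one) and models the authenticated session data with an HMAC-SHA256 tag instead of the AES encryption the deck uses, so that the example runs with only the standard library. All passwords, IP addresses and the bank URL are constructed sample values.

```python
"""Added example: a minimal model of the Saphe challenge/response exchange.

Constructed for this page; it is not the SAPHE plugin's or server's own code.
Assumptions: PBKDF2-HMAC-SHA256 stands in for the "computationally demanding"
key derivation function the slides mention, and an HMAC-SHA256 tag over the
session fields stands in for the AES-encrypted session data. The example
therefore models server authentication and tamper detection, not confidentiality.
"""
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 100_000  # assumed value; slows offline password enumeration


def derive_key(password: str, client_challenge: bytes, server_challenge: bytes) -> bytes:
    """Key depends on the shared password AND both fresh challenges, so a
    captured exchange cannot be replayed under a new client challenge."""
    salt = client_challenge + server_challenge
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


def encode_session(source_ip: str, requested_url: str, login_url: str) -> bytes:
    """Length-prefixed encoding so field boundaries cannot be shifted."""
    out = b""
    for field in (source_ip, requested_url, login_url):
        data = field.encode("utf-8")
        out += len(data).to_bytes(2, "big") + data
    return out


def server_respond(password, client_challenge, source_ip, requested_url, login_url):
    """Server side: pick a fresh challenge and authenticate the session fields
    with a key that only a party knowing the password can derive."""
    server_challenge = secrets.token_bytes(16)
    key = derive_key(password, client_challenge, server_challenge)
    data = encode_session(source_ip, requested_url, login_url)
    tag = hmac.new(key, data, hashlib.sha256).digest()
    return server_challenge, tag


def plugin_verify(password, client_challenge, server_challenge, tag,
                  observed_ip, observed_url, expected_login_url) -> bool:
    """Plugin side: recompute the tag from what the client itself observed
    (its real IP from a trusted HTTPS server, the URL it actually requested)
    and the login URL it expects. Only on success may the password be sent."""
    key = derive_key(password, client_challenge, server_challenge)
    data = encode_session(observed_ip, observed_url, expected_login_url)
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def run_scenarios() -> dict:
    """Constructed inputs for the slide scenarios; returns whether the plugin
    accepts the server in each case (True means the password would be sent)."""
    password = "correct horse battery staple"  # constructed
    client_ip = "203.0.113.7"                  # constructed (documentation range)
    login_url = "https://www.myrealbankserver.co.il/login.asp"  # constructed
    client_challenge = secrets.token_bytes(16)

    # Genuine server: the fields match what the plugin observed.
    sc, tag = server_respond(password, client_challenge, client_ip, login_url, login_url)
    genuine = plugin_verify(password, client_challenge, sc, tag, client_ip, login_url, login_url)

    # Scenarios 1 and 2: a look-alike site does not know the password.
    sc2, tag2 = server_respond("guess", client_challenge, client_ip, login_url, login_url)
    phisher = plugin_verify(password, client_challenge, sc2, tag2, client_ip, login_url, login_url)

    # Scenarios 3 and 4: DNS poisoning or a MITM relays a genuine response, but
    # the real server saw the relay's IP, not the user's real IP.
    relay_ip = "198.51.100.9"  # constructed
    sc3, tag3 = server_respond(password, client_challenge, relay_ip, login_url, login_url)
    mitm = plugin_verify(password, client_challenge, sc3, tag3, client_ip, login_url, login_url)

    # Replay: an old genuine response presented under a new client challenge.
    replay = plugin_verify(password, secrets.token_bytes(16), sc, tag, client_ip, login_url, login_url)

    return {"genuine": genuine, "phisher": phisher, "mitm": mitm, "replay": replay}


if __name__ == "__main__":
    print(run_scenarios())
```

The check the plugin performs is the important design point: it never trusts the server's claim about the session, it recomputes the tag from values it obtained independently (its own IP from a known HTTPS server, the URL it requested, the login URL it expects), so a relayed-but-genuine response fails as surely as a forged one.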
Implementation details
• Firefox plugin written as a DLL in C++
• Server-side code written in C++
• Test server written in Python
• Tested on Windows XP with Firefox 1.5
Future versions
• Support more browsers and operating systems
• Automatic installer
• Allow HTML code in Saphe data
• Support password hashes
How much is the phish?
Questions?
(How many fish are in this presentation?)
For more details:
http://tau-itw.wikidot.com/project:safelogin
mailto:saphesolution@yahoo.com