A Zero Knowledge Password Proof Mutual Authentication Technique Against Real-Time Phishing Attacks

Sharifi, Mohsen; Saberi, Alireza; Vahidi, Mojtaba; Zorufi, Mohammad

doi:10.1007/978-3-540-77086-2_20

Cited by 12 publications

(9 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The main goal is to not submit the password in plaintext to an unauthenticated remote server but mutually authenticate client and server [16,42,47], utilize a zero-knowledge protocol to avoid transmitting confidential information [22], check for user-specific knowledge that changes over time [31], use trusted second devices to establish an authenticated session [34], generate site-specific passwords from a seed [39], or use bookmarks as a secure entry point [1].…”

Section: Sophisticated Authentication Protocolsmentioning

confidence: 99%

PhishSafe

Braun

Johns²,

Koestler

et al. 2014

Proceedings of the 4th ACM Conference on Data and Application Security and Privacy

View full text Add to dashboard Cite

The term "phishing" describes a class of social engineering attacks on authentication systems, that aim to steal the victim's authentication credential, e.g., the username and password. The severity of phishing is recognized since the mid-1990's and a considerable amount of attention has been devoted to the topic. However, currently deployed or proposed countermeasures are either incomplete, cumbersome for the user, or incompatible with standard browser technology. In this paper, we show how modern JavaScript API's can be utilized to build PhishSafe, a robust authentication scheme, that is immune against phishing attacks, easily deployable using the current browser generation, and requires little change in the end-user's interaction with the application. We evaluate the implementation and find that it is applicable to web applications with low efforts and causes no tangible overhead.

show abstract

Section: Sophisticated Authentication Protocolsmentioning

confidence: 99%

PhishSafe

Braun

Johns²,

Koestler

et al. 2014

Proceedings of the 4th ACM Conference on Data and Application Security and Privacy

View full text Add to dashboard Cite

show abstract

“…It performs a 2-way authentication and resists on-line and off-line dictionary attacks. SPEKE is used in APA with some modifications [14].…”

Section: E Communication Based Anti-phishing Techniquesmentioning

confidence: 99%

Anti Phishing for Mid-Range Mobile Phones

Memon¹,

Khan²

2013

IJCCE

View full text Add to dashboard Cite

Abstract-E-commerce has been the centre of attraction for millions of users, because people now want to perform important activities like buying and selling etc. over internet through personal computers or mobile phones. This has compelled service providers to devise reliable and secure ways for Ecommerce through which users can perform transactions without any risk.E-commerce trade has experienced the largest number of cyber crimes that includes various types of security attacks. Phishing attack is the one most common among these all, as the mobile banking is getting popular, hence protecting the mobile users from phishing attacks is very important; particularly mid-range mobile users, because these users are easy target of attackers as mid-range mobile phones do not support feature like anti-virus or anti-phishing tool.A mobile based anti phishing mechanism is proposed as shown in experiments, particularly for mid-range mobile phones that would protect users and their critical financial information from phishing attacks by generating three types of warnings such as vibration, flashing and text alert based warning, hence user would be restricted to visit any fake Webpage.Index Terms-Cyber crime, mobile banking security, phishing.

show abstract

“…Furthermore, several alternatives and enhancements in respect to the form-based communication of passwords have been made, such as [223], [228], [240], or [159]. Most of these techniques were designed to prevent phishing attacks in general and were not specifically targeted at XSS attacks.…”

Section: Countering Attacks In the Application Contextmentioning

confidence: 99%

Code-injection Vulnerabilities in Web Applications — Exemplified at Cross-site Scripting

Johns¹

2011

Itit

View full text Add to dashboard Cite

The majority of all security problems in today's Web applications is caused by stringbased code injection, with Cross-site Scripting (XSS) being the dominant representative of this vulnerability class. This thesis discusses XSS and suggests defense mechanisms. We do so in three stages:First, we conduct a thorough analysis of JavaScript's capabilities and explain how these capabilities are utilized in XSS attacks. We subsequently design a systematic, hierarchical classification of XSS payloads. In addition, we present a comprehensive survey of publicly documented XSS payloads which is structured according to our proposed classification scheme.Secondly, we explore defensive mechanisms which dynamically prevent the execution of some payload types without eliminating the actual vulnerability. More specifically, we discuss the design and implementation of countermeasures against the XSS payloads "Session Hijacking", "Cross-site Request Forgery", and attacks that target intranet resources. We build upon this and introduce a general methodology for developing such countermeasures: We determine a necessary set of basic capabilities an adversary needs for successfully executing an attack through an analysis of the targeted payload type. The resulting countermeasure relies on revoking one of these capabilities, which in turn renders the payload infeasible.Finally, we present two language-based approaches that prevent XSS and related vulnerabilities: We identify the implicit mixing of data and code during string-based syntax assembly as the root cause of string-based code injection attacks. Consequently, we explore data/code separation in web applications. For this purpose, we propose a novel methodology for token-level data/code partitioning of a computer language's syntactical elements. This forms the basis for our two distinct techniques: For one, we present an approach to detect data/code confusion on run-time and demonstrate how this can be used for attack prevention. Furthermore, we show how vulnerabilities can be avoided through altering the underlying programming language. We introduce a dedicated datatype for syntax assembly instead of using string datatypes themselves for this purpose. We develop a formal, type-theoretical model of the proposed datatype and proof that it provides reliable separation between data and code hence, preventing code injection vulnerabilities. We verify our approach's applicability utilizing a practical implementation for the J2EE application server.

show abstract

A Zero Knowledge Password Proof Mutual Authentication Technique Against Real-Time Phishing Attacks

Cited by 12 publications

References 5 publications

PhishSafe

PhishSafe

Anti Phishing for Mid-Range Mobile Phones

Code-injection Vulnerabilities in Web Applications — Exemplified at Cross-site Scripting

Contact Info

Product

Resources

About