Speaker: Steven Myers, School of Informatics, Indiana University at Bloomington
Title: Delayed Password Disclosure
Abstract:
In order to reduce the ability of phishers to launch
successful attacks, we suggest that users request authentication from
their service providers. In other words, we suggest that the client
and service provider engage in mutual authentication. Such
authentication is known to be achievable with techniques from
public-key cryptography, but the traditional solutions are not
appealing due to the historical difficulty users have had in
understanding related concepts such as certificates and the notions
of public and private keys. Further, when accessed through the
web browser, the ability of the user to trust the supposedly secure
interface is severely limited.
We will discuss a protocol for mutual authentication that relies solely on a client being able to remember a password to authenticate him or herself to the service provider, and the ability to recognize (and not recall, as in the case of a password) a unique series of images and/or sounds corresponding to the appropriate service provider. If the user recognizes the correct sequence of pictures and sounds, then he or she can have considerable trust that they are talking to the correct server, and interfacing with the appropriate authentication software. Alternatively, if the user does not recognize the presented sequence of images or sounds, then the user is likely to be interacting with an inappropriate server.
Biography:
Steven Myers is an Assistant Professor at the School of
Informatics, Indiana University at Bloomington and Adjunct Assistant
Professor for the Department of Computer Science at Indiana
University at Bloomington. He is also an affiliate of the Centre for
Applied Cybersecurity at Indiana University. In industry, he has
interned at the Mathematical Research Division of Telcordia
Technologies and developed and implemented cryptographic technology
for Echoworx Corp., a company that has developed easy-to-use
S/MIME-compliant e-mail products. He also has two patents pending, and is
in the process of filing for a third.