Speaker: Rachna Dhamija, U.C. Berkeley
Title: Trustworthy User Interface Design: Dynamic Security Skins
Abstract:
We propose a new scheme, Dynamic Security Skins, that allows a
remote web server to prove its identity in a way that is easy for a human
user to verify and hard for an attacker to spoof. We present two novel
interaction techniques to prevent spoofing. First, we provide a
trusted window in the web browser that is dedicated to username and password
entry. We use a photographic image to create a trusted path between the
user and this window to prevent spoofing of the window and of the text entry
fields. Second, our scheme allows the remote server to generate a
unique abstract image for each user and each transaction. This image
creates a "skin" that automatically customizes the browser window or
the user interface elements in the content of a remote web page. Our
extension allows the user's browser to independently compute the image
that it expects to receive from the server. To authenticate content from
the server, the user can visually verify that the images match.
In contrast to other proposals, our scheme places a very low burden on the user in terms of effort, memory and time. To authenticate himself, the user has to recognize only one image and remember one low entropy password, no matter how many servers he wishes to interact with. To authenticate content from an authenticated server, the user only needs to perform one visual matching operation to compare two images. Furthermore, it places a high burden of effort on an attacker to spoof customized security indicators.
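The image-matching step described above, as an added example that is not code from the talk or from the Dynamic Security Skins project. It assumes the browser and server already share a per-session secret after login; the HMAC-SHA256 derivation, the glyph grid standing in for an abstract image, and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# 16 glyphs stand in for the colours/shapes of an abstract image (assumption).
PALETTE = " .,:;-=+*oO#%&@$"

def skin_image(session_secret: bytes, user: str, transaction_id: bytes,
               size: int = 8) -> list[str]:
    """Derive a size x size glyph grid bound to one user and one transaction."""
    name = user.encode()
    # Length-prefix the user name so distinct (user, transaction) pairs
    # can never produce the same message bytes.
    msg = len(name).to_bytes(2, "big") + name + transaction_id
    stream, counter = b"", 0
    while len(stream) < size * size:  # expand the keyed digest, one byte per cell
        stream += hmac.new(session_secret, msg + bytes([counter]),
                           hashlib.sha256).digest()
        counter += 1
    cells = [PALETTE[b & 0x0F] for b in stream[:size * size]]
    return ["".join(cells[r * size:(r + 1) * size]) for r in range(size)]

def demo() -> tuple[bool, bool, bool]:
    """Compare the server's image with the browser's, a spoofer's, and a later one."""
    secret = secrets.token_bytes(32)   # constructed: secret shared after login
    txn = secrets.token_bytes(16)      # constructed: per-transaction value
    server = skin_image(secret, "alice", txn)
    browser = skin_image(secret, "alice", txn)   # computed independently
    spoofer = skin_image(secrets.token_bytes(32), "alice", txn)  # no secret
    later = skin_image(secret, "alice", secrets.token_bytes(16))
    return server == browser, server == spoofer, server == later

if __name__ == "__main__":
    print("\n".join(skin_image(b"k" * 32, "alice", b"txn-1")))
    print(demo())
```

In the scheme itself the comparison is done by the user's eye; the equality checks here only show which parties can produce a matching image.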
Biography:
Rachna Dhamija is a Ph.D. candidate at the School of Information
Management and Systems at U.C. Berkeley. Her research spans the fields of
computer security and human-computer interaction, and her dissertation
focuses on the design and evaluation of usable systems for user and server
authentication. Before coming to Berkeley, she worked on electronic
commerce privacy and security at CyberCash.