Prototyping a Lightweight Trust Architecture to Fight Phishing - - PowerPoint PPT Presentation

prototyping a lightweight trust architecture to fight
SMART_READER_LITE
LIVE PREVIEW

Prototyping a Lightweight Trust Architecture to Fight Phishing - - PowerPoint PPT Presentation

Dec 24, 2022 167 likes •426 views

Prototyping a Lightweight Trust Architecture to Fight Phishing David Chau 6 October 2005 Prototyping a Lightweight Trust Architecture to Fight Phishing David Chau 6 October 2005 6.UAP LTA Presentation Thanks to my collaborators Ben

slide-1
SLIDE 1

David Chau 6.UAP LTA Presentation Prototyping a Lightweight Trust Architecture to Fight Phishing 6 October 2005

Prototyping a Lightweight Trust Architecture to Fight Phishing

David Chau 6 October 2005

slide-2
SLIDE 2

David Chau 6.UAP LTA Presentation Prototyping a Lightweight Trust Architecture to Fight Phishing 6 October 2005

Thanks to my collaborators …

Ben Adida Susan Hohenberger Ron Rivest

slide-3
SLIDE 3

David Chau 6.UAP LTA Presentation Prototyping a Lightweight Trust Architecture to Fight Phishing 6 October 2005

Outline

The phishing problem Existing solutions SIBR and LTA The prototype

DNS, key server, e-mail client Message processing, cryptographic primitives

Future work

slide-4
SLIDE 4

David Chau 6.UAP LTA Presentation Prototyping a Lightweight Trust Architecture to Fight Phishing 6 October 2005

A Phishy E-mail

From: Support PayPal <do-not-reply@paypal.com> Reply-To: do-not-reply@paypal.com To: ddcc@mit.edu Subject: Please Restore Your Account Access Date: Sun, 3 Apr 2005 15:57:28 -0400 Dear PayPal Member, Recently there have been a large number of identity theft attempts targeting PayPal

  • customers. In order to safeguard your account,

we require that you confirm your PayPal details (Credit Card information and login/password for PayPal login , if you have). This process is mandatory , and if not completed Within the nearest time your account may be subject to temporary suspension. To securely confirm you PayPal details please follow the link below :

https://www.paypal.com/cgi-bin/webscr?request=Reactivate

Thank you for prompt attention to this matter and thank you for using PayPal ! PayPal - Fraud Center 1-800-PayPal. fraud_prevention@PayPal.com Do not reply to this e-mail as it is an unmonitored alias

slide-5
SLIDE 5

David Chau 6.UAP LTA Presentation Prototyping a Lightweight Trust Architecture to Fight Phishing 6 October 2005

The problem: E-mail messages aren’t authenticated

slide-6
SLIDE 6

David Chau 6.UAP LTA Presentation Prototyping a Lightweight Trust Architecture to Fight Phishing 6 October 2005

Existing solutions SPF/SenderID

$ dig -t txt mit.edu ;; ANSWER SECTION: mit.edu. 60 IN TXT "v=spf1 ip4:18.7.7.0/24 ip4:18.7.21.0/24 ip4:18.72.0.0/16 ~all"

slide-7
SLIDE 7

David Chau 6.UAP LTA Presentation Prototyping a Lightweight Trust Architecture to Fight Phishing 6 October 2005

Existing solutions DomainKeys

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received: Date:From:Subject:To:Cc:MIME-Version:Content- Type:Content-Transfer-Encoding; b=kt0N/9igWyJYRe8v5XDaQZuvvdJRHh9pXHPVHbZ1XzKaA7M 6lD7LgrmpFAukvGgWJ3P2LRGNTpYT37mMYPdWx3fJd4qWFXpP ZQtIRa+WVGD5RhjI6YdPwnPoSg6CY9GieFL8EmuyQW0ElLg2f pX4YgcyZU+pkub+ZSUhv7BiJ40= ;

slide-8
SLIDE 8

David Chau 6.UAP LTA Presentation Prototyping a Lightweight Trust Architecture to Fight Phishing 6 October 2005

Existing solutions

PGP X.509 … and more ...

slide-9
SLIDE 9

David Chau 6.UAP LTA Presentation Prototyping a Lightweight Trust Architecture to Fight Phishing 6 October 2005

SIBR:

Separable … identity-based … ring signatures

slide-10
SLIDE 10

David Chau 6.UAP LTA Presentation Prototyping a Lightweight Trust Architecture to Fight Phishing 6 October 2005

Identity-based:

Your name (or e-mail address) is your public key

slide-11
SLIDE 11

David Chau 6.UAP LTA Presentation Prototyping a Lightweight Trust Architecture to Fight Phishing 6 October 2005

Separable

Different users can use different parameters

slide-12
SLIDE 12

David Chau 6.UAP LTA Presentation Prototyping a Lightweight Trust Architecture to Fight Phishing 6 October 2005

Ring signatures

One of us signed it, but you can’t prove it was me Repudiable signatures!

slide-13
SLIDE 13

David Chau 6.UAP LTA Presentation Prototyping a Lightweight Trust Architecture to Fight Phishing 6 October 2005

LTA

Lightweight Trust Architecture

Master public key on DNS server Secret keys e-mailed to users Sign with sender’s secret key and recipient’s public key Just secure enough for e-mail

slide-14
SLIDE 14

David Chau 6.UAP LTA Presentation Prototyping a Lightweight Trust Architecture to Fight Phishing 6 October 2005

The components

Things we had to build

slide-15
SLIDE 15

David Chau 6.UAP LTA Presentation Prototyping a Lightweight Trust Architecture to Fight Phishing 6 October 2005

The DNS server

Master public key in DNS

Generated by administrator of a domain Stored as TXT record in _lta subdomain

slide-16
SLIDE 16

David Chau 6.UAP LTA Presentation Prototyping a Lightweight Trust Architecture to Fight Phishing 6 October 2005

The key server

user’s e-mail address expiration date

{ }

master secret key user’s secret key

(identity-based public key)

slide-17
SLIDE 17

David Chau 6.UAP LTA Presentation Prototyping a Lightweight Trust Architecture to Fight Phishing 6 October 2005

The key server

Web-based interface Secret key sent to user’s e-mail account Selectable expiration date critical for repudiability Prototype implemented in Python

slide-18
SLIDE 18

David Chau 6.UAP LTA Presentation Prototyping a Lightweight Trust Architecture to Fight Phishing 6 October 2005

E-mail client integration

Easy to sign and verify messages Key management Prototype with Rmail (Emacs mail client)

slide-19
SLIDE 19

David Chau 6.UAP LTA Presentation Prototyping a Lightweight Trust Architecture to Fight Phishing 6 October 2005

Message processing

Message canonicalization Signature covers message body and key headers Signature inserted as header For the future: more sophisticated handling, MIME

slide-20
SLIDE 20

David Chau 6.UAP LTA Presentation Prototyping a Lightweight Trust Architecture to Fight Phishing 6 October 2005

Cryptography

Many ways to implement identity-based signature schemes

Bohen-Franklin keys

Bilinear maps Unfortunately, patented

Guillou-Quisquater signatures

Based on RSA

slide-21
SLIDE 21

David Chau 6.UAP LTA Presentation Prototyping a Lightweight Trust Architecture to Fight Phishing 6 October 2005

Cryptography

We implemented both Signing and verification reasonably fast Keys are short enough to fit inside 512-byte DNS reply

slide-22
SLIDE 22

David Chau 6.UAP LTA Presentation Prototyping a Lightweight Trust Architecture to Fight Phishing 6 October 2005

What we accomplished

Demonstrated complete prototype of an LTA system: DNS server that servers master public keys Web-based key server that sends secret keys to users

  • n demand

E-mail client that can sign and verify messages

Performs DNS key lookups on the fly Imports and uses secret keys from the key server

slide-23
SLIDE 23

David Chau 6.UAP LTA Presentation Prototyping a Lightweight Trust Architecture to Fight Phishing 6 October 2005

Where to go from here …

Deployment issues

LTA is easier than traditional public-key infrastructure

More complex usage scenarios

For example: repudiable messages to mailing lists

Implementation improvements

slide-24
SLIDE 24

David Chau 6.UAP LTA Presentation Prototyping a Lightweight Trust Architecture to Fight Phishing 6 October 2005

Thank you!