Saphe surfing! SAPHE Secure Anti-Phishing Environment, presented by Uri Sternfeld

Post on 14-Jan-2016

Page 1

Saphe surfing!

SAPHE

Secure Anti-Phishing Environment

Presented by Uri Sternfeld

Page 2

Motivation

• Phishing caused $3 billion in damages in 2007 alone

• Current solutions are not effective enough

Page 3

What is Phishing?

• Any attempt to masquerade as a legitimate server in order to obtain sensitive information

• Usually done by soliciting an unsuspecting user to follow a fraudulent link

From: your bank
To: unsuspecting user

There are problems in your account. Please follow the attached link to solve them.

Page 4

Why does Phishing work?

• Users are naïve

• It's hard to detect differences in URLs:

http://www.myrealbankserver.co.il/login.asp

http://www.myrea1bankserver.co.il/login.asp

• Over-reliance on SSL security

Did you notice the small lock icon in the corner?
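The two URLs on this slide differ by a single character (a digit 1 standing in for the letter l). The following is an added example, not code from the presentation or from SAPHE: a small Python checker that reduces a hostname to a "skeleton" in which commonly confused characters are folded together, then compares that skeleton against an allow-list of hosts the user actually trusts. The allow-list, the confusable table (deliberately non-exhaustive) and the sample URLs are constructed for the demo; the two bank URLs are the ones from the slide. It also flags the slide's other point, a link that is not HTTPS.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list of hosts the user really banks with (assumption for the demo).
TRUSTED_HOSTS = {"myrealbankserver.co.il"}

# Small, non-exhaustive table of characters substituted to imitate Latin letters.
# Multi-character sequences are folded first so "rn" becomes "m" before "n" is looked at.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
}


def hostname_of(url: str) -> str:
    """Extract the host, decode punycode labels, and drop a leading 'www.'."""
    host = urlsplit(url).hostname or ""
    if host.startswith("xn--") or ".xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # keep the raw form; it will simply not match anything trusted
    return host[4:] if host.startswith("www.") else host


def skeleton(host: str) -> str:
    """Fold a hostname so visually similar spellings map to the same string."""
    folded = unicodedata.normalize("NFKD", host.lower())
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    for seq, repl in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        folded = folded.replace(seq, repl)
    return folded


def classify(url: str) -> str:
    """'trusted' for an allow-listed host, 'lookalike of X' when only the
    skeleton matches a trusted host, 'unknown' otherwise."""
    host = hostname_of(url)
    if host in TRUSTED_HOSTS:
        return "trusted"
    sk = skeleton(host)
    for trusted in sorted(TRUSTED_HOSTS):
        if skeleton(trusted) == sk:
            return f"lookalike of {trusted}"
    return "unknown"


def check_url(url: str) -> tuple[str, list[str]]:
    """Verdict plus warnings a plugin could show the user before a form is submitted."""
    warnings = []
    if urlsplit(url).scheme.lower() != "https":
        warnings.append("link is not HTTPS")
    verdict = classify(url)
    if verdict.startswith("lookalike"):
        warnings.append("hostname imitates a trusted site")
    return verdict, warnings


if __name__ == "__main__":
    for u in ("http://www.myrealbankserver.co.il/login.asp",
              "http://www.myrea1bankserver.co.il/login.asp",
              "https://www.myre\u0430lbankserver.co.il/login.asp"):
        print(u, "->", check_url(u))
```

The folding is intentionally crude (a real deployment would use the Unicode confusables data and a registrable-domain split); the point is that the comparison the user cannot make by eye is cheap to make in code.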

Page 5

Current solutions

• Maintaining black lists (Firefox & IE7)

• Phishing solicitations detection

• Idiosyncratic characteristics

That’s me!

Page 6

A relevant warning

• This was recently published in a major Israeli bank’s web site:

click me

Page 7

The Saphe Solution

• Relies on a password known only to the user and the real server

• Protects against:

– Any impersonation of the real server

– DNS poisoning

– Man-in-the-Middle attacks

Page 8

Security assumptions

• AES is a strong encryption algorithm

• SSLv3.0 is a secure protocol

• Digital certificates positively identify the owner of a domain

Page 9

The general idea

• Use the password to authenticate the server to the user before using it to authenticate the user to the server

• Encrypt information about the current session to detect any tampering

Page 10

How it works

• Client-side code (plugin) automatically guards the user

• Server-side code creates data that authenticates the server to the plugin

• All the user needs to do is notice the plugin dialog box (or the lack of it…)

Page 11 (no text on this slide)

Page 12

How it really works

• Plugin automatically started when relevant MIME-type is detected

• The password is NOT sent until the server is authenticated and the connection is proven to be tamper-free

• All links MUST be secure (HTTPS)

Page 13

How it really works (ctd)

• Client-side and server-side random challenge buffers are used (to prevent replay attacks)

• Encryption key is derived from the password and the challenges

• Data integrity is guaranteed with HMAC

Page 14

How it really works (ctd2)

• Key derivation function is computationally demanding to slow offline enumeration

• The server encrypts the following:

– Connection source IP address

– URL requested during the connection

– Login URL

Page 15

How it really works (ctd3)

• User machine’s real IP address is retrieved from a secured (HTTPS) known server
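Slides 12 through 15 describe one procedure: both sides contribute a random challenge, a slow key derivation function turns the shared password plus both challenges into session keys, the server encrypts the connection's source IP, the requested URL and the login URL, HMAC protects integrity, and the plugin releases the password only after all of that checks out. The following Python simulation of that exchange is an added example, not SAPHE's code. It assumes PBKDF2-HMAC-SHA256 as the slow KDF and, because the standard library has no AES, an HMAC-SHA256 counter-mode keystream as a stand-in cipher; the iteration count, key sizes, message layout and all addresses and URLs are constructed for the demo. `demo()` runs the honest case and the three failures the slides say the design catches: a server that does not know the password (impersonation or DNS poisoning), a relay whose source IP differs from the one the plugin learned independently (man-in-the-middle), and a captured blob replayed into a new session.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo parameters (assumptions, not SAPHE's values).
KDF_ITERATIONS = 100_000
KEY_LEN = 32


def derive_key(password: bytes, client_challenge: bytes, server_challenge: bytes) -> bytes:
    """Slow KDF over the shared password and BOTH challenges (slides 13-14).
    Because the challenges salt the derivation, every session gets fresh keys."""
    salt = b"saphe-demo|" + client_challenge + b"|" + server_challenge
    return hashlib.pbkdf2_hmac("sha256", password, salt, KDF_ITERATIONS, dklen=2 * KEY_LEN)


def split_keys(material: bytes) -> tuple[bytes, bytes]:
    """Separate encryption and MAC keys from one derived block."""
    return material[:KEY_LEN], material[KEY_LEN:]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES (assumption): HMAC-SHA256 in counter mode, XORed onto data.
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + struct.pack(">I", block_no), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def server_prove(password: bytes, client_challenge: bytes,
                 source_ip: str, requested_url: str, login_url: str) -> dict:
    """Server side: encrypt the session facts under password-derived keys and MAC them."""
    server_challenge = secrets.token_bytes(16)
    enc_key, mac_key = split_keys(derive_key(password, client_challenge, server_challenge))
    plaintext = "\n".join([source_ip, requested_url, login_url]).encode()
    ciphertext = keystream_xor(enc_key, server_challenge, plaintext)
    tag = hmac.new(mac_key, client_challenge + server_challenge + ciphertext, hashlib.sha256).digest()
    return {"server_challenge": server_challenge, "ciphertext": ciphertext, "tag": tag}


def client_verify(password: bytes, client_challenge: bytes, blob: dict,
                  own_ip: str, observed_url: str, observed_login_url: str) -> tuple[bool, str]:
    """Plugin side. The password leaves the machine only when this returns True."""
    enc_key, mac_key = split_keys(derive_key(password, client_challenge, blob["server_challenge"]))
    expected = hmac.new(mac_key, client_challenge + blob["server_challenge"] + blob["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return False, "HMAC mismatch: server does not know the password, or data was tampered/replayed"
    fields = keystream_xor(enc_key, blob["server_challenge"], blob["ciphertext"]).decode().split("\n")
    if len(fields) != 3:
        return False, "malformed session data"
    ip, url, login_url = fields
    if ip != own_ip:  # own_ip was fetched from a known HTTPS server (slide 15)
        return False, "source IP mismatch: connection is being relayed (man-in-the-middle)"
    if url != observed_url or login_url != observed_login_url:
        return False, "URL mismatch: session was redirected"
    return True, "server authenticated; safe to send the password"


def demo() -> dict:
    """Honest session plus the three failure modes; returns each (ok, reason)."""
    pw = b"correct horse battery staple"  # constructed shared secret
    ip, url, login = "198.51.100.23", "https://bank.example/account", "https://bank.example/login"
    results = {}
    c1 = secrets.token_bytes(16)
    results["honest"] = client_verify(pw, c1, server_prove(pw, c1, ip, url, login), ip, url, login)
    c2 = secrets.token_bytes(16)  # phishing or poisoned-DNS host: wrong password
    results["impersonation"] = client_verify(pw, c2, server_prove(b"guess", c2, ip, url, login), ip, url, login)
    c3 = secrets.token_bytes(16)  # relay: real server sees the relay's address, not the user's
    results["mitm"] = client_verify(pw, c3, server_prove(pw, c3, "203.0.113.9", url, login), ip, url, login)
    c4 = secrets.token_bytes(16)  # replay: blob from the c1 session presented in a new session
    results["replay"] = client_verify(pw, c4, server_prove(pw, c1, ip, url, login), ip, url, login)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:14} {'OK ' if ok else 'REJECT'} {reason}")
```

Two design points carry the security argument: the MAC is checked before anything is decrypted or compared, so a server that lacks the password never gets to influence the plugin's decision, and the client's own challenge is part of the salt, so a blob recorded from one session cannot be reused in another even against the same user.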

Page 16

Next: Thwarting Phishing attacks!

Page 17

Phishing scenario #1

• Redirecting the user to a fraudulent domain

• Forged web page similar to the real one

• Passive Phishing

• (Most common scenario)

Page 18

Phishing scenario #2

• Active Phishing

Page 19

Phishing scenario #3

• DNS poisoning

Page 20

Phishing scenario #4

• Man-in-the-Middle

Page 21

Implementation details

• Firefox plugin written as a DLL in C++

• Server side code written in C++

• Test server written in Python

• Tested on Windows XP with Firefox 1.5

Page 22

Future versions

• Support more browsers and operating systems

• Automatic installer

• Allow HTML code in Saphe data

• Support password hashes

Page 23

How much is the phish?

Questions? (How many fish are in this presentation?)