A Zero Knowledge Password Proof Mutual Authentication Technique Against Real-Time Phishing Attacks

  • Mohsen Sharifi
  • Alireza Saberi
  • Mojtaba Vahidi
  • Mohammad Zorufi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4812)

Abstract

A phishing attack is a form of identity theft that attempts to steal confidential data. Existing approaches against phishing attacks cannot prevent real-time phishing attacks. This paper proposes an Anti-Phishing Authentication (APA) technique to detect and prevent real-time phishing attacks. It uses 2-way authentication and zero-knowledge password proof. Users are recommended to customize their user interfaces and thus defend themselves against spoofing. The proposed technique assumes the preexistence of a shared secret key between any two communicating partners, and does not address the presence of malware on the client side.

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Mohsen Sharifi (1)
  • Alireza Saberi (1)
  • Mojtaba Vahidi (1)
  • Mohammad Zorufi (1)
  1. Computer Engineering Department, Iran University of Science and Technology