Trustworthy User Interface Design: Dynamic Security Skins

1
Trustworthy User Interface DesignDynamic
Security Skins

• Rachna Dhamija and J.D. Tygar
• University of California, Berkeley
• TIPPI Workshop
• June 13, 2005

2
Security Properties for Usability

• Limited human skills property
• Unmotivated users property
• General purpose graphics property
• Golden arches property
• Barn door property

3
Password Authenticated Key Agreement

• A number of protocols exist
• EKE, SPEKE, SNAPI, AuthA, PAK, SRP, etc
• Advantages
• user doesnt need a trusted device
• secret stored in memory of the user
• server doesnt store password
• no passwords sent over the network
• user authentication mutual authentication
• BUT wont stop phishing!

4
Our Solution Usability Goals

• User must be able to verify password prompt,
  before entering password
• Rely on human skills
• To login, recognize 1 image recall 1 password
• To verify server, compare 2 images
• Hard to spoof security indicators

5
Trusted Password Window

• Dedicated window
• Trusted path ? customization
• Random photo assigned or chosen
• Image stored in browser
• Image overlaid across window
• User recognizes image first
• then enters password
• Password not sent to server

6
Security Indicators

• How can the user distinguish secure windows?
• static indicators
• user customization
• automated customization

7
Firefox Browser - 4 SSL indicators
8
Firefox browser - No unsecure indicators
9
Customized Indicators Petname Toolbar
10
Automated IndicatorsSecure Random Dynamic
Boundaries
11
Our Solution Dynamic Security Skins

• Automatically customize secure windows
• Visual hashes
• Random Art - visual hash algorithm
• Generate unique abstract image for each
  authentication
• Use the image to skin windows or web content
• Browser generated or server generated

12
Browser Generated Images

• Browser chooses random number and generates
  image
• Can be used to modify border or web elements

13
Server Generated Images

• Server browser independently generate same
  image
• Server can customize its own page

14
Conclusions

• Benefits
• Achieves mutual authentication
• Resistant to phishing and spoofing
• Relies on human skills
• Weaknesses
• Users must check images (easier than checking a
  cert)
• Local storage of personal image reduces
  portability, requires security
• Doesnt address spyware, keyloggers

15
Status and Future Work

• Iterative design lo-fi testing of interface
  (Mozilla XUL and CSS)
• Formal user study
• DSS Mozilla extension
• Published in SOUPS 05

16
(No Transcript)