Trustworthy User Interface Design:Dynamic Security Skins

Rachna Dhamija and J.D. TygarUniversity of California, Berkeley

TIPPI Workshop June 13, 2005

2

Security Properties for Usability

1. Limited human skills property

2. Unmotivated users property

3. General purpose graphics property

4. Golden arches property

5. Barn door property

3

Password Authenticated Key Agreement

A number of protocols exist:– EKE, SPEKE, SNAPI, AuthA, PAK, SRP, etc…

Advantages:– user doesn’t need a trusted device– secret stored in memory of the user– server doesn’t store password– no passwords sent over the network– user authentication & mutual authentication

BUT won’t stop phishing!

4

Our Solution: Usability Goals

User must be able to verify password prompt, before entering password

Rely on human skills– To login, recognize 1 image & recall 1 password– To verify server, compare 2 images

Hard to spoof security indicators

5

Trusted Password Window

Dedicated window Trusted path customization Random photo assigned or chosen Image stored in browser Image overlaid across window User recognizes image first

– then enters password Password not sent to server

6

Security Indicators

How can the user distinguish secure windows?– static indicators– user customization– automated customization

7

Firefox Browser - 4 SSL indicators

8

Firefox browser - No unsecure indicators

9

Customized Indicators: Petname Toolbar

10

Automated Indicators:Secure Random Dynamic Boundaries

11

Our Solution: Dynamic Security Skins

Automatically customize secure windows

Visual hashes– Random Art - visual hash algorithm – Generate unique abstract image for each authentication– Use the image to “skin” windows or web content– Browser generated or server generated

12

Browser Generated Images

Browser chooses random number and generates image

Can be used to modify border or web elements

13

Server Generated Images

Server & browser independently generate same image

Server can customize its own page

14

Conclusions

Benefits:– Achieves mutual authentication– Resistant to phishing and spoofing– Relies on human skills

Weaknesses:– Users must check images (easier than

checking a cert)– Local storage of personal image reduces

portability, requires security– Doesn’t address spyware, keyloggers

15

Status and Future Work

Iterative design & “lo-fi” testing of interface (Mozilla XUL and CSS)

Formal user study

DSS Mozilla extension

Published in SOUPS `05

16