Sebastian Gajek scite author profile

Abstract. The standard solution for user authentication on the Web is to establish a TLS-based secure channel in server authenticated mode and run a protocol on top of TLS where the user enters a password in an HTML form. However, as many studies point out, the average Internet user is unable to identify the server based on a X.509 certificate so that impersonation attacks (e.g., phishing) are feasible. We tackle this problem by proposing a protocol that allows the user to identify the server based on human perceptible authenticators (e.g., picture, voice). We prove the security of this protocol by refining the game-based security model of Bellare and Rogaway and present a proof of concept implementation.

show abstract

Universally Composable Security Analysis of TLS

Gajek¹,

Manulis²,

Pereira³

et al. 2008

View full text Add to dashboard Cite

Analysis of Signature Wrapping Attacks and Countermeasures

Gajek

Jensen

Liao

et al. 2009

View full text Add to dashboard Cite

In recent research it turned out that Boolean verification of digital signatures in the context of WSSecurity is likely to fail: If parts of a SOAP message are signed and the signature verification applied to the whole document returns true, then nevertheless the document may have been significantly altered.In this paper, we provide a detailed analysis on the possible scenarios that enable these signature wrapping attacks. Derived from this analysis, we propose a new solution that uses a subset of XPath instead of ID attributes to point to the signed subtree, and show that this solution is both efficient and secure.

show abstract

Breaking and fixing the inline approach

Gajek

Liao

Schwenk

2007

View full text Add to dashboard Cite

Phishing Phishers - Observing and Tracing Organized Cybercrime

Birk

Gajek

Gröbert

et al. 2007

View full text Add to dashboard Cite

Compartmented Security for Browsers - Or How to Thwart a Phisher with Trusted Computing

Gajek

Sadeghi

Stüble

et al. 2007

View full text Add to dashboard Cite

Identity theft through phishing attacks has become a major concern for Internet users. Typically, phishing attacks aim at luring the user to a faked web site to disclose personal information. Existing solutions proposed against this kind of attack can, however, hardly counter the new generation of sophisticated malware phishing attacks, e.g., pharming Trojans, designed to target certain services. This paper aims at making the first steps towards the design and implementation of a security architecture that prevents both classical and malware phishing attacks. Our approach is based on the ideas of compartmentalization for isolating applications of different trust level, and a trusted wallet for storing credentials and authenticating sensitive services. Once the wallet has been setup in an initial step, our solution requires no special care from users for identifying the right web sites while the disclosure of credentials is strictly controlled. Moreover, a prototype of the basic platform exists and we briefly describe its implementation.

show abstract

Effective Protection Against Phishing and Web Spoofing

Oppliger¹,

Gajek

2005

View full text Add to dashboard Cite

Phishing and Web spoofing have proliferated and become a major nuisance on the Internet. The attacks are difficult to protect against, mainly because they target non-cryptographic components, such as the user or the user-browser interface. This means that cryptographic security protocols, such as the SSL/TLS protocol, do not provide a complete solution to tackle the attacks and must be complemented by additional protection mechanisms. In this paper, we summarize, discuss, and evaluate the effectiveness of such mechanisms against (large-scale) phishing and Web spoofing attacks.

show abstract

12 3 4

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

hi@scite.ai

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Sebastian Gajek

Visual Spoofing of SSL Protected Web Sites and Effective Countermeasures

Provably secure browser-based user-aware mutual authentication over TLS

Universally Composable Security Analysis of TLS

Analysis of Signature Wrapping Attacks and Countermeasures

Breaking and fixing the inline approach

Phishing Phishers - Observing and Tracing Organized Cybercrime

Compartmented Security for Browsers - Or How to Thwart a Phisher with Trusted Computing

Effective Protection Against Phishing and Web Spoofing

Contact Info

Product

Resources

About