Team for Research in
Ubiquitous Secure Technology

Locked cookies: Web authentication security against phishing, pharming, and active attacks
Chris Karlof, Umesh Shankar, Barbara Goto, David Wagner

Citation
Chris Karlof, Umesh Shankar, Barbara Goto, David Wagner. "Locked cookies: Web authentication security against phishing, pharming, and active attacks". Technical report, University of California at Berkeley, UCB/EECS-2007-25, February, 2007.

Abstract
This paper proposes new methods for web authentication that are secure against phishing and pharming attacks. We explore the use of browser cookies as authenticators that cannot inadvertently be given away by users, and introduce locked cookies, which are cookies that are bound to the originating server’s public key. Locked cookies defeat phishing, pharming, and network-controlling active attacks, since the user’s browser can verify that the attacker’s public key is different from that of the server that set the cookie in the first place, even though the domain names may be the same. Locked cookies are transparent to the user and do not require any server-side changes. We evaluate and compare authentication schemes based on conventional cookies, IP cookies, and locked cookies.

Citation formats  
  • HTML
    Chris Karlof, Umesh Shankar, Barbara Goto, David Wagner.
    <a href="http://www.truststc.org/pubs/190.html"
    ><i>Locked cookies: Web authentication security
    against phishing, pharming, and active
    attacks</i></a>, Technical report, University
    of California at Berkeley, UCB/EECS-2007-25, February, 2007.
  • Plain text
    Chris Karlof, Umesh Shankar, Barbara Goto, David Wagner.
    "Locked cookies: Web authentication security against
    phishing, pharming, and active attacks". Technical
    report, University of California at Berkeley,
    UCB/EECS-2007-25, February, 2007.
  • BibTeX
    @techreport{KarlofShankarGotoWagner07_LockedCookiesWebAuthenticationSecurityAgainstPhishing,
        author = {Chris Karlof and Umesh Shankar and Barbara Goto
                  and David Wagner},
        title = {Locked cookies: Web authentication security
                  against phishing, pharming, and active attacks},
        institution = {University of California at Berkeley},
        number = {UCB/EECS-2007-25},
        month = {February},
        year = {2007},
        abstract = {This paper proposes new methods for web
                  authentication that are secure against phishing
                  and pharming attacks. We explore the use of
                  browser cookies as authenticators that cannot
                  inadvertently be given away by users, and
                  introduce locked cookies, which are cookies that
                  are bound to the originating server’s public
                  key. Locked cookies defeat phishing, pharming, and
                  network-controlling active attacks, since the
                  user’s browser can verify that the attacker’s
                  public key is different from that of the server
                  that set the cookie in the first place, even
                  though the domain names may be the same. Locked
                  cookies are transparent to the user and do not
                  require any server-side changes. We evaluate and
                  compare authentication schemes based on
                  conventional cookies, IP cookies, and locked
                  cookies.},
        URL = {http://www.truststc.org/pubs/190.html}
    }
    

Posted by Chris Karlof on 5 Mar 2007.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.