Berkeley Electrical Engineering and Computer Sciences

Most computer security research focuses on defending computer systems against clever attackers. Yet a system can fall victim not only to an attacker's cleverness but also to a user's naiveté.

UC Berkeley EECS Professor Doug Tygar. (Photo by Peg Skorpinski)

In a classic 1999 study called "Why Johnny Can't Encrypt," Doug Tygar and his then-student, Alma Whitten, asked 12 intelligent, computer-savvy people to use a standard encryption program to send an encoded e-mail message. Surprisingly, most of the subjects were unable to do it. Some encrypted with incorrect keys, and three actually sent out the message unencrypted, a worst-case scenario. The moral was clear: security protocols are useless if only experts can use them. The study had an enormous impact on the computer security community and spawned a series of annual conferences called Symposia on Usable Privacy and Security.

Tygar's ongoing research continues to emphasize the issue of usability in computer security. In 2005, he and Rachna Dhamija, then his graduate student, devised a user-friendly browser add-on that protects users against "phishing."

Phishing is a social engineering scam in which an attacker sends an e-mail message designed to look as if it came from the recipient's bank or some other official site. The message often says that there is a security problem (an ironic touch) and directs the recipient to click on a link to an official-looking Web site and divulge sensitive account information. Many people will not notice a small error in the URL. For example, phishers have used "PayPai" instead of PayPal and "Bank of the VVest" instead of Bank of the West. By using these ruses and others, Tygar says, "the best phishing attacks fool essentially all users."

The challenge for researchers is to find a way to make it obvious to an inattentive and unskilled user that he is indeed connected to his bank, say, and not to a phisher's page. Tygar's "dynamic security skins" achieve this by "individualizing the browser in such a way that an attacker can't send a forged page," Tygar says.

The scheme has two parts: The first is a "trusted password window" protected by a static image chosen by the user: this window appears in the browser and provides a secure gateway to trusted sites. The second part is the dynamic security skin: a pattern integrated with a Web site's user interface elements that can be dynamically generated by the site for each user and each visit. The skin is also independently generated by the user's browser and displayed as a border to the trusted window.

To securely interact with any number of sites, the user need only recognize his trusted password window image, remember a single short password, and verify that the two dynamically generated patterns match. This picture-based scheme leverages the kind of task that the human brain is good at (recognizing images) while minimizing the type of task it is not so good at (remembering passwords), Tygar notes.

For the scheme to work at a particular Web site—say, a bank—the user must send a verifier (a hash of his password) just once, perhaps when registering. On subsequent visits, the user enters his password into the browser's secure password window after verifying his personal background image. (This static image protects against attackers who might spoof the window or the data entry fields.) Next, the browser and the bank's server go through a sequence of steps to check that they both know the same verifier without disclosing it. The bank and the browser then independently use this shared information and a random session key to generate a dynamic security skin, and the user checks that the two skins match. The user can easily recognize a spoofed Web site because the site will be unable to generate a security skin that matches the one displayed in his browser. The scammer cannot generate a matching skin because he does not know the verifier and cannot trick the user into revealing it.
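The flow just described (verifier registered once, a mutual check that both sides hold it, a per-visit skin derived from the shared secret plus session randomness, and a spoofed site failing to match) can be modelled in a few dozen lines. The Python below is an added illustration written for this page, not Tygar and Dhamija's implementation. Its specific choices are assumptions: the article does not say how the verifier is hashed or which protocol performs the "check without disclosing" step, so this example uses PBKDF2 for the verifier, an HMAC challenge-response as a simplified stand-in for that step, and a small grid of glyphs as the "pattern"; the user name, password and server classes are constructed for the demo.

```python
"""Toy model of the dynamic security skin flow from the article.
Assumptions (not from the article): PBKDF2 verifier, HMAC challenge-response
standing in for the mutual verifier check, and a 4x8 glyph grid as the skin."""
import hashlib
import hmac
import os

GLYPHS = " .oO"  # four shades; the top two bits of each skin byte pick one


def make_verifier(password: str, salt: bytes) -> bytes:
    """Verifier = slow, salted hash of the password; sent to the bank once."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def derive_skin(verifier: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Bank and browser each compute this from the shared verifier plus the
    per-visit nonces (the 'random session key'), so the skin changes every visit."""
    return hmac.new(verifier, b"skin|" + client_nonce + server_nonce, hashlib.sha256).digest()


def render_skin(skin: bytes, width: int = 8) -> str:
    """Turn the 32-byte skin into a 4x8 grid of glyphs the user can eyeball."""
    cells = [GLYPHS[b >> 6] for b in skin]
    rows = ["".join(cells[i:i + width]) for i in range(0, len(cells), width)]
    return "\n".join(rows)


def server_proof(verifier: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Proof that a site knows the verifier, without ever transmitting it."""
    return hmac.new(verifier, b"server|" + client_nonce + server_nonce, hashlib.sha256).digest()


class BankServer:
    """Stores (salt, verifier) per user; never sees the password itself."""

    def __init__(self):
        self.accounts = {}

    def register(self, username: str, salt: bytes, verifier: bytes) -> None:
        self.accounts[username] = (salt, verifier)

    def begin_login(self, username: str, client_nonce: bytes):
        salt, verifier = self.accounts[username]
        server_nonce = os.urandom(16)
        return salt, server_nonce, server_proof(verifier, client_nonce, server_nonce)

    def skin_for(self, username: str, client_nonce: bytes, server_nonce: bytes) -> bytes:
        _, verifier = self.accounts[username]
        return derive_skin(verifier, client_nonce, server_nonce)


class PhishingServer(BankServer):
    """Imitates the bank's interface but holds no real verifier: it must guess."""

    def __init__(self, username: str):
        super().__init__()
        self.register(username, os.urandom(16), os.urandom(32))


class Browser:
    """Holds the password only at login time and recomputes the verifier locally."""

    def __init__(self, username: str, password: str):
        self.username, self.password = username, password

    def register_with(self, bank: BankServer) -> None:
        salt = os.urandom(16)
        bank.register(self.username, salt, make_verifier(self.password, salt))

    def login(self, site: BankServer):
        client_nonce = os.urandom(16)
        salt, server_nonce, proof = site.begin_login(self.username, client_nonce)
        verifier = make_verifier(self.password, salt)
        site_knows_verifier = hmac.compare_digest(
            server_proof(verifier, client_nonce, server_nonce), proof)
        browser_skin = derive_skin(verifier, client_nonce, server_nonce)
        site_skin = site.skin_for(self.username, client_nonce, server_nonce)  # what the page shows
        return site_knows_verifier, browser_skin, site_skin


def skins_match(a: bytes, b: bytes) -> bool:
    return hmac.compare_digest(a, b)


def demo() -> dict:
    user = Browser("alice", "correct horse battery staple")  # constructed credentials
    bank = BankServer()
    user.register_with(bank)
    ok, b_skin, s_skin = user.login(bank)
    phish = PhishingServer("alice")
    p_ok, pb_skin, ps_skin = user.login(phish)
    return {"bank_proof_ok": ok, "bank_skins_match": skins_match(b_skin, s_skin),
            "phish_proof_ok": p_ok, "phish_skins_match": skins_match(pb_skin, ps_skin)}


if __name__ == "__main__":
    print(demo())
    v = make_verifier("demo", b"fixed-salt")
    print(render_skin(derive_skin(v, b"c", b"s")))
```

Running `demo()` gives `bank_proof_ok` and `bank_skins_match` as `True` and both phishing results as `False`: the imitation site can render a convincing page but cannot produce the pattern the browser's border shows. Two caveats matter for anyone reading this as more than a sketch. First, the HMAC stand-in leaks enough in its transcript for an eavesdropper to test password guesses offline, which is exactly why a design like this wants a real password-authenticated key exchange for the "check without disclosing" step rather than a bare challenge-response. Second, the defence only works if the user actually compares the two patterns, which is the usability question the article's planned studies are meant to answer.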

Tygar's next step will be to collaborate with psychologists to perform formal usability studies comparing trusted password windows and dynamic security skins with ordinary SSL-equipped browsers. "We're treating security as an experimental science," Tygar says. "That gives us insights that a previous generation missed because they approached security only in a theoretical way."

Dana Mackenzie and Sara Robinson