Galexia
             home
       about us
        services
        projects
       research
          contact
» home » research » assets » eft review  

Subscribe to Galexia news and announcements.
More information »

Privacy Management Strategy (PMS): Galexia's methodologies are used to develop and implement a risk management strategy and practical action plan. Find out more »

[Privacy Impact Assessment (PIA) for Cooperative Intelligent Transport System (C-ITS) data messages]

Austroads publishes the first Privacy Impact Assessment (PIA) on data messages for connected cars in Australia (March 2017)
Find out more »

Submission - Joint submission to the 2007 Review of the Electronic Funds Transfer (EFT) Code of Conduct to ASIC (May 2007)

[« previous] [next »] [up] [title page] [full contents]

Delayed Password Disclosure

One of the vulnerabilities of the Secure Remote Password protocol discussed previously is that in many cases the password-entry interfaces provided to end-users by SRP compatible software agents can be spoofed by fraudulent parties.[47]

Delayed Password Disclosure (DPD) technology works to overcome this key vulnerability. In DPD, user passwords are supplemented by a sequence of images specific to each user, web server, and password. At the establishment of a relationship between a user and web server, the server provides the user with a sequence of images that corresponds to their password. Then, whenever the user wishes to log-in, they enter the first character of their password into a DPD compatible software agent. The web server uses its knowledge of what image should be presented to the user to send back specific data (for example, a sequence of binary digits). The software agent on the user’s machine uses that data in combination with a previously agreed upon method of manipulating it (for example, an algorithm known only to the web server and end-user) to determine what image should be displayed to the user for the particular password character that was entered. If the correct image is displayed to the end-user, they know that in all probability they are communicating with the correct server, and so enter the next character of their password. The process of displaying an image then repeats, until all characters are entered. If at any stage an incorrect image is displayed, the user can terminate the communications session before they have disclosed any sensitive data. If the correct sequence of images is displayed, the user knows they are communicating with the server they intend to.

A fraudulent party attempting to impersonate the web server will have great difficulty in determining what sequence of images should be displayed to the end-user, because the images are never transmitted across the network and hence cannot be intercepted. Rather, the end-user’s machine simply uses data provided by the server to compute what image should be displayed to the user. Secondly, even if the fraudulent party is able to guess what image should be displayed, that does not mean they learn the user’s password. It simply means that the user will enter the next character in their password, and the fraudulent party will then have to re-guess what image should be displayed to the user. Particularly if the pool of images which displayable to the user is large, it is unlikely that the fraudulent party will be able to successfully guess the image that is to be displayed for each password character.

[47] Jakobsson G M and Myers S, Stealth Attacks and Delayed Password Disclosure, AI3, 2006, <https://www.a-i3.org/content/view/69/104/>.

[« previous] [next »] [up] [title page] [full contents]

[view all] [download PDF version]

[up to research]

 

Search for:

HERE

PrintVersionprint this page

Sitemapsitemap

Subcribe to RSS newsrss news feed

Manage email subscriptionsmanage email subscriptions

Latest News

September 2019
Register of Public Galexia PIAs. Read more »

September 2019
Updates to Galexia Website. Read more »

September 2019
PM&C / Office of the National Data Commissioner (ONDC) releases Discussion Paper and accepts recommendations from Galexia’s PIA on the proposed Data Sharing and Release legislative framework. Read more »

August 2019
Galexia providing privacy advice and an independent public Privacy Impact Assessment (PIA) on 2021 Census for ABS. Read more »

June 2019
Galexia completes privacy advice and an independent Privacy Impact Assessment (PIA) on the Naval Shipbuilding College Workforce Register. Read more »

view all news items »

[Home] [Sitemap] [Print this page] [Privacy statement]

© Galexia Pty Ltd
Telephone: +61 (02) 9660 1111
Email: [email protected]