
Publication


Featured research published by Subir Saha.


2008 2nd International Conference on Internet Multimedia Services Architecture and Applications | 2008

PhishGuard: A browser plug-in for protection from phishing

Yogesh Joshi; Samir Dilipkumar Saklikar; Debabrata Das; Subir Saha

Phishing is an act of identity theft aimed at acquiring sensitive information such as usernames, passwords, credit card details, etc., by masquerading as a trustworthy entity in an electronic communication. Phishers use a number of different social engineering mechanisms, such as spoofed e-mail, to try to trick their victims. Data suggests that some of the phishing attacks have convinced up to 5% of their recipients to provide sensitive information to spoofed websites, resulting in direct losses of multiple billions of dollars across countries. Though there are many existing anti-phishing solutions, phishers continue to succeed in luring victims. In this paper, we have proposed a novel algorithm which aims at identifying a forged website by submitting random credentials before the actual credentials in the login process of a website. We have also proposed a mechanism for analysing the responses from the server against the submissions of all those credentials to determine if the website is the original or a phished one. Though our idea is generic and would work with any authentication technologies which are based on the exchange of credentials, our current prototype is developed for sites supporting HTTP Digest Authentication and accepting a userid and password pair as the credential. Our algorithm is developed within a browser plug-in for Mozilla Firefox v3.0 and can detect phishing attacks conclusively.


2009 IEEE International Conference on Internet Multimedia Services Architecture and Applications (IMSAA) | 2009

Mitigating man in the middle attack over secure sockets layer

Yogesh Joshi; Debabrata Das; Subir Saha

Phishing is a social engineering mechanism to steal the user's credentials, which are then used for identity theft leading to financial benefit. Currently, the majority of Phishing attacks are very unsophisticated, as they focus on collecting just the credentials and do not try to validate in real time whether the received credentials are correct. It is obvious that next generation Phishing attacks will, in real time, try to check the credentials and also try to exploit the same. It is easy for a Phisher to behave as a man-in-the-middle (MITM) between the user and the targeted site which is being phished. The problem with the MITM attack is that all the heuristics, like monitoring domain names for special characters, using blacklists, page analysis, etc., fail to restrict the Phisher. One significant work in the literature in this area, PwdHash, is successful against attacks when the user is on a URL other than the genuine website. In this paper, we have proposed and implemented a novel approach to solve MITM over SSL which uses the genuine website URL. To tackle such attacks we propose hashing the user password with the public key of the server's digital certificate. This approach beats the MITM, since the MITM receives the hash of the original password, which cannot be reused. We prove our concept with a browser plugin.


secure web services | 2007

Next steps for security assertion markup language (saml)

Samir Dilipkumar Saklikar; Subir Saha

The Security Assertion Markup Language (SAML) has established itself as one of the most advanced and popular standards in the Identity Federation and Assertion management space. SAML 2.0 has proved to be an almost complete specification, without requiring any frequent updates to handle various existing Federation scenarios. This paper attempts to analyze and propose incremental enhancements to the SAML core specification, without breaking any of the existing functionality. The goal is to identify such generic extensions, which in turn can enable various other functional usages, in line with SAML's design goals of Federation Enablement and Asserted Information exchange. The utility of the proposed extensions is proved by showing how they enable various higher level concepts in SAML, which in turn can enable a richer suite of Federation and Assertion-based interactions. These extensions include Dependent Assertions, Action Assertions, Assertion Queries and Requests, with the final consolidation into a proposed extended SAML framework. This extended SAML framework is used to build a prototype implementation of a Mobile-Device based Web Services framework, for enabling Mobile-Messaging based Service invocations, within a Federation of the Mobile Service Provider and multiple Mobile Application Providers.


2008 2nd International Conference on Internet Multimedia Services Architecture and Applications | 2008

Evaluation of mobile handset recovery from radio link failure in a multi-RATS environment

Debabrata Das; Subir Saha

Radio link failure (RLF) is a common phenomenon in all radio access technologies like GSM, UMTS, wireless LAN, etc., when the radio channel signal strength is too weak to continue with the application. RLF is a local event detected by the mobile handset (or user equipment, UE) immediately, and network nodes come to know later. It is also difficult for the UE to recover due to low signal. Hence, RLF has to be dealt with locally by the UE. In case of RLF, the 3GPP specification indicates the release of dedicated data and signaling resources, which leads to discontinuation of the application. In order to avoid discontinuation of the application, one of the solutions proposed is to use another available RAT (radio access technology) from the multi-RATs in the UE. A few works in the literature present the possibility of single-RAT or multi-RATs RLF recovery [2-11]. However, to the best of the authors' knowledge, none of these publications present any performance evaluation for selecting an available RAT from a multi-RATs environment after an RLF. In this paper, the authors have investigated the impact of three key parameters, namely RSSI (received signal strength identifier), QoS (quality of service), and connection re-establishment time, for RLF recovery across all available RATs. The analytical studies show that, with a two times increase in radio resources along with a three times increase in the number of mobile handsets experiencing RLF, the probability of success of RLF recovery increases significantly. Furthermore, one of the studies reveals that, when mean utilization of resources in the cells increases by 50% and the number of mobile handsets suffering from RLF increases by two times, the probability of success of RLF recovery decreases by 15%.


digital identity management | 2006

User privacy-preserving identity data dependencies

Samir Dilipkumar Saklikar; Subir Saha

Identity Federation technologies have enabled users to leverage their relationships with an Identity Provider (IdP) into a Service Provider's (SP) domain. They allow user-initiated and IdP-controlled sharing of authentication information, attributes and authorization policies, allowing users to get benefits like Single Sign On (SSO) and attribute linking across the different domains. Federation-based Identity Services have enabled a standardized mechanism of sharing a particular type of user identity information with interested SPs. Yet, with increasing focus on composite as well as personalized user experiences, different types of User Identity Data need to be used together. In this paper, we argue that there is a lack of standardized mechanisms for resolution and ownership when it comes to data associations across different Identity Providers. Additionally, users have different privacy requirements for these different kinds of interacting identity information and need mechanisms to enforce them. We propose a solution which allows users to define privacy-preserving data dependencies between their different Identity information. Thus, a query for particular user information would honor and traverse its associated data dependencies, possibly triggering user-defined policies, to come up with a resultant set of identity information.


digital identity management | 2010

Identity Federation for VoIP systems

Samir Dilipkumar Saklikar; Subir Saha

Identity Federation enables Users to effectively manage their multiple Identities spread across different administrative domains. It leverages trust between the Identity Providers to allow Users to federate and share their Identity information to receive cross-domain Identity benefits. In this paper, we argue that with increasing number of VoIP providers as well as the ability for Users to host and self-manage their own VoIP Identities, an Identity Federation-based solution is required for VoIP as well. The paper analyzes differences for Identity Federation within VoIP scenarios, as compared to existing Web-based scenarios. We propose the VoIP Identity Federation Framework, enabling a User to establish Identity Federation as well as the assertion of any relevant Identity information from one VoIP context to another. The framework is designed using simple application-usage agnostic primitives viz. federate-out and federate-in, which can be applied within any VoIP Protocol scenario. One of the primary design goals has been to model these enablers as an independent protocol, so that they can be piggybacked on any of the existing VoIP protocol scenarios. As a result, Identity Federation benefits can be easily applied to any existing or future VoIP-based application usages. Another important aspect is to enable sufficient User control within the Identity Federation framework. We also present a set of exemplary yet novel use-cases enabled by the proposed framework.


2009 IEEE International Conference on Internet Multimedia Services Architecture and Applications (IMSAA) | 2009

Grading based identity negotiation in P2P Services

Subir Saha

The increasing popularity of P2P IP Services introduces a new challenge with respect to the identity of users as the lack of incremental tariff on these services removes the incentive to properly identify users before allowing them to register. We analyze multiple scenarios in future networks to demonstrate problems arising out of self assigned user identities in P2P services, and in particular P2P VoIP services. Our analysis establishes the need for a simple mechanism of negotiating ‘grade of identity’ as an important tool for successful adoption of such services.


2008 2nd International Conference on Internet Multimedia Services Architecture and Applications | 2008

Zero-Cost Negative-Cost (ZCNC) mobile messaging

Ranjit Avasarala; Subir Saha; Samir Dilipkumar Saklikar; Prasad Subramanya

In this paper, we present a novel application for subsidizing the cost of SMS-based messaging, especially in mobile operator networks which have started showing the "intentional missed call" phenomenon. The existing SMS infrastructure is augmented with an advertisement capability, borrowed from the Internet model, to either subsidize the cost of or even provide a credit to the SMS originating User. In addition to user-to-user messaging, this application can also find acceptance in small and medium sized enterprises, which rely on SMS-messaging to reach their consumers. We describe an overall architecture for the proposed Zero-Cost Negative-Cost (ZCNC) mobile messaging, with related discussion on its different usage scenarios.


consumer communications and networking conference | 2007

A Social Query Protocol for User-level Information Exchange

Samir Dilipkumar Saklikar; Subir Saha

Social networking-based activities on the Internet are seeing huge popularity, riding on the strength of the standardized Really Simple Syndication (RSS) platform, which allows for a cross-domain sharing of content (user generated or otherwise). Though there has been an increase in the social network of an Internet User, it is primarily being used for sharing self-generated content (blogging, podcasting) or by the web-sites for generating advertisement revenues. There are no standardized means for a user to leverage this social base for pulling out some information. Search mechanisms are limited to sifting through information which is pre-published by social peers, rather than asking for some specific information from a social network. In this paper, we argue that due to the lack of a standard cross-domain query mechanism, users are not able to take full advantage of the collective intelligence of their social community. We propose a generic social query protocol, which allows a user to propagate application-specific queries within their social network and receive appropriate answers.


communication system software and middleware | 2007

A Social Query Framework

Samir Dilipkumar Saklikar; Subir Saha

In recent times, there has been a huge increase in Social-networking based activities on the Internet. Users have started using the Internet not only for collaborating with each other but have also taken on a new role of being Information prosumers (producers + consumers). The standardization of the really simple syndication (RSS) platform, which allows for a cross-domain sharing of content (user generated or otherwise), has helped by making information access easier, giving rise to online phenomena such as Blogging, Vlogging and Podcasting. Users have increased their reach into the world of Internet users, leading to a huge growth in their (mostly online) Social Network. Yet, such a network is being primarily used for sharing user-generated content or by the web-sites for generating advertisement revenues. Moreover, existing technologies only facilitate a User to consume that which is pushed by others. There are no easy or standardized mechanisms for a user to leverage this social base for pulling out specific information from their social network. In this paper, we argue that due to the lack of a standard cross-domain query mechanism, users are not able to take full advantage of the collective intelligence of their social community. We propose a generic Social Query Framework, which allows a user to propagate application-specific queries within their social network and receive appropriate answers.
