Date:
Location:
CRCS Lunch Seminar
Date: Wednesday, February 24, 2010
Time: 11:45am – 1:15pm
Place: Maxwell Dworkin 2nd Floor Lounge Area
Speakers: Tal Moran, Harvard CRCS
Title: The Phish-Market Protocol: Secure Sharing Between Competitors
Abstract: A key way in which banks mitigate the effects of phishing is to remove fraudulent websites or suspend abusive domain names. This `take-down’ is often subcontracted to specialist companies. Prior work has shown that these take-down companies refuse to share their `feeds’ of phishing website URLs with each other, and consequently, many phishing websites are not removed because the company with the take-down contract remains unaware of their existence. The take-down companies are reticent to exchange their feeds with each other, fearing that competitors with less comprehensive feeds might `free-ride’ off their efforts and stop investing resources to find new websites, as well as use the feeds to poach clients.
To help solve this problem, we propose the Phish-Market protocol, which enables companies with less comprehensive feeds to learn about websites impersonating their own clients that are held by other firms. The protocol is designed so that the contributing firm is compensated only for those websites affecting its competitor’s clients and only those previously unknown to the receiving firm. Crucially, the protocol does not reveal to the contributing source which URLs are needed by the receiver, as this is viewed as sensitive information by take-down firms.
The main problem in designing this protocol is making it efficient enough to be used in practice (a naive approach using generic cryptographic techniques, would be completely infeasible). I’ll describe the ideas behind the cryptographic design and talk a little about our implementation
If time permits, I will also give a brief introduction to the Qilin project, an outgrowth of our implementation effort. Qilin is a Java SDK for rapid prototyping of cryptographic protocols. The purpose of the Qilin project is to make it easier to implement the new cryptographic protocol you just read (or wrote) about in a recent crypto paper. To this end, the API attempts to use the concepts and language from the theory of cryptography. The SDK is open-sourced and available on the web.
The talk will be self-contained; I will attempt to explain the concepts at an intuitive level without using any math. In particular, no previous knowledge of cryptography will be required to understand the talk.
Based on joint work with Tyler Moore.