TY - GEN
T1 - POSH
T2 - 1st ACM Workshop on AISec, AISec'08, Co-located with the 15th ACM Computer and Communications Security Conference, CCS'08
AU - Daher, Waseem
AU - Canetti, Ran
PY - 2008
Y1 - 2008
N2 - A puzzle only solvable by humans, or POSH, is a prompt or question with three important properties: it can be generated by a computer, it can be answered consistently by a human, and a human answer cannot be efficiently predicted by a computer. In fact, unlike a CAPTCHA, a POSHdoes not necessarily have to be verifiable by a computer at all. One application of POSHes is a scheme proposed by Canetti et al. that limits off-line dictionary attacks against password-protected local storage, without the use of any secure hardware or secret storage. We explore the area of POSHes, implement several candidate POSHes and have users solve them, to evaluate their effectiveness. Given these data, we then implement the above scheme as an extension to the Mozilla Firefox web browser, where it is used to protect user certificates and saved passwords. In the course of doing so, we also define certain aspects of the threat model for our implementation (and the scheme) more precisely.
AB - A puzzle only solvable by humans, or POSH, is a prompt or question with three important properties: it can be generated by a computer, it can be answered consistently by a human, and a human answer cannot be efficiently predicted by a computer. In fact, unlike a CAPTCHA, a POSHdoes not necessarily have to be verifiable by a computer at all. One application of POSHes is a scheme proposed by Canetti et al. that limits off-line dictionary attacks against password-protected local storage, without the use of any secure hardware or secret storage. We explore the area of POSHes, implement several candidate POSHes and have users solve them, to evaluate their effectiveness. Given these data, we then implement the above scheme as an extension to the Mozilla Firefox web browser, where it is used to protect user certificates and saved passwords. In the course of doing so, we also define certain aspects of the threat model for our implementation (and the scheme) more precisely.
UR - http://www.scopus.com/inward/record.url?scp=70349263319&partnerID=8YFLogxK
U2 - 10.1145/1456377.1456379
DO - 10.1145/1456377.1456379
M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???
AN - SCOPUS:70349263319
SN - 9781605582917
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 1
EP - 10
BT - Proceedings of the 1st ACM Workshop on AISec, AISec'08, Co-located with the 15th ACM Computer and Communications Security Conference, CCS'08
Y2 - 27 October 2008 through 31 October 2008
ER -