Saphe Solution Overview

Prior knowledge

The Saphe solution documentation assumes that the reader has some understanding of how the Internet works (for example: IP addresses and routing, HTTP, etc.) and a basic understanding of cryptographic concepts (AES, SHA-1, HMAC, SSL, etc.).

Overview

The purpose of Saphe is to prevent the user's password from ever being sent unencrypted or to the wrong server. It does not matter if the user was somehow solicited to connect to a malicious server; unless the server can authenticate itself to the to user - his personal information is saphe!

It is assumed that any web-site or web-based service that is valuable enough to be Phished requires a password to identify its users, and that the objective of any Phishing attack is first and foremost to obtain this password.

Therefore, the Saphe solution relies on the fact that both the user and the real server have knowledge of this password and that any would-be attacker does not (or else there is no point to conduct a Phishing attack in the first place) in order to identify the server to the user. After the server was successfully – and automatically – identified as the real server, a secure (SSL) connection is established between the client and the server, through which the password can be sent to the server in order to identify the user to the server. After that the login process continues normally.

However, proving that the server at the other end of the line is in fact the real server is not enough - we also need to ensure that there is no Man-in-the-Middle of any type. To solve this problem, the Saphe solution uses the user password to encrypt data which can prove to the user that the connection is indeed tamper-free.

Note that any denial-of-service attack is acceptable, as long as the user's private information has not been compromised. This solution does not include any protection from DoS attacks.

The solution is presented in detail in a following section. But before that, a few basic security-related assumptions are listed.

Back to main Saphe project page

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License