
Security breakthrough kills 'evil twins'

by Robert Jaques

21 Feb 2005

Two US academics have promised to dramatically boost wireless networking security using a revolutionary identity authentication system.

Unveiled at the annual meeting of the American Association for the Advancement of Science, the 'delayed password disclosure protocol' was created by Markus Jakobsson and Steve Myers of Indiana University.

The pair said that the system may have applications in any environment where "mutual identity authentication" is required.

The protocol is designed to prevent consumers from being tricked into connecting to a fake wireless hub, a so-called evil twin, placed by hackers in public spaces alongside legitimate access points.

According to the academics, the protocol could also be used to fight phishing by notifying surfers that links included in a legitimate-looking email actually point to a fake website set up to steal sensitive information.

This information could include passwords and PINs to bank accounts, credit card numbers and account numbers for online fund transfer services.

In one possible application, the security protocol could be used to verify that two wireless devices trying to connect to each other do not mistakenly connect to another device, Jakobsson and Myers explained.

"It is difficult to say exactly what tactics network attackers are using right now because many people do not know they are being attacked. Nonetheless, criminals who have no greater passion than money laundering are already thinking out these kinds of projects," said Jakobsson.

Under the delayed password disclosure protocol, a remote user attempting to connect to the wireless network (or other resource protected by the protocol) does not send the password straight away. Instead, encrypted information is sent.

Using the system, the wireless network will only be able to decrypt this data if it knows the user's password. The legitimate wireless network is then able to decrypt the message and send the decrypted text back to the original user.

On seeing the message correctly decrypted, the user can be certain that the remote resource knows the password already. Only at this point is it safe for the user to log in using the password.
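The exchange described above, sketched as an added example that is not from the article or from Jakobsson and Myers: it models only the decrypt-and-echo check, not the actual cryptography of the delayed password disclosure protocol. The PBKDF2-derived pad, the function names and the sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def _pad(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte pad from the password and a fresh salt (assumed scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000, dklen=32)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def user_challenge(password: str):
    """User, step 1: send encrypted random data instead of the password."""
    salt = secrets.token_bytes(16)
    challenge = secrets.token_bytes(32)  # stays on the user's device
    # The ciphertext carries no integrity tag, so every password guess
    # decrypts it to *something*; the ciphertext alone confirms no guess.
    ciphertext = _xor(challenge, _pad(password, salt))
    return challenge, (salt, ciphertext)  # only (salt, ciphertext) is sent

def access_point_reply(known_password: str, message) -> bytes:
    """Network: decrypt with the password it holds and echo the plaintext."""
    salt, ciphertext = message
    return _xor(ciphertext, _pad(known_password, salt))

def safe_to_log_in(challenge: bytes, reply: bytes) -> bool:
    """User, step 2: the echo matches only if the peer already knew the password."""
    return hmac.compare_digest(challenge, reply)

def connect(user_password: str, access_point_password: str) -> bool:
    """Run one exchange; True means the user may now send the password."""
    challenge, message = user_challenge(user_password)
    reply = access_point_reply(access_point_password, message)
    return safe_to_log_in(challenge, reply)

if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    print("legitimate hub:", connect("s3cret-passphrase", "s3cret-passphrase"))
    print("evil twin:     ", connect("s3cret-passphrase", "wrong-guess"))
```

This sketch covers only the check against a peer that does not know the password; it does not address an eavesdropper who records a successful exchange.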

More details on the patent-pending protocol can be found in a technical document by Jakobsson here.

Jakobsson is hoping to have beta code for Windows and Mac computers in spring 2005, and code for common cellphone platforms later in the year.
