MIT Technology Review

Three cryptographers at Stanford University recently came up with a clever solution to the persistent problem of identity theft on the Internet. Wily hackers in Russia, China, and other countries send out piles of e-mail messages that look as if they came from some financial institution such as Citibank or PayPal. Millions of consumers get these messages, which have embedded HTML links that take the unsuspecting recipient to look-alike websites run in faraway places. You're prompted to enter a username and password and then, wham, the hacker has the keys to your bank account.

But good usernames and passwords typed at bad websites aren't the only such threat that consumers face. A potentially larger problem is that many people use the same username and password combination at multiple sites. This makes memorization easier, but it means that an unscrupulous website operator can take a list of usernames and passwords from, say, an Internet sweepstakes site and use it to try to break into online bank accounts.

So Stanford cryptographers Blake Ross, Dan Boneh, and John Mitchell have designed a clever plug-in for Internet Explorer that solves this problem by scrambling what you type into the password field so that every website sees a different password: a password that's based both on what you type and on the domain of the website itself.

Now, lots of people use some variant on this strategy. Their Hotmail password might be nosmis-hotmail while their Yahoo! Personals password is nosmis-Yahoo! But any strategy like this is pretty simple to decipher. The password scrambling method that the Stanford trio has devised is based on a mathematical function called a cryptographic hash, a kind of one-way function that transforms what the user types into a jumble of numbers and letters in a way that cannot be reversed. Because the Stanford system calculates the cryptographic hash of both the website's domain and the user's password, the hacker gets different passwords than the legitimate ones. (Click here to find details about this clever solution.)

One company that's using cryptographic hashes in a very public way is Yahoo! Last year, Yahoo! redesigned the login process to its website to make it sniff-proof. The standard way to do this is to use encryption. But encryption can be slow, especially when you are running one of the most popular sites on the Internet.

So what Yahoo! did instead was to modify its login page to use a so-called challenge-response system based on a cryptographic hash. When you try to log in, Yahoo!'s server downloads to your browser a cryptographic hash function written in JavaScript. Along with this function is a "challenge," a short sequence of letters and numbers. When you type your password into the login screen, your browser takes your password, appends these characters provided by Yahoo!, and calculates the cryptographic hash of the resulting string. The browser then sends the resulting value back to Yahoo!, no encryption needed. Even if you are at a cybercafe having your Web traffic sniffed by Belgian hackers, there's no way for the bad guys to take the resulting hash value and derive your original password.

This clever "challenge-response" system is also at the base of the Mobil Speedpass system: it's what makes the Speedpass radio frequency identification (RFID) tag so difficult to clone. Other RFID systems don't use challenge-response, which makes attacking them comparatively easy.

But what is this cryptographic hash function, anyway?
