Journal: Highly Available Systems, No. 1, 2022
Article in this issue:
On the issue of recognizing fraudulent Websites
Type of article: scientific article
DOI: https://doi.org/10.18127/j20729472-202201-02
UDC: 681.3
Authors:

D.A. Melnikov

Federal Research Center «Computer Science and Control» of the Russian Academy of Sciences (Moscow, Russia)
National Research Nuclear University «MEPhI», Financial University under the Government of the Russian Federation

Abstract:

The article is devoted to the problem of identifying and authenticating electronic service providers (Web site owners). This problem remains practically unsolved and requires a prompt and reliable solution, in particular for services provided over the World Wide Web and for managing the security of the information and telecommunications infrastructure of the Russian digital economy.

One of the fundamental concepts used in authentication systems is identity. The ability to represent and recognize objects in computer networks is of fundamental importance for systems of electronic interaction and cooperation, and is the functional foundation of almost all information security management systems. Thus, the transition of the Russian economy to the «digital rails» will require a unified system for identifying the subjects and objects that make up the information technology infrastructure of the digital economy, as well as a reliable system for authenticating them.

The recognition of fake (fraudulent) Web sites is based on a method in which the user verifies and confirms the authenticity of the provider's public key certificate. The method requires the user to have specialized software installed on his computer or smartphone; on the user's command, that software carries out the procedures for verifying and confirming the authenticity of the provider's public key certificate. The paper proposes two options for detecting fraudulent Web sites, determined by which public key certificate the attacker uses: either a stolen public key certificate belonging to the legitimate electronic service provider whose Web site the attacker imitates, or the attacker's own public key certificate obtained electronically from a foreign certification authority.

Pages: 16-25
For citation

Melnikov D.A. On the issue of recognizing fraudulent Websites. Highly Available Systems. 2022. V. 18. № 1. P. 16−25. DOI: https://doi.org/10.18127/j20729472-202201-02 (in Russian)

Date of receipt: 24.01.2022
Approved after review: 03.02.2022
Accepted for publication: 28.02.2022