REVISITING DEFENSES AGAINST LARGE SCALE ONLINE PASSWORD GUESSING ATTACKS
Presentation Transcript
Revisiting defenses against large scale online password guessing attacks

REVISITING DEFENSES AGAINST LARGE SCALE ONLINE PASSWORD GUESSING ATTACKS

Mansour Alsaleh,Mohammad Mannan and P.C van Oorschot


  • CONTENTS

  • INTRODUCTION

  • PGRP

  • COOKIES Vs IP ADDRESS

  • COMPARISON WITH OTHER ATT BASED PROTOCOLS

  • LIMITATIONS

  • EMPIRICAL EVALUATION

  • CONCLUSION


  • INTRODUCTION

  • Online guessing attacks are commonly observed against web applications and SSH logins.

  • Automated Turing Tests (ATTs) limit the number of guesses from a single machine.

  • The focus is on reducing user annoyance by challenging legitimate users with fewer ATTs and subjecting bot logins to more ATTs.

  • The paper introduces a new protocol, the Password Guessing Resistant Protocol (PGRP).

  • PGRP makes use of both cookies and IP addresses.


AUTOMATED TURING TEST


PASSWORD GUESSING RESISTANT PROTOCOL

FLOWCHART (rendered as text from the slide's boxes and arrows; F1 to F6 are the conditions defined on the following slide)

START: inputs un, pw, cookie, W, FT, FS

If F1 (login correct) → branch A, otherwise → branch B

Branch A (un,pw correct):
  If F2 → FS[srcIP,un]=0; Add srcIP to W (login succeeds without an ATT)
  Else if F3 (ATT challenge passed) → FS[srcIP,un]=0; Add srcIP to W (login succeeds)
  Else → "ATT challenge incorrect"

Branch B (un,pw incorrect):
  If F4 → FS[srcIP,un]=FS[srcIP,un]+1; "Un,pw is incorrect"
  Else if F5 → FT[un]=FT[un]+1; "Un,pw is incorrect"
  Else if F6 (ATT challenge passed) → "Un,pw is incorrect"
  Else → "ATT challenge is incorrect"


CONDITIONS USED IN THE FLOWCHART

F1: LoginCorrect(un,pw)

F2: ((Valid(cookie,un,k1,true) ∨ (srcIP,un) ∈ W) ∧ (FS[srcIP,un] < k1)) ∨ (FT[un] < k2)

F3: ATTChallenge() = pass

F4: (Valid(cookie,un,k1,false) ∨ (srcIP,un) ∈ W) ∧ (FS[srcIP,un] < k1)

F5: ValidUsername(un) ∧ (FT[un] < k2)

F6: ATTChallenge() = pass


COOKIES Vs IP ADDRESS

  • DECISION FUNCTION FOR REQUESTING ATTs

  • The decision to challenge the user with an ATT depends on two factors:

  • 1) Whether the user has authenticated successfully from the same machine previously.

  • 2) The total number of failed login attempts for a specific user account.

  • USERNAME PASSWORD PAIR IS VALID

  • The user won't be asked to answer an ATT challenge if:

  • a valid cookie is received and FS[srcIP,un] is less than k1, or

  • the IP address is in the white list and FS[srcIP,un] is less than k1, or

  • FT[un] < k2


  • USERNAME PASSWORD PAIR IS INVALID

  • The user won't be asked to answer an ATT challenge if:

  • a valid cookie is received and FS[srcIP,un] is less than k1, or

  • the IP address is in the white list and FS[srcIP,un] is less than k1, or

  • the username is valid and FT[un] < k2

    OUTPUT MESSAGES

    PGRP shows a message in the case of:

  • an incorrect {username,password} pair

  • an incorrect answer to the ATT challenge.
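The decision function above and the flowchart conditions F1 to F6, as an added Python model that is not the paper's or the authors' code: the thresholds k1 and k2, the plain-text user table and the cookie-validity rule are assumptions chosen for the demo.

```python
# Added example (not the paper's code): a minimal model of the PGRP login
# decision following conditions F1..F6; k1, k2 and the cookie model are assumed.
K1 = 30   # assumed: max failed attempts tolerated per known (srcIP, un) pair
K2 = 3    # assumed: max failed attempts per account from unknown sources


class PGRP:
    def __init__(self, users, k1=K1, k2=K2):
        self.users = users          # un -> pw; plain text only for this demo
        self.k1, self.k2 = k1, k2
        self.W = set()              # whitelist of (srcIP, un) pairs
        self.FS = {}                # FS[(srcIP, un)]: failures from known sources
        self.FT = {}                # FT[un]: failures from unknown sources

    def valid_cookie(self, cookie, un, success):
        """Simplified Valid(cookie, un, k1, flag): the cookie must name this
        user and carry fewer than k1 failures; the flag resets (True) or bumps
        (False) the cookie's own failure counter. Assumed model."""
        if not cookie or cookie.get("un") != un or cookie.get("fails", 0) >= self.k1:
            return False
        cookie["fails"] = 0 if success else cookie.get("fails", 0) + 1
        return True

    def login(self, un, pw, src_ip, cookie=None, att_answer=None):
        """Return (message, att_was_requested). att_answer is None when no
        ATT has been answered yet, True if it was solved, False if not."""
        key = (src_ip, un)
        fs, ft = self.FS.get(key, 0), self.FT.get(un, 0)

        def grant(att_used):                 # FS[srcIP,un]=0; Add srcIP to W
            self.FS[key] = 0
            self.W.add(key)
            return ("access granted", att_used)

        if self.users.get(un) == pw:                                   # F1
            known = self.valid_cookie(cookie, un, True) or key in self.W
            if (known and fs < self.k1) or ft < self.k2:               # F2
                return grant(False)
            if att_answer is None:                                     # F3
                return ("ATT required", True)
            return grant(True) if att_answer else ("ATT challenge incorrect", True)
        known = self.valid_cookie(cookie, un, False) or key in self.W
        if known and fs < self.k1:                                     # F4
            self.FS[key] = fs + 1
            return ("username/password incorrect", False)
        if un in self.users and ft < self.k2:                          # F5
            self.FT[un] = ft + 1
            return ("username/password incorrect", False)
        if att_answer is None:                                         # F6
            return ("ATT required", True)
        return ("username/password incorrect" if att_answer else "ATT challenge incorrect", True)
```

Running it shows the usability point of the slides: a legitimate first login from an unknown machine passes without an ATT while FT[un] is below k2, guesses against an account from unknown addresses hit the ATT wall after k2 failures, and attempts on an invalid username always trigger an ATT.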


  • COMPARISON WITH OTHER ATT BASED PROTOCOLS

  • SECURITY ANALYSIS

  • SINGLE ACCOUNT ATTACKS

    Based on 4 questions:

    Q1. What is the expected number of passwords that an adversary can eliminate from the password space without answering any ATT challenge?

    Q2. What is the expected number of ATT challenges an adversary must answer to correctly guess a password?

    Q3. What is the probability of a confirmed correct guess for an adversary unwilling to answer any ATT?

    Q4. What is the probability of a confirmed correct guess for an adversary willing to answer c ATTs?


  • FINDINGS:

  • PGRP provides improved security over the PS and VS protocols.

  • Identical security to the Strawman protocol.


  • MULTIACCOUNT ATTACKS

    Based on 2 questions:

    Q1. What is the probability that an adversary knowing m usernames can correctly guess a password without answering any ATT challenge?

    Q2. What is the probability of a confirmed correct guess for an adversary knowing m usernames and willing to answer c ATTs?


  • USABILITY COMMENTS ON ATT CHALLENGES

  • Different scenarios:

  • First time login from an unknown machine.

  • Subsequent login from a known machine

  • Valid password is provided

  • Invalid password

  • Invalid Username


  • SYSTEM RESOURCES

  • No list maintained in PS protocol

  • FT is maintained in VS protocol

  • Information of generated cookie is maintained in all three protocols

  • Most expensive operation is generating ATTs

  • PGRP maintains W,FS,FT


LIMITATIONS


  • EMPIRICAL EVALUATION

  • DATA SETS

    Analysis based on 2 datasets.

  • SSH Server log

  • EMAIL Server log


  • ANALYSIS OF RESULT

  • The results are examined from several perspectives:

  • The number of successful login attempts: the larger the ratio of successful logins without answering an ATT to total successful logins, the more convenient the user experience.

  • The number of unique usernames in successful logins: fewer valid users were asked to answer an ATT in PGRP.

  • The number of failed login attempts with valid usernames: fewer in PGRP.

  • The number of unique valid usernames in failed logins: a large decrease in the case of PGRP.

  • The number of failed login attempts with invalid usernames: in PGRP, these trigger ATTs.


  • CONCLUSION

  • PGRP is more restrictive against brute force and dictionary attacks.

  • It provides a more convenient login experience.

  • It is suitable for both large and small organisations.




THANK YOU