Presentation is loading. Please wait.

Presentation is loading. Please wait.

REVISITING DEFENSES AGAINST LARGE SCALE ONLINE PASSWORD GUESSING ATTACKS Mansour Alsaleh,Mohammad Mannan and P.C van Oorschot.

Published byAmos Ward Modified over 5 years ago

Similar presentations

Presentation on theme: "REVISITING DEFENSES AGAINST LARGE SCALE ONLINE PASSWORD GUESSING ATTACKS Mansour Alsaleh,Mohammad Mannan and P.C van Oorschot."— Presentation transcript:

1 REVISITING DEFENSES AGAINST LARGE SCALE ONLINE PASSWORD GUESSING ATTACKS
Mansour Alsaleh,Mohammad Mannan and P.C van Oorschot

2

3 CONTENTS INTRODUCTION PGRP COOKIES Vs IP ADDRESS
COMPARISON WITH OTHER ATT BASED PROTOCOLS LIMITATIONS EMPIRICAL EVALUATION CONCLUSION

4 INTRODUCTION Online guessing attacks are commonly observed against web applications and SSH logins Automated Turing Tests-Limits the number of guesses from a single machine. Focus on reducing user annoyance by challenging users with fewer ATTs and subjecting bot logins to more ATTs. Introduces a new protocol called password guessing resistant protocol. PGRP make use of both cookies and IP address.

5 AUTOMATED TURING TEST

6 PASSWORD GUESSING RESISTANT PROTOCOL
FLOWCHART START Un,pw,cookie,W,FT,FS If F 1 B NO YES A

7 B A NO NO If F2 If F3 YES If F4 YES YES NO YES If F5 NO If f6 NO Else
FS[srcIP,un]=FS[srcIP,un]+1 YES ATTchallenge incorrect If F4 YES YES NO FS[srcIP,un]=0 Add srcIP to W FS[srcIP,un]=0 Add srcIP to W YES FT[un]=FT[un]+1 If F5 NO If f6 Un,pw is incorrect ATT challenge is incorrect NO Else

8 F2—((Valid(cookie,un,k1,true)V((srcIP,un) c w))
(FS[srcIP,un]<k1)) (FT[un]<k2) F3—(ATTChallenge()=pass) F4—((Valid(cookie,un,k1,false)V((srcIP,un) c w)) (FS[srcIP,un]<K1) F5—(validUsername(un) (FT[un]<k2) F6—(ATTChallenge()=pass) F1—LoginCorrect(un,pw)

9 COOKIES Vs IP ADDRESS 9 Cookies require browser interface
Same machine might be assigned different IP address Login will be difficult if user is using mulitiple browsers Group of machines may be represented by a single IP address Cookies may be deleted

10 PGRP make use of both IP address and cookies to minimize user inconvenience during login process.
PGRP uses text based CAPTCHA.

11 DECISION FUNCTION FOR REQUESTING ATTs
The decision to challenge the user with an ATT depends on two factors: 1) whether the user has authenticated successfully from the same machine previously. 2) The total number of failed login attempts for a specific user account. USERNAME PASSWORD PAIR IS VALID The user wont be asked to answer an ATT challenge if valid cookie is received and FS[srcIP,un] is less than k1 IP address is in white list and FS[srcIP,un] is less than k1 FT[un]<k2

12 USERNAME PASSWORD IS INVALID
User wont be asked to answer ATT challenge if valid cookie is received and FS[srcIP,un] is less than k1 IP address is in white list and FS[srcIP,un] is less than k1 FT[un]<k2 OUTPUT MESSAGES PGRP shows messages in case of incorrect {username,password} pair incorrect answer to the ATT challenge.

13 WHY NOT TO BLACKLIST OFFENDING IP ADDRESSES?
List may consume considerable memory. Legitimate users from blacklisted IP address could be blocked

14 COMPARISON WITH OTHER ATT BASED PROTOCOLS
SECURITY ANALYSIS SINGLE ACCOUNT ATTACKS Based on 4 questions: Q1. What is the expected number of passwords that an adversary can eliminate from the password space without answering any ATT challenge? Q2. What is the expected number of ATT challenges an adversary must answer to correctly guess a password? Q3. What is the probability of a confirmed correct guess for an adversary unwilling to answer any ATT? Q4. What is the probability of a confirmed correct guess for an adversary willing to answer c ATTs?

15 FINDINGS: PGRP provides improved security over PS and VS protocols. Identical security with Strawmann protocol.

16 MULTIACCOUNT ATTACKS Based on 2 questions Q1. What is the probability that an adversary knowing m usernames can correctly guess a password without answering any ATT challenge? Q2. What is the probability of a confirmed correct guess for an adversary knowing m usernames and willing to answer c ATTs?

17 USABILITY COMMENTS ON ATT CHALLENGES
Different scenarios: First time login from an unknown machine. Subsequent login from a known machine Valid password is provided Invalid password Invalid Username

18 SYSTEM RESOURCES No list maintained in PS protocol
FT is maintained in VS protocol Information of generated cookie is maintained in all three protocols Most expensive operation is generating ATTs PGRP maintains W,FS,FT

19 LIMITATIONS

20 EMPIRICAL EVALUATION DATA SETS Analysis based on 2 datasets.
SSH Server log Server log

21 ANALYSIS OF RESULT Done on different perspective. The no of successful login attempts—Larger the ratio of successful login without answering ATT to total successful login,the more convenient is user experience. The no of unique usernames in successful logins—Less no of valid users were asked to answer the ATT in PGRP The no of failed login attempts with valid usernames—Less in PGRP The no of unique valid usernames in failed logins–Large decrease in case of PGRP The no of failed login attempts with invalid usernames—In PGRP,it triggers ATTs

22 CONCLUSION PGRP is more restrictive against brute force and dictionary attacks Provide more convenient login experience Suitable for large and small no of organisations

23 REFERENCES [1] Amazon Mechanical Turk. https://www.mturk.com/mturk/,
June 2010. [2] S.M. Bellovin, “A Technique for Counting Natted Hosts,” Proc. ACM SIGCOMM Workshop Internet Measurement, pp , 2002. [3] E. Bursztein, S. Bethard, J.C. Mitchell, D. Jurafsky, and C. Fabry, “How Good Are Humans at Solving CAPTCHAs? A Large Scale Evaluation,” Proc. IEEE Symp. Security and Privacy, May 2010.

24 THANK YOU

Download ppt "REVISITING DEFENSES AGAINST LARGE SCALE ONLINE PASSWORD GUESSING ATTACKS Mansour Alsaleh,Mohammad Mannan and P.C van Oorschot."

Similar presentations

Securing Passwords against Dictionary Attacks

Securing Passwords against Dictionary Attacks
MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.

MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.
ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.

ATTACKING AUTHENTICATION The Web Application Hacker’s Handbook, Ch. 6 Presenter: Jie Huang 10/31/2012.
Networks. User access and levels Most network security involves users having different levels of user access to the network. The network manager will.

Networks. User access and levels Most network security involves users having different levels of user access to the network. The network manager will.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 Authentication and access control.

Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 Authentication and access control.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
1 Authentication CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 11, 2004.

1 Authentication CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 11, 2004.
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.
1 Securing Passwords Against Dictionary Attacks Base on an article by Benny Pinkas & Tomas Sander 2002 Presented by Tomer Conforti.

1 Securing Passwords Against Dictionary Attacks Base on an article by Benny Pinkas & Tomas Sander 2002 Presented by Tomer Conforti.
11 CONFIGURE INTERNET EXPLORER Chapter 5. Chapter 5: Configure Internet Explorer2 CHAPTER OVERVIEW AND OBJECTIVES  Configuring Accessibility and Language.

11 CONFIGURE INTERNET EXPLORER Chapter 5. Chapter 5: Configure Internet Explorer2 CHAPTER OVERVIEW AND OBJECTIVES  Configuring Accessibility and Language.
Authentication Deniable Authentication Protection Against Dictionary Attacks Isidora Petreska Dimitar Gosevski and.

Authentication Deniable Authentication Protection Against Dictionary Attacks Isidora Petreska Dimitar Gosevski and.
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel 434920317 1.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
CSC 386 – Computer Security Scott Heggen. Agenda Authentication.

CSC 386 – Computer Security Scott Heggen. Agenda Authentication.
AIS, 20141 Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)

AIS, Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)
Enforcing Concurrent Logon Policies with UserLock.

Enforcing Concurrent Logon Policies with UserLock.
1 Authentication and access control overview. 2 Outline Definitions Authentication Factors Evaluation Examples  Focus on password problems and alternatives.

1 Authentication and access control overview. 2 Outline Definitions Authentication Factors Evaluation Examples  Focus on password problems and alternatives.
Multiple Password Interference in text Passwords and click based Graphical Passwords by Sonia Chiasson, Alian Forget, Elizabeth Stobert, PC van Oorschot.

Multiple Password Interference in text Passwords and click based Graphical Passwords by Sonia Chiasson, Alian Forget, Elizabeth Stobert, PC van Oorschot.
An Empirical Study of Visual Security Cues to Prevent the SSLstripping Attack Dongwan Shin and Rodrigo Lopes In Proc. 27 th Annual Computer Security Applications.

An Empirical Study of Visual Security Cues to Prevent the SSLstripping Attack Dongwan Shin and Rodrigo Lopes In Proc. 27 th Annual Computer Security Applications.

Similar presentations

Ads by Google