REVISITING DEFENSES AGAINST LARGE SCALE ONLINE PASSWORD GUESSING ATTACKS Mansour Alsaleh,Mohammad Mannan and P.C van Oorschot

Description: cs seminar

Page 1: Revisiting Defenses Against Large Scale Online Password Guessing Attacks

REVISITING DEFENSES AGAINST LARGE SCALE ONLINE

PASSWORD GUESSING ATTACKS

Mansour Alsaleh,Mohammad Mannan and P.C van Oorschot

Page 2: Revisiting Defenses Against Large Scale Online Password Guessing Attacks
Page 3: Revisiting Defenses Against Large Scale Online Password Guessing Attacks

CONTENTS

INTRODUCTION

PGRP

COOKIES Vs IP ADDRESS

COMPARISON WITH OTHER ATT BASED PROTOCOLS

LIMITATIONS

EMPIRICAL EVALUATION

CONCLUSION

Page 4: Revisiting Defenses Against Large Scale Online Password Guessing Attacks

INTRODUCTION

Online guessing attacks are commonly observed against web applications and SSH logins.

Automated Turing Tests (ATTs) limit the number of guesses that can be made from a single machine.

Focus on reducing user annoyance: legitimate users are challenged with fewer ATTs, while bot logins are subjected to more ATTs.

Introduces a new protocol, the Password Guessing Resistant Protocol (PGRP).

PGRP makes use of both cookies and IP addresses.

Page 5: Revisiting Defenses Against Large Scale Online Password Guessing Attacks

AUTOMATED TURING TEST

Page 6: Revisiting Defenses Against Large Scale Online Password Guessing Attacks

PASSWORD GUESSING RESISTANT PROTOCOL

FLOWCHART

START

Inputs: un, pw, cookie, W, FT, FS

[Flowchart figure; only its labels survive in the text. Node A tests F1 (LoginCorrect): the YES branch leads to node B, the NO branch to the failed-login path. Conditions F1 to F6 are defined on the next slide.]

Page 7: Revisiting Defenses Against Large Scale Online Password Guessing Attacks

[Flowchart, continued. From node B (F1 true) the protocol tests F2, then F3. From node A (F1 false) it tests F4, then F5, then F6. Actions and messages recoverable from the figure:]

F2 true, or F3 (ATT) passed: FS[srcIP,un]=0; add srcIP to W

F3 failed: "ATT challenge incorrect"

F4 true: FS[srcIP,un]=FS[srcIP,un]+1

F5 true: FT[un]=FT[un]+1

F6 passed: "un,pw is incorrect"

F6 failed: "ATT challenge is incorrect"

Page 8: Revisiting Defenses Against Large Scale Online Password Guessing Attacks

F1: LoginCorrect(un,pw)

F2: ((Valid(cookie,un,k1,true) ∨ ((srcIP,un) ∈ W)) ∧ (FS[srcIP,un] < k1)) ∨ (FT[un] < k2)

F3: (ATTChallenge() = pass)

F4: ((Valid(cookie,un,k1,false) ∨ ((srcIP,un) ∈ W)) ∧ (FS[srcIP,un] < k1))

F5: (validUsername(un) ∧ (FT[un] < k2))

F6: (ATTChallenge() = pass)

Page 9: Revisiting Defenses Against Large Scale Online Password Guessing Attacks

COOKIES Vs IP ADDRESS

Limitations of cookies:

Cookies require a browser interface.

Login will be difficult if the user is using multiple browsers.

Cookies may be deleted.

Limitations of IP addresses:

The same machine might be assigned different IP addresses.

A group of machines may be represented by a single IP address.

Page 10: Revisiting Defenses Against Large Scale Online Password Guessing Attacks

PGRP makes use of both IP addresses and cookies to minimise user inconvenience during the login process.

PGRP uses text-based CAPTCHAs.

Page 11: Revisiting Defenses Against Large Scale Online Password Guessing Attacks

DECISION FUNCTION FOR REQUESTING ATTs

The decision to challenge the user with an ATT depends on two factors:

1) whether the user has authenticated successfully from the same machine previously.

2) The total number of failed login attempts for a specific user account.

USERNAME-PASSWORD PAIR IS VALID

The user won't be asked to answer an ATT challenge if:

a valid cookie is received and FS[srcIP,un] is less than k1, or

the IP address is in the white list and FS[srcIP,un] is less than k1, or

FT[un] < k2

Page 12: Revisiting Defenses Against Large Scale Online Password Guessing Attacks

USERNAME-PASSWORD PAIR IS INVALID

The user won't be asked to answer an ATT challenge if:

a valid cookie is received and FS[srcIP,un] is less than k1, or

the IP address is in the white list and FS[srcIP,un] is less than k1, or

FT[un] < k2

OUTPUT MESSAGES

PGRP shows messages in case of:

an incorrect {username,password} pair

an incorrect answer to the ATT challenge.
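The conditions F1 to F6 and the decision rules for valid and invalid username-password pairs can be run end to end. What follows is an added example, not code from the authors of the paper or from these slides: a Python model of the PGRP login decision using the deck's own symbols W, FS, FT, k1 and k2. The user database, the cookie format, the ATT outcome and the values k1=30 and k2=3 are assumptions constructed for the example, and Valid(cookie,un,k1,loginOK) is modelled as "the cookie was issued for un and fewer than k1 failures have been charged to it", since the slides only name the function and its arguments.

```python
"""Added example (not the authors' code): a runnable model of the PGRP login
decision, following conditions F1-F6 and the actions on the flowchart.
Assumptions not stated on the slides: the user database, cookie format and
ATT outcome are constructed here; Valid(cookie,un,k1,loginOK) is modelled as
'cookie issued for un and fewer than k1 failures charged to it'; k1=30 and
k2=3 are chosen values."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass
class Cookie:
    un: str            # username the cookie was issued for
    fails: int = 0     # failed logins charged to this cookie (assumption)


@dataclass
class Outcome:
    message: str       # "granted" | "username/password incorrect" | "ATT challenge incorrect"
    att_asked: bool    # True if the client had to answer an ATT
    cookie: Optional[Cookie] = None


class PGRP:
    def __init__(self, passwords: Dict[str, str], att: Callable[[], bool],
                 k1: int = 30, k2: int = 3) -> None:
        self.passwords = passwords                 # un -> pw (constructed user DB)
        self.att = att                             # ATTChallenge(): True when passed
        self.k1, self.k2 = k1, k2
        self.W: Set[Tuple[str, str]] = set()       # whitelist of (srcIP, un) pairs
        self.FS: Dict[Tuple[str, str], int] = {}   # failed logins per (srcIP, un)
        self.FT: Dict[str, int] = {}               # failed logins per username

    def login_correct(self, un: str, pw: str) -> bool:
        return self.passwords.get(un) == pw

    def valid_username(self, un: str) -> bool:
        return un in self.passwords

    def valid(self, cookie: Optional[Cookie], un: str, k1: int, login_ok: bool) -> bool:
        # Assumed semantics: issued for un and under k1 failures; a failed
        # login presented with the cookie charges one failure to it.
        if cookie is None or cookie.un != un or cookie.fails >= k1:
            return False
        if not login_ok:
            cookie.fails += 1
        return True

    def login(self, un: str, pw: str, src_ip: str,
              cookie: Optional[Cookie] = None) -> Outcome:
        key = (src_ip, un)
        fs, ft = self.FS.get(key, 0), self.FT.get(un, 0)
        if self.login_correct(un, pw):                                   # F1
            f2 = ((self.valid(cookie, un, self.k1, True) or key in self.W)
                  and fs < self.k1) or ft < self.k2                      # F2
            if f2 or self.att():                                         # F3 only if F2 fails
                self.FS[key] = 0
                self.W.add(key)
                return Outcome("granted", att_asked=not f2, cookie=Cookie(un))
            return Outcome("ATT challenge incorrect", att_asked=True)
        if ((self.valid(cookie, un, self.k1, False) or key in self.W)
                and fs < self.k1):                                       # F4
            self.FS[key] = fs + 1
            return Outcome("username/password incorrect", att_asked=False)
        if self.valid_username(un) and ft < self.k2:                     # F5
            self.FT[un] = ft + 1
            return Outcome("username/password incorrect", att_asked=False)
        if self.att():                                                   # F6
            return Outcome("username/password incorrect", att_asked=True)
        return Outcome("ATT challenge incorrect", att_asked=True)


def scenario() -> dict:
    """Constructed walk-through: user alice plus a guessing bot on another IP."""
    human = {"present": False}                  # whether a person is answering ATTs
    pgrp = PGRP({"alice": "correct horse battery"}, att=lambda: human["present"])
    r = {}
    r["first"] = pgrp.login("alice", "correct horse battery", "198.51.100.7")
    r["typo"] = pgrp.login("alice", "correct horse batery", "198.51.100.7")
    r["retry"] = pgrp.login("alice", "correct horse battery", "198.51.100.7")
    r["roaming"] = pgrp.login("alice", "correct horse battery", "192.0.2.44",
                              cookie=r["first"].cookie)
    # Bot: three wrong guesses cost nothing, the fourth triggers an ATT it cannot pass
    r["guesses"] = [pgrp.login("alice", f"guess{i}", "203.0.113.9") for i in range(4)]
    r["lucky"] = pgrp.login("alice", "correct horse battery", "203.0.113.9")
    # Cost of the attack to alice: a new machine without a cookie now needs an ATT
    human["present"] = True
    r["after_attack"] = pgrp.login("alice", "correct horse battery", "192.0.2.99")
    return r


if __name__ == "__main__":
    for name, out in scenario().items():
        print(name, [o.message for o in out] if isinstance(out, list) else out)
```

Running the scenario shows the trade-off the deck describes: alice logs in without an ATT from her whitelisted machine or with her cookie, even after a typo; a bot guessing her password from elsewhere gets only k2 free failures and is then challenged on every attempt, including the one with the right password; and the price of that attack is a single ATT for alice the next time she logs in from an unknown machine without a cookie.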

Page 13: Revisiting Defenses Against Large Scale Online Password Guessing Attacks

WHY NOT BLACKLIST OFFENDING IP ADDRESSES?

The list may consume considerable memory.

Legitimate users behind a blacklisted IP address could be blocked.

Page 14: Revisiting Defenses Against Large Scale Online Password Guessing Attacks

COMPARISON WITH OTHER ATT BASED PROTOCOLS

SECURITY ANALYSIS

SINGLE ACCOUNT ATTACKS

Based on 4 questions:

Q1. What is the expected number of passwords that an adversary can eliminate from the password space without answering any ATT challenge?

Q2. What is the expected number of ATT challenges an adversary must answer to correctly guess a password?

Q3. What is the probability of a confirmed correct guess for an adversary unwilling to answer any ATT?

Q4. What is the probability of a confirmed correct guess for an adversary willing to answer c ATTs?

Page 15: Revisiting Defenses Against Large Scale Online Password Guessing Attacks

FINDINGS:

• PGRP provides improved security over the PS and VS protocols.

• Identical security to the strawman protocol.

Page 16: Revisiting Defenses Against Large Scale Online Password Guessing Attacks

MULTIACCOUNT ATTACKS

Based on 2 questions:

Q1. What is the probability that an adversary knowing m usernames can correctly guess a password without answering any ATT challenge?

Q2. What is the probability of a confirmed correct guess for an adversary knowing m usernames and willing to answer c ATTs?

Page 17: Revisiting Defenses Against Large Scale Online Password Guessing Attacks

USABILITY COMMENTS ON ATT CHALLENGES

Different scenarios:

First time login from an unknown machine.

Subsequent login from a known machine

Valid password is provided

Invalid password

Invalid Username

Page 18: Revisiting Defenses Against Large Scale Online Password Guessing Attacks

SYSTEM RESOURCES

No list is maintained in the PS protocol.

FT is maintained in the VS protocol.

Information on generated cookies is maintained in all three protocols.

The most expensive operation is generating ATTs.

PGRP maintains W, FS and FT.

Page 19: Revisiting Defenses Against Large Scale Online Password Guessing Attacks

LIMITATIONS

Page 20: Revisiting Defenses Against Large Scale Online Password Guessing Attacks

EMPIRICAL EVALUATION

DATA SETS

Analysis based on 2 datasets:

SSH Server log

EMAIL Server log

Page 21: Revisiting Defenses Against Large Scale Online Password Guessing Attacks

ANALYSIS OF RESULT

Results are analysed from several perspectives:

The number of successful login attempts: the larger the ratio of successful logins without answering an ATT to total successful logins, the more convenient the user experience.

The number of unique usernames in successful logins: fewer valid users were asked to answer an ATT in PGRP.

The number of failed login attempts with valid usernames: lower in PGRP.

The number of unique valid usernames in failed logins: large decrease in the case of PGRP.

The number of failed login attempts with invalid usernames: in PGRP, these trigger ATTs.

Page 22: Revisiting Defenses Against Large Scale Online Password Guessing Attacks

CONCLUSION

PGRP is more restrictive against brute-force and dictionary attacks.

Provides a more convenient login experience.

Suitable for both large and small organisations.


Page 24: Revisiting Defenses Against Large Scale Online Password Guessing Attacks

THANK YOU