REVISITING DEFENSES AGAINST LARGE SCALE ONLINE PASSWORD GUESSING ATTACKS Mansour Alsaleh,Mohammad Mannan and P.C van Oorschot.

CONTENTS  INTRODUCTION  PGRP  COOKIES Vs IP ADDRESS  COMPARISON WITH OTHER ATT BASED PROTOCOLS  LIMITATIONS  EMPIRICAL EVALUATION  CONCLUSION

INTRODUCTION  Online guessing attacks are commonly observed against web applications and SSH logins.  Automated Turing Tests (ATTs) limit the number of guesses an attacker can make from a single machine.  The focus is on reducing user annoyance by challenging legitimate users with fewer ATTs while subjecting bot logins to more ATTs.  The paper introduces a new protocol, the Password Guessing Resistant Protocol (PGRP).  PGRP makes use of both cookies and IP addresses to decide when an ATT is required.

AUTOMATED TURING TEST

PASSWORD GUESSING RESISTANT PROTOCOL FLOWCHART
Inputs: un (username), pw (password), cookie. Server state: W (whitelist of (srcIP, un) pairs), FT[un] (failed login count per username), FS[srcIP,un] (failed login count per source IP and username). Thresholds: k1, k2.

Conditions:
F1: LoginCorrect(un, pw)
F2: ((Valid(cookie, un, k1, true) ∨ ((srcIP, un) ∈ W)) ∧ (FS[srcIP,un] < k1)) ∨ (FT[un] < k2)
F3: ATTChallenge() = pass
F4: (Valid(cookie, un, k1, false) ∨ ((srcIP, un) ∈ W)) ∧ (FS[srcIP,un] < k1)
F5: validUsername(un) ∧ (FT[un] < k2)
F6: ATTChallenge() = pass

Flow:
If F1 (username/password pair is correct):
  If F2: FS[srcIP,un] = 0; add (srcIP, un) to W; grant access without an ATT
  Else if F3: FS[srcIP,un] = 0; add (srcIP, un) to W; grant access
  Else: "ATT challenge is incorrect"
Else (username/password pair is incorrect):
  If F4: FS[srcIP,un] = FS[srcIP,un] + 1; "username/password is incorrect"
  Else if F5: FT[un] = FT[un] + 1; "username/password is incorrect"
  Else if F6: "username/password is incorrect"
  Else: "ATT challenge is incorrect"

COOKIES Vs IP ADDRESS
Cookies:  require a browser interface  login is difficult if the user uses multiple browsers  cookies may be deleted
IP address:  the same machine may be assigned different IP addresses over time  a group of machines (e.g. behind NAT) may be represented by a single IP address

 PGRP makes use of both IP addresses and cookies to minimize user inconvenience during the login process.  PGRP uses a text-based CAPTCHA as its ATT.

DECISION FUNCTION FOR REQUESTING ATTs The decision to challenge the user with an ATT depends on two factors: 1) whether the user has previously authenticated successfully from the same machine (a valid cookie or a whitelisted IP address); 2) the total number of failed login attempts for the specific user account (FT[un]). USERNAME/PASSWORD PAIR IS VALID The user won't be asked to answer an ATT challenge if any of the following holds:  a valid cookie is received and FS[srcIP,un] is less than k1  the IP address is in the whitelist W and FS[srcIP,un] is less than k1  FT[un] is less than k2

USERNAME/PASSWORD PAIR IS INVALID The user won't be asked to answer an ATT challenge if any of the following holds:  a valid cookie is received and FS[srcIP,un] is less than k1 (FS[srcIP,un] is then incremented)  the IP address is in the whitelist W and FS[srcIP,un] is less than k1 (FS[srcIP,un] is then incremented)  the username is valid and FT[un] is less than k2 (FT[un] is then incremented) Otherwise an ATT is required; an invalid username therefore always triggers an ATT. OUTPUT MESSAGES PGRP shows only two messages:  incorrect {username,password} pair  incorrect answer to the ATT challenge. A failed ATT produces only the second message, whether or not the password was correct, so an adversary who will not answer ATTs learns nothing about the guess.
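The flowchart conditions F1 to F6 and the decision rules above, as a runnable Python model. This is an added example, not the paper's reference implementation. Details the slides do not fix are assumed here: the cookie carries its own failure counter that Valid() resets on a correct login and increments on a failed one; k1 = 30 and k2 = 3 are illustrative thresholds; the expiry timers for W, FS and FT are not modelled; the ATT is abstracted as a callback that reports whether the client solved it. The helper free_guesses() shows the single-account attacker's view: from a fresh IP with no cookie, exactly k2 guesses are accepted before an ATT is demanded.

```python
# PGRP login decision logic reconstructed from the flowchart conditions F1-F6.
# Added example (not the paper's reference code). Assumed details: cookie failure
# counter semantics of Valid(), k1=30 / k2=3 defaults, no expiry timers, ATT as a
# callback. Passwords are stored in plaintext only to keep the toy short.
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Cookie:
    un: str            # username the cookie was issued for
    failures: int = 0  # failed logins seen with this cookie (assumed field)


@dataclass
class Result:
    granted: bool
    att_asked: bool                  # True if an ATT was presented on this attempt
    message: str
    cookie: Optional[Cookie] = None  # fresh cookie returned on a successful login


@dataclass
class PGRP:
    users: dict                      # un -> password
    k1: int = 30
    k2: int = 3
    W: set = field(default_factory=set)     # whitelisted (srcIP, un) pairs
    FS: dict = field(default_factory=dict)  # (srcIP, un) -> failures from that source
    FT: dict = field(default_factory=dict)  # un -> failures from unknown sources

    def valid(self, cookie: Optional[Cookie], un: str, state: bool) -> bool:
        """Valid(cookie, un, k1, state): cookie belongs to un and has < k1 failures.
        Assumed: state=True (correct login) resets the counter, False increments it."""
        if cookie is None or cookie.un != un or cookie.failures >= self.k1:
            return False
        cookie.failures = 0 if state else cookie.failures + 1
        return True

    @staticmethod
    def att_passed(solve_att: Optional[Callable[[], bool]]) -> bool:
        """ATTChallenge(): an unanswered challenge (adversary refuses) counts as failed."""
        return bool(solve_att and solve_att())

    def grant(self, un: str, ip: str, att_asked: bool) -> Result:
        self.FS[(ip, un)] = 0
        self.W.add((ip, un))
        return Result(True, att_asked, "access granted", Cookie(un))

    def login(self, un, pw, ip, cookie=None, solve_att=None) -> Result:
        fs = self.FS.get((ip, un), 0)
        ft = self.FT.get(un, 0)
        wrong = Result(False, False, "username or password is incorrect")
        if self.users.get(un) == pw:                                            # F1
            known = (self.valid(cookie, un, True) or (ip, un) in self.W) and fs < self.k1
            if known or ft < self.k2:                                           # F2
                return self.grant(un, ip, att_asked=False)
            if self.att_passed(solve_att):                                      # F3
                return self.grant(un, ip, att_asked=True)
            return Result(False, True, "ATT answer is incorrect")
        known = (self.valid(cookie, un, False) or (ip, un) in self.W) and fs < self.k1
        if known:                                                               # F4
            self.FS[(ip, un)] = fs + 1
            return wrong
        if un in self.users and ft < self.k2:                                   # F5
            self.FT[un] = ft + 1
            return wrong
        if self.att_passed(solve_att):                                          # F6
            return Result(False, True, wrong.message)
        return Result(False, True, "ATT answer is incorrect")


def free_guesses(server: PGRP, un: str, guesses, ip: str = "203.0.113.7") -> int:
    """Guesses an adversary with no cookie and no whitelist entry gets before an ATT."""
    n = 0
    for g in guesses:
        r = server.login(un, g, ip)          # no cookie, refuses to answer ATTs
        if r.att_asked:
            break
        n += 1
        if r.granted:
            break
    return n


if __name__ == "__main__":
    srv = PGRP({"alice": "correct horse"})   # constructed sample account
    print("ATT-free guesses for alice:", free_guesses(srv, "alice", ["a", "b", "c", "d"]))
    r = srv.login("alice", "correct horse", "198.51.100.9", solve_att=lambda: True)
    print("alice after the attack:", r.message, "| ATT asked:", r.att_asked)
    r = srv.login("alice", "correct horse", "198.51.100.9", cookie=r.cookie)
    print("alice from the now-known machine:", r.message, "| ATT asked:", r.att_asked)
```

Running the demo shows the trade-off the slides describe: the attacker's guesses from an unknown source push FT["alice"] to k2, so the legitimate user's next login from an unfamiliar machine costs one ATT, but once that machine is whitelisted (and a cookie issued) further logins, including a typo followed by the right password, go through without any ATT.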

WHY NOT BLACKLIST OFFENDING IP ADDRESSES?  The list may consume considerable memory (attackers can use many addresses).  Legitimate users behind a blacklisted IP address (e.g. a shared NAT or proxy) would be blocked.

COMPARISON WITH OTHER ATT BASED PROTOCOLS  SECURITY ANALYSIS SINGLE ACCOUNT ATTACKS Based on 4 questions: Q1. What is the expected number of passwords that an adversary can eliminate from the password space without answering any ATT challenge? Q2. What is the expected number of ATT challenges an adversary must answer to correctly guess a password? Q3. What is the probability of a confirmed correct guess for an adversary unwilling to answer any ATT? Q4. What is the probability of a confirmed correct guess for an adversary willing to answer c ATTs?
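Worked answers to Q1 to Q4 for PGRP, derived here from conditions F2, F5 and F6 of the flowchart; this is an added derivation, not a table from the paper. Assumptions: the target password is drawn uniformly from a dictionary $D$ of size $|D|$ that contains it, the adversary attacks from a single source with no valid cookie and no whitelist entry, and $FT[un]$ is not reset by a timer during the attack.

While $FT[un] < k_2$ a wrong guess takes the F5 branch (no ATT) and a right guess is granted by F2 (no ATT), so the first $k_2$ guesses are free:

$$\text{Q1:}\quad E[\text{passwords eliminated without an ATT}] = k_2$$

$$\text{Q3:}\quad \Pr[\text{confirmed correct guess, no ATT answered}] = \frac{k_2}{|D|}$$

Once $FT[un] = k_2$, every further guess reaches F3 (correct password) or F6 (wrong password) and its outcome is revealed only if the ATT is passed; a failed ATT returns "ATT answer is incorrect" in both branches and confirms nothing, so each answered ATT buys exactly one more outcome-revealing guess:

$$\text{Q4:}\quad \Pr[\text{confirmed correct guess with } c \text{ ATTs answered}] = \frac{k_2 + c}{|D|}$$

The password sits at a uniformly random position $P \in \{1,\dots,|D|\}$ in the adversary's guessing order and costs $\max(0, P - k_2)$ ATTs, giving

$$\text{Q2:}\quad E[\text{ATTs to guess the password}] = \frac{(|D| - k_2)(|D| - k_2 + 1)}{2|D|} \approx \frac{|D|}{2} - k_2 \quad (|D| \gg k_2)$$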

FINDINGS: PGRP provides improved security over the PS (Pinkas-Sander) and VS (van Oorschot-Stubblebine) protocols, and identical security to the strawman protocol.

MULTIACCOUNT ATTACKS Based on 2 questions Q1. What is the probability that an adversary knowing m usernames can correctly guess a password without answering any ATT challenge? Q2. What is the probability of a confirmed correct guess for an adversary knowing m usernames and willing to answer c ATTs?

USABILITY COMMENTS ON ATT CHALLENGES Different scenarios:  First time login from an unknown machine.  Subsequent login from a known machine  Valid password is provided  Invalid password  Invalid Username

SYSTEM RESOURCES  No list is maintained in the PS protocol.  FT is maintained in the VS protocol.  Information about generated cookies is maintained in all three protocols.  The most expensive operation in all three is generating ATTs.  PGRP maintains W, FS and FT.

LIMITATIONS

EMPIRICAL EVALUATION  DATA SETS The analysis is based on two datasets:  SSH server log  server log

ANALYSIS OF RESULTS Done from several perspectives.  The number of successful login attempts: the larger the ratio of successful logins without answering an ATT to total successful logins, the more convenient the user experience.  The number of unique usernames in successful logins: fewer valid users were asked to answer an ATT under PGRP.  The number of failed login attempts with valid usernames: fewer under PGRP.  The number of unique valid usernames in failed logins: a large decrease under PGRP.  The number of failed login attempts with invalid usernames: under PGRP every such attempt triggers an ATT.

CONCLUSION  PGRP is more restrictive against brute force and dictionary attacks than the compared ATT-based protocols.  It provides a more convenient login experience for legitimate users.  It is suitable for both large and small organisations.


THANK YOU