CONTENTS
INTRODUCTION
PGRP
COOKIES Vs IP ADDRESS
COMPARISON WITH OTHER ATT BASED PROTOCOLS
LIMITATIONS
EMPIRICAL EVALUATION
CONCLUSION
INTRODUCTION
Online guessing attacks are commonly observed against web applications and SSH logins.
PGRP focuses on reducing user annoyance by challenging legitimate users with fewer ATTs while subjecting bot logins to more ATTs.
[Flowchart: PGRP login algorithm. Inputs: un, pw, cookie, W, FT, FS. Conditions: F1 = LoginCorrect(un,pw); F6 = ATTChallenge() = pass; checks of FS[srcIP,un] < k1. Actions: on a successful login set FS[srcIP,un] = 0 and add srcIP to W; on a failed login FT[un] = FT[un] + 1. Outcomes: login granted, "ATT challenge is incorrect", "un,pw is incorrect".]
COOKIES Vs IP ADDRESS
Cookies require a browser interface.
The same machine might be assigned different IP addresses.
A group of machines may be represented by a single IP address.
Login will be difficult if the user is using multiple browsers.
Cookies may be deleted.
PGRP makes use of both the IP address and cookies to minimize user inconvenience during the login process.
DECISION FUNCTION FOR REQUESTING ATTs
The decision to challenge the user with an ATT depends on two factors:
1) whether the user has authenticated successfully from the same machine previously.
2) The total number of failed login attempts for a specific user account.
USERNAME PASSWORD PAIR IS VALID
The user won't be asked to answer an ATT challenge if any of the following holds:
a valid cookie is received and FS[srcIP,un] is less than k1;
the IP address is in the white list W and FS[srcIP,un] is less than k1;
FT[un] < k2.
The list may consume considerable memory.
Legitimate users behind a blacklisted IP address could be blocked.
Q1. What is the expected number of passwords that an adversary can eliminate from the password space without answering any ATT challenge?
Q2. What is the expected number of ATT challenges an adversary must answer to correctly guess a password?
Q3. What is the probability of a confirmed correct guess for an adversary unwilling to answer any ATT?
Q4. What is the probability of a confirmed correct guess for an adversary willing to answer c ATTs?
FINDINGS:
PGRP provides improved security over the PS and VS protocols, and identical security to the Strawman protocol.
Q1. What is the probability that an adversary knowing m usernames can correctly guess a password without answering any ATT challenge?
Q2. What is the probability of a confirmed correct guess for an adversary knowing m usernames and willing to answer c ATTs?
SYSTEM RESOURCES
FT is maintained in VS protocol
LIMITATIONS
EMPIRICAL EVALUATION
ANALYSIS OF RESULT
Done from different perspectives:
The number of successful login attempts: the larger the ratio of successful logins without answering an ATT to total successful logins, the more convenient the user experience.
The number of unique usernames in successful logins: fewer valid users were asked to answer an ATT in PGRP.
The number of unique valid usernames in failed logins: a large decrease in the case of PGRP.
The number of failed login attempts with invalid usernames: in PGRP, these trigger ATTs.
CONCLUSION
PGRP is more restrictive against brute force and dictionary attacks.
It provides a more convenient login experience.
It is suitable for both large and small organisations.