REVISITING DEFENSES AGAINST LARGE
SCALE ONLINE PASSWORD GUESSING
ATTACKS
Mansour Alsaleh,Mohammad Mannan and P.C van Oorschot
CONTENTS

INTRODUCTION

PGRP

COOKIES Vs IP ADDRESS

COMPARISON WITH OTHER ATT BASED PROTOCOLS

LIMITATIONS

EMPIRICAL EVALUATION

CONCLUSION
INTRODUCTION
Online guessing attacks are commonly observed against web
applications and SSH logins

Automated Turing Tests-Limits the number of guesses from a
single machine.

Focus on reducing user annoyance by challenging users with
fewer ATTs and subjecting bot logins to more ATTs.

Introduces a new protocol called password guessing resistant
protocol.

PGRP make use of both cookies and IP address.

AUTOMATED TURING TEST
PASSWORD GUESSING RESISTANT PROTOCOL
FLOWCHART
START
Un,pw,cookie,W
,FT,FS
B
NO
If
F1
YES
A
B
FS[srcIP,un]
=FS[srcIP,u
n]+1
YES
A
If
F4
NO
FT[un]=FT[
un]+1
YES
NO
If
F2
If
F5
YES
FS[srcIP,un]
=0
Add srcIP to
W
NO
If
F3
ATTchallenge
incorrect
YES
FS[srcIP,un]=
0
Add srcIP to
W
NO
If
f6
ATT
challenge
is
incorrect
Else
Un,pw is
incorrect
NO
F2—((Valid(cookie,un,k1,true)V((srcIP,un) c w))
(FS[srcIP,un]<k1))
(FT[un]<k2)
F3—(ATTChallenge()=pass)
F4—((Valid(cookie,un,k1,false)V((srcIP,un) c w))
F5—(validUsername(un)
F6—(ATTChallenge()=pass)
F1—LoginCorrect(un,pw)
(FT[un]<k2)
(FS[srcIP,un]<K1)
COOKIES Vs IP ADDRESS
Cookies require browser
interface
Same machine might be
assigned different IP
address
Login will be difficult if
user is using mulitiple
browsers
Group of machines may
be represented by a
single IP address
Cookies may be deleted
PGRP make use of both IP address and cookies to minimize user
inconvenience during login process.

PGRP uses text based CAPTCHA.

DECISION FUNCTION FOR REQUESTING ATTs
The decision to challenge the user with an ATT depends on two
factors:
1) whether the user has authenticated successfully from the same
machine previously.
2) The total number of failed login attempts for a specific user
account.
USERNAME PASSWORD PAIR IS VALID
The user wont be asked to answer an ATT challenge if

valid cookie is received and FS[srcIP,un] is less than k1

IP address is in white list and FS[srcIP,un] is less than k1

FT[un]<k2
USERNAME PASSWORD IS INVALID
User wont be asked to answer ATT challenge if



valid cookie is received and FS[srcIP,un] is less than k1
IP address is in white list and FS[srcIP,un] is less than k1
FT[un]<k2
OUTPUT MESSAGES
PGRP shows messages in case of

incorrect {username,password} pair

incorrect answer to the ATT challenge.
WHY NOT TO BLACKLIST OFFENDING IP ADDRESSES?

List may consume considerable memory.

Legitimate users from blacklisted IP address could be blocked
COMPARISON WITH OTHER ATT BASED PROTOCOLS


SECURITY ANALYSIS
SINGLE ACCOUNT ATTACKS
Based on 4 questions:
Q1. What is the expected number of passwords that an adversary can
eliminate from the password space without answering any ATT
challenge?
Q2. What is the expected number of ATT challenges an adversary
must answer to correctly guess a password?
Q3. What is the probability of a confirmed correct guess for an
adversary unwilling to answer any ATT?
Q4. What is the probability of a confirmed correct guess for an
adversary willing to answer c ATTs?
FINDINGS:
•
PGRP provides improved security over PS and VS protocols.
•
Identical security with Strawmann protocol.

MULTIACCOUNT ATTACKS
Based on 2 questions
Q1. What is the probability that an adversary knowing m usernames
can correctly guess a password without answering any ATT challenge?
Q2. What is the probability of a confirmed correct guess for an
adversary knowing m usernames and willing to answer c ATTs?
USABILITY COMMENTS ON ATT CHALLENGES
Different scenarios:

First time login from an unknown machine.

Subsequent login from a known machine

Valid password is provided
Invalid password


Invalid Username
SYSTEM RESOURCES

No list maintained in PS protocol

FT is maintained in VS protocol
Information of generated cookie is maintained in all three
protocols


Most expensive operation is generating ATTs

PGRP maintains W,FS,FT
LIMITATIONS
EMPIRICAL EVALUATION


DATA SETS
Analysis based on 2 datasets.
SSH Server log
EMAIL Server log

ANALYSIS OF RESULT
Done on different perspective.
The no of successful login attempts—Larger the ratio of successful
login without answering ATT to total successful login,the more
convenient is user experience.

The no of unique usernames in successful logins—Less no of valid
users were asked to answer the ATT in PGRP


The no of failed login attempts with valid usernames—Less in PGRP
The no of unique valid usernames in failed logins–Large decrease
in case of PGRP

The no of failed login attempts with invalid usernames—In PGRP,it
triggers ATTs

CONCLUSION
PGRP is more restrictive against brute force and dictionary
attacks


Provide more convenient login experience

Suitable for large and small no of organisations
REFERENCES
[1] Amazon Mechanical Turk.
https://www.mturk.com/mturk/,
June 2010.
[2] S.M. Bellovin, “A Technique for Counting Natted
Hosts,” Proc.
ACM SIGCOMM Workshop Internet Measurement, pp.
267-272,
2002.
[3] E. Bursztein, S. Bethard, J.C. Mitchell, D. Jurafsky,
and C.
Fabry, “How Good Are Humans at Solving CAPTCHAs? A
Large Scale Evaluation,” Proc. IEEE Symp. Security and
Privacy,
May 2010.
THANK YOU