
Automated Protocol to Restrict Password Guessing Attacks

  • D.Ganesh
  • Dr.V.V.RamaPrasad


ABSTRACT: Password login services are now widespread and ever increasing. The attacks that take place on password-only remote login services are brute force and dictionary attacks, and the challenge is to resist them while still providing convenient login for legitimate users. In the proposed system we use the Password Guessing Resistant Protocol (PGRP), which improves security by restricting the number of attempts. PGRP allows a high number of failed attempts from known machines. PGRP uses either cookies or IP addresses, or both, for tracking legitimate users. Tracking users through their IP addresses also allows PGRP to increase the number of ATTs for password guessing attacks and meanwhile to decrease the number of ATTs for legitimate login attempts.

Key Words: Online password guessing attacks, brute force attacks, password dictionary, ATTs.

1. INTRODUCTION:

Online password guessing attacks are the most commonly observed attacks against web applications and SSH logins. A SANS report lists password guessing as the top cyber security risk. SSH servers that do not allow standard password authentication also suffer from guessing attacks. Online attacks have some disadvantages compared to offline attacks: the attacking machines must use an effective and interactive protocol, which allows easier detection of malicious attacks. An attacker can try only a limited number of password guesses from a single machine before the account is locked or before being challenged to answer an ATT, so an attacker will employ a large number of machines to avoid lockouts. Users generally choose weak passwords, and as malicious attackers control large botnets, online attacks have become much easier. Restricting the number of failed trials without ATTs to a very small number is an effective defense against automated online password guessing attacks. It also limits the automated programs (bots) attackers use to guess passwords for a targeted account, even when many different machines from a botnet are used. This method inconveniences legitimate users, however, who must answer an ATT on their next login attempt after an attacker's guesses.

Other techniques deployed in practice include:

  • allowing login attempts without ATTs from a different machine even when a certain number of failed attempts have occurred from a given machine;
  • allowing more attempts without ATTs after a certain time-out period;
  • time-limited account locking.

Many existing techniques and proposals involve ATTs, assuming that the challenges provided by ATTs are difficult for bots and easy for people (legitimate users). Users increasingly dislike ATTs and feel they are an unnecessary extra step. Successful attacks have been made which break ATTs without human solvers, so ATTs have had to become more difficult; as a consequence, present-day ATTs are becoming more difficult for human users as well. Therefore, we focus on reducing user inconvenience by challenging users with fewer ATTs and at the same time subjecting bot logins to more ATTs, to drive up the economic cost to attackers. Two well-known proposals using ATTs to limit online guessing attacks are Pinkas and Sander (the PS protocol) and van Oorschot and Stubblebine (the VS protocol). The PS proposal reduces the number of ATTs; the VS proposal improves on this, but at a significant cost to usability. PGRP is developed from both the PS and VS proposals.

On the other hand, PGRP allows a high number of failed attempts from known machines without answering any ATTs. Known machines are defined as those from which a successful login has occurred over a fixed time period. These known machines are identified by their IP addresses, which are saved on the login server as a white list, or else by cookies stored on the client. Both the white-listed IP address and the client cookie expire after a time period.

PGRP can accommodate both graphical user interfaces (e.g., browser-based logins) and character-based interfaces (e.g., SSH logins). Both the PS and VS proposals require the use of browser cookies; PGRP uses either cookies or IP addresses or both for tracking legitimate users. By tracking users through their IP addresses, PGRP increases the number of ATTs for password guessing attacks and decreases the number of ATTs for legitimate login attempts. In recent years, the trend of logging in to online accounts through multiple personal devices (e.g., PCs, laptops, smartphones) is growing. When used from a home environment, these devices often share a single IP address, which makes IP-based history tracking more user-friendly than cookies.

2. Related work:

Online password guessing attacks have been known since the early days of the Internet. Account locking is a mechanism which prevents a malicious attacker from trying multiple passwords for a particular username.

Although account locking is a temporary remedy, an attacker can use it to mount a DoS (denial of service) attack against a particular username. Another remedy is to delay the server response after receiving user credentials, whether the password is correct or incorrect, which limits the number of guesses that can be made for a particular username in a given amount of time.

However, for an attacker with access to a botnet, the above mechanisms are ineffective. Prevention techniques that depend on requesting the user machine to perform extra computations before replying to the entered credentials are also not effective against such adversaries.

To prevent automated programs (brute force and dictionary attacks), ATT challenges are used in some protocols. PS presented a login protocol which uses ATT challenges to protect against online password guessing attacks. The PS protocol reduces the number of ATTs that authorized users must correctly answer, so that a user with a valid browser cookie will rarely be asked to answer an ATT.

A deterministic function AskATT() of the entered user credentials is used to decide whether or not to ask the user an ATT. To improve the security of the PS protocol, van Oorschot and Stubblebine defined a modified protocol in which ATTs are always required once the number of failed login attempts for a particular username exceeds a threshold.

For both the PS and VS protocols, the function AskATT() requires careful design, because a poor design of AskATT() makes the login protocol vulnerable to the ‘known function attack’ and the ‘change password attack’.

Because of these attacks, the authors proposed a secure non-deterministic keyed hash function as AskATT(), so that each username is associated with one key that changes whenever the corresponding password is changed. This proposed function requires extra server-side storage per username and at least one cryptographic hash operation per login attempt.

2.2 Functions

PGRP uses the following functions:

1. Read Credential

It shows a login prompt to the user and returns the entered user name and password, along with the cookie received from the user’s browser, if any.

2. Login Correct

If the provided user name and password are valid, the function returns true; otherwise it returns false.

3. Grant Access

This function sends the cookie to the user’s browser and then grants permission to access the specified user account.

4. Message

It displays a text message.

5. ATT Challenge

This function challenges the user with an ATT. If the answer is correct, it returns “pass”; otherwise, it returns “fail”.

Input:

t1 (def=30d), t2 (def=1d), t3 (def=1d), k1 (def=30), k2 (def=3)
// The keyword ‘def’ denotes the default parameter value and ‘d’ denotes day; k1, k2 ≥ 0
// For an explanation of the use of expiry intervals
un, pw, cookie // username, password, and remote host’s browser cookie if any
W (global variable, expires after t1) // white list of IP addresses with successful login
FT (global variable, def=0, expires after t2) // table of number of failed logins per username
FS (global variable, def=0, expires after t3) // table of number of failed logins indexed by (srcIP, username) for hosts in W or hosts with valid cookies

begin:
  ReadCredential(un, pw, cookie) // login prompt to enter username/password pair
  if LoginCorrect(un, pw) then // username/password pair is correct
    if ((Valid(cookie, un, k1, true) ∨ ((srcIP, un) ∈ W)) ∧ (FS[srcIP, un] < k1)) ∨ (FT[un] < k2) then
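The decision logic of the listing above, as an added Python model (not the paper's or the page's code): the ATT outcome and the result of Valid(cookie, ...) are passed in as booleans, the tables W, FT and FS expire after t1, t2 and t3 seconds on a constructed clock, and the wrong-password branch, which the page's listing does not reach, is assumed to charge a known host's FS counter first and the per-username FT counter otherwise.

```python
# Added model of PGRP's decision logic (not the paper's code). t1, t2, t3 are in
# seconds; the cookie check and the ATT outcome are supplied by the caller.
DAY = 86400

class Expiring:
    """Map whose entries revert to `default` once `ttl` seconds have passed since they were set."""
    def __init__(self, ttl, default=0):
        self.ttl, self.default, self._d = ttl, default, {}
    def get(self, key, now):
        value, stamp = self._d.get(key, (self.default, now))
        return value if now - stamp < self.ttl else self.default
    def set(self, key, value, now):
        self._d[key] = (value, now)

class PGRP:
    def __init__(self, t1=30 * DAY, t2=DAY, t3=DAY, k1=30, k2=3):
        self.k1, self.k2 = k1, k2
        self.W = Expiring(t1, default=False)  # known (srcIP, username) pairs
        self.FT = Expiring(t2)                # failed logins per username
        self.FS = Expiring(t3)                # failed logins per known (srcIP, username)
    def login(self, src_ip, un, pw_ok, cookie_valid, att_pass, now):
        """Return 'grant', 'deny', 'grant_with_att' or 'deny_with_att'."""
        key = (src_ip, un)
        known = cookie_valid or self.W.get(key, now)  # valid cookie or white-listed
        fs, ft = self.FS.get(key, now), self.FT.get(un, now)
        if pw_ok:  # known hosts get k1 free failures, anyone gets k2 per username
            if (known and fs < self.k1) or ft < self.k2:
                return self._grant(key, now, "grant")
            return self._grant(key, now, "grant_with_att") if att_pass else "deny_with_att"
        if known and fs < self.k1:  # wrong password: charge the host's own counter first
            self.FS.set(key, fs + 1, now)
            return "deny"
        if ft < self.k2:            # then the per-username counter (assumed ordering)
            self.FT.set(un, ft + 1, now)
            return "deny"
        return "deny_with_att"      # past both thresholds every attempt needs an ATT
    def _grant(self, key, now, outcome):
        self.FS.set(key, 0, now)    # reset this host's failure count
        self.W.set(key, True, now)  # the host is now known for t1
        return outcome

def demo():  # constructed scenario: a legitimate home IP and a botnet guessing 'alice'
    p, home, bot = PGRP(), "198.51.100.7", "203.0.113.%d"
    out = {"first": p.login(home, "alice", True, False, False, 0)}
    out["typos"] = [p.login(home, "alice", False, False, False, 10) for _ in range(10)]
    out["retry"] = p.login(home, "alice", True, False, False, 20)
    out["guesses"] = [p.login(bot % i, "alice", False, False, False, 30) for i in range(4)]
    out["lucky_bot"] = p.login(bot % 9, "alice", True, False, False, 40)
    out["bot_next_day"] = p.login(bot % 9, "alice", False, False, False, 40 + 2 * DAY)
    return out
```

demo() shows the asymmetry the text describes: the home IP becomes known after one success and keeps ATT-free retries after ten typos, while a botnet guessing the same username is pushed onto ATTs after k2 failures, even for a correct guess, until FT expires after t2.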
