Denial of password guessing attack using turing test
Denial of Password Guessing Attack using Turing Test
Under the Supervision of: Shilpi Sharma (Assistant Professor)
By: Vikram Verma, Mtech CS&E (A2300912017)
Outline of presentation
• OBJECTIVE
• REVIEW OF EXISTING TECHNIQUES
• PROPOSED SYSTEM
• ALGORITHM
• SYSTEM MODULES
• SYSTEM UML DIAGRAMS
• ADVANTAGES OF PROPOSED SYSTEM
• FUTURE SCOPE
Objective:
Implement a system to defeat automated password guessing attacks using Turing tests.
Existing Techniques
• Pinkas and Sander’s ATT approach
• Modified Pinkas and Sander’s ATT approach
• Van Oorschot and Stubblebine’s ATT approach
Pinkas and Sander’s ATT approach
• Introduced a login protocol that uses a Turing Test as the main basis for authenticating the user.
• In this approach, answering the Turing Test is the first step after the user id is provided.
• This forces even legitimate users to answer a Turing Test unnecessarily.
Modified Pinkas and Sander’s ATT approach
• Reduced the number of ATT attempts for legitimate users.
• Web browser cookies were used to identify a previous successful login.
• The risk of a cookie-stealing attack persists.
• Stolen cookies can be used by hackers to act as the legitimate user and perform password guessing attacks.
Van Oorschot and Stubblebine’s ATT approach
• This restricts cookie theft by automatic deletion of cookies.
• This approach is based on checking the number of login attempts.
• Once the number of login attempts exceeds the threshold value, even the legitimate user needs to go through a Turing Test to log in successfully.
• The biggest disadvantage: once a legitimate user's account exceeds the threshold of unsuccessful login attempts, the user needs to go through a Turing Test on every login after that.
Proposed System
• The proposed system bases the ATT on the system as a whole, rather than on cookies, to identify the legitimate user's system.
• The system's IP and MAC addresses are used to verify a trusted system.
• Unlimited login attempts are provided to the legitimate user by verifying his registered system.
• Use of an untrusted system is limited to 3 attempts, and a Turing Test is imposed for logging in.
Algorithm
Algorithm for base application
• Create a login form for validation of the user.
• Using socket programming, the credentials are passed to the server.
Algorithm for verifying system
• Using the java.net package, we extract the system's MAC and IP address.
• Using MD5 hashing, we hash the login credentials and system details and transfer them to the server.
• The server then identifies an untrusted system based on its values in the database and generates a Turing Test, whose answer is then verified, again using MD5 hashing.
Proposed System Modules
• Login Module:
– It performs verification of the user id and password using MD5 hashing.
• Verify Module:
– It checks the system IP and MAC address to identify whether the system is registered or not.
– It is invoked on both successful and unsuccessful login attempts.
• Add System
– This module adds a new system when a successful login is made from an unregistered system.
• Turing Test
– This is where the Turing Test is conducted.
– It is invoked when unsuccessful login attempts from an unregistered system exceed 3 attempts.
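How the four modules combine into one server-side decision, as an added example that is not code from the presentation: the class, method and sample values are hypothetical, and the password digest is treated as an opaque string. Assumptions: the IP and MAC are the values reported by the client, and the failure counter is kept per account rather than per reported address.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

public class LoginGate {
    enum Outcome { LOGGED_IN, WRONG_PASSWORD, TURING_TEST_REQUIRED }
    static final int FREE_ATTEMPTS = 3;  // limit for unregistered systems, from the slides
    private final Map<String, String> digests = new HashMap<>();         // user -> stored password digest
    private final Map<String, Set<String>> registered = new HashMap<>(); // user -> registered "ip|mac"
    private final Map<String, Integer> failures = new HashMap<>();       // user -> failures from unregistered systems

    void addUser(String user, String digest) { digests.put(user, digest); }

    // attPassed: true when the request carries a correctly answered Turing Test.
    Outcome login(String user, String digest, String ip, String mac, boolean attPassed) {
        String system = ip + "|" + mac;
        // Verify module: runs on every attempt, successful or not.
        boolean trusted = registered.getOrDefault(user, Set.of()).contains(system);
        // Turing Test module: only unregistered systems past the limit are challenged.
        if (!trusted && failures.getOrDefault(user, 0) >= FREE_ATTEMPTS && !attPassed) {
            return Outcome.TURING_TEST_REQUIRED;
        }
        // Login module: constant-time comparison of the supplied and stored digests.
        String stored = digests.get(user);
        boolean ok = stored != null && MessageDigest.isEqual(
                stored.getBytes(StandardCharsets.UTF_8), digest.getBytes(StandardCharsets.UTF_8));
        if (!ok) {
            // Assumption: counted per account, not per reported address.
            if (!trusted) failures.merge(user, 1, Integer::sum);
            return Outcome.WRONG_PASSWORD;
        }
        // Add System module: a successful login registers the system.
        registered.computeIfAbsent(user, u -> new HashSet<>()).add(system);
        failures.remove(user);
        return Outcome.LOGGED_IN;
    }

    public static void main(String[] args) {
        LoginGate gate = new LoginGate();
        gate.addUser("alice", "digest-of-correct-password");   // constructed sample values
        String home = "192.0.2.10", homeMac = "02:00:00:00:00:01";
        String other = "198.51.100.7", otherMac = "02:00:00:00:00:02";
        System.out.println(gate.login("alice", "digest-of-correct-password", home, homeMac, false));
        for (int i = 0; i < 4; i++)   // repeated wrong guesses from an unregistered system
            System.out.println(gate.login("alice", "wrong-digest", other, otherMac, false));
        // The registered system is not challenged despite the failures above.
        System.out.println(gate.login("alice", "wrong-digest", home, homeMac, false));
        System.out.println(gate.login("alice", "digest-of-correct-password", other, otherMac, true));
    }
}
```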
Use Case Diagram
Activity Diagram
Advantages of proposed system
• Cookie-stealing attacks are defeated.
• Use of the IP address in registering a system helps users to use a number of devices accessing the authentication system through a common access point.
• It doesn't affect the legitimate user in case a hacker tries to hack his account.
Screen Shots
Login Screen
Registration Screen
Unsuccessful login
Unsuccessful Turing Test
Successful Turing Test
Future scope
• This system would fail if the password is stolen using online keyloggers or Remote Administration Trojans.
• Thus an approach to prevent keyloggers and Trojans from creating logs that leak password information must be developed.
Thank you!!