Denial of Password Guessing Attack using Turing Test
Under the Supervision of: Shilpi Sharma (Assistant Professor)
By: Vikram Verma, Mtech CS&E (A2300912017)
Outline of presentation
• OBJECTIVE
• REVIEW OF EXISTING TECHNIQUES
• PROPOSED SYSTEM
• ALGORITHM
• SYSTEM MODULES
• SYSTEM UML DIAGRAMS
• ADVANTAGES OF PROPOSED SYSTEM
• FUTURE SCOPE
Objective:
Implement a system to defeat automated password guessing
attacks using Turing tests.
Existing Techniques
• Pinkas and Sander’s ATT approach
• Modified Pinkas and Sander’s ATT approach
• Van Oorschot and Stubblebine’s ATT approach
Pinkas and Sander’s ATT approach
• Introduced a login protocol that uses a Turing Test as the
main basis for authenticating the user.
• This approach made answering a Turing Test the first
step after the user id is provided.
• This forces even legitimate users to answer a Turing Test
unnecessarily.
Modified Pinkas and Sander’s ATT approach
• Introduced a reduction in ATT attempts for legitimate users.
• Web browser cookies were used to identify a previous
successful login.
• The risk of a cookie stealing attack persists.
• Stolen cookies can be used by hackers to act as a legitimate
user and perform password guessing attacks.
Van Oorschot and Stubblebine’s ATT approach
• This restricts cookie theft by automatic deletion of cookies.
• This approach is based on checking the number of login
attempts.
• Once the login attempts exceed a threshold value, even
the legitimate user needs to go through a Turing Test to
log in successfully.
• The biggest disadvantage:
Once a legitimate user’s account exceeds the threshold of
unsuccessful login attempts, the user needs to go
through a Turing Test on every login after that.
Proposed System
• The proposed system bases the ATT on the system as a
whole, rather than on cookies, to identify the legitimate user’s
system.
• The system IP and MAC are used to verify a trusted system.
• Unlimited login attempts are provided to a legitimate user by
verifying his registered system.
• Limits the use of an untrusted system to 3 attempts and imposes
a Turing Test for logging in.
Algorithm
Algorithm for base application
• Create a login form for validation of the user.
• Using socket programming, the credentials need to be passed to the server.
Algorithm for verifying system
• Using the java.net package, we extract information about the system MAC and IP address.
• Using MD5 encryption, we encrypt and transfer the login credentials and system details to the server.
• The server then identifies an untrusted system based on its values from the database and generates a Turing test, which then needs to be verified, again using MD5 encryption.
Proposed System Modules
• Login Module:
– It performs verification of user id and password using MD5 encryption.
• Verify Module:
– It checks the system IP and MAC address to identify whether the system is registered or not.
– It is invoked on both successful and unsuccessful login attempts.
• Add System
– This module adds a new system when a successful login is made from an unregistered system.
• Turing Test
– This is where the Turing Test is conducted.
– It is invoked when unsuccessful login attempts from an unregistered system exceed 3 attempts.
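The decision flow of the four modules above, as an added Python sketch (not code from the presentation, which mentions Java). Assumptions: the names `LoginGate`, `login` and `att_passed` are hypothetical, failures from unregistered systems are counted per account, the caller reports whether the Turing Test was answered correctly, salted PBKDF2-HMAC-SHA256 is swapped in for the MD5 step on the slides, and the addresses are constructed sample values.

```python
import hashlib
import hmac
import os

MAX_UNTRUSTED_FAILURES = 3  # limit stated on the slides

def hash_password(password, salt):
    # Swapped in for the slides' MD5 step: salted PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginGate:
    def __init__(self):
        self.users = {}     # user -> (salt, password hash)
        self.trusted = {}   # user -> set of registered (ip, mac) pairs
        self.failures = {}  # user -> failed attempts from unregistered systems

    def register(self, user, password, ip, mac):
        salt = os.urandom(16)
        self.users[user] = (salt, hash_password(password, salt))
        self.trusted[user] = {(ip, mac)}

    def login(self, user, password, ip, mac, att_passed=False):
        """Return 'ok', 'denied' or 'att_required'. mac is client-reported."""
        system = (ip, mac)
        is_trusted = system in self.trusted.get(user, set())  # Verify module
        over_limit = self.failures.get(user, 0) >= MAX_UNTRUSTED_FAILURES
        if not is_trusted and over_limit and not att_passed:
            return "att_required"                              # Turing Test module
        salt, stored = self.users.get(user, (b"\0" * 16, b""))
        if hmac.compare_digest(hash_password(password, salt), stored):  # Login module
            if not is_trusted:
                self.trusted[user].add(system)                 # Add System module
                self.failures.pop(user, None)
            return "ok"
        if not is_trusted:
            self.failures[user] = self.failures.get(user, 0) + 1
        return "denied"

def demo():
    # Constructed sample data: documentation-range IPs, locally administered MACs.
    gate = LoginGate()
    home = ("192.0.2.10", "02:00:00:00:00:01")
    other = ("198.51.100.7", "02:00:00:00:00:02")
    gate.register("alice", "correct horse", *home)
    out = [gate.login("alice", f"guess{i}", *other) for i in range(4)]
    out.append(gate.login("alice", "wrong", *home))   # registered system: no ATT
    out.append(gate.login("alice", "correct horse", *other, att_passed=True))
    out.append(gate.login("alice", "bad", *other))    # now registered as well
    return out
```

Because the MAC and IP are reported by the client, the registered pair works as an identifier for skipping the Turing Test and does not replace the password check.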
Use Case Diagram
Activity Diagram
Advantages of proposed system
• The cookie stealing attack is defeated.
• Use of the IP address in registering a system helps users to use a number of devices accessing the authentication system through a common access point.
• It doesn’t affect the legitimate user in case a hacker tries to hack his account.
Screen Shots
Login Screen Registration Screen
Unsuccessful login
Unsuccessful Turing Test
Successful Turing Test
Future scope
• This system would fail if the password is stolen using online keyloggers or Remote Administration Trojans.
• Thus an approach to prevent keyloggers and Trojans from creating logs for leaking password information must be developed.
Thank you!!