WebApp Sec mailing list archives
Re: New Whitepaper: Anti Brute Force Resource Metering
From: Paul Johnston <paul () westpoint ltd uk>
Date: Wed, 30 Mar 2005 10:24:31 +0100
Gunter,

Nice idea. People often suggest using a turing test to prevent brute force logins, but your suggestion avoids the hassle for legitimate users.
I had a quick look at implementing this in JavaScript using my hash libraries (http://pajhome.org.uk/crypt/md5). Unfortunately it seems JavaScript is not suitable for this purpose - finding a 12-bit collision takes around 3s on a 1GHz PC. In this time, Netscape pops up a message like "A script on this page is causing Mozilla to run slowly. Do you want to abort the script?". There may be potential for further optimization of my code.
The requirement to have efficient client-side scripting (probably Java) enabled is significant. Also, I think this scheme would not be possible for mobile users, as the calculation would take about 10x longer. On the other hand, an attacker with a bot net will not have too much trouble doing all the calculations. So, I think this approach has a similar number of drawbacks to IP based restrictions, but they are totally different drawbacks.
My position on brute force attacks is that the main defense is a strong password policy. If we all used high entropy (i.e. 6 bits per char) 8 char passwords, that's 2^48 combinations. If you have 1000 computers, each checking 1000 passwords per second, it would take 10 years to try them all.
Best wishes,
Paul

PS. Hope you are doing ok. I met you at the ISC2 meeting in Leeds, a couple of months back.
Gunter Ollmann (NGS) wrote:
Hi List,

It's been a couple of months since my last whitepaper, so time for a new one. This new whitepaper focuses upon a method known as "resource metering" to actively restrict (and possibly prevent) many brute force guessing attack vectors that target custom web authentication processes. The paper is now available from the NGS website: http://www.ngssoftware.com/papers/NISR-AntiBruteForceResourceMetering.pdf

As always, I'm happy to discuss the topic further and would value discussions about the techniques talked about in the paper.

Abstract: "Web-based application authentication processes are frequently vulnerable to automated brute force guessing attacks. Whilst commonly proposed solutions make use of escalating time delays and minimum lockout threshold strategies, these tend to prove ineffectual in real attacks and may actually promote additional attack vectors. Resource metering through client-side computationally intensive "electronic payments" can provide an alternative strategy in defending against brute force guessing attacks. This whitepaper discusses how such a solution works and the security advantages it can bring."

Cheers,
Gunter Ollmann

------------------------------------------------------
Gunter Ollmann, MSc(Hons), BSc
Professional Services Director
Next Generation Security Software Ltd.
First Floor, 52 Throwley Way, Sutton, Surrey, SM1 4BF, UK
Tel: +44 (0)208 401 0089  Mob: +44 (0)7710 496 714  Fax: +44 (0)208 401 0076
http://www.nextgenss.com
------------------------------------------------------
--
Paul Johnston, GSEC
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 (0)161 237 1028  Fax: +44 (0)161 237 1031
email: paul () westpoint ltd uk
web: www.westpoint.ltd.uk