WebApp Sec mailing list archives

Re: New Whitepaper: Anti Brute Force Resource Metering


From: Paul Johnston <paul () westpoint ltd uk>
Date: Wed, 30 Mar 2005 10:24:31 +0100

Gunter,

Nice idea. People often suggest using a Turing test to prevent brute force logins, but your suggestion avoids the hassle for legitimate users.

I had a quick look at implementing this in JavaScript using my hash libraries (http://pajhome.org.uk/crypt/md5). Unfortunately it seems JavaScript is not suitable for this purpose - finding a 12-bit collision takes around 3s on a 1GHz PC. In this time, Netscape pops up a message like "A script on this page is causing Mozilla to run slowly. Do you want to abort the script?". There may be potential for further optimization of my code.

The requirement to have efficient client-side scripting (probably Java) enabled is significant. Also, I think this scheme would not be possible for mobile users, as the calculation would take about 10x longer. On the other hand, an attacker with a bot net will not have too much trouble doing all the calculations. So, I think this approach has a similar number of drawbacks to IP based restrictions, but they are totally different drawbacks.

My position on brute force attacks is that the main defense is a strong password policy. If we all used high entropy (i.e. 6 bits per char) 8 char passwords, that's 2^48 combinations. If you have 1000 computers, each checking 1000 passwords per second, it would take 10 years to try them all.

Best wishes,

Paul


PS. Hope you are doing ok. I met you at the ISC2 meeting in Leeds, a couple of months back.





Gunter Ollmann (NGS) wrote:

Hi List,

It's been a couple of months since my last whitepaper, so time for a new
one.  This new whitepaper focuses upon a method known as "resource metering"
to actively restrict (and possibly prevent) many brute force guessing attack
vectors that target custom web authentication processes.

The paper is now available from the NGS website:
http://www.ngssoftware.com/papers/NISR-AntiBruteForceResourceMetering.pdf

As always, I'm happy to discuss the topic further and would value
discussions about the techniques talked about in the paper.

Abstract: "Web-based applications' authentication processes are frequently vulnerable
to automated brute force guessing attacks.  Whilst commonly proposed
solutions make use of escalating time delays and minimum lockout threshold
strategies, these tend to prove ineffectual in real attacks and may actually
promote additional attack vectors.
Resource metering through client-side computationally intensive "electronic
payments" can provide an alternative strategy in defending against brute
force guessing attacks.  This whitepaper discusses how such a solution works
and the security advantages it can bring."


Cheers,

Gunter Ollmann

------------------------------------------------------
G u n t e r   O l l m a n n,            MSc(Hons), BSc
Professional Services Director
Next Generation Security Software Ltd.
First Floor, 52 Throwley Way          Tel: +44 (0)208 401 0089
Sutton, Surrey, SM1 4BF, UK           Mob: +44 (0)7710 496 714
http://www.nextgenss.com              Fax: +44 (0)208 401 0076
------------------------------------------------------



--
Paul Johnston, GSEC
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul () westpoint ltd uk
web: www.westpoint.ltd.uk

