
Re: New Whitepaper: Anti Brute Force Resource Metering

Subject: Re: New Whitepaper: Anti Brute Force Resource Metering
Date: Wed, 30 Mar 2005 10:24:31 +0100
Gunter,

Nice idea. People often suggest using a Turing test to prevent brute force logins, but your suggestion avoids the hassle for legitimate users.

I had a quick look at implementing this in JavaScript using my hash libraries (http://pajhome.org.uk/crypt/md5). Unfortunately it seems JavaScript is not suitable for this purpose - finding a 12-bit collision takes around 3s on a 1GHz PC. In this time, Netscape pops up a message like "A script on this page is causing Mozilla to run slowly. Do you want to abort the script?". There may be potential for further optimization of my code.

The requirement to have efficient client-side scripting (probably Java) enabled is significant. Also, I think this scheme would not be possible for mobile users, as the calculation would take about 10x longer. On the other hand, an attacker with a bot net will not have too much trouble doing all the calculations. So, I think this approach has a similar number of drawbacks to IP based restrictions, but they are totally different drawbacks.

My position on brute force attacks is that the main defense is a strong password policy. If we all used high entropy (i.e. 6 bits per char) 8 char passwords, that's 2^48 combinations. If you have 1000 computers, each checking 1000 passwords per second, it would take 10 years to try them all.

Best wishes,

Paul


PS. Hope you are doing ok. I met you at the ISC2 meeting in Leeds, a couple of months back.
Gunter Ollmann (NGS) wrote:

Hi List,

It's been a couple of months since my last whitepaper, so time for a new
one.  This new whitepaper focuses upon a method known as "resource metering"
to actively restrict (and possibly prevent) many brute force guessing attack
vectors that target custom web authentication processes.

The paper is now available from the NGS website:
http://www.ngssoftware.com/papers/NISR-AntiBruteForceResourceMetering.pdf

As always, I'm happy to discuss the topic further and would value
discussions about the techniques talked about in the paper.

Abstract: "Web-based applications authentication processes are frequently vulnerable
to automated brute force guessing attacks. Whilst commonly proposed
solutions make use of escalating time delays and minimum lockout threshold
strategies, these tend to prove ineffectual in real attacks and may actually
promote additional attack vectors.


Resource metering through client-side computationally intensive "electronic
payments" can provide an alternative strategy in defending against brute
force guessing attacks.  This whitepaper discusses how such a solution works
and the security advantages it can bring."


Cheers,

Gunter Ollmann

------------------------------------------------------
G u n t e r O l l m a n n, MSc(Hons), BSc
Professional Services Director
Next Generation Security Software Ltd.
First Floor, 52 Throwley Way, Sutton, Surrey, SM1 4BF, UK
Tel: +44 (0)208 401 0089
Mob: +44 (0)7710 496 714
Fax: +44 (0)208 401 0076
http://www.nextgenss.com
------------------------------------------------------
--
Paul Johnston, GSEC
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul@westpoint.ltd.uk
web: www.westpoint.ltd.uk
