Denial of Password Guessing Attack using Turing Test

Post on 25-Jun-2015


By: Vikram Verma, M.Tech CS&E (A2300912017)

Under the Supervision of: Shilpi Sharma (Assistant Professor)

Outline of presentation

• Objective
• Review of existing techniques
• Proposed system
• Algorithm
• System modules
• System UML diagrams
• Advantages of proposed system
• Future scope

Objective:

Implement a system to defeat automated password guessing attacks using Turing tests.

Existing Techniques

• Pinkas and Sander’s ATT approach
• Modified Pinkas and Sander’s ATT approach
• Van Oorschot and Stubblebine’s ATT approach

Pinkas and Sander’s ATT approach

• Introduced a login protocol which uses a Turing Test as the main basis to authenticate the user.
• This approach made answering the Turing Test the first step after the user id is provided.
• This causes even legitimate users to answer a Turing Test unnecessarily.

Modified Pinkas and Sander’s ATT approach

• Introduced a reduction in ATT attempts for legitimate users.
• Web browser cookies were used to identify a previous successful login.
• The risk of cookie stealing attacks persists.
• Stolen cookies can be used by hackers to act as the legitimate user and perform password guessing attacks.

Van Oorschot and Stubblebine’s ATT approach

• This restricts cookie theft by automatic deletion of cookies.
• This approach is based on checking the number of login attempts.
• Once the login attempts exceed a threshold value, even the legitimate user needs to go through a Turing Test to make a successful login.
• The biggest disadvantage: once a legitimate user’s account exceeds the threshold of unsuccessful login attempts, the user needs to go through a Turing Test on every login after that.

Proposed System

• The proposed system bases the ATT on the system as a whole, rather than on cookies, to identify the legitimate user’s system.
• The system’s IP and MAC address are used to verify a trusted system.
• Unlimited login attempts are provided to the legitimate user by verifying his registered system.
• Untrusted systems are limited to 3 attempts, after which a Turing Test is imposed for logging in.

Algorithm

Algorithm for base application
• Create a login form for validation of the user.
• Using socket programming, the credentials need to be passed to the server.

Algorithm for verifying system
• Using the java.net package, we extract information about the system MAC and IP address.
• Using MD5 encryption, we encrypt and transfer the login credentials and system details to the server.
• The server then identifies an untrusted system based on its values from the database and generates a Turing test, which then needs to be verified, again using MD5 encryption.

Proposed System Modules

• Login Module:
– Performs verification of user id and password using MD5 encryption.
• Verify Module:
– Checks the system IP and MAC address to identify whether the system is registered or not.
– Invoked in both successful and unsuccessful login attempts.
• Add System:
– Adds a new system when a successful login is made from an unregistered system.
• Turing Test:
– This is where the Turing Test is conducted.
– Invoked when unsuccessful login attempts from an unregistered system exceed 3.
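The algorithm and module slides above describe a single decision flow. The Python sketch below is added here and is not part of the presentation or its Java implementation: systems are keyed by (user, IP, MAC), a registered system keeps unlimited attempts, an unregistered system is held at a Turing Test once it reaches ATTEMPT_LIMIT failures, and a successful login registers the system. The arithmetic challenge, the SHA-256 digest standing in for the slides' MD5 step, and the sample user are constructed assumptions of this example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# An unregistered system gets three failed logins before the Turing Test is imposed (value from the slides).
ATTEMPT_LIMIT = 3


def digest(text: str) -> str:
    # The slides transfer an MD5 digest of credentials and answers; the flow only needs *a* fixed
    # digest, so SHA-256 stands in here (an assumption of this example, not the slides' choice).
    return hashlib.sha256(text.encode()).hexdigest()


@dataclass
class LoginServer:
    users: dict                                    # user id -> password digest (constructed sample data)
    trusted: set = field(default_factory=set)      # registered (user, ip, mac) triples: the Add System table
    failures: dict = field(default_factory=dict)   # (user, ip, mac) -> failed logins from an unregistered system
    pending: dict = field(default_factory=dict)    # (user, ip, mac) -> digest of the expected Turing Test answer

    def verify_system(self, key) -> bool:
        # Verify module: is this (user, ip, mac) already registered?
        return key in self.trusted

    def turing_test(self, key) -> str:
        # Turing Test module: a stand-in arithmetic challenge replaces a real CAPTCHA image here.
        a, b = secrets.randbelow(10), secrets.randbelow(10)
        self.pending[key] = digest(str(a + b))
        return f"What is {a} + {b}?"

    def login(self, user, pw_digest, ip, mac, att_answer=None) -> str:
        key = (user, ip, mac)
        registered = self.verify_system(key)
        # Unregistered system over the limit: the Turing Test must be passed before the password is checked.
        if not registered and self.failures.get(key, 0) >= ATTEMPT_LIMIT:
            if key not in self.pending:
                return "turing_test_required"
            expected = self.pending.pop(key)        # each challenge is single-use
            if att_answer is None or digest(att_answer) != expected:
                return "turing_test_failed"
        if self.users.get(user) == pw_digest:      # Login module
            self.trusted.add(key)                  # Add System module: success registers the system
            self.failures.pop(key, None)
            return "success"
        if not registered:                         # registered systems keep unlimited attempts
            self.failures[key] = self.failures.get(key, 0) + 1
        return "failure"
```

Note that a remote server cannot observe the client's MAC address; in this design the client reports it, so the (IP, MAC) pair is a client-supplied identifier rather than an attestation of the device.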

Use Case Diagram

Activity Diagram

Advantages of proposed system

• Cookie stealing attacks are defeated.
• Use of the IP address in registering a system helps users to use a number of devices accessing the authentication system through a common access point.
• It doesn’t affect the legitimate user in case a hacker tries to hack his account.

Screen Shots

Login Screen

Registration Screen

Unsuccessful login

Unsuccessful Turing Test

Successful Turing Test

Future scope

• This system would fail if the password is stolen using online keyloggers or Remote Administration Trojans.
• Thus an approach to prevent keyloggers and Trojans from creating logs that leak password information must be developed.

Thank you!!