W3C home > Mailing lists > Public > www-jigsaw@w3.org > May to June 1999

Re: How secure is jigsaw ?

From: Christopher William Turner <cwturner@cycom.co.uk>
Date: Tue, 15 Jun 1999 07:15:10 -0400 (EDT)
Message-ID: <37663409.804E10D1@cycom.co.uk>
To: Roland Mainz <Roland.Mainz@informatik.med.uni-giessen.de>
CC: W3 Jigsaw Mailinglist <www-jigsaw@w3.org>
I have some servlets that use 7 digit numeric codes and an email address as the
security key.
This is vulnerable to an online brute force guessing attack, particularly
if your servlets are as fast as mine ;-)

For each failed attempt, at first I added an exponentially increasing penalty delay
to the failed
request but I realized that the attacker could use the delay to assume failure and
mount the next
attempt concurrently on a different connection (thus defeating the delay).

The solution was to use the failed attempt to set a global flag which causes the
*next* attempt to suffer
a delay *prior* to evaluating the correctness of the key. Thus the delay gives the
attacker no
information on whether his guess is correct or not and so he must wait for
Although this means that an innocent user might suffer the delay penalty, the
attacker will suffer most because
during a computer attack he will almost always be the next user making a request.
Denial of service is all the attacker can acheive. A long duration low frequency
attack is possible but this should
be detectable in time since I log the statistics of ratio of good to failed

The good things about this system is
1) It operates without human intervention
2) It degrades the system gradually. System is never completely shutdown.
3) Exponential increases in delay ensure it is not possible to test a significant
 of the key space.

The class that implements this is attached.
A servlet using this security is live at:-
See the speed statistics of this servlet at:-

Roland Mainz wrote:

> Hi !
> ----
> Some security related questions on jigsaw:
> - How secure is jigsaw under Unix and under WinNT ?
> - Any known successfull/failed break-in attempts ?
> - Any "common problems" in jigsaw security ?
> - How to detect break-in attempts ?
> ----
> Bye,
> Roland
> --
>   __ .  . __
>  (o.\ \/ /.o)  Roland Mainz                               C programmer
>   \__\/\/__/   Roland.Mainz@informatik.med.uni-giessen.de MPEG specialist
>   /O /==\ O\   gisburn@w-specht.rhein-ruhr.de             Sun&&Amiga programmer
>  (;O/ \/ \O;)  TEL +49 (0) 2426901568  FAX +49 (0) 2426901569

Chris Turner, http://www.cycom.co.uk/

Received on Tuesday, 15 June 1999 07:46:45 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:25:34 UTC