- From: Christopher William Turner <cwturner@cycom.co.uk>
- Date: Tue, 15 Jun 1999 07:15:10 -0400 (EDT)
- To: Roland Mainz <Roland.Mainz@informatik.med.uni-giessen.de>
- CC: W3 Jigsaw Mailinglist <www-jigsaw@w3.org>
- Message-ID: <37663409.804E10D1@cycom.co.uk>
I have some servlets that use 7 digit numeric codes and an email address as the security key. This is vulnerable to an online brute force guessing attack, particularly if your servlets are as fast as mine ;-)

For each failed attempt, at first I added an exponentially increasing penalty delay to the failed request, but I realized that the attacker could use the delay to assume failure and mount the next attempt concurrently on a different connection (thus defeating the delay).

The solution was to use the failed attempt to set a global flag which causes the *next* attempt to suffer a delay *prior* to evaluating the correctness of the key. Thus the delay gives the attacker no information on whether his guess is correct or not, and so he must wait for completion. Although this means that an innocent user might suffer the delay penalty, the attacker will suffer most because during a computer attack he will almost always be the next user making a request. Denial of service is all the attacker can achieve. A long duration low frequency attack is possible, but this should be detectable in time since I log the statistics of the ratio of good to failed attempts.

The good things about this system are:
1) It operates without human intervention.
2) It degrades the system gradually. The system is never completely shut down.
3) Exponential increases in delay ensure it is not possible to test a significant proportion of the key space.

The class that implements this is attached.

A servlet using this security is live at:-
http://www.trade-submit.com:8001/s/t/53730690010.html

See the speed statistics of this servlet at:-
http://www.trade-submit.com:8001/s/t?stats

Roland Mainz wrote:
> Hi !
>
> ----
>
> Some security related questions on jigsaw:
>
> - How secure is jigsaw under Unix and under WinNT ?
> - Any known successfull/failed break-in attempts ?
> - Any "common problems" in jigsaw security ?
> - How to detect break-in attempts ?
>
> ----
>
> Bye,
> Roland
>
> --
> __ . . __
> (o.\ \/ /.o) Roland Mainz C programmer
> \__\/\/__/ Roland.Mainz@informatik.med.uni-giessen.de MPEG specialist
> /O /==\ O\ gisburn@w-specht.rhein-ruhr.de Sun&&Amiga programmer
> (;O/ \/ \O;) TEL +49 (0) 2426901568 FAX +49 (0) 2426901569

--
Chris Turner, http://www.cycom.co.uk/
Attachments
- application/x-unknown-content-type-java_auto_file attachment: Audit.java
Received on Tuesday, 15 June 1999 07:46:45 UTC
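The throttling scheme described in the message above, written out as an added Java example. This is not the attached Audit.java and not Jigsaw code; the class name `KeyAudit`, the decay of the penalty on a successful check, and the fixed-length constant-time comparison are assumptions of this example, since the mail only describes a global flag, an exponentially growing delay paid by the next request before the key is examined, and logged good/failed statistics.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.concurrent.atomic.AtomicLong;

/**
 * Throttle for servlet key checks (example, not the mail's attachment).
 * A failed attempt does not delay its own response; it arms a global
 * penalty that the NEXT attempt pays before the key is examined, so the
 * response time of a request says nothing about whether its key was right.
 */
public final class KeyAudit {
    private final long baseDelayMillis;
    private final long maxDelayMillis;
    private long pendingDelayMillis = 0;   // armed by a failure, paid by the next caller
    private final AtomicLong good = new AtomicLong();
    private final AtomicLong failed = new AtomicLong();

    public KeyAudit(long baseDelayMillis, long maxDelayMillis) {
        this.baseDelayMillis = baseDelayMillis;
        this.maxDelayMillis = maxDelayMillis;
    }

    /**
     * Synchronized on purpose: a concurrent attempt on a second connection
     * queues behind the sleeping one instead of bypassing the penalty.
     */
    public synchronized boolean check(String suppliedKey, String expectedKey)
            throws InterruptedException {
        if (pendingDelayMillis > 0) {
            Thread.sleep(pendingDelayMillis); // paid before the key is looked at
        }
        // Constant-time comparison; assumes fixed-length keys (7 digits + address).
        boolean ok = MessageDigest.isEqual(
                suppliedKey.getBytes(StandardCharsets.UTF_8),
                expectedKey.getBytes(StandardCharsets.UTF_8));
        if (ok) {
            good.incrementAndGet();
            pendingDelayMillis /= 2;          // assumption: penalty decays on success
        } else {
            failed.incrementAndGet();
            pendingDelayMillis = (pendingDelayMillis == 0)
                    ? baseDelayMillis
                    : Math.min(maxDelayMillis, pendingDelayMillis * 2); // exponential growth
        }
        return ok;
    }

    /** Failed-to-good ratio, the statistic the mail says it logs for detection. */
    public double failedToGoodRatio() {
        long g = good.get();
        return g == 0 ? (double) failed.get() : (double) failed.get() / g;
    }
}
```

A servlet would hold one `KeyAudit` instance per server and call `check` once per request, logging `failedToGoodRatio()` periodically to spot a slow, low-frequency guessing run.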