Countermeasures

$-$In general, protection against attacks on authentication systems

consists of:

Hiding information related to $a,c,$ or $f.$

Preventing access to the authentication functions linL.

$-$In particular, protection against dictionary attacks consist of

maximizing the time needed to guess the password.

$-$The probability that a dictionary attack succeeds in a specified time period is

expressed as:

$P\frac{TG}{N}$

Where:

$-$P is the probability that the attack succeeds

$-T$ is the time period during which the attack takes place

$-N$ is the total number of possible passwords

$-G$ is the number of guesses that can be tested in one time unit

Assignment

Marks: $10$

Description: A bank requires for their customers to access their online banking accounts to provide as User Id $($or username$)$ the last $8$ digits of their bank card number, and a password with a length between $8$ and $12$ ASCII characters, including the following restrictions:

Password must:

Have at least $8$ characters

Have at least $1$ letter $($a$,$ b$,$ c$...)$

Have at least $1$ number $(1,2,3...)$

Include both Upper case and Lower case characters

Password must NOT:

Contain only one character $(11111111$ or aaaaaaa$)$

Contain only consecutive characters $(12345678$ or abcdefgh$)$

The bank also requires that each password be changed at least once every five years.

Assume that by conducting the attack using an average modern GPU $15\mathrm{.}61010$ passwords can be tested per second, calculate the probability that a hacker can guess a password in the timeframe between two consecutive changes.

A hacker controls a network of compromised machines $($botnet$)$ that can be used to launch the attack. The network consists of $1$ million compromised machines $($bots$)$ located in different countries around the globe. Assume that the machines have approximately the same computing capability. The hacker uses a simple strategy consisting of slicing the username space in subsets of equal size, and assigning a subset to each of the bots to conduct the attack in parallel. Calculate the probability that a successful password guess can be obtained in the timeframe between two consecutive changes. Briefly comment the results.