Denial of password guessing attack using turing test
1. Denial of Password Guessing Attack using Turing Test
Under the supervision of: Shilpi Sharma (Assistant Professor)
By: Vikram Verma, Mtech CS&E (A2300912017)
2. Outline of presentation
• OBJECTIVE
• REVIEW OF EXISTING TECHNIQUES
• PROPOSED SYSTEM
• ALGORITHM
• SYSTEM MODULES
• SYSTEM UML DIAGRAMS
• ADVANTAGES OF PROPOSED SYSTEM
• FUTURE SCOPE
4. Existing Techniques
• Pinkas and Sander’s ATT approach
• Modified Pinkas and Sander’s ATT approach
• Van Oorschot and Stubblebine’s ATT approach
5. Pinkas and Sander’s ATT approach
• Introduced a login protocol that uses a Turing Test as the
main basis for authenticating the user.
• Answering the Turing Test is the first step after the user id
is provided.
• As a result, even legitimate users have to answer a Turing Test
unnecessarily.
6. Modified Pinkas and Sander’s ATT approach
• Reduced the number of ATT attempts for legitimate users.
• Web browser cookies were used to identify a previous
successful login.
• The risk of a cookie stealing attack persists.
• Stolen cookies can be used by hackers to act as a legitimate
user and perform password guessing attacks.
7. Van Oorschot and Stubblebine’s ATT approach
• This restricts cookie theft by automatic deletion of cookies.
• This approach is based on checking the number of login
attempts.
• Once the number of login attempts exceeds a threshold value, even
the legitimate user needs to go through a Turing Test to log in
successfully.
• The biggest disadvantage:
Once a legitimate user’s account exceeds the threshold of
unsuccessful login attempts, the user needs to go
through a Turing Test on every login after that.
8. Proposed System
• The proposed system bases the ATT decision on the system as a
whole, rather than on cookies, to identify the legitimate user’s
system.
• The system IP and MAC are used to verify a trusted system.
• Unlimited login attempts are provided to a legitimate user by
verifying his registered system.
• An untrusted system is limited to 3 attempts, after which a
Turing Test is imposed for logging in.
9. Algorithm
Algorithm for base application
• Create a login form for validation of the user.
• Using socket programming, the credentials are passed to the
server.
Algorithm for verifying system
• Using the java.net package we extract information about the system
MAC and IP address.
• Using MD5 encryption we encrypt and transfer the login credentials
and system details to the server.
• The server then identifies an untrusted system based on the values
in its database and generates a Turing Test, which then needs to
be verified, again using MD5 encryption.
10. Proposed System Modules
• Login Module:
– It performs verification of the user id and password
using MD5 encryption.
• Verify Module:
– It checks the system IP and MAC address to
identify whether the system is registered or not.
– It is invoked on both successful and unsuccessful
login attempts.
11. • Add System
– This module adds a new system when a
successful login is made from an unregistered
system.
• Turing Test
– This is where the Turing Test is conducted.
– It is invoked when unsuccessful login attempts
from an unregistered system exceed 3 attempts.
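The decision flow of the Verify, Add System and Turing Test modules, as an added example that is not code from the original slides. It is written in Python rather than the Java the slides mention; `Account`, `login` and `att_passed` are hypothetical names, the addresses are constructed samples, and the password is compared directly instead of going through the MD5 transfer step.

```python
import hmac
from dataclasses import dataclass, field

MAX_UNTRUSTED_FAILURES = 3  # slides: an untrusted system gets 3 attempts

@dataclass
class Account:
    password: str  # constructed sample; a real server stores a salted hash
    trusted: set = field(default_factory=set)     # registered (ip, mac) pairs
    failures: dict = field(default_factory=dict)  # failed logins per unregistered system

def login(acct, ip, mac, password, att_passed=False):
    """Return 'ok', 'bad_password' or 'att_required' for one login attempt."""
    system = (ip, mac)
    good = hmac.compare_digest(password, acct.password)
    # Verify module: runs on every attempt, successful or not.
    if system in acct.trusted:
        # Registered system: unlimited attempts, never a Turing Test.
        return "ok" if good else "bad_password"
    fails = acct.failures.get(system, 0)
    # Turing Test module: after 3 failures from this unregistered system,
    # nothing is revealed about the password until the test is solved.
    if fails >= MAX_UNTRUSTED_FAILURES and not att_passed:
        return "att_required"
    if good:
        # Add System module: a successful login registers the new system.
        acct.trusted.add(system)
        acct.failures.pop(system, None)
        return "ok"
    acct.failures[system] = fails + 1
    return "bad_password"

def demo():
    laptop = ("10.0.0.5", "aa:bb:cc:dd:ee:01")     # registered system
    unknown = ("203.0.113.9", "aa:bb:cc:dd:ee:99")  # unregistered system
    acct = Account("correct horse", trusted={laptop})
    results = [login(acct, *unknown, "guess%d" % i) for i in range(4)]
    results.append(login(acct, *laptop, "correct horse"))
    return results

if __name__ == "__main__":
    print(demo())
```

The MAC address in this design is a value the client reports, so the server has no way to verify it; the trust decision is only as reliable as that report.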
14. Advantages of proposed system
• The cookie stealing attack is defeated.
• Use of the IP address in registering a system helps
users to use a number of devices accessing the
authentication system through a common access
point.
• It doesn’t affect the legitimate user when a hacker
tries to hack his account.
18. Future scope
• This system would fail if the password is stolen
using online keyloggers or Remote
Administration Trojans.
• Thus an approach to prevent keyloggers and
Trojans from creating logs that leak
password information must be developed.