Software Requirements Specification
advertisement
HASTAC Website Protection System HASTAC Website Protection System …because "Humans are smarter than any computer" Software Requirements Specification Academic Supervisor: Dr. Ron Rymon Presented By: Ronen Mendezitsky Alon Weiss |P age 1 HASTAC Website Protection System Table of contents Contents HASTAC ......................................................................................................................... 1 Software Requirements Specification ........................................................................... 1 Table of contents ............................................................................................................ 2 Overview ........................................................................................................................ 3 Motivation ...............................................................................................................3 The Product ..............................................................................................................3 General Goals ...........................................................................................................3 The Problem ................................................................................................................... 4 The Target Audience – User Characteristics ................................................................. 5 Alternative Solutions to the Problem ............................................................................. 6 Direct:......................................................................................................................6 Indirect ....................................................................................................................8 The Proposed Solution ................................................................................................... 9 The Users .................................................................................................................9 The Environment .................................................................................................... 11 Hardware ............................................................................................................... 11 The Process ............................................................................................................ 11 Use cases ...................................................................................................................... 12 Requirements ............................................................................................................... 16 Domain Definitions.................................................................................................. 18 HASTAC Website Protection System - Installation Procedure ........................................ 18 HASTAC Website Protection System - System Configurations ....................................... 19 HASTAC Website Protection System - Functionality and Operation ............................... 23 The Challenges............................................................................................................. 24 Criteria for Success ...................................................................................................... 24 Initial Plan .................................................................................................................... 24 References .................................................................................................................... 25 |P age 2 HASTAC Website Protection System Overview Motivation Decreasing the amount of network traffic caused by brute force hacking attempts into password protected websites and substantially reducing the amount of hacked accounts caused by these brute force attacks. The Product An online security system that will be displayed at the login page of any password protected website as an extra security measure. The system will add another input field where the user will have to answer a question embedded in a picture that asks random questions about that image. A generated image will contain a large amount of details including randomly generated images and words. General Goals Decrease the amount of brute force hacking attempts by relating more human thought into the login procedure. Allow easy integration to existing systems, and use as little resources as possible. Allow future upgrades to the system with plug-ins. |P age 3 HASTAC Website Protection System The Problem With increasing activity on the web, the quick and comfortable way of purchasing products, services and information online, more and more websites are being created to provide online paid services. This sort of development has caused the rapid increase of attempts to hack into these services providing websites. Websites owners are not only affected by the hacking of accounts, but more so by the hacking attempts, and more specifically brute force hacking attempts which increase the bandwidth load on web servers and can cause reduction in the speed and performance of the website, and could go as far as causing a DoS (Denial of Service) on the website, which can cause site owners to create a significant loss of activity on their website. One of the main reasons for that increased malicious activity is the development of automated brute forcing programs that use various techniques to find a valid username and password pairs of active accounts, by using readymade or auto generated wordlists with a fixed design of "username: password" structure which is commonly used by most password protected website today, be it a form or a regular pop up login page. These simple to operate programs allow people without any experience or knowledge in network and website security to hack into password protected websites with a push of a button. These attempts cause a very high network activity on the website, which raises the costs of webmasters even if an account has not been actually hacked. In addition to these automated brute force programs, many internet surfers can today find their way into one of the many communities, whose sole purpose is website hacking. This brings the "art" of brute forcing into the hands of any capable person, thus posing a problem for webmasters all over the world at a day to day basis. |P age 4 HASTAC Website Protection System The Target Audience – User Characteristics Since the World Wide Web consists of a vast amount of password protected websites (both internet and intranet), with new websites providing online paid services launching each and every day, all of them could end up being potential victims of brute force attack attempts. Our proposed solution offers them an easy to integrate solution that will decrease the amount of attempts for brute forcing. |P age 5 HASTAC Website Protection System Alternative Solutions to the Problem Over the years, there have been many attempts to solve the problems of website brute forcing attempts. Although that conceptually the ability of creating a new type of security always means that the same security measure can be cracked eventually, even already existing solutions are being periodically updated in order to fight brute forcing and other measures of attacks. In this section, we will review several of these security measures, both in a direct way and the indirect way. Direct: Product: Vendor: Link: Price: Strongbox Ray Morris ( bettercgi.com ) http://www.bettercgi.com/strongbox/ 150$ per site (one-time) Strongbox is one of many products that make the use of a 5 letter image-based code protection. "A CAPTCHATM is a program that can generate and grade tests that most humans can pass, but current computer programs can't pass." It also features antislurp mechanism, to disable website leeching. Product: Vendor: Link: Price: T4wsentry.pl Fisher Technologies, Inc. http://www.tools4webmasters.com/t4wsentry.htm 65$ per site (one-time) T4wsentry.pl is a Perl script that requires the user to log-in from a specific page, in order to access the restricted area of the website. The login page features a username, password, CAPTCHA image fields. The server-side script also monitors simultaneous access by more than one surfer under the same username. Once logged in, the user receives a cookie with a unique identifier, so the rest of the communication can be over regular HTTP. The script operates on the UNIX platform and is widely used in conjunction with the Apache web server. |P age 6 HASTAC Website Protection System Product: Vendor: Link: Price: Pennywize Zarvon P/L http://www.pennywize.com/ 30$-170$ (monthly rate) Pennywize monitors each and every hit on the "members only" pages and tests if a single account has had too many hits from different IP addresses. Once it finds such an account, it will be automatically disabled for a predefined period of time. It also detects IP addresses that have made many failed attempts to access a single account, or multiple accounts in a predefined time interval. In the latest version (currently 3.0) Pennywize also handles proxy based attacks. Product: Vendor: Link: Price: BotDetect LANAP software http://www.lanapsoft.com 60$-100$ per site (one-time) BotDetect is a CAPTCHA solution which supports up to 50 different CAPTCHA algorithms at variable length and image size, producing different file formats (jpeg, gif, png and others). It is a windows-based solution that supports ASP/ASP.NET alone, using IIS servers. |P age 7 HASTAC Website Protection System Indirect Community portals and services Community portals and services band together a large group of sites and provide a readymade protection for all of them. One example for this type of protection is Microsoft's Passport service which provides access to many services using a single ID and Password. This is also referred to as "Single-Sign-In". Another example is the Adult Verification Systems (or AVS) that group together a large amount of websites under a single username and password. Digital Rights Management (DRM) With the advent and popularity of Peer-to-Peer networks and Micro-Payments technologies, some copyright holders publish their content in a non-secured website or P2P network. These files cannot be played without purchasing a special license that can be acquired at the vendor's website. This renders brute-force attacks on the website useless, and the hackers try to 'crack' the protected files instead. |P age 8 HASTAC Website Protection System The Proposed Solution The Users The target audience for using "HASTAC" (Humans Are Smarter Than Any Computer) is the webmaster community of ASP.NET-based websites. (31% of the web servers worldwide, as shown below) Basic skills are required to deploy the system (usually a single click for autodeployment). Once installed, the system will be fully automated in such a manner that it will allow any user to use it in order to access the website through a verified authentication operation, and will not require any maintenance. We have created a prototype and managed to generate over 100 Challenge & Response pairs per second, with minor CPU usage level (around 12%). This means that the production system should be scalable to even the busiest of websites. Our market research showed that there is only one competing production-level product for the ASP.Net platform, and it provides solution of lesser quality. Apache Microsoft Sun NCSA Other Source: http://news.netcraft.com/archives/web_server_survey.html |P age 9 HASTAC Website Protection System Scenario #1 A webmaster of a single website that has no protection and a lot to secure requires authentication to his sensitive content. Regular solution: Dividing several web pages into a "secured zone" and an "unsecured zone". Our solution: Adding another field of authentication to the login page, in order to ensure no bots try to hack their way in using brute force attacks. Scenario #2 A group of webmasters wish to create a single sign-in solution for their websites. Regular solution: Use existing Active Directory or similar methods. All servers connect to a centralized account server. Our solution: Adding another field of authentication to the login page, in order to ensure no bots try to hack their way in using brute force attacks. The centralized account server is not accessed until the challenge has been answered correctly, thus saving precious resources. Scenario #3 A specific service requires high-fidelity human authentication, such as e-voting systems, polls, forms filling (registration, 'contact us', questionnaires etc.), public & free e-mail services, all to avoid mass junk data from being stored or sent using the service. Regular solution: Use standard CAPTCHA mechanism Our solution: Tighten the security with a better performing CAPTCHA, which is virtually unbreakable by standard OCR tools. | P a g e 10 HASTAC Website Protection System The Environment The product is designed for web servers (both corporate intra-nets and Internet): That run Microsoft Windows Server operating system That use SQL Server for the user base That have the .NET Framework 2.0 installed and running That have IIS 5.0 or 6.0 Installed and configured Hardware In our preliminary test, we have succeeded to generate over 100 challenge images per second on an average home PC with an average CPU load of 12% (This means there are 100 people trying to log in to the site). The minimum requirements for our system are imposed by the software that runs on the server. Naturally, these requirements vary, and depend on the amount of users, memory, CPU and storage space available. The Process When installed, the CAPTCHA module is integrated within the login mechanism and adds the extra authentication step in order to verify that a human is on the other end. When a user logs in to the system, the additional CAPTCHA image will be displayed and it will require solving the challenge before any further verification that require database. | P a g e 11 HASTAC Website Protection System Use cases General Flow: Start User freely browses unsecured zone Wishes to browse secured zone Yes – Log in No Existing user? Yes No- Register Log-in completed Failed User is rejected Registration completed Succeeded User Accepted User is rejected User logged in successfully Check system policy User has registered, account is automatically activated User has registered, account requires activation User freely browses secured zone | P a g e 12 HASTAC Website Protection System User Registration and Activation: User registration User Activation Display Registration form User receives activation link Show Challenge Follows link Activate account Verify Response Failed Complete registration Succeeded Check System policy Send activation link Complete registration | P a g e 13 HASTAC Website Protection System Log-in Flow: User wishes to log-in Enters log-in page Show Challenge. Request user name and password Cookie exists? Exists Fill username & password fields Failed Verify Response Successful Complete log-in process | P a g e 14 HASTAC Website Protection System Challenge and Response generation: Challenge & Response generation User wishes to register or log-in Exists Check DB if pregenerated C&R exists Load C&R from Database Doesn't Exist Create C&R On-thefly According to system policy, start background C&R generation Send challenge to user Challenge & Response verification Verify user response against database Remove record from database Return verification result | P a g e 15 HASTAC Website Protection System Requirements Ability to Pre-generate challenge & response pairs, in order to ease the load on the server on high-traffic periods (such as the holiday's season). The pre-generation can be either done on another computer or on idle CPU cycles. Importance: Critical Variable Complexity – Be able to change the complexity of the generated image: Parameter Value Range Number of shapes 3-10 Number of colors 3-10 Background patterns Selection from a list Optical distortions 0%-100% Word length 3-20 Salting/Graining 0%-100% Importance: Critical Use many types of fonts, shapes, colors and backgrounds to make it harder for off-the-shelf brute-force CAPTCHA solvers to penetrate the website. Importance: Critical Fast response to ill-formatted inputs (short passwords, no usernames, bad answers etc.) – Employ some form of heuristics on the client page before sending potentially bad data. Importance: Critical Plug-in architecture to allow future development of new types of Challenges and Response types. Importance: Critical Larger Challenge & Response Space than current solutions – Provide a larger C&R space than the existing solutions. Importance: Critical | P a g e 16 HASTAC Website Protection System Copyright notice – Embed copyright signature on each generated image in order to discourage surfers from solving CAPTCHAS harvested from the original site to aid in auto filling forms. Importance: Medium Statistics – Be able to provide meaningful statistics on the performance of the system such as the graph shown below. Importance: Medium 10% 5% First attempt Second attempt 25% 60% Third attempt Failed attempts Successful login attempts between 31/12/2005-31/12/2006 Provide Back-Office / web service for configuration and/or XML configuration file. The system should be highly configurable, while still being simple to operate. Importance: Medium Extensibility to other platforms and generators – The solution should be modular and enable future enhancements (both hardware and software), and also operate on the popular apache/PHP environments. Importance: Low | P a g e 17 HASTAC Website Protection System Domain Definitions a) Secured zone: A set of web pages and content whose access is limited only to registered members of the website. b) Unsecured zone: A set of web pages and content that is available to the general public. c) User: A person who wishes to enter the secured zone of a website. When a user wants to access the website he can either: a. Access the unsecured zone. b. Authenticate himself and access the secured zone. (This procedure is referred to as "Login Transaction"). The authentication consists of entering an account name and password, and additionally answering a computer generated challenge. d) Administrator: Typically the owner of the website. Manages the rules of the login process to the secured zones of the website and additionally integrates the "HASTAC website security" software component into the website. e) Challenge generation process: A process in which the software generates an number of challenge and response pairs and stores it in the database. HASTAC Website Protection System - Installation Procedure This process consists of four stages: a) Setting up the database. This is done by "attaching" an existing, blank database and creating administrative accounts. | P a g e 18 HASTAC Website Protection System b) Copying the binary file (HASTAC.DLL), the back-office software to the website server. c) Integrating the HASTAC component in the login page/component. d) Configuring the system. (Explained in the next section) HASTAC Website Protection System - System Configurations HASTAC is controlled from a back-office system that will include 5 tabs: a) Main b) Configuration c) Tools d) Statistics e) About Main The 'Main' section shows general information about the system: a) System status b) System time c) Number of login transactions d) Number of pre-generated challenge and response pairs In addition, it allows changing the system status, reset login transaction counters and a shortcut to generate more challenge and response pairs. | P a g e 19 HASTAC Website Protection System Configuration The 'Configuration' section allows the administrator to define different aspects of the challenge and response generation process. Number of login attempts Same difficulty for all attempts Number of shapes Number of colors Background patterns Optical distortion Word length Salting Image file formats Copyright notice Number of allowed login attempts before a redirection to an "Access Forbidden" page occurs. When checked, this option allows to apply the same difficulty level to all login attempts. Otherwise, every login attempt will be configurable. Average number of shapes shown in each generated picture. Average number of colors shown in each generated picture. A variety of background patterns available for each generated picture. Distort the generated image to harden the readability of words in order to prevent OCR mechanisms from cracking the words inside the generated image. Varied length of words generated on the images. Additional image processing that adds salt (noise to the picture in order to make OCR technology difficult to use). Select from a variation of image file formats. A fixed string that will be shown on each generated picture on a random edge | P a g e 20 HASTAC Website Protection System Tools The 'Tools' section allows the administrator to pre-generate challenge & response pairs in off-peak hours, to ease the CPU in peak hours. It also allows changing the 'pre-generated images' cache size. Clicking on the "Pre-generate Challenge & Responses Now" button starts a background process at the server, which generates Challenge & Response pairs. The timetable allows scheduling the generation process automatically for each day of the week and each hour of day. On websites with high traffic this will alleviate the CPU usage during the 'rush hours'. A red box signifies that the generation process will take place A clear box signifies that the generation process will take place only when the Challenge and Response pair cache is empty. Websites with a limited storage, light traffic and/or low CPU usage may want to leave the boxes unchecked. The "Generate up to # Challenge & Response pairs" field specifies the maximum number of Challenge and Response pair to pre-generate. Taking into account that an average file is 4Kb big, 1 Mb of storage space is equivalent to 256 Challenge and Response pairs. | P a g e 21 HASTAC Website Protection System Statistics The 'Statistics' section displays meaningful information about the successful login attempts, login traffic, daily login statistics. The "Successful login attempts" displays statistics about the percentage of successful login attempts to the site for each attempt. The shown statistics, for example, shows that 60% of the users manage to login on their first attempt. 25% of the users manage to login on their second attempt, 10% on their third attempt, and the rest 5% fail to login successfully. The "Image Traffic So Far" field displays the amount of traffic utilized by the HASTAC Protection system. The Day login statistics shows the number of login attempt for every day in the current month. The Most active accounts shows the top 10 most active accounts. | P a g e 22 HASTAC Website Protection System HASTAC Website Protection System - Functionality and Operation When a user tries to access to protected website area, a challenge and response image is displayed. The user has to input his account name, password and an additional answer to the challenge field. (See also flow charts in pages 11,12). | P a g e 23 HASTAC Website Protection System The Challenges There are several challenges facing the development of the HASTAC Website Protection System. 1. The suggested algorithm has no parallel in the website protection field and has to be written from scratch. 2. Making Question and Answer space be as large as possible. 3. The system has to consume as little bandwidth as possible (preferably less than 5 Kilobytes for each Challenge Image) 4. The CPU utilization should be minimal, even during the generation process 5. SQL Database access and HDD I/O should be minimal. 6. Image manipulation algorithms should be developed to render OCR useless. 7. The system has to be user friendly, both to the user and to the website administrator. 8. The system should be upgradable with plug-ins. Criteria for Success Success: Meeting all the requirements described above. Failure: Poor integration, Challenge & Response quality, and resource usage. Bad plug-in support. Initial Plan The plan for HASTAC Website Protection System Top Level Design will be as follows: 1. Research and Development of the HASTAC algorithm 2. Research brute-force techniques of CAPTCHA-protected websites. 3. Investigate integration methods with current ASP.NET websites. 4. Build administration interface ("Back-Office") for the system | P a g e 24 HASTAC Website Protection System 5. Define the main software modules and their integration 6. Perform stress-testing on the algorithm References 1. http://www.bettercgi.com/strongbox/ (StrongBox) 2. http://www.tools4webmasters.com/t4wsentry.htm (T4WSentry) 3. http://www.lanapsoft.com (BotDetect) 4. http://www.pennywize.com (PennyWize) 5. http://www.captcha.net/ (The CAPTCHA Project) 6. http://www.firepages.com.au/captcha.htm (A different approach for CAPTCHA, based on image recognition and counting) 7. http://news.netcraft.com/archives/web_server_survey.html (Web-server platform statistics) 8. http://video.google.com/videoplay?docid=-8246463980976635143 (Dr. Luis von Ahn from Carnegie Mellon University talking about current CAPTCHA technology and its disadvantages) | P a g e 25
