Dictionary Attack Defense Measures

Infineon Security Platform Solution

Notes:
  • This topic is only relevant for Security Platforms with a Trusted Platform Module 1.2. The details of the Security Platform dictionary attack defense mechanism are only valid for Security Platforms with an Infineon Trusted Platform Module 1.2.
  • This topic is mainly targeted at the Security Platform Owner.

Security Platform Solution repels dictionary attacks using the following measures:

  • If there have been multiple failed authentication attempts, the Security Platform is temporarily disabled until the next system restart. This way the Security Platform Owner can take additional measures against the attack before he enables the Security Platform again.
  • Additionally, a lock-out time is in effect: further authentication attempts are rejected for a certain time. With each further failed authentication attempt the defense level is incremented, which means that the lock-out time is doubled.
  • If there are no further failed authentication attempts within a certain time the defense level decreases again.
  • The Security Platform Owner can reset the defense level.

The following figures depict these measures.

Defense level increase with repeated failed authentication attempts

This figure shows how failed authentication attempts would cause the defense level and the lock-out time to increase if the Security Platform were not temporarily disabled.

[Figure: defense level over time; each authentication attempt is followed by its lock-out time]

In this example the defense threshold is the fifth authentication attempt. The attacker continuously tries to authenticate, so the defense level rises as soon as the current state's lock-out time is over.

Avoiding the defense level increase by temporarily disabling the Security Platform

To block further attacks in an early phase and to avoid long lock-out time periods, the Security Platform is temporarily disabled as soon as the defense threshold is exceeded.

[Figure: defense level over time; the locked-out period is followed by the temporarily disabled period, authentication attempts on the time axis]

In this example the Security Platform can no longer be attacked, even after the lock-out time is over. The Security Platform will be enabled only after the next system restart.

Defense level auto-decrease

This figure shows that the defense level decreases again after a certain time, if there are no further failed authentication attempts.

[Figure: defense level over time; a failed authentication attempt, the auto-decrease time, and the auto-decrease]

In this example you can see the defense level increase and the lock-out time (red) caused by a failed authentication attempt. It is assumed that the system is restarted after a short time (grey). When the auto-decrease time has elapsed, the defense level decreases automatically. Note that for low defense levels the auto-decrease time is much higher than the lock-out time.

Notes:
  • The auto-decrease time is independent of lock-out time and system restart.
  • The auto-decrease does not require a system restart.
  • For low defense levels the auto-decrease time is much higher than the lock-out time.

Defense level reset

This figure shows the defense-level reset accomplished by the Security Platform Owner.

[Figure: defense level over time; a failed authentication attempt followed by the reset by the Security Platform Owner]

Similar to the preceding figure, you can see defense level increase, lock-out time (red) and the system being temporarily disabled until the next reboot (grey). Here it is assumed that the Security Platform Owner resets the defense level since he does not want to wait for incremental defense level auto-decrease.

Typical dictionary attack defense parameters

The following table shows some dictionary attack defense parameters typical for the Infineon Trusted Platform Module. The listed values might differ for your Trusted Platform Module.

Allowed attempts for Key authentication (e.g. used for Security Platform User authentication): 5
  After 5 failed attempts within 6 hours, dictionary attack defense measures are taken (see policies Configure dictionary attack threshold and Configure Dictionary Attack Defense Settings).

Allowed attempts for Security Platform Owner authentication: 3
  After 3 failed attempts within 6 hours, dictionary attack defense measures are taken (see policies Configure dictionary attack threshold and Configure Dictionary Attack Defense Settings).

Allowed attempts for Data authentication (e.g. used by Windows BitLocker in combination with PIN): 10
  After 10 failed attempts within 6 hours, dictionary attack defense measures are taken (see policies Configure dictionary attack threshold and Configure Dictionary Attack Defense Settings).

Minimum lock-out time: ~10 s
  The initial lock-out time after the threshold has been exceeded is 10 seconds.

Maximum lock-out time: ~24 h
  The maximum lock-out time is 24 hours. This limit is reached with less than 15 failed authentication attempts after the threshold has been exceeded.

Defense level auto-decrease time: ~6 h
  About 6 hours after reaching a certain defense level, the defense level will be automatically decreased by 1.
  Note that this applies only if there is no further failed authentication attempt within 6 hours. Such an attempt would instead increase the defense level by 1.

These settings result in a high security level in case of a real dictionary attack. On the other hand, accidental wrong password entries are handled in a user-friendly and flexible way.

Lock-out time and defense level auto-decrease time elapse only on running systems.
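The following Python model is an added example, not part of the Infineon documentation, that simulates the mechanism described above with the typical key-authentication parameters from the table (lock-out doubling from 10 s up to 24 h, auto-decrease by 1 per 6 h, temporary disabling until restart, owner reset, and a clock that only advances while the system runs). That the sixth failure within the window exceeds the threshold of 5 is a modelling assumption.

```python
from dataclasses import dataclass, field
# Typical parameters from the table (key authentication, e.g. Security Platform User).
THRESHOLD = 5             # allowed failed attempts within WINDOW
WINDOW = 6 * 3600         # counting window for the threshold (~6 h)
MIN_LOCKOUT = 10          # initial lock-out time (~10 s)
MAX_LOCKOUT = 24 * 3600   # upper bound for the lock-out time (~24 h)
AUTO_DECREASE = 6 * 3600  # defense level drops by 1 after ~6 h without failures

def lockout_time(level: int) -> int:
    """Lock-out time for a defense level: doubles per level, capped at 24 h."""
    return 0 if level == 0 else min(MIN_LOCKOUT * 2 ** (level - 1), MAX_LOCKOUT)

def attempts_to_max_lockout() -> int:
    level = 1  # failed attempts after the threshold was exceeded until the cap is hit
    while lockout_time(level) < MAX_LOCKOUT:
        level += 1
    return level - 1

@dataclass
class DefenseModel:
    clock: int = 0                # seconds of running-system time only
    level: int = 0                # current defense level
    locked_until: int = 0         # clock value at which the lock-out ends
    level_changed_at: int = 0     # clock value of the last level change
    disabled: bool = False        # temporarily disabled until the next restart
    failures: list = field(default_factory=list)  # timestamps of failed attempts

    def run(self, seconds: int) -> None:
        """Advance time while the system runs and apply auto-decrease steps."""
        self.clock += seconds
        while self.level > 0 and self.clock - self.level_changed_at >= AUTO_DECREASE:
            self.level -= 1
            self.level_changed_at += AUTO_DECREASE
    def restart(self) -> None:
        self.disabled = False     # time spent powered off did not advance the clock
    def failed_attempt(self) -> str:
        """A wrong password: 'rejected' while locked out or disabled, else 'failed'."""
        if self.disabled or self.clock < self.locked_until:
            return "rejected"
        self.failures = [t for t in self.failures if self.clock - t < WINDOW]
        self.failures.append(self.clock)
        # Assumption: the sixth failure within the window exceeds the threshold of 5.
        if self.level > 0 or len(self.failures) > THRESHOLD:
            self.level += 1
            self.level_changed_at = self.clock
            self.locked_until = self.clock + lockout_time(self.level)
            self.disabled = True
        return "failed"
    def owner_reset(self) -> None:
        """The Security Platform Owner resets the defense level instead of waiting."""
        self.level, self.locked_until, self.failures = 0, 0, []
```

Running attempts_to_max_lockout() reproduces the table's statement that the 24 h cap is reached with fewer than 15 failed attempts after the threshold has been exceeded.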


©Infineon Technologies AG