Infineon Security Platform Solution |
Dictionary Attack Defense Measures
Notes:
|
Security Platform Solution repels dictionary attacks using the following measures:
- If there has been multiple failed authentication attempts, the Security Platform is temporarily disabled until the next system restart. This way the Security Platform Owner can take additional measures against the attack before he enables the Security Platform again.
- Additionally a lock-out time is in effect: Further authentication attempts are rejected for a certain time. With each further failed authentication attempt the defense level is incremented which means that the lock-out time is doubled.
- If there are no further failed authentication attempts within a certain time the defense level decreases again.
- The Security Platform Owner can reset the defense level.
The following figures depict these measures.
Defense level increase with repeated failed authentication attempts
This figure shows how failed authentication attempts would cause the increase of defense level and lock-out time, if the Security Platform would not be temporarily disabled.
|
In this example the defense threshold is the fifth authentication attempt. The attacker continuously tries to authenticate. I.e. the defense level rises as soon as the current state's lock-out time is over.
Avoiding the defense level increase by temporarily disabling the Security Platform
To block further attacks in an early phase and to avoid long lock-out time periods, the Security Platform is temporarily disabled as soon as the defense threshold is exceeded.
|
In this example the Security Platform cannot be attacked any more, even if the lock-out time is over. The Security Platform will be enabled only after the next system restart.
Defense level auto-decrease
This figure shows that the defense level decreases again after a certain time, if there are no further failed authentication attempts.
|
In this example you can see the defense level increase and the lock-out time (red) caused by a failed authentication attempt. It is assumed that the system is restarted after a short time (grey). When the auto-decrease time has elapsed, the defense level decreases automatically. Note that for low defense levels the auto-decrease time is much higher than the lock-out time.
Notes:
|
Defense level reset
This figure shows the defense-level reset accomplished by the Security Platform Owner.
|
Similar to the preceding figure, you can see defense level increase, lock-out time (red) and the system being temporarily disabled until the next reboot (grey). Here it is assumed that the Security Platform Owner resets the defense level since he does not want to wait for incremental defense level auto-decrease.
Typical dictionary attack defense parameters
The following table shows some dictionary attack defense parameters typical for the Infineon Trusted Platform Module. The listed values might differ for your Trusted Platform Module.
Allowed attempts for Key authentication (e.g. used for Security Platform User authentication) |
5 | After 5 failed attempts within 6 hours dictionary attack defense measures are taken (see policy Configure dictionary attack threshold and Configure Dictionary Attack Defense Settings). |
Allowed attempts for Security Platform Owner authentication |
3 | After 3 failed attempts within 6 hours dictionary attack defense measures are taken (see policy Configure dictionary attack threshold and Configure Dictionary Attack Defense Settings). |
Allowed attempts for Data authentication (e.g. used by Windows BitLocker in combination with PIN) |
10 | After 10 failed attempts within 6 hours dictionary attack defense measures are taken (see policy Configure dictionary attack threshold and Configure Dictionary Attack Defense Settings). |
Minimum lock-out time |
~10 s | The initial lock-out time after the threshold has been exceeded is 10 seconds. |
Maximum lock-out time |
~24 h | The maximum lock-out time is 24 hours. This limit is reached with less than 15 failed authentication attempts after the threshold has been exceeded. |
Defense level auto-decrease time |
~6 h | About 6 hours after reaching a certain defense level the defense level will be automatically decreased by
1. Note that this applies only if there is no further failed authentication attempt within 6 hours. This would lead to an increase of the defense level by 1. |
These settings result in a high security level in case of a real dictionary attack. On the other hand accidental wrong password entries are handled in a user-friendly and flexible way.
Lock-out time and defense level auto-decrease time elapse only on running systems. |
©Infineon Technologies AG