Hello, I am working on a project for TSA (cyber security if anyone wants to check), and I need to make a program that will resist brute force attacks. I have built a rough program, and now I need a brute force program. I was just wondering what the best method for a brute force program would be.
Requirements:
needs to remember tried codes
needs to try passwords from 1 digit to 10 digits
needs to send attempts through serial communication
I was thinking of using a string of possible characters then remembering the numbers in a string. Is there a more streamlined version I could try? I also did read other articles about this before anyone asks. Any and all help is greatly appreciated!
for how long and is there a number limit? Why remember if you never review them?
2, what will tell you the start and end of a particular password sequence?
I am sorry for the confusion, it is a school club, the Technology Student Association, not the government agency. I am building this code to unlock different functions of a device. I am tying 2 projects together.
I mean using serial communications for the password, how will you determine when a new attempt is being sent and how will you determine when the last digit of the attempt has been read?
I will try to send a code every half second, and I will program in a delay whenever the system does a delay lock (where after 4 attempts wait a minute).
Sarcasm follows
Yeah, an Arduino or the like sure has massive processing power - excellent for brute force attacks.
MCU
Limited storage / ram.
Try passwords that consist of digits, no problem. However, how many passwords are made up purely of digits nowadays?
Skip the MCU and do internal logging from process to disk.
Reason to go with a normal CPU system - The necessary power for brute attacks, there is already lots of code to use, and skip the serial link by using a local process.
Update to your update:
Even if the requirements are lower, it's still easier to simulate two devices in a computer by two processes, a lot faster to code and test code etc.
I do not feel like this is a complex problem. You need the Arduino to send a code, memorize it, and if the code does not work, send another, delete the old code and memorize the next code, etc. It will only remember one code at a time, and I need it to communicate these codes to another Arduino. This seems like the best way to do it.
Brute force generally just iterates through every possible code combination; unless you have a non-sequential method of doing that, it should be fairly simple.
The system being attacked really should have a progressively longer wait time for every failed attempt, to prevent a successful attack in any reasonable amount of time.
Give up now.
Every possible combination of numbers up through 10 digits is 10 billion possibilities,
At one attempt every half second, with no other waits for failed attempts, you will need about 158 years to try every possibility.
You will need something bigger than a 4-byte unsigned int.
Seriously, you can write the program you want to test, but cannot write the code that simply tries every number sequentially?
Resisting brute force attacks should be easy. After a few attempts (3 or 4 at the most), start adding delays before the next attempt is allowed, with the delay increasing exponentially. Alternatively, just lock out any further attempts after a specified number of failed attempts have been made.
So you have
10 1-digit passwords to try, plus
100 2-digit passwords to try, plus
1000 3-digit passwords to try, plus
10000 4-digit passwords to try, plus
:
:
10^10 ten-digit passwords to try,
So that's going to take nearly an hour and a half just to do all the possible 4-digit passwords.
Over 1500 years to do all the 10-digit ones.
Clearly, this is not a practical approach!
EDIT
I seem to be out by an order of magnitude - but it's still over 150 years.
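The lockout policy suggested in the replies above (a few free attempts, then a delay that doubles after each further failure), written out as an added example; it is not code from any poster in this thread. The 24-hour cap, the function names and the caller-supplied millisecond clock are assumptions made for the illustration.

```c
#include <stdint.h>
#include <string.h>

#define FREE_ATTEMPTS 4u           /* failures allowed before the first lock */
#define BASE_LOCK_MS  60000ull     /* first lock: one minute */
#define MAX_LOCK_MS   86400000ull  /* assumed cap: 24 hours */

enum attempt_result { ATTEMPT_OK, ATTEMPT_WRONG, ATTEMPT_LOCKED };

struct lock_state {
    uint32_t failures;         /* consecutive failed attempts */
    uint64_t locked_until_ms;  /* attempts before this time are refused */
};

/* Lock duration imposed after the n-th consecutive failure. */
uint64_t lock_delay_ms(uint32_t failures) {
    if (failures < FREE_ATTEMPTS) return 0;
    uint32_t doublings = failures - FREE_ATTEMPTS;
    if (doublings >= 11) return MAX_LOCK_MS;  /* 60000 << 11 is past the cap */
    return BASE_LOCK_MS << doublings;
}

/* Check one received code at time now_ms (e.g. a monotonic tick counter). */
enum attempt_result try_code(struct lock_state *s, uint64_t now_ms,
                             const char *guess, const char *secret) {
    if (now_ms < s->locked_until_ms) return ATTEMPT_LOCKED; /* not compared */
    if (strcmp(guess, secret) == 0) {
        s->failures = 0;
        s->locked_until_ms = 0;
        return ATTEMPT_OK;
    }
    s->failures++;
    s->locked_until_ms = now_ms + lock_delay_ms(s->failures);
    return ATTEMPT_WRONG;
}

/* How many wrong codes the policy accepts within budget_ms when each one
 * arrives the instant the previous lock expires (the worst case). */
uint32_t guesses_within(uint64_t budget_ms) {
    struct lock_state s = {0, 0};
    uint64_t now = 0;
    uint32_t sent = 0;
    while (now <= budget_ms) {
        try_code(&s, now, "0", "constructed-secret"); /* always wrong */
        sent++;
        now = s.locked_until_ms;  /* wait out the lock, then try again */
    }
    return sent;
}
```

With these numbers a sender gets 9 attempts in the first hour and 14 in the first day, against the 10,000 codes of a 4-digit space. The failure counter only helps if it survives a reset of the device, so on real hardware it would need to live in non-volatile storage.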