
CSC4222/6222: Assignment 2 Solved

Part I: Questions


    1. Assume that passwords are selected from four-character combinations of 26 alphabetic characters. Assume that an adversary is able to attempt passwords at a rate of one per second.

            a) Assuming no feedback to the adversary until each attempt has been completed, what is the expected time to discover the correct password?

            b) Assuming feedback to the adversary flagging an error as each incorrect character is entered, what is the expected time to discover the correct password?
    2. It was stated that the inclusion of the salt in the UNIX password scheme increases the difficulty of guessing by a factor of 4096. But the salt is stored in plaintext in the same entry as the corresponding ciphertext password. Therefore, those two characters are known to the attacker and need not be guessed. Why is it asserted that the salt increases security?

    3. a) In the context of access control, what is the difference between a subject and an object?

        b) What is the difference between an access control list and a capability ticket?

    4. UNIX treats file directories in the same fashion as files; that is, both are defined by the same type of data structure, called an inode. As with files, directories include a nine-bit protection string. If care is not taken, this can create access control problems. For example, consider a file with protection mode 644 (octal) contained in a directory with protection mode 730. How might the file be compromised in this case?

    5. Describe the concept of each of the following threats and attacks, and give a countermeasure for each.

A. Denial-of-Service

B. Correlation and Traceback

C. ARP Spoofing

D. IP Spoofing

    6. Can you “decrypt” a hash of a message to get the original message? Explain your answer. What potential threats exist when you find out that, for every String A, you can find a String B such that H(A) = H(B)?

    7. Please use a diagram to show the process for the following scenario:

Alice wants to send a file M to Bob. She wants to guarantee the confidentiality and integrity of the file during transmission. In addition, Alice wants to demonstrate that the message was sent by Alice.

Please help Alice to design an Encryption System with diagrams.

    8. Explain how signatures can be used for malware countermeasure. Give an example to support your explanation.

    9. Assume passwords are limited to the use of the 95 printable ASCII characters and that all passwords are 10 characters in length. Assume a password cracker with an encryption rate of 6.4 million encryptions per second. How long will it take to test exhaustively all possible passwords on a Unix system?

    10. In the context of biometric user authentication, explain the terms: enrollment, verification, and identification.

    11. In the traditional UNIX file access model, UNIX systems provide a default setting for newly created files and directories, which the owner may later change. The default is typically full access for the owner combined with one of the following: no access for group and other, read/execute access for group and none for other, or read/execute access for both group and other. Explain the advantages and disadvantages of each of these cases, including an example of a type of organization where each would be appropriate.

    12. Name the five layers in TCP/IP Internet protocol stack. Briefly explain the main functionalities of each layer; identify the address mechanisms of each layer if any.


Part II: Wireshark & Programming


    13. Use Wireshark to monitor TCP traffic and capture the packets of the TCP three-way handshake.

Step 1: Download Wireshark at https://www.wireshark.org/.

Step 2: Use Wireshark's capture function to record the packets that make up the handshake process.

Requirements:

    a. Students first need to find the IP address of csds.gsu.edu.

Then, students are required to use Wireshark to capture the packets of the TCP handshake as described above.

    b. Instead of a screenshot, students need to upload the xxxx.pcapng file (the .pcapng file can be saved from Wireshark).

    c. Submissions with the same IP address will be regarded as copied work and receive a grade of 0.
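As an added illustration (not part of the assignment), the following Python builds a constructed TCP handshake at the raw header level and checks the sequence/acknowledgement arithmetic that a correct capture shows in Wireshark: SYN (seq=c), SYN-ACK (seq=s, ack=c+1), ACK (seq=c+1, ack=s+1). It assumes bare 20-byte TCP headers only, with no IP/Ethernet framing and no pcap container.

```python
import struct

# TCP flag bits from the header's flags byte
SYN, ACK = 0x02, 0x10
# ports, seq, ack, data offset/reserved, flags, window, checksum, urgent pointer
TCP_FMT = "!HHIIBBHHH"

def build_tcp(src_port, dst_port, seq, ack, flags):
    """Build a bare 20-byte TCP header (no options; checksum left 0 in this sample)."""
    return struct.pack(TCP_FMT, src_port, dst_port, seq, ack, 5 << 4, flags, 65535, 0, 0)

def parse_tcp(hdr):
    src, dst, seq, ack, _off, flags, _win, _csum, _urg = struct.unpack(TCP_FMT, hdr[:20])
    return {"src": src, "dst": dst, "seq": seq, "ack": ack, "flags": flags}

def find_handshakes(packets):
    """Return (client_port, server_port, client_isn, server_isn) for every completed
    three-way handshake, validating the seq/ack relationship at each step."""
    pending, completed = {}, []
    for p in map(parse_tcp, packets):
        key = (p["src"], p["dst"])          # client -> server direction
        if p["flags"] == SYN:
            pending[key] = ("syn", p["seq"])
        elif p["flags"] == SYN | ACK:
            rev = (p["dst"], p["src"])      # server replies to the client
            st = pending.get(rev)
            if st and st[0] == "syn" and p["ack"] == st[1] + 1:
                pending[rev] = ("synack", st[1], p["seq"])
        elif p["flags"] & ACK and not p["flags"] & SYN:
            st = pending.get(key)
            if st and st[0] == "synack" and p["seq"] == st[1] + 1 and p["ack"] == st[2] + 1:
                completed.append((key[0], key[1], st[1], st[2]))
                del pending[key]
    return completed

# Constructed sample: a client on port 51234 opening a connection to a web server on
# port 80, plus a SYN-ACK with a wrong ack number that must be ignored.
SAMPLE_CAPTURE = [
    build_tcp(51234, 80, 1000, 0, SYN),           # SYN, client ISN = 1000
    build_tcp(80, 51234, 5000, 9999, SYN | ACK),  # bogus SYN-ACK (ack != 1001), ignored
    build_tcp(80, 51234, 5000, 1001, SYN | ACK),  # SYN-ACK, server ISN = 5000
    build_tcp(51234, 80, 1001, 5001, ACK),        # ACK completes the handshake
]

if __name__ == "__main__":
    print(find_handshakes(SAMPLE_CAPTURE))  # [(51234, 80, 1000, 5000)]
```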



    14. Password Salt System Implementation and Brute-Force Cracker

A. Implementation of the Password Salt System

In this section, students are required to implement a salted password verification system. A salt is stored in the database alongside the hash and is added to the hashing process so that each stored hash is unique; this is easy to verify and increases the attacker's work without placing any extra requirement on the user. The salt does not need to be kept secret: the extra security it provides is that identical passwords map to different hashes depending on the salt. This defeats precomputed dictionary attacks, which are otherwise very effective at password cracking.

Using the given UID.txt (UID stands for “Unique Identifier”) and Hash.txt files, students need to implement a verification system such that the given example password and salt match the hash value in Hash.txt. For example, in your UID.txt file the first UID is 001, in your Password.txt file the password is 0599, and in your Salt.txt file the salt associated with the first UID is 054. Applying the MD5 hash function with the input encoded as ‘utf-8’, as shown in the figure, the expected output is 4a1d6f102cd95fac33853e4d72fe1dc5 (see the first line of your Hash.txt file). Note that the concatenation of password and salt must be in the form (password||salt): with the input above, the concatenated string is 0599054. Leading zeros must not be omitted.


Requirement for the designed system:

        1) The designed verification system should correctly verify the example shown above. When the input is correct, the system outputs the string “The input password and salt matches the hash value in the database”. Otherwise, the output should be “The input password and salt does not match the hash value in the database”.

        2) Password_Salt_Helper.pdf gives a Java template of the verification system. Use of the template is optional, as is the choice of programming language (e.g., Java, Python).


B. Implementation of the Cracker System

To reduce the complexity of cracking the password and salt, the passwords are randomly chosen from the range [0000, 1000] and the salt from the range [000, 100] for each UID. One simple way to implement a cracker is to try all possible combinations of password and salt for one UID by brute force. Given the Hash.txt and UID.txt files, students are required to implement a cracker that finds the correct password and salt for a specific UID.


Requirement for the designed system:

    1) For a specific UID, the cracker system outputs the correct password and salt value. For example, when the input UID is 001, the output should be “password: 0599; salt: 054”.

    2) Password_Salt_Helper.pdf gives a Java template of the cracker system. Use of the template is optional, as is the choice of programming language (e.g., Java, Python).
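As an added example (not the assignment's Java template), the following Python implements both the verification system of Part A and the brute-force cracker of Part B in one file: MD5 over (password||salt) with leading zeros kept, the exact output strings required above, and a search over the full 1001 x 101 space, which is only about 101,000 MD5 calls and finishes in well under a second, which is the lesson of the exercise. The UID list and hashes in the main block are constructed here with the same hash function rather than read from the assignment's UID.txt and Hash.txt.

```python
import hashlib
from itertools import product

PASSWORD_RANGE = range(0, 1001)   # assignment: passwords in [0000, 1000], 4 digits
SALT_RANGE = range(0, 101)        # assignment: salts in [000, 100], 3 digits

def salted_md5(password: str, salt: str) -> str:
    """MD5(password || salt) as a lowercase hex digest, input encoded as UTF-8.
    The assignment's Hash.txt line for UID 001 should equal salted_md5('0599', '054')."""
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()

def verify(password: str, salt: str, stored_hash: str) -> str:
    """Part A: recompute the hash from the candidate password and salt and compare."""
    if salted_md5(password, salt) == stored_hash.strip().lower():
        return "The input password and salt matches the hash value in the database"
    return "The input password and salt does not match the hash value in the database"

def crack(stored_hash: str):
    """Part B: try every (password, salt) pair in range; returns (password, salt) or None.
    Zero-padding keeps the leading zeros the assignment says must not be omitted."""
    target = stored_hash.strip().lower()
    for p, s in product(PASSWORD_RANGE, SALT_RANGE):
        password, salt = f"{p:04d}", f"{s:03d}"
        if salted_md5(password, salt) == target:
            return password, salt
    return None

def crack_uid(uid: str, uids: list, hashes: list) -> str:
    """Look up the hash stored on the same line index as the UID and report
    the result in the required 'password: XXXX; salt: XXX' format."""
    found = crack(hashes[uids.index(uid)])
    if found is None:
        return f"uid {uid}: no password/salt in range produces this hash"
    return f"password: {found[0]}; salt: {found[1]}"

if __name__ == "__main__":
    # Constructed stand-ins for UID.txt and Hash.txt (same line index links them)
    uids = ["001", "002"]
    hashes = [salted_md5("0599", "054"), salted_md5("1000", "100")]
    print(verify("0599", "054", hashes[0]))
    print(crack_uid("001", uids, hashes))   # password: 0599; salt: 054
```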

Submission Requirements:

    1) The report should first describe how the two systems are designed; second, it should include the set of passwords and salts for ten different UIDs. Source code and screenshots are required.

        2) For undergraduate students, the verification and cracker systems can be designed separately. For graduate students, the cracker system should include the function of verification system.
