$24
Part One: Short answer questions: 4 Marks
1. Determine the entropy associated with the following method of generating a password. 1 Mark
Choose, and place in this order, one lower case letter, following by one upper case letter, followed by two digits, followed by @, followed by two letters, each upper or lower case, and then followed by three symbols drawn from the set f$,9,5,v,w,Jg. Finally, apply the hash function Tiger to give an output string in hex which will be used as a password.
Assume random choices are made with equal likelihood of each symbol from the space being chosen from. So for a random digit there are 10 possibilities, each chosen with probability 1/10.
Generate a BLP lattice{structured system where the objects and subjects are appropriately levelled to give access consistent with the access control matrix below. You need to describe the process by which you obtain your lattice. R and W correspond, respectively, to read and append. You are to
use only the mandatory BLP rules, and a default allow in place of the discretionary rule. Be sure to
add a level as necssary to ensure this is a lattice.
1 Mark
O1
O2
O3
O4
O5
O6
S1
R
R
R
R
R
RW
S2
R
W
W
W
S3
R
RW
RW
W
W
S4
R
R
W
S5
R
S6
R
R
R
R
Describe a one{time password system where the user has a hardware token which has no connectivity with the server. The token should somehow be generating pins speci c to the user and the system
they are connecting too, and checkable by the server. 1 Mark
1
4. For the following collection of statements, describe the sets of actions, objects, and subjects; and
draw an access control matrix to represent the scenario. 1 Mark
Alice can climb trees and eat apples.
Bob can climb fences, eat apples, and wave flags.
Trees can hurt apples.
Carol can jump waves and wave flags.
Part Two: Implementing a rainbow table 6 Marks
You are to write a program, in C/C++ or Java, that compiles on Banshee with an instruction you provide in a le readme.txt. Your program should run on Banshee using the following instruction:
$ ./Rainbow Passwords.txt
where the le Passwords.txt contains a list of possible passwords. The password le contains a password per line, as in /usr/dict/words and consists of strings of printable characters. Any password used must be taken from this le, so the only stored hash information needs to relate to those entries in the le.
The program is used to nd pre{images for given hash values. Rainbow tables can be used to solve pre{image problems for hash functions. At the simplest level they can simply be a list of hash values and the corresponding pre-images, often from some dictionary. This can be expensive in terms of storage space however, and a more e cient way of identifying pre-images involves the use of the hash function and reduction functions.
Your program will do some initial computations to generate the rainbow table. The process is as follows:
Read in the list of possible passwords. Report on the number of words read in.
For each previously unused word W , rst mark it as used and then carry out the following process:
Apply the hash function H to the word W to produce a hash value H(W ), which we refer to as the current hash.
Apply the reduction function R to the current hash, which will give a di erent possible password which should be marked as used and then hashed. The resulting hash value is recorded as the current hash.
Repeat the previous step four times. You can deal with collisions if you like but are not required to.
Store the original word W and the nal current hash as an entry in your rainbow table.
To assist with the later identi cation of the pre{images you should sort the rainbow table based on the hash values.
Output the list of words and corresponding " nal current hashes" to a text le Rainbow.txt. Report to standard out the number of lines in your rainbow table.
2
You are now ready to carry out the second part of the exercise, nding pre{images. Request a hash value from the user. There should be appropriate error checking as to the length of the input string etc. The process of identifying the pre{image for the provided hash value is sketched as follows:
Check if the hash value is in the rainbow table.
If the hash value isn’t in the rainbow table you reduce and hash until you get a hash value that is in the rainbow table, or until you have done the reduce and hash enough times that it’s clear from the way the rainbow table is generated that something is wrong. Display an appropriate message if this happens.
Once you have identi ed the relevant hash value in the table you take the corresponding password and hash it. If that is your hash value you have your pre{image. If it isn’t, then reduce and hash again, until the reduced word hashes to the hash value being searched for.
Output the releative reduced word, that is your pre{image.
A reduction function is designed to take a valid hash value and return a valid password, in this case a valid word from Passwords.txt. The reduction function to be used should be based on the number of words in the Passwords.txt le, and since that isn’t a xed length le your method needs to be dynamic. You should nd a way to convert a hash value to an integer that identi es one of the passwords. You should describe how your reduction function works in readme.txt.
You should use MD5 as the hash function. There are implementations of MD5 on Banshee. One is incorrect. Check agianst standards to make sure your hashing is working correctly.
Submission is via Moodle.
Your program will be compiled and tested on Banshee. if it doesn’t compile you will likely receive 0 for the coding part of the assignment.
Include the compilation instructions with your submission in a le readme.txt. That le should also contain a description of how you do the reduction.
Late submissions will be marked with a 25% deduction for each day, including days over the weekend.
Submissions more than three days late will not be marked, unless an extension has been granted.
If you need an extension apply through SOLS, if possible before the assignment deadline.
Plagiarism is treated seriously. Students involved will receive zero.
c Luke McAven & Guomin Yang, SCIT, University of Wollongong, 2018.
3