Worksheet 04: Authentication | Computer Security (Fall 2024)
Worksheet 04: Authentication

Worksheets are self-guided activities that reinforce lectures. They are not graded for accuracy, only for completion. Worksheets are due by the start of the next lecture via Blackboard link as a single PDF document. Be sure to properly label each question.

Questions

  1. What is the difference between authentication and identification? Provide an example to show the difference.

  2. Instead of storing the plain-text password, servers store a cryptographic hash of the password. How is it the case that the server can still check a password without actually knowing which passwords each user has?

  3. However, hashing may not be enough because of a pre-computed dictionary attack. To demonstrate this, check out the RockYou data set, a list of common (bad) passwords. Below are three sha256 hashes, each of one of those common passwords. Use a pre-computed dictionary of hashes (namely of the RockYou data set) to determine which passwords are hashed here. Also take note of how long the matching took.

    c231726a6fdad30f6c67ba99bc2243c807e1a51b4327f7eacef27ca59ea2e64b
    8126bda31755b97d6bb694cccf2551c0a5d0fdcdeddb74ca2b82d1292dca8652
    e0979293ed2bc2d485aea84a955d3d982bc4ba60d8f4d8f4b363ec04abc7ae91
    

    Note 1: I computed these hashes using Python's hashlib with sha256, with the trailing newline stripped from each password. The hex encoding is hashlib's hexdigest().

    Note 2: You should write a program to do this, but the routine is simple: hash every password in the list and compare each result to the hashes above.

  4. Let's now consider salting passwords. This time, I've included three hashed passwords, each with a random 5-character salt. Can you crack these using the RockYou data set? How long did it take compared to the attack above?

    8c47d907a41c1ed2118c7e55eaec35c77f5c7e42f540fac48ffaae759e81d3b4:o|%Eg
    810225544dab8028701275a3c460d3782b49f1db761d4e5c825926af3ab93e7c:p}[eD
    34604383be265e3e74132ee54d406364e03cae9181b613683c220c96f4d76868:j&/|!
    

    Note: Anything following the colon is the salt. The colon itself is not part of the salt.

  5. What is the difference between online and offline password guessing attacks? Which one are you doing above?

  6. Provide three different techniques to mitigate an online guessing attack, each with a brief explanation.

  7. Explain how using a pepper can slow down an offline guessing attack.

  8. Finally, can you crack the following passwords, hashed with a salt and 5 iterations of sha256? How long did this take compared to the examples above?

    3d12b4e927a859255d952e9810c73c5e831dd926698c37756336765ba506423e:{d31"
    efea8db5e83417453447131337b2cbdc031a4125c5e35cb872bca04c3f94c431:{ahw)
    0bdf1284a4228fbe1b5747aea2a6fb7dbd651a7d8e60828aea6b54691fb37b09:"B}AV
    

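As an added example, not part of the worksheet, here is a Python sketch of the matching routine that questions 3, 4 and 8 describe, run against a constructed six-word stand-in for RockYou. It shows why the pre-computed table from question 3 stops being useful once a salt is added (each record needs a fresh pass over the list) and how iteration multiplies the work per candidate. The salt layout (password followed by salt) and the iteration style (raw digest fed back into sha256) are assumptions, since the worksheet does not specify them.

```python
import hashlib

# Constructed stand-in for the RockYou list (six entries, not the real data set).
WORDLIST = ["123456", "password", "iloveyou", "princess", "qwerty", "dragon"]


def hash_password(pw, salt="", rounds=1):
    """Hex sha256 of the password, optionally salted and re-hashed.
    rounds=1 with no salt is exactly the question 3 scheme (hexdigest()).
    ASSUMED for questions 4 and 8: layout is password || salt, and each
    further round hashes the previous raw digest bytes."""
    data = (pw + salt).encode()
    for _ in range(rounds):
        data = hashlib.sha256(data).digest()
    return data.hex()


def build_table(words):
    # Question 3: hash the dictionary once, then every target is an O(1) lookup.
    return {hash_password(w): w for w in words}


def lookup(table, digest):
    return table.get(digest)


def parse_record(line):
    # Worksheet record format "hexdigest:salt"; the colon is not part of the salt.
    digest, salt = line.split(":", 1)
    return digest, salt


def crack_record(words, line, rounds=1):
    """Questions 4 and 8: the salt makes the pre-computed table useless, so each
    record costs a fresh pass over the wordlist. Returns (password or None,
    number of sha256 evaluations spent) so the schemes can be compared."""
    digest, salt = parse_record(line)
    evaluations = 0
    for w in words:
        evaluations += rounds
        if hash_password(w, salt, rounds) == digest:
            return w, evaluations
    return None, evaluations


if __name__ == "__main__":
    # Constructed targets derived from the demo list so this runs offline.
    table = build_table(WORDLIST)
    print("q3:", lookup(table, hash_password("iloveyou")))
    print("q4:", crack_record(WORDLIST, hash_password("qwerty", "o|%Eg") + ":o|%Eg"))
    rec8 = hash_password("dragon", '{d31"', 5) + ':{d31"'
    print("q8:", crack_record(WORDLIST, rec8, rounds=5))
```

The evaluation count returned by crack_record is the quantity to compare across questions 3, 4 and 8: a table lookup costs nothing per target, a salted record costs one sha256 per candidate, and five rounds cost five.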
  9. Explain how 2FA relates to the following security principles:

    • Sufficient work-factor
    • Defense-in-depth
    • Independent confirmation

  10. Read the following Wikipedia article about the Sarah Palin email hack. Provide a short summary of how question-based account recovery can be problematic, based on the hack.

  11. Read the following press releases from LastPass about a recent security incident (and the follow-up).

    • Write a brief summary of these incidents
    • Explain why/how master passwords were or were not compromised.

    Be sure to relate this discussion back to how password managers function. See Chapter 3.6 in the book.

  12. Provide three threats that a CAPTCHA can help mitigate.

  13. Read the following Wikipedia article on reCAPTCHA v1 and explain why two English words were used in the test, one as a control and one as the actual test. (Do not copy and paste; explain it in your own words.)
