Reveal ALL Solution

Worksheet 04: Authentication

Worksheets are self-guided activities that reinforce lectures. They are not graded for accuracy, only for completion. Worksheets are due by the start of the next lecture via Blackboard link as a single PDF document. Be sure to properly label each question.

Questions

1. What is the difference between authentication and identification? Provide an example to show the difference.

   Reveal Solution

   Authentication is the process of corroborating someone’s identity based on supported evidence, while identification is the process of asserting someone’s identify from supported evidence. An example difference would be authenticating someone based on their username password compared to identifying someone based on their fingerprint from a large database of fingerpints.

2. Instead of storing the plain-text password, servers store a cryptographic hash of the password. How is it the case that the server can still check a password without actually knowing which passwords each user has?

   Reveal Solution

   Since a cryptographic hash function cannot be easily reserved, the server cannot easily read any hash and learn what the password is. However, given a password, it is trivial to compute the hash and match it to the stored one. As cryptographic hash functions are both second-preimage resistant it is non-trivial (infeasible) for the server, or an attacker, to find a different, invalid password that hash to the same value of the hash that is stored.

3. However, hashing may not be enough because of a pre-computed dictionary attack. To demonstrate this, below are three hashes of common (bad) passwords. Checkout the list of common passwords RockYou data set. Below, are three sha256 hashes of one of those common passwords. Use a pre-computed dictionary of hashes (namely the RockYou dataset) to determine which passwords are hashed here. Also, take note for how long it took to do the matching.

   c231726a6fdad30f6c67ba99bc2243c807e1a51b4327f7eacef27ca59ea2e64b
   8126bda31755b97d6bb694cccf2551c0a5d0fdcdeddb74ca2b82d1292dca8652
   e0979293ed2bc2d485aea84a955d3d982bc4ba60d8f4d8f4b363ec04abc7ae91
   

   Note 1: I computed these hashes using python’s hashlib with sha256 with the newline stripped away. The encoding is using digest().hexstring()

   Note 2: You should write a program to do this, but the routine is simple. Hash all the passwords and compare to the hashes above.

   Reveal Solution

   franciska:e0979293ed2bc2d485aea84a955d3d982bc4ba60d8f4d8f4b363ec04abc7ae91
   demetriusc:8126bda31755b97d6bb694cccf2551c0a5d0fdcdeddb74ca2b82d1292dca8652
   Persian23:c231726a6fdad30f6c67ba99bc2243c807e1a51b4327f7eacef27ca59ea2e64b
   

4. Let’s now consider salting passwords. This time, I’ve included three hashed passwords with random 5 letter salt. Can you crack these using the RockYou data set? How long did it take compared to the attack above?

   8c47d907a41c1ed2118c7e55eaec35c77f5c7e42f540fac48ffaae759e81d3b4:o|%Eg
   810225544dab8028701275a3c460d3782b49f1db761d4e5c825926af3ab93e7c:p}[eD
   34604383be265e3e74132ee54d406364e03cae9181b613683c220c96f4d76868:j&/|!
   

   Note: Anything following the : the salt. The colon is not included in the salt.

   Reveal Solution

   pickles1701:8c47d907a41c1ed2118c7e55eaec35c77f5c7e42f540fac48ffaae759e81d3b4:o|%Eg
   nopainnogain21:810225544dab8028701275a3c460d3782b49f1db761d4e5c825926af3ab93e7c:p}[eD
   abzgae:34604383be265e3e74132ee54d406364e03cae9181b613683c220c96f4d76868:j&/|!
   

   It should be slower as you cannot reuse prior hash values with different salts.

5. What is the difference between online and offline password guessing attack? Which are you doing above?

   Reveal Solution

   In an online attack, each guess must be sent to the server to be checked. In an offline attack, you can assume the attacker has already exfiltrated a set of password hashes and can check them at their leisure.

6. Provide three different techniques to mitigate an online guessing attacks, with a brief explanation.

   Reveal Solution

   1. Do not provide feedback if the username or the password are incorrect, either could be or both, which makes it more difficult for the attacker to know what to change.
   2. Incorporate longer, mutli-second, delays in responding with a correct/incorrect log in. This increases the burden of performing multiple guesses.
   3. Impose lock out windows, minutes or days, when a certain number of failed attempts occur.

7. Explain how using pepper can slow down an offline guessing attack?

   Reveal Solution

   Peper is like salting, but you do not store the salt. Instead, the server iterates over all possible salts when checking the password against the stored hash. This can potentially slow down offline guessing attacks by further increasing the burden of each hash comparison because each password requires creating mulitple hashes.

8. Finally, can you crack the following passwords, with salt, and 5 iterations of sha256? How long did this take compared to the examples above?

   3d12b4e927a859255d952e9810c73c5e831dd926698c37756336765ba506423e:{d31"
   efea8db5e83417453447131337b2cbdc031a4125c5e35cb872bca04c3f94c431:{ahw)
   0bdf1284a4228fbe1b5747aea2a6fb7dbd651a7d8e60828aea6b54691fb37b09:"B}AV
   

   Reveal Solution

   nobeta:3d12b4e927a859255d952e9810c73c5e831dd926698c37756336765ba506423e:{d31"
   rmiles group:efea8db5e83417453447131337b2cbdc031a4125c5e35cb872bca04c3f94c431:{ahw)
   dayannah:0bdf1284a4228fbe1b5747aea2a6fb7dbd651a7d8e60828aea6b54691fb37b09:"B}AV
   

9. Explain how 2FA relates to the following security principles:

   • Sufficient work-factor
   • Defense-in-depth
   • Independent confrrmation

   Reveal Solution

   • Sufficient work-factor : icreases the work factor because they also need the 2fa
   • Defense-in-depth : Another layer of security
   • Independent Confirmation : The 2FA is independent of knowledge of the password

10. Read the following wikipedia article about the Sarah Palin email hack. Provide a short summary of how question-based account recovery can be problematic based on the hack.

    Reveal Solution

    In this hack, David Kernell used known biographical details about Sarah Palin to gain authorized access to her Yahoo! email account. The password recovery was based on question-based information, like Sarah Palin’s birthdate.

11. Read the following press releases from Lastpass of a recent security incident (and the follow up).

    • Write a brief summary of these incidents
    • Explain why/how master passwords were or were not compromised?

    Be sure to relate this discussion back to how password managers function. See Chapter 3.6 in the book.

    Reveal Solution

    DISCUSSION

12. Provide three threats that a CAPTCHA can help mitigate?

    Reveal Solution

    1. Ensuring the account sign up is done by a human
    2. Limiting automated posting on web forums
    3. Making it difficult to scrape webpages by prompting to solve a captcha if too many requests are made

13. Read the following wikipedia article on reCAPTCHA v1 – explain why two English words were used in the test one a control and one a test? (Do no copy and paste, try explaining yourself.)

    Reveal Solution

    Google recognized that the CAPTCHA field could be used to help with OCR assistance by using words with low confidence as CAPTCHAS. Once humans correctly identify the words, up to some threshold of correct identifications, it can be helped to retrain the OCR.