Worksheet 04: Authentication
Worksheets are self-guided activities that reinforce lectures. They are not graded for accuracy, only for completion. Worksheets are due by the start of the next lecture via Blackboard link as a single PDF document. Be sure to properly label each question.
Questions
- What is the difference between authentication and identification? Provide an example to show the difference.
- Instead of storing the plain-text password, servers store a cryptographic hash of the password. How is it the case that the server can still check a password without actually knowing which password each user has?
- However, hashing may not be enough because of a pre-computed dictionary attack. To demonstrate this, below are three hashes of common (bad) passwords. Check out the RockYou data set, a list of common passwords. Below are three sha256 hashes, each of one of those common passwords. Use a pre-computed dictionary of hashes (namely the RockYou data set) to determine which passwords are hashed here. Also take note of how long the matching took.

c231726a6fdad30f6c67ba99bc2243c807e1a51b4327f7eacef27ca59ea2e64b
8126bda31755b97d6bb694cccf2551c0a5d0fdcdeddb74ca2b82d1292dca8652
e0979293ed2bc2d485aea84a955d3d982bc4ba60d8f4d8f4b363ec04abc7ae91

Note 1: I computed these hashes using python's hashlib with sha256 with the newline stripped away. The encoding is using digest().hexstring()
Note 2: You should write a program to do this, but the routine is simple. Hash all the passwords and compare to the hashes above.
- Let's now consider salting passwords. This time, I've included three hashed passwords with a random 5-letter salt. Can you crack these using the RockYou data set? How long did it take compared to the attack above?

8c47d907a41c1ed2118c7e55eaec35c77f5c7e42f540fac48ffaae759e81d3b4:o|%Eg
810225544dab8028701275a3c460d3782b49f1db761d4e5c825926af3ab93e7c:p}[eD
34604383be265e3e74132ee54d406364e03cae9181b613683c220c96f4d76868:j&/|!

Note: Anything following the ':' is the salt. The colon is not included in the salt.
- What is the difference between online and offline password guessing attacks? Which are you doing above?
- Provide three different techniques to mitigate online guessing attacks, with a brief explanation of each.
- Explain how using a pepper can slow down an offline guessing attack.
- Finally, can you crack the following passwords, hashed with a salt and 5 iterations of sha256? How long did this take compared to the examples above?

3d12b4e927a859255d952e9810c73c5e831dd926698c37756336765ba506423e:{d31"
efea8db5e83417453447131337b2cbdc031a4125c5e35cb872bca04c3f94c431:{ahw)
0bdf1284a4228fbe1b5747aea2a6fb7dbd651a7d8e60828aea6b54691fb37b09:"B}AV
- Explain how 2FA relates to the following security principles:
  - Sufficient work-factor
  - Defense-in-depth
  - Independent confirmation
- Read the following Wikipedia article about the Sarah Palin email hack. Provide a short summary of how question-based account recovery can be problematic, based on the hack.
- Read the following press releases from LastPass about a recent security incident (and the follow-up).
  - Write a brief summary of these incidents.
  - Explain why/how master passwords were or were not compromised.
  Be sure to relate this discussion back to how password managers function. See Chapter 3.6 in the book.
- Provide three threats that a CAPTCHA can help mitigate.
- Read the following Wikipedia article on reCAPTCHA v1. Explain why two English words were used in the test, one as a control and one as a test. (Do not copy and paste; try explaining it yourself.)