COMP3334 Computer Systems Security 2021/22 Semester 2
Tutorial 5 Solutions: Authentication I
Question 1 Password Security
Suppose a password has a length of 8 and may contain lowercase letters, uppercase letters, numerals and special characters. The allowable special characters are:
~ ! @ # $ % ^ & * ( ) _ + | ` - = \ { } [ ] : " ; ' < > ? , . /
a) How many possible passwords can be formed?
26 lowercase letters
26 uppercase letters
10 numerals
32 special characters
Total number of possible passwords = (26 + 26 + 10 + 32)^8 = 94^8 ≈ 6.1 × 10^15
b) What is the entropy of this password?
Assuming every one of these passwords is equally likely to be chosen, the entropy is log2(6.1 × 10^15) ≈ 52.4 bits.
Question 2 One-way Authentication
Consider a one-way authentication technique based on asymmetric encryption:
B → A: E(PK_A, R)
A → B: R
a) Explain the protocol.
A sends her ID to B. B uses A's public key PK_A to encrypt a randomly picked message R and sends the ciphertext to A. This is a means of authenticating A to B: only A holds the private key, so only A can decrypt the message and recover R, and returning the correct R proves it was A who answered.
b) What type of attack is this protocol susceptible to?
Someone (e.g., C) can use A as a decryption oracle. C eavesdrops on the network and captures a ciphertext that was encrypted under PK_A for A. C then sends that ciphertext to A as if it were the challenge E(PK_A, R); A dutifully decrypts it and returns the plaintext to C.
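The following is an added simulation of the protocol above and of its hardened variant; it is not part of the tutorial. It uses a toy textbook RSA key with small fixed primes (constructed for illustration, not a real key size or padding). The naive responder returns whatever it decrypts, as in the protocol as written. The hardened responder is an assumption added here, not something the tutorial specifies: B's challenge carries a fixed tag and B's identity, and A returns R only when the decrypted value is a well-formed challenge, so a replayed ciphertext that was meant for some other purpose is refused rather than decrypted for the caller.

```python
import secrets

# Toy textbook RSA with small fixed primes, constructed for illustration only;
# a real system would use 2048-bit keys with OAEP padding. Plaintexts must be < N.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)
PK_A, SK_A = (E, N), (D, N)                # A's key pair


def encrypt(pk, m):
    e, n = pk
    return pow(m, e, n)


def decrypt(sk, c):
    d, n = sk
    return pow(c, d, n)


# Protocol as written in the tutorial: A decrypts whatever arrives and returns it.
def naive_respond(challenge):
    return decrypt(SK_A, challenge)


def naive_authenticate():
    """B's side: B -> A: E(PK_A, R);  A -> B: R.  True if A answered correctly."""
    r = secrets.randbelow(N)
    return naive_respond(encrypt(PK_A, r)) == r


# Hardened variant (assumption, not from the tutorial): the challenge is
# 8-bit tag | 8-bit peer id | 16-bit R, and A only answers well-formed challenges.
TAG = 0xA7
ID_B = 0x02


def pack_challenge(peer_id, r):
    return (TAG << 24) | (peer_id << 16) | r


def hardened_respond(challenge, expected_peer_id):
    m = decrypt(SK_A, challenge)
    if (m >> 24) != TAG or ((m >> 16) & 0xFF) != expected_peer_id:
        return None                        # not an authentication challenge: refuse
    return m & 0xFFFF


def hardened_authenticate():
    r = secrets.randbelow(1 << 16)
    return hardened_respond(encrypt(PK_A, pack_challenge(ID_B, r)), ID_B) == r


# A value some third party encrypted to A earlier (constructed sample), which an
# eavesdropper could later replay to A in place of a challenge.
SECRET_FOR_A = 123456789
EAVESDROPPED = encrypt(PK_A, SECRET_FOR_A)
```

Both `naive_authenticate()` and `hardened_authenticate()` succeed for an honest B, but only `naive_respond(EAVESDROPPED)` hands back `SECRET_FOR_A`; `hardened_respond(EAVESDROPPED, ID_B)` returns `None` because the plaintext does not carry the challenge tag. The same domain-separation idea is why real protocols bind a challenge to its purpose and to the peer's identity rather than decrypting arbitrary ciphertexts.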
Question 3 Biometric Authentication Systems
A bank uses a biometric system to authenticate employees entering the safe where the money is stored overnight. To get into the room, one has to type in a username and place a finger on the sensor. The fingerprint is then digitized and sent to the authentication server, which accepts or rejects access to the room. The authentication server associates the username with the digital version of the fingerprint. Statistical analysis shows that the authentication server has a false-reject rate of 10% and a false-accept rate of 0.5%. The user is allowed five attempts, after which security guards are called and the user is intercepted.
a) Explain what false-accepts and false-rejects are. Are the above-mentioned rates suitable for this kind of application?
A false accept occurs when a non-authorized person is successfully authenticated by the server and given access to the room. A false reject occurs when the fingerprint of an authorized person (an employee) is wrongly rejected as unauthorized. Since the False Acceptance Rate (FAR) and the False Rejection Rate (FRR) are negatively related (tuning the system to decrease one increases the other), it is essential in this application that the FAR be much lower than the FRR, and low enough in absolute terms. The fact that the user is allowed five attempts partially compensates for the relatively high FRR.
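As an added worked example (not part of the tutorial's solution), the function below carries the five-attempt policy through to the rates an employee and an impostor actually experience. It assumes that successive attempts are independent trials with the stated per-attempt FRR and FAR, which is an idealisation: real fingerprint attempts by the same person are correlated.

```python
def multi_attempt_rates(frr, far, attempts):
    """Return (P[legitimate user rejected on every attempt],
               P[impostor accepted on at least one attempt]).

    Assumption: each attempt is an independent trial with the given rates.
    """
    p_legit_locked_out = frr ** attempts                 # must fail every time
    p_impostor_accepted = 1.0 - (1.0 - far) ** attempts  # succeeds at least once
    return p_legit_locked_out, p_impostor_accepted


def bank_scenario():
    # Rates from the question: FRR = 10%, FAR = 0.5%, five attempts allowed.
    return multi_attempt_rates(frr=0.10, far=0.005, attempts=5)
```

For the bank's numbers this gives a lock-out probability of 0.1^5 = 1 × 10^-5 for an employee, so the retry policy does make the 10% FRR tolerable, but it also raises the impostor's chance of getting in from 0.5% per attempt to 1 - 0.995^5 ≈ 2.5% per five-attempt session. Allowing retries trades FRR for FAR, which is exactly why the base FAR must be low enough to absorb that multiplication.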
b) If Tom finds a way to manipulate the fingerprint-reader as he wants, what interesting data would he be able to collect? How can he exploit what he collects?
If Tom can manipulate the fingerprint reader as he wants, he could read and copy the digital fingerprints of every employee who uses that reader. With those digital fingerprints in hand, he could then bypass the reader entirely and send another employee's fingerprint data directly to the authentication server, gaining access to the room.
Question 4 Salted Password
Consider the following simple password-based authentication system. A secret key X is embedded inside the application software. The application software requires access to a file called userlist.txt in order to function. userlist.txt is a text file recording the list of legitimate users. Each line in userlist.txt records the login credential of one user and has the following format: USERID#SALT#SH#HMAC, where the character # is used as a separator. The fields are explained below.
USERID: ID of the user.
SALT: A random string of 64 bits.
SH: Hash of the salt concatenated with the user's password. SHA-1 is used.
HMAC: HMAC of the salt concatenated with SH, using X as the secret key. Again, SHA-1 is used, so the HMAC is 160 bits.
a) How can the program verify the user’s password?
The user supplies a user id and a password PW.
The system looks up the record for that user id, of the form USERID#SALT#SH#HMAC. The system accepts the user if and only if
SH = H(SALT || PW) and HMAC = H(SALT || SH || X)
b) What is the purpose of SALT? Compare the security if SH is only hash of the user’s password.
Compared with storing the hash of the password directly, the salt forces the attacker to hash and check each candidate password once per user, instead of hashing it once and checking it against every user's hash. Hence the salt slows down the attacker.
c) Discuss the conditions under which this authentication system is secure.
Case I: The attacker cannot read userlist.txt. Then only online password guessing is possible, and limiting the number of attempts should be sufficient.
Case II: The attacker can read userlist.txt. An offline dictionary attack is possible. Security then requires SHA-1 to be one-way and the passwords to have high entropy.
Case III: Attacker can modify userlist.txt. Attacker may create a new entry. In this case, we need to ensure the attacker cannot get X from the implementation. That is why we need HMAC = H(SALT||SH||X) to prevent the attacker from forging this value.
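The following is an added implementation of the scheme from parts a), b) and c); it is not the tutorial's own code. It follows the field descriptions in the question: SH is SHA-1 over SALT || PW, and the HMAC field is a standard HMAC-SHA1 over SALT || SH keyed with X (the tutorial's shorthand H(SALT || SH || X) is written out as a real HMAC here). The hex encoding of the binary fields, the constructed value of X, and the sample users are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Application-embedded secret X (constructed sample value for this example).
X = b"example-secret-key-X"


def make_record(userid: str, password: str, key: bytes = X) -> str:
    """Build one userlist.txt line: USERID#SALT#SH#HMAC (binary fields hex-encoded)."""
    salt = secrets.token_bytes(8)                                # 64-bit random salt
    sh = hashlib.sha1(salt + password.encode()).digest()         # SH = SHA-1(SALT || PW)
    tag = hmac.new(key, salt + sh, hashlib.sha1).digest()        # HMAC_X(SALT || SH)
    return "#".join([userid, salt.hex(), sh.hex(), tag.hex()])


def parse_userlist(text: str) -> dict:
    """Map USERID -> (salt, sh, hmac) from the file contents; blank lines are skipped."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        userid, salt_hex, sh_hex, tag_hex = line.split("#")
        records[userid] = (bytes.fromhex(salt_hex), bytes.fromhex(sh_hex),
                           bytes.fromhex(tag_hex))
    return records


def verify(records: dict, userid: str, password: str, key: bytes = X) -> bool:
    """Part a): accept iff HMAC = HMAC_X(SALT || SH) and SH = H(SALT || PW)."""
    entry = records.get(userid)
    if entry is None:
        return False
    salt, sh, tag = entry
    # Case III check first: a record written without knowledge of X fails here,
    # so an attacker who can only edit the file cannot add a working entry.
    expected_tag = hmac.new(key, salt + sh, hashlib.sha1).digest()
    if not hmac.compare_digest(expected_tag, tag):
        return False
    expected_sh = hashlib.sha1(salt + password.encode()).digest()
    return hmac.compare_digest(expected_sh, sh)      # constant-time comparison


def salt_field(record: str) -> bytes:
    return bytes.fromhex(record.split("#")[1])


def sh_field(record: str) -> bytes:
    return bytes.fromhex(record.split("#")[2])
```

Two consequences of the design are easy to confirm with these functions. For part b), two users with the same password get different SH values because their salts differ, so a single precomputed hash cannot be matched against all users. For part c), a record produced by `make_record` with a guessed key (an attacker who can write userlist.txt but does not know X) is rejected by `verify` even though its SALT and SH fields are internally consistent.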