Homework 3 - Authentication and Project Milestone

Due: Friday April 27, 2012 at midnight
Each question is worth 2 points.

  1. Passwords are typically stored as a cryptographic one-way hash instead of in plain text. Does adding a salt to the hash function make it harder for an attacker (who has access to the stored hashes) to recover the original password? Explain why or why not.
  2. List at least two ways someone could attack a challenge-response system.
  3. One issue with passwords is that users tend to set passwords and then never change them. Why is the policy of forcing a password change every month NOT a good way to handle this issue? Answer in terms of the psychological acceptability of this method.
  4. Is using a Kerberos ticket more secure, less secure or equivalent to setting a session key in the user's browser? Justify your answer.
  5. If a password consists purely of 6 upper case letters, how long would it take to test all possible passwords if the attacker could generate and test 500,000 passwords per second?
  6. If a password consists of 10 tokens, where each token can be an upper case letter, a lower case letter, a number or a symbol chosen from ! @ # $ % ^ & * . = +, now how long would it take to test all possible passwords, again assuming the attacker could generate and test 500,000 passwords per second?
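An added example (not part of the assignment) showing the mechanism question 1 asks about: a table of hashes precomputed from a word list recovers an unsalted password by a single lookup, while a random per-user salt makes that table useless and forces fresh work for every stored hash. Plain SHA-256 and a constructed five-word dictionary are used only to keep the example short.

```python
import hashlib
import hmac
import os

# Constructed five-word "attacker dictionary" (illustration only).
COMMON_PASSWORDS = ["password", "letmein", "123456", "qwerty", "dragon"]


def unsalted_hash(password: str) -> bytes:
    """Plain SHA-256 of the password: identical for every user with that password."""
    return hashlib.sha256(password.encode()).digest()


def build_lookup_table(words) -> dict:
    """Precompute hash -> password once; reusable against every unsalted store."""
    return {unsalted_hash(w): w for w in words}


def recover_with_table(digest: bytes, table: dict):
    """Table lookup: returns the password, or None if the table does not apply."""
    return table.get(digest)


def salted_hash(password: str, salt: bytes) -> bytes:
    """The salt is mixed into the hash input, so a table built before the salt
    was known cannot match. SHA-256 is used only to keep the example short; a
    real system should use a deliberately slow password hash such as PBKDF2."""
    return hashlib.sha256(salt + password.encode()).digest()


def store_salted(password: str) -> tuple:
    """Generate a random 16-byte per-user salt and return (salt, digest)."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt), digest)


def hash_evaluations(num_candidates: int, num_stored_hashes: int, salted: bool) -> int:
    """Work to test every candidate against every stored hash. Unsalted: hash
    each candidate once and compare it against all stored hashes. Salted: one
    evaluation per (candidate, salt) pair, so work grows with the hash count."""
    return num_candidates * num_stored_hashes if salted else num_candidates
```

With a single stored hash the two work figures coincide: the salt removes precomputation and amortisation across many hashes, not the cost of each individual guess.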

Part 2: Project Milestone

Find two references for your research topic. Each reference is worth 4 points.

Send me your references using the following format, which is the standard format for Computer Science references:

Conference proceeding:
Author List. Title. In Proceedings of the Conference Name, Conference Location, Month and Year of Conference, Page Numbers.

Journal article:
Author List. Title. Journal Name, Volume Number, Issue Number, Page Numbers, Month and Year Published.

Book:
Author List. Title. Publisher, Year Published.

Online article:
Author List. Title. [Online] URL, Date Retrieved.

Examples of each reference style:
S. Jha, O. Sheyner, and J. Wing. Two Formal Analyses of Attack Graphs. In Proceedings of the IEEE Computer Security Foundations Workshop, Cape Breton, Nova Scotia, Canada, June 2002, pp. 49-63.

C.E. Landwehr, A.R. Bull, J.P. McDermott, and W.S. Choi. A Taxonomy of Computer Program Security Flaws. ACM Computing Surveys, vol. 26, no. 3, pp. 211-254, September 1994.

E. Friedman-Hill. JESS in Action. Manning Publications Company, 2003.

MIT Press Release. MIT Lincoln Laboratory software aims to thwart cyber hackers. [Online] http://web.mit.edu/newsoffice/2008/security-0827.html, August 2008.

For each reference, also provide a brief description (1 paragraph) of the contents of that reference.