Homework 3 - Authentication and Project Milestone
Due: Friday April 25, 2014 at 11:55pm
Each question is worth 2 points.
- Passwords are typically stored as a cryptographic one-way hash instead of
in plain text. Does adding a salt to the hash function make it harder for
an attacker (who has access to the stored hashes) to recover the original
password? Explain why or why not.
- List at least two ways someone could attack a challenge-response system.
- One issue with passwords is that users tend to set passwords and then never
change them. Why is the policy of forcing a password change every month NOT
a good way to handle this issue? Answer in terms of the psychological
acceptability of this method.
- Is using a Kerberos ticket more secure, less secure or equivalent to
setting a session key in the user's browser? Justify your answer.
- If a password consists purely of 6 upper case letters, how long would it
take to test all possible passwords if the attacker could generate and test
500,000 passwords per second?
- If a password consists of 10 tokens, where each token can be an upper case
letter, a lower case letter, a number or a symbol chosen from ! @ # $ % ^
& * . = +, now how long would it take to test all possible passwords, again
assuming the attacker could generate and test 500,000 passwords per second?
Part 2: Project Milestone
Find two references for your research topic. Each reference is worth 4 points.
Send me your references using the following format, which is the standard
format for Computer Science references:
Conference proceeding:
Author List. Title. In Proceedings of the Conference Name, Conference Location, Month and Year of Conference, Page Numbers.
Journal proceeding:
Author List. Title. Journal Name, Volume Number, Issue Number, Page Numbers, Month and Year Published.
Book:
Author List. Title. Publisher, Year Published.
Online article:
Author List. Title. [Online] URL, Date Retrieved.
Examples of each reference style:
S. Jha, O. Sheyner, and J. Wing. Two Formal Analyses of Attack Graphs. In
Proceedings of the IEEE Computer Security Foundations Workshop, Cape Brenton,
Nova Scotia, Canada, June 2002, pp 49-63.
C.E. Landwehr, A.R. Bull, J.P. McDermott, and W.S. Choi. A Taxonomy of Computer
Program Security Flaws. ACM Computing Surveys, vol. 26, no. 3, pp 211-254,
September 1994.
E. Friedman-Hill. JESS in Action. Manning Publications Company, 2003.
MIT Press Release. MIT Lincoln Laboratory software aims to thwart cyber
hackers. [Online] http://web.mit.edu/newsoffice/2008/security-0827.html,
August 2008.
For each reference, also provide a brief description (1 paragraph) of the
contents of that reference.