CSCI262/CSCI862 System Security Assignment 1

$30.00

Category:

Description

5/5 - (2 votes)

Part One: Short answer questions: 4 Marks
1. Determine the entropy associated with the following method of generating a password. 1 Mark
Choose, and place in this order, one lower case letter, following by one upper case letter,
followed by two digits, followed by @, followed by two letters, each upper or lower case,
and then followed by three symbols drawn from the set {$,9,5,v,w,J}. Finally, apply the
hash function Tiger to give an output string in hex which will be used as a password.
Assume random choices are made with equal likelihood of each symbol from the space being chosen
from. So for a random digit there are 10 possibilities, each chosen with probability 1/10.
2. Generate a BLP lattice–structured system where the objects and subjects are appropriately levelled
to give access consistent with the access control matrix below. You need to describe the process by
which you obtain your lattice. R and W correspond, respectively, to read and append. You are to
use only the mandatory BLP rules, and a default allow in place of the discretionary rule. Be sure to
add a level as necssary to ensure this is a lattice. 1 Mark
O1 O2 O3 O4 O5 O6
S1 R R R R R RW
S2 R W W W
S3 R RW RW W W
S4 R R W
S5 R
S6 R R R R
3. Describe a one–time password system where the user has a hardware token which has no connectivity
with the server. The token should somehow be generating pins specific to the user and the system
they are connecting too, and checkable by the server. 1 Mark
1
4. For the following collection of statements, describe the sets of actions, objects, and subjects; and
draw an access control matrix to represent the scenario. 1 Mark
Alice can climb trees and eat apples.
Bob can climb fences, eat apples, and wave flags.
Trees can hurt apples.
Carol can jump waves and wave flags.
Part Two: Implementing a rainbow table 6 Marks
You are to write a program, in C/C++ or Java, that compiles on Banshee with an instruction you provide
in a file readme.txt. Your program should run on Banshee using the following instruction:
$ ./Rainbow Passwords.txt
where the file Passwords.txt contains a list of possible passwords. The password file contains a password
per line, as in /usr/dict/words and consists of strings of printable characters. Any password used must
be taken from this file, so the only stored hash information needs to relate to those entries in the file.
The program is used to find pre–images for given hash values. Rainbow tables can be used to solve
pre–image problems for hash functions. At the simplest level they can simply be a list of hash values
and the corresponding pre-images, often from some dictionary. This can be expensive in terms of storage
space however, and a more efficient way of identifying pre-images involves the use of the hash function
and reduction functions.
Your program will do some initial computations to generate the rainbow table. The process is as
follows:
1. Read in the list of possible passwords. Report on the number of words read in.
2. For each previously unused word W, first mark it as used and then carry out the following process:
(a) Apply the hash function H to the word W to produce a hash value H(W), which we refer to
as the current hash.
(b) Apply the reduction function R to the current hash, which will give a different possible password
which should be marked as used and then hashed. The resulting hash value is recorded as the
current hash.
(c) Repeat the previous step four times. You can deal with collisions if you like but are not required
to.
(d) Store the original word W and the final current hash as an entry in your rainbow table.
3. To assist with the later identification of the pre–images you should sort the rainbow table based on
the hash values.
4. Output the list of words and corresponding ”final current hashes” to a text file Rainbow.txt. Report
to standard out the number of lines in your rainbow table.
2
You are now ready to carry out the second part of the exercise, finding pre–images. Request a hash
value from the user. There should be appropriate error checking as to the length of the input string etc.
The process of identifying the pre–image for the provided hash value is sketched as follows:
1. Check if the hash value is in the rainbow table.
2. If the hash value isn’t in the rainbow table you reduce and hash until you get a hash value that is in
the rainbow table, or until you have done the reduce and hash enough times that it’s clear from the
way the rainbow table is generated that something is wrong. Display an appropriate message if this
happens.
3. Once you have identified the relevant hash value in the table you take the corresponding password
and hash it. If that is your hash value you have your pre–image. If it isn’t, then reduce and hash
again, until the reduced word hashes to the hash value being searched for.
4. Output the releative reduced word, that is your pre–image.
A reduction function is designed to take a valid hash value and return a valid password, in this case
a valid word from Passwords.txt. The reduction function to be used should be based on the number of
words in the Passwords.txt file, and since that isn’t a fixed length file your method needs to be dynamic.
You should find a way to convert a hash value to an integer that identifies one of the passwords. You
should describe how your reduction function works in readme.txt.
You should use MD5 as the hash function. There are implementations of MD5 on Banshee. One is
incorrect. Check agianst standards to make sure your hashing is working correctly.
1. Submission is via Moodle.
2. Your program will be compiled and tested on Banshee. if it doesn’t compile you will likely receive 0
for the coding part of the assignment.
3. Include the compilation instructions with your submission in a file readme.txt. That file should
also contain a description of how you do the reduction.
4. Late submissions will be marked with a 25% deduction for each day, including days over the weekend.
5. Submissions more than three days late will not be marked, unless an extension has been granted.
6. If you need an extension apply through SOLS, if possible before the assignment deadline.
7. Plagiarism is treated seriously. Students involved will receive zero.

3