Posted:

11 Jun 2024

Sun 23 Jun @ 18:00

In this assignment, you’ll play with ciphers and passwords.

All students should complete parts 1 and 2 of this assignment. ENGI 9823 students should also complete part 3. Submit your work — in a single PDF file — to Gradescope.

Part 1: Host security

  1. On a computer with Unix permissions, identify eight files with different combinations of owner, group and permissions. Explain the meaning of each file’s permissions.

  2. Suppose that a popular website suffers a breach of their user password database. What could we infer about the password database from each of the following?

    1. An attacker is able to immediately access every user’s password.

    2. An attacker is able, with the addition of a leaked key, to access any user’s password.

    3. An attacker is able to tell that 4,000 users have the same password.

    4. An attacker is able to crack the stolen passwords in milliseconds per guess.

  3. Compute the Shannon entropy of the following distributions.

    1. $ \left\{ \frac{1}{8}, \frac{1}{2}, \frac{1}{16}, \frac{1}{4}, \frac{1}{16} \right\} $

    2. Passwords drawn from a Diceware list of $6^5$ passwords

    3. Passwords with one of the Diceware words from above followed by one of 16 special characters

    4. Passwords with four of the Diceware words from above

Part 2: Symmetric-key cryptography

  1. Consider a trivial "block cipher" that simply multiplies its 8b input by an 8b key mod 256, i.e.:

    \[ C = k \cdot P \mod 256 \]

    Assume that this cipher is used in CBC mode to encrypt the ASCII-encoded plaintext "hello". Compute — showing your workings — the output ciphertext when a key of 197 (which is coprime with 256) and an IV of 201 (11001001) are used. Show the resulting ciphertext in both binary and integer form.

  2. Given the following implementation of the djb2 hash algorithm:

    unsigned long
hash(unsigned char *str)
{
    unsigned long hash = 5381;
    int c;

    while (c = *str++)
    {
        hash = ((hash << 5) + hash) + c; /* hash * 33 + c */
    }

    return hash;
}

    1. Write a program (in a language of your choice) that will search for collisions.

    2. Run your program. How many input strings did you need to check before you found a collision?

    3. Is this hash function suitable for use as a cryptographic hash function? Explain why or why not.

Part 3: Password entropy (ENGI 9823 only)

  1. Using the this table of symbol frequencies[1], write a program in a language of your choice to calculate the following quantities. Submit your answers to the questions as well as a listing of your code in your submission PDF. Your code must calculate, for the provided input file:

    1. the total number of times that each symbol was observed by Jones and Mewhord in their data collection

    2. the relative frequency of each character as a percentage of the total characters

  2. Calculate the Shannon entropy of the password distributions that could have produced the following passwords via random selection. State all assumptions that go into your calculations.

    1. secure

    2. secure1

    3. secure!6@

    4. s3cur31ty

    5. y9]z'626:g