HW#3 --- last modified February 07 2019 23:05:35..Due date: Nov 13
Files to be submitted: Purpose:To gain a better understanding of password security, biometrics, authentication in general, access control, and simple protocols. Related Course Outcomes: The main course outcomes covered by this assignment are: LO3 -- Understand the methods used to verify passwords as well as the inherent weaknesses of passwords; quantify the expected work to crack passwords under various assumptions; understand the strengths and weaknesses of biometric authentication. LO4 -- Understand Lampson's access control matrix and its relationship to access control lists and capabilities; understand the confused deputy problem and how to prevent it. LO5 -- Understand basic security issues in authentication and key establishment protocols, including, for example, replay attacks and their prevention. LO6 -- Analyze authentication and key establishment protocols for potential security flaws, and demonstrate attacks on flawed protocols. Specification: This homework consists of two parts: A set of book problems, which are to be done individually, should be handwritten (no typing), and must be turned in at the start of class on the day indicated; a coding assignment, which can be done in a team of at most three people. For the coding portion only one team member needs to submit -- just be sure to mention the names of your teammates in the documentation for your code. The book problems I want you to do are: Ch 5, Exercise 18 and 33 (due Oct 10); do stego problem that appears in next paragraph and Ch 7 Exercise 6 (due Oct. 17); Ch 7 Exercise 37 and Ch8 Exercise 3 (due Oct 24); and Ch 9 Exercise 4 and 6 (due Oct. 31). One problem each week will be graded and it will be worth up to 1pt. The score given will be one the following: 0 (incorrect answer or insufficient justification), 0.5 (incorrect answer but some reasonable justification; or correct answer but justification only partly correct), 1 (correct answer and well-reasoned and correct justification). Stego Problem for Oct 17. Suppose you want to store a hidden message in an English text whose max column length is 80 characters. To hide the text, you justify any lines whose length would otherwise be strictly less than 80 characters. Only lines of less than 79 character (before justification) will be data lines. If the first word on a data line is followed by 1 space then it means the next bit is 0; if it is followed by two spaces it encodes a 1. Using at least three articles from Wikipedia adjusted to this format estimate the number of bits/1000 words you could hide with this scheme. For the coding part of the assignment I want you to write tools for password creation, verification, and cracking. Before we describe the tools, let us describe the file format we expect to contains the password data. We expect a password containing file to consist of a sequence of lines, each line containing the password hash and login for one user, but also potentially containing other data. The various fields of data in a line are delimited by ":". One field is guaranteed to contain a login, one the password hash, but there may be more than two fields. A password hash will be in the format $0$md5hash or in the format $1$salt$md5hash . Here md5hash is the results of performing an md5 hash on the password string and then MIME base 64 encoding the result. Here are a couple rows from an example password file: superman:$1$1234$Ftek/KdELdo62TyacmWX5A==::16432:0:99999:7::: nosaltman:$0$Xr4ilOzQ4PCOq3aQ0qbuaQ==::15832:0:99999:7::: The main method for the first program you should write should be in a file PasswordTool.java. Your program will be compile from your homework folder, using the command javac PasswordTool.java To test your program the grader will execute (by typing from the command line or using a script), a command in the format: java PasswordTool operation num_columns login_col_num password_col_num login password file_name Here operation is either change_salt, change_no_salt or check, num_columns is the number of fields in a password file line, login_col_num is the field which contains the login (starting from 0), password_col_num is the field which contains the password, login is the user login that we want to operate on, password is the password to check or change, and file_name is the file that contains the password data. The operation change_salt and change_no_salt are used to change an existing login or password, or in the event that the login does not exist, add a row with that login and password hash (in the format above) of that password. If a row is being added all fields except the login and password should be blank. If the operation is change_salt, a salt should be used and be an integer chosen by a random number generator. Your code should alter the file, but otherwise produce no output. If the operation is check, then your program should output "PASS", "FAIL", "NOT_FOUND" on a line by itself, depending on whether the login and password successfully was found and matched, found and non matched, or not found respectively. Some examples of lines that might be used to run this program are: java PasswordTool change_no_salt 10 0 1 superman secret my_passwordfile.txt java PasswordTool change_salt 10 0 1 chris cantguessthis my_passwordfile.txt java PasswordTool check 10 0 1 chris cantguessthis my_passwordfile.txt java PasswordTool check 10 0 1 superman test my_passwordfile.txt java PasswordTool check 10 0 1 barbara salt my_passwordfile.txt You don't need to code md5 yourself for this homework, you can use the Bouncy Castle Crypto APIs. Be sure to include it in the zip file you submit. In addition, to the modes of operation above, I would also like PasswordTool to be runnable with a line like: java PasswordTool crack num_columns login_col_num password_col_num dictionary_file_name password_file_name Here crack indicates that the operation is to crack a password file; num_columns, login_col_num, password_col_num are as we said previously; dictionary_file_name is the name of some file containing passwords, one password per line, using Unix line endings; and password_file_name is the name of file containing lines in the password file format. Run in this fashion PasswordTool should for each user try all the passwords in dictionary_file_name and check for matches. Each found password should be output on a line by itself in the format: user name a space and the password. For example, suppose the password_file_name was my_passwordfile.txt and contained: superman:$1$1234$Ftek/KdELdo62TyacmWX5A==::16432:0:99999:7::: nosaltman:$0$Xr4ilOzQ4PCOq3aQ0qbuaQ==::15832:0:99999:7::: dummy:$0$KKdELdo62TCWQmH0NiwUa/w==::17832:0:99999:7::: Suppose dictionary_file_name was dictionary.txt and contained: secret test Then typing: java PasswordTool crack 10 0 1 dictionary.txt my_passwordfile.txt Should output: superman test nosaltman secret Point Breakdown
|