cryptographic and web security

Q1) The UNIX crypt function is a hash function that only looks at the first eight bytes of the input message. For example, crypt(helloworld) returns the same value as crypt(hellowor). Some web sites use the following authentication method to authenticate users: (1) the user types a user-id and a password P into his web browser; (2) the site, upon verification of the password P, computes T = crypt(user-id || K), where || denotes string concatenation and K is an ℓ-byte site secret key with ℓ ≤ 8; (3) the site sends a cookie back to the user containing T; (4) the user can use T to authenticate himself to the site in future connections. Show that by choosing clever user-ids (of varying length) an attacker can expose the site's secret key K in time approximately 128ℓ. More concretely, the user creates an account, logs in and receives the corresponding T; he then creates another account (with a different user-id), logs in and receives another T. By repeating this sufficiently many times, the user recovers K completely. We are assuming there are 128 possible values for each character in a string. Hint: Try to recover one character of K for each account created. The attack is described in the paper "Dos and Don'ts of Client Authentication on the Web" in USENIX Security Symposium, 2001. Reading the paper is allowed.

Q2) You are asked to implement a web server that requires each user to log in.

A) You are asked to come up with a design to store users' passwords securely. You can use a cryptographic hash function h, a symmetric cipher E, and a message authentication code function C. Your design should store the passwords on the server. However, as the file that stores these passwords may be leaked, we want to make dictionary attacks on the password file very difficult. What will you store in the file? And how would you authenticate a user? (Give a precise description using mathematical formulas.)
B) The other design is not to store the password on the server. When a user creates an account, the account number is stored on the server and the user's password is stored in a cookie on the user's machine. Identify the possible attacks in this scenario. To prevent various attacks, what should the cookie contain? And how would you authenticate a user? (Give a precise description using mathematical formulas.)
