how to do it?


CSCI262 - Spring 2022 Workshop - Week 3

Part 1: Passwords

1. The first questions relate to passwords and entropy:
   (a) Is there any harm in revealing old passwords? Why or why not?
   (b) What is the entropy associated with a password chosen with uniform randomness from the set of length 8 strings with symbols taken from the lowercase alphabet {a, ..., z}?
   (c) How much entropy is there associated with a typical ATM PIN?
   (d) Look at http://www.datagenetics.com/blog/september32012/
   (e) Is fDtk53$e3W22eSDmvfFp-4F a good password?
   (f) Without writing down your password, or the method of choosing your password, estimate the entropy associated with the password you use most.
   (g) How much confidence do you have in the method of choosing your password not being guessed?
   (h) How much confidence do you have in your password under the assumption the method of choosing your password was known by an attacker?
   (i) How does considering options that are not all equally likely impact on the entropy?

2. The next set of questions relate to hashing, partially in the context of password systems:
   (a) Does taking H(M), for H a cryptographic hash function, provide confidentiality for M?
   (b) How might hashing be used in generating a password? How does it influence the entropy?
   (c) What is the advantage of using a hash function like bcrypt rather than a classical cryptographic hash function such as MD5 or SHA1?
   (d) Hashing "produces a fingerprint" of a message. In what way does this misrepresent the relationship between hash and message, relative to the relationship between human fingerprint and human?
   (e) Look at Trapped.gif. What is the relevance to cryptographic hashing?

Part 2: Access Control

This part is Unix based; students need to be connected to Capa.

1. Find where passwd and shadow are located. It tells you in the lecture notes!
   (a) Find your own entry. Identify your userid number and native group number. grep and man are likely to help with this exercise.
   (b) How large are the passwd and shadow files?

2. I have almost 5000 files on Capa.
   (a) Assume we independently record read, write and execute permissions for every user on Capa on each of my files. How much space would be needed to do this?
   (b) How many bits actually need to be recorded for the access control of those files?
   (c) What does this suggest about the use of different representations?

3. Alice can read and write with respect to the file O1, can execute the file O2, and can read the file O3. Bob can read O1, and can read and write with respect to O2. Carol can read O3 and execute O2.
   (a) Draw up an access control matrix for this situation.
   (b) Write the complete set of access control lists for this situation.
   (c) Write the complete set of capability lists for this situation.
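The three representations asked for in Part 2, question 3, as an added example that is not part of the workshop sheet or its solution. The subjects, objects and rights are taken from the question; the function names, the sparse dictionary layout and the rwx string format are assumptions made for illustration.

```python
# Added example: rights come from question 3; names and layout are assumptions.
SUBJECTS = ["Alice", "Bob", "Carol"]
OBJECTS = ["O1", "O2", "O3"]

# Access control matrix stored sparsely: (subject, object) -> set of rights.
# A missing cell means "no rights" (default deny).
MATRIX = {
    ("Alice", "O1"): {"r", "w"},
    ("Alice", "O2"): {"x"},
    ("Alice", "O3"): {"r"},
    ("Bob", "O1"): {"r"},
    ("Bob", "O2"): {"r", "w"},
    ("Carol", "O2"): {"x"},
    ("Carol", "O3"): {"r"},
}

def fmt(rights):
    """Render a set of rights in the familiar rwx form, e.g. {'r','w'} -> 'rw-'."""
    return "".join(c if c in rights else "-" for c in "rwx")

def render_matrix(matrix):
    """Full matrix: one row per subject, one column per object."""
    rows = ["       " + "  ".join(f"{o:>3}" for o in OBJECTS)]
    for s in SUBJECTS:
        cells = "  ".join(fmt(matrix.get((s, o), set())) for o in OBJECTS)
        rows.append(f"{s:<7}{cells}")
    return "\n".join(rows)

def access_control_lists(matrix):
    """Column view: each object lists the subjects that hold rights on it."""
    acls = {o: {} for o in OBJECTS}
    for (s, o), rights in matrix.items():
        acls[o][s] = fmt(rights)
    return acls

def capability_lists(matrix):
    """Row view: each subject lists the objects it holds rights on."""
    caps = {s: {} for s in SUBJECTS}
    for (s, o), rights in matrix.items():
        caps[s][o] = fmt(rights)
    return caps

def check(matrix, subject, obj, right):
    """Reference-monitor style lookup; absent cells grant nothing."""
    return right in matrix.get((subject, obj), set())

if __name__ == "__main__":
    print(render_matrix(MATRIX))
    print("ACLs:", access_control_lists(MATRIX))
    print("Capabilities:", capability_lists(MATRIX))
```

Both list forms store only the non-empty cells of the matrix, which is the point question 2 is driving at when it compares a full per-user record with what actually needs to be stored.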
Aug 25, 2022