
CSCI262 Autumn2013 Workshops Lab 2 PDF

This document contains a lab assignment on authentication techniques including: 1) Assessing the strength of phonetic and 4-character passwords; 2) Calculating the time needed to crack passwords with and without feedback; 3) Determining the time needed to exhaustively test all 10-character UNIX passwords; 4) Computing the probability that random bytes correspond to English text; 5) Finding the worst-case number of PIN entries needed to discover a 4-digit PIN; 6) Explaining how a thief could break into a building protected by different lock types; 7) Calculating the dictionary search space for salted passwords; 8) Analyzing the effectiveness of an airport face recognition system using false accept and reject rates.

Uploaded by ami_haroon

CSCI 262

Fall 2013

Lab #2
Date : 29/09/2013

Last name:          First name:          Student ID:          Signature:

AUTHENTICATION

LEARNING OUTCOMES:
a) Assess password policies
b) Test password strength
c) Assess the false reject rate and the false accept rate of a biometric system
d) Assess the feasibility of a biometric system

1. Phonetic password
A phonetic password generator picks two segments randomly for each nine-letter
password. The form of each segment is CVC (consonant, vowel, consonant) where:
$V = \{a, e, i, o, u\}$
$C = \overline{V}$ (every letter that is not in $V$)
a) What is the total password population (total number of possible passwords)?

b) What is the probability of an adversary guessing a password correctly?

2. Password trial with feedback
Assume that passwords are selected from four-character combinations of 26 alphabetic
characters. Assume also that an adversary is able to attempt passwords at a rate of one
password per second.
a) Assuming no feedback to the adversary until each attempt has been completed, what
is the expected time to discover the correct password?

b) Assuming feedback is provided to the adversary flagging an error as each incorrect
character is entered, what is the expected time to discover the correct password?

Hint: In other words,

a) The adversary types the first character; the system displays an error message if the wrong character
was entered.
b) The adversary types the second character; the system displays an error message if the wrong character
was entered.
c) The adversary types the third character; the system displays an error message if the wrong character
was entered.
d) The adversary types the fourth character; the system displays an error message if the wrong character
was entered.
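The two feedback models in this question, written out as an added Python example (not part of the original lab sheet). It generalises to any alphabet size and password length, counts the successful entry as a trial, and assumes that with feedback the unit of work is one character entry; the function names are illustrative.

```python
from fractions import Fraction
from itertools import product
from string import ascii_lowercase

def expected_trials_no_feedback(alphabet_size: int, length: int) -> Fraction:
    """Whole-password attempts when accept/reject comes only after a full entry.

    The secret is equally likely to sit at any position 1..N of the
    guess list, so the mean position is (N + 1) / 2.
    """
    n = alphabet_size ** length
    return Fraction(n + 1, 2)

def expected_trials_with_feedback(alphabet_size: int, length: int) -> Fraction:
    """Single-character entries when every wrong character is flagged at once.

    Each position becomes an independent search over the alphabet, so
    the costs add up instead of multiplying.
    """
    return length * Fraction(alphabet_size + 1, 2)

def entries_against_oracle(secret: str, alphabet: str) -> int:
    """Count the entries an in-order search makes against the per-character check."""
    entries = 0
    for target in secret:
        for candidate in alphabet:
            entries += 1
            if candidate == target:   # no error shown: this position is solved
                break
    return entries

def mean_entries_all_secrets(alphabet: str, length: int) -> Fraction:
    """Average entries_against_oracle over every possible secret (small cases only)."""
    counts = [entries_against_oracle("".join(s), alphabet)
              for s in product(alphabet, repeat=length)]
    return Fraction(sum(counts), len(counts))

if __name__ == "__main__":
    k, n = len(ascii_lowercase), 4          # the lab's 26 letters, 4 characters
    print("no feedback  :", float(expected_trials_no_feedback(k, n)), "attempts")
    print("with feedback:", float(expected_trials_with_feedback(k, n)), "entries")
    # Cross-check the closed form by brute force on a constructed 5-letter alphabet.
    assert mean_entries_all_secrets("abcde", 3) == expected_trials_with_feedback(5, 3)
```

The gap between the two results is the reason login forms report a single generic failure after the whole credential has been submitted.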

3. Password cracker
• Assume that in a UNIX system, passwords are limited to the use of 95 printable
ASCII characters and that all passwords are 10 characters in length.
• Further assume that you are provided with a password cracker that can decrypt 6.4
million encrypted passwords per second.
• How long will it take to test exhaustively all possible passwords in a Unix system?

4. English text
The English language has an information content of about 1.25 bits per character. Thus,
when using the standard 8-bit ASCII encoding, about 6.75 bits per character are
redundant.
Compute the probability that a random array of t bytes corresponds to English text.

5. Cracking ATM machines

Benny is a thief who tried to break into an Automated Teller Machine (ATM) using a
screwdriver, but was only able to break five different keys on the numeric keypad and
jam the card reader, at which point he heard Alice coming, so he hid. Alice walked up,
put in her ATM card, successfully entered her 4-digit PIN, and took some cash. But she
was not able to get her card back, so she drove to find help. Benny then went back to the
ATM, and started entering numbers to try to discover Alice's PIN and steal money from
her account. What is the worst-case number of PINs that Benny has to enter before
correctly discovering Alice's PIN?

6. Thieves and Door Breakers
• The Acme Combination is rated as a two-hour lock, meaning that it takes an
experienced thief two hours to crack this lock.
• The Smacme company has a half-hour lock that looks exactly the same as the Acme
lock and is much cheaper to buy.
• The XYZ Company wanted to save money, so they bought one Acme lock and one
Smacme lock. They put one on their front door and one on the back door of their
building.
Explain how an experienced thief should be able to break into the XYZ Company's
building in about an hour or less.

7. Salting passwords
If a password is salted with a 24-bit random number, how big is the dictionary attack
search space for a 200,000 word dictionary?

8. False reject rate and false accept rate
Some airports are installing face recognition systems to identify terrorists and criminals.
About one in a million people passing through the airport is a terrorist.
Suppose the False Accept Rate is about 1 percent. The False Reject Rate is about 30
percent.
Is this system likely to be workable? Explain using a spreadsheet analysis with
reasonable assumptions (assume 10,000,000 persons visit the airport).
• How many terrorists are expected to be amongst the 10,000,000 passengers?
• How many legitimate passengers will you expect amongst the 10,000,000
passengers?
• How many terrorists will be correctly identified?
• How many passengers will be incorrectly identified?
Cut and paste the spreadsheet analysis into your homework file instead of handing it in
separately. Give a short paragraph giving your conclusion.

Terminal visitors

Terrorists
FRR
Terrorists identified

Legitimate passengers
FAR
Passengers incorrectly identified

Fraction of identified people who are terrorists to passengers incorrectly identified as terrorist
Any conclusions?
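The spreadsheet rows above, expressed as an added Python example (not part of the original lab sheet). It follows the table's layout, applying FRR to terrorists and FAR to legitimate passengers, and goes one step beyond the question by solving for the FAR at which a chosen share of alarms would be genuine; the function and key names are illustrative.

```python
from fractions import Fraction

def screening_outcome(visitors, prevalence, far, frr):
    """Expected counts for `visitors` people passing through the system.

    As in the lab's table: FRR is the share of terrorists the system
    fails to flag, FAR the share of legitimate passengers it flags.
    """
    terrorists = visitors * prevalence
    legitimate = visitors - terrorists
    identified = terrorists * (1 - frr)        # true alarms
    missed = terrorists * frr
    false_alarms = legitimate * far            # passengers wrongly flagged
    return {
        "terrorists": terrorists,
        "legitimate": legitimate,
        "identified": identified,
        "missed": missed,
        "false_alarms": false_alarms,
        # Share of all alarms that point at a real terrorist.
        "precision": identified / (identified + false_alarms),
    }

def max_far_for_precision(prevalence, frr, wanted):
    """Largest FAR at which at least `wanted` of all alarms are genuine.

    Solves  p(1-frr) / (p(1-frr) + (1-p)*far) >= wanted  for far.
    """
    hit = prevalence * (1 - frr)
    return hit * (1 - wanted) / (wanted * (1 - prevalence))

if __name__ == "__main__":
    # The lab's figures: 1 in a million, FAR 1 percent, FRR 30 percent.
    p, far, frr = Fraction(1, 1_000_000), Fraction(1, 100), Fraction(30, 100)
    for name, value in screening_outcome(10_000_000, p, far, frr).items():
        print(f"{name:13s} {float(value):,.6f}")
    print("FAR for 50% precision:",
          float(max_far_for_precision(p, frr, Fraction(1, 2))))
```

Exact fractions are used so the rare-event arithmetic is not blurred by floating-point rounding.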
