ComputerScienceExpert

Posted 22 May 2017

CS 526 Homework 1 Fall 2016 Question 1

Need help with question #2

 

My Answer: Choice 1 & 5

 

1) First, you need to hash the password with the private salt.  

Note: It does not matter whether you put the private salt before or after the password as long as you stay consistent throughout and then hash it.

2) Second, you then need to hash the result of h(password, private salt) or h(private salt, password) to get the final hash output. 

This leaves choices 1 & 5 as your best options, because the public salt is performed last. Note: You need to perform the public salt last.

 

CS 526 Homework 1 Fall 2016

Question 1. (26 points) This question is about the use of public and private salts in password files, as explained in class (and on slide 11 of the online notes on authentication). The adversary X has managed to obtain the password file for a system that uses p bits of public salt and s bits of private salt. The number of user records in the password file is N. X carries out a dictionary attack against all the password file, hoping to figure out the weak passwords in it. The dictionary that X uses has D candidate passwords in it (in cleartext, i.e., neither hashed nor encrypted). For each of the following two cases, describe how X can best attack the password file, and state how many cryptographic hash computations the attack would involve (assuming that the attack ends in failure, i.e., that none of the N passwords is in the dictionary). For each case, first give an answer as a function of the symbols p, s, N, and D (an exact answer – no “big oh” notation), then fill numerical values for p, s, N and write the answer as a function of D.

1. p = s = 12, N = 500,000.
2. p = s = 12, N = 60.

Question 2. (24 points) Suppose your employer asks you to add a private-salt capability to a legacy system that does not currently support private salt. The legacy system does not limit the number of allowed failed login attempts (i.e., no user gets locked out because of having entered the wrong password too many times), and you need to maintain this “no lockout” property when adding the private salt capability. You are asked to avoid modifying the internals of the legacy system, by writing a front-end to it, for both the login and the password selection and modification. Of the following possible choices for the contents of a user entry in the password file, some are more compatible than others with the task you were assigned. Identify the choices that are more compatible with your assignment, and explain in detail why.

Choice 1: username, salt, h( password, private_salt, salt )
Choice 2: username, salt, h( password, salt, private_salt )
Choice 3: username, salt, h( salt, password, private_salt )
Choice 4: username, salt, h( salt, private_salt, password )
Choice 5: username, salt, h( private_salt, password, salt )
Choice 6: username, salt, h( private_salt, salt, password )

Question 3. (26 points) A company issues each employee A a small calculator-like device that has a unique and secret 4-digit integer S_A stored in it. That S_A is known only to: (i) the employee A who is given that device; and (ii) the corporate authentication server that grants or denies access requests by employees (it stores S_A along with the username for A in the password file). No two devices have the same secret S_A, hence an employee’s S_A is not known to any other employee. A device has a small 10-key numeric keypad (0 to 9), a display, and operates as follows: When user A enters S_A, the device computes and displays a one-time password to be used by A, by carrying out a cryptographic computation that depends only on the entered S_A and on the previous one-time password (call it P_A). The P_A

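An illustration of the front-end that Question 2 describes, added here as an example and not part of the original post or the course material. It assumes the legacy system computes h(password field, salt), with SHA-256 standing in for the abstract h, so that a front-end passing password followed by private salt as the password field produces the stored layout of Choice 1. All class and method names are hypothetical.

```python
import hashlib
import hmac
import os
import secrets

S_BITS = 12  # private-salt size s, the value used in Question 1


class LegacySystem:
    """Stand-in for the unmodified legacy system (assumed behaviour): it stores
    (username, salt, h(password_field, salt)) and never locks a user out."""

    def __init__(self):
        self.records = {}
        self.hash_calls = 0  # instrumentation for this example only

    def _h(self, password_field: bytes, salt: bytes) -> bytes:
        self.hash_calls += 1
        # SHA-256 stands in for the homework's h; the public salt goes last.
        return hashlib.sha256(password_field + salt).digest()

    def set_password(self, user: str, password_field: bytes) -> None:
        salt = os.urandom(2)  # public salt, stored in the record
        self.records[user] = (salt, self._h(password_field, salt))

    def login(self, user: str, password_field: bytes) -> bool:
        if user not in self.records:
            return False
        salt, stored = self.records[user]
        return hmac.compare_digest(stored, self._h(password_field, salt))


class PrivateSaltFrontEnd:
    """Adds a private salt without touching the legacy internals."""

    def __init__(self, legacy: LegacySystem, s_bits: int = S_BITS):
        self.legacy, self.s_bits = legacy, s_bits

    def _field(self, password: str, private_salt: int) -> bytes:
        width = (self.s_bits + 7) // 8  # fixed-width encoding of the private salt
        return password.encode() + private_salt.to_bytes(width, "big")

    def set_password(self, user: str, password: str) -> None:
        private_salt = secrets.randbelow(1 << self.s_bits)  # never stored anywhere
        self.legacy.set_password(user, self._field(password, private_salt))

    def login(self, user: str, password: str) -> bool:
        # Try every private salt; only workable because there is no lockout.
        return any(self.legacy.login(user, self._field(password, ps))
                   for ps in range(1 << self.s_bits))
```

A rejected login costs the front-end exactly 2^s legacy login attempts, which is why the "no lockout" property has to be preserved.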