Homework2_Solutions (1)

pdf

School

Rutgers University *

*We aren’t endorsed by this school

Course

446

Subject

Computer Science

Date

Jan 9, 2024

Type

pdf

Pages

Uploaded by dan47433

ECE 446/579:04 (Spring 2023) Homework #2 Solutions 1. ( Authentication Methods ) Please list the categories of methods that can be used for a verifier to authenticate a prover (e.g., using what property of information of the prover to prove the identity). Please provide 1 or 2 real world examples for each category and discuss their pros and cons (e.g., security and overhead). - Something known. e.g., password, security questions. - Something possessed. e.g., ID card, credit card. - Something inherent. e.g., fingerprint, face ID, voice. The different methods would have different pros and cons in terms of security and overhead. For example, the “something inherent” category (e.g., fingerprint and face ID) may be more secure and harder to compromise than the “something known” category (e.g., password) because of the inherent nature. However, it may take more effort and more system storage space to record the reference biometric information in the authentication system and conduct the comparison for verification. For example, recording a fingerprint may take several steps capturing different portion of the fingers at different angles; also, comparing an input finger print with the reference one in the system is non-trivial, as an inexact match is often needed due to non-ideal fingerprint capturing. 2. (Password Guessing Attacks) Assuming an attacker is capable of conducting dictionary attacks on the target passwords. (1) Please describe how the dictionary attack works in general. (2) What might be the “dictionary” that the attacker can leverage? (3) Given a password that a user has created, can you please design an evaluation scheme to uncover how secure the target password is against the dictionary attack? (1) Attacker conducts brute-force password guessing attempts based on known database (a.k.a., the “dictionary”). (2) Under this context, the “dictionary” could include a broad range of datasets that are relevant to the target password, such as the English dictionary, the leaked password databases, as well as the patterns of combining multiple sources of dictionaries and the user’s thinking process while creating the password. (3) We need to define a reasonable threat model to evaluate the password. For example, the threat model can be a dictionary attack based on a commonly used password dataset. The target password can be claimed secure if it cannot be hit by the dictionary attack in a given period of time (i.e., a threshold). In summary, a threat model and a threshold time window are the two key components in the evaluation scheme. 3. (Password Entropy) What is password entropy and how is it related to password security? In particular, for a 7-character password with only lowercase letters, what is the entropy? Do you think entropy is a good enough metric for the password security against dictionary attack? Password entropy refers to the uncertainty in a password, i.e., an indicator of how large the search space would be under a brute-force password guessing attack. For a 7-charcter password with only lowercase letters, the entropy is log_2 (26^7) = 32.9 While entropy is an effective metric for generic brute-force attacks, it may not be sufficient to represent password security under dictionary attacks, as the “dictionary” adopted by the attacker may significantly reduce the search space compared to generic brute-force attacks.

4. (Password Stealing Attacks) Please list a number of possible ways for an attacker to steal the password (instead of guessing) throughout the entire process of password-based authentication. Then, please discuss 1 or 2 countermeasures for each attack and discuss their pros and cons. Attackers may steal the password from (1) the prover, (2) the communication channel, and (3) the verifier. Countermeasures: (1) improve the prover’s security awareness to prevent the exposure of password to the attacker; (2) the password in transmission over the network should always be encrypted; and (3) the passwords stored at the verifier should also be encrypted or isolated from other system components/users. Among these countermeasures, the encryption-based solutions are easy to implement and deploy, but obviously they will introduce additional overhead (e.g., delay) while achieving the confidentiality of the passwords. Improving the prover’s security awareness is an important but very challenging task due to phishing attacks, which often becomes a weak point in the system in terms of security. 5. (Challenge/Response-based Authentication) On Page 14 of Slides 2, we discussed a challenge/response-based protocol for System B to authenticate User A based using a random number ( r B ). Please answer the following questions about this authentication protocol: (1) Why do we need the random number ( r B )? Are there any alternatives other than using a random number? (2) Why do we need the B* in this protocol? To answer this question, please analyze and compare the two versions of the protocol with and without B* . (3) Please show how to extend this protocol to do mutual authentications between User A and System B. (1) To prevent replay attacks (2) To prevent reflection attacks, details in Page 401 of the reading material – Chapter 10, Handbook of Applied Cryptography (3) See page 402 of the reading material – Chapter 10, Handbook of Applied Cryptography: 6. (PUF Design and Implementation) As we discussed in the lecture, PUFs are typically implemented by employing certain random and unique properties of the hardware. (1) Please summarize such properties introduced in the lecture. (2) Please think out of the box and explore if any other hardware properties can be possibly employed to implement PUF. Please justify your ideas. (1) The example PUFs in the lecture have used delay/frequency and SRAM power-up states as the random properties. (2) There are many other PUFs that employs different random and unique properties. For example, optical PUF uses unique and random and unique speckle pattern (https://nbviewer.org/github/rpappu/pdf-publications/blob/master/Pappu-Science-2002.pdf). 7. (PUF Security) As we discussed in the lecture, PUF modeling can be a powerful attack to compromise PUF security. (1) Please briefly explain how PUF modeling attack works in general. (2) Please discuss the possible countermeasures to defend against PUF modeling attacks, including their effectiveness and potential overhead. (1) Given enough challenge/response pairs, an attacker may be able to build a software PUF model using machine learning. (2) The ones we discussed in the lecture are (1) adding an XOR gate (Internal approach); and (2) controlled PUF (external approach). The former effectively addresses PUF modeling attacks by significantly increasing the required training time and training data, and the latter achieves the defense goal by preventing the attackers from accessing the true challenge response pairs. Regarding overhead, both need to add additional component to the PUF and thus increase its size.

Your preview ends here

Eager to read complete document? Join bartleby learn and gain access to the full version

Access to all documents
Unlimited textbook solutions
24/7 expert homework help

Related Documents

5-2CertGenerationRupert.docx

CIS 377 Midterm Questions FA23.docx

CIS 377 Final FA 23.docx

CIS 377 Midterm Questions FA23 Nittin Raj.docx

HW4 (2).pdf

ihlp-2022-question-paper-solved.pdf

Homework6_Solution (1).pdf

Homework5_Solution (1).pdf

Homework8_Solution (1).pdf

Homework10_Solution (1).pdf

Homework12_Solution (1).pdf

Homework9_Solution (1).pdf

Recommended textbooks for you

Operations Research : Applications and Algorithms

Computer Science

ISBN:9780534380588

Author:Wayne L. Winston

Publisher:Brooks Cole

C++ for Engineers and Scientists

Computer Science

ISBN:9781133187844

Author:Bronson, Gary J.

Publisher:Course Technology Ptr

Principles of Information Systems (MindTap Course...

Computer Science

ISBN:9781285867168

Author:Ralph Stair, George Reynolds

Publisher:Cengage Learning

Principles of Information Systems (MindTap Course...

Computer Science

ISBN:9781305971776

Author:Ralph Stair, George Reynolds

Publisher:Cengage Learning

Enhanced Discovering Computers 2017 (Shelly Cashm...

Computer Science

ISBN:9781305657458

Author:Misty E. Vermaat, Susan L. Sebok, Steven M. Freund, Mark Frydenberg, Jennifer T. Campbell

Publisher:Cengage Learning

Management Of Information Security

Computer Science

ISBN:9781337405713

Author:WHITMAN, Michael.

Publisher:Cengage Learning,

SEE MORE TEXTBOOKS

Recommended textbooks for you

Operations Research : Applications and Algorithms
Computer Science
ISBN:9780534380588
Author:Wayne L. Winston
Publisher:Brooks Cole
C++ for Engineers and Scientists
Computer Science
ISBN:9781133187844
Author:Bronson, Gary J.
Publisher:Course Technology Ptr
Principles of Information Systems (MindTap Course...
Computer Science
ISBN:9781285867168
Author:Ralph Stair, George Reynolds
Publisher:Cengage Learning
Principles of Information Systems (MindTap Course...
Computer Science
ISBN:9781305971776
Author:Ralph Stair, George Reynolds
Publisher:Cengage Learning
Enhanced Discovering Computers 2017 (Shelly Cashm...
Computer Science
ISBN:9781305657458
Author:Misty E. Vermaat, Susan L. Sebok, Steven M. Freund, Mark Frydenberg, Jennifer T. Campbell
Publisher:Cengage Learning
Management Of Information Security
Computer Science
ISBN:9781337405713
Author:WHITMAN, Michael.
Publisher:Cengage Learning,