Homework #3 (5p)
Deadline: 3rd of December (the solution has to be submitted before Monday)
Recommended reading
- Authentication
- The secret to online safety: Lies, random characters, and a password manager (written in 2013, so software recommendations are no longer valid)
- How to: Use KeePassXC
Task 1: Hash breaking
Each student has a pseudonym for the information security course in this web site. The pseudonym was randomly connected to a hash value. Your task if to find the input that gave he hash value that is connected with your pseudonym and also the name of the hash function which was used to create that hash value.
This task illustrates why passwords have to be hashed and salted when stored in a database. The list of hashes for this task can be found from here: hash values and pseudonyms. (1p)
Hints and suggestions:
- You do not need any additional software to solve this task. You do not have to break that hash value on your own. However, you will have to find other means to find the input. Think back to the authentication lecture and try to remember what the attackers are doing if a database is breached and no salting was used.
- Make sure that you will be using the hash value that was assigned to your pseudonym. The solutions are graded automatically, which means that if you solve the wrong hash value then you will get 0 points.
- Information about the common hash functions (e.g., the length of the hash value) can be found from the following Wikipedia page: List of cryptographic hash functions
- Hash values are usually encoded using hex. In case the length of the hash is known (in number of bits), then it is easy to find its length in hex. To do that, one has to divide the number of bits with eight (to get the number of bytes) and then multiply the result with two (to represent one byte two hex symbols are required).
- You may need to use a search engine to find the solution. Thus, it is good to know some tricks that helps you to find exact matches for your queries: Google Search Tips You'll Want to Learn
The solution has to be in a simple text file (with .txt extension, not in a .docx file!!!) that contains only two rows. The first row must only contain the found input value. The second row must only contain the name of the hash function. In case you add any additional information or do not use the required file type or file format then the automatic grading script can give you 0 points. In case you are using Windows then you can create a simple text file with the software Notepad.
Task 2: KeePassXC
Use KeePassXC to create a password database file and submit this file (.kdbx file) below. You will find some background information from the lecture notes. We also did a demo in the lecture. The following guide can also help to solve the task: How to: Use KeePassXC. (2p)
The solution will have to follow the following guidelines:
- The master password for the database has to be 123456789. This is deliberately too short to make verifying the solutions easier. You will get 0 points if a different master password is used.
- Enter a new row / entry to the database. The entry's name (title) must be your pseudonym for the information security course and username must also be your pseudonym.
- Password must be randomly generated and 31 characters long. It must include characters from at least these classes: lower and upper case letters, numbers.
Task 3: Understanding the structure of email header
Phishing is one of the most common types of social engineering. This is partly due to the insecurity of email exchange and the underlying email protocol (read about the security / insecurity of email exchange from the lab notes). It is easy to change the address from where the email seems to originate from. Spoofing can be partially mitigated if the email server is using SPF and DKIM.
To check which security policies were used in the received email the email header has to be read. It contains information about the email servers that were used to deliver the email and whether TLS was used. In addition, it contains information regarding the usage of SPF and DKIM. In case of mail365.ut.ee (or outlook.office.com), you will find the email header by opening an email, then locating the button with three dots (see image below), and then selecting View -> View message details.
Your task is to take an email that you have received to your mail365.ut.ee email account and review its email header. Make a screenshot of the email header (crop out all irrelevant data from the screenshot) and highlight: all email servers that were used to transmit the email, TLS info, SPF validation result (Authentication-Results: spf) and DKIM signature (if available). Alternatively, you can copy the email header to Microsoft's Message Header Analyzer tool and make a screenshot of its output (categories: Received headers (describes the servers); Other headers: Authentication-Results (describes SPF and DKIM usage)). If the results do not fit into one screenshot, then make a second screenshot, zip them together and submit the zip file as a solution. (2p)