Homework #3
Deadline: 21st of November (the solution has to be submitted before Monday)
Recommended reading
- Authentication
- The secret to online safety: Lies, random characters, and a password manager (written in 2013, so software recommendations are no longer valid)
- How to: Use KeePassXC
Written tasks
- How would it be possible to attack a two-factor authentication system of a bank that consists of a password and a one-time code delivered via SMS? The goal of an attacker is to do a transaction. Let's assume that this requires two one-time codes delivered over SMS, one for logging in and the second for confirming a transaction. Give a brief step-by-step description of the attack, written down as an ordered list of steps.
Restrictions: The attacker is not able to attack the bank and not able to get access to the phone containing the SIM card. However, an attacker may be able to message the user or infect the computer. You will not get full points for a vague answer; the steps of the successful attack have to be clearly stated. Hint: read Man in the Browser Attack vs. Two Factor Authentication (2012) in order to get ideas. (2p)
Submission form for the written tasks
The solution should be submitted through this website. The solution can be submitted once you have logged in with the university credentials. We accept solutions only in .pdf format if it is not stated otherwise in the homework task. The solutions of the practical tasks have to be submitted separately to their corresponding input forms (see below).
We would like to get feedback about the difficulty of the homework and therefore we would kindly ask you to write in the comments box an estimate of how much time it took to solve the homework tasks.
11. Homework 3 - written tasks (PDF)
Hash breaking task
Each student has a pseudonym for the information security course on this website. The pseudonym was randomly connected to a hash value. Your task is to find the input that gave the hash value that is connected with your pseudonym and also the name of the hash function which was used to create that hash value.
This task illustrates why passwords have to be hashed and salted when stored in a database. The list of hashes for this task can be found here: hash values and pseudonyms. (1p)
Hints and suggestions:
- You do not need any additional software to solve this task. You do not have to break the hash value on your own. However, you will have to find other means to find the input. Think back to the authentication lecture and try to remember what attackers do if a database is breached and no salting was used.
- Make sure that you will be using the hash value that was assigned to your pseudonym. The solutions are graded automatically, which means that if you solve the wrong hash value then you will get 0 points.
- Information about the common hash functions (e.g., the length of the hash value) can be found on the following Wikipedia page: List of cryptographic hash functions
- Hash values are usually encoded using hex. In case the length of the hash is known (in number of bits), then it is easy to find its length in hex. To do that, one has to divide the number of bits with eight (to get the number of bytes) and then multiply the result with two (to represent one byte two hex symbols are required).
- You may need to use a search engine to find the solution. Thus, it is good to know some tricks that help you to find exact matches for your queries: Google Search Tips You'll Want to Learn
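The two points above (why unsalted hashes are a problem, and how the hex length of a digest narrows down the hash function) can be checked with a few lines of Python. This is an added illustration, not part of the course material; the digest sizes are the standard ones for the listed functions, and the sample password and salts are constructed for the demo.

```python
import hashlib
import secrets

# Output size in bits of some common hash functions (standard values).
# Several functions share a size, so length alone only yields candidates.
DIGEST_BITS = {
    "MD5": 128,
    "SHA-1": 160,
    "SHA-224": 224,
    "SHA-256": 256,
    "SHA3-256": 256,
    "SHA-384": 384,
    "SHA-512": 512,
    "SHA3-512": 512,
}


def hex_length_for_bits(bits: int) -> int:
    """bits / 8 gives bytes; every byte is written as two hex symbols."""
    return bits // 8 * 2


def candidate_functions(hex_digest: str) -> list:
    """Names of hash functions whose hex output has exactly this length."""
    n = len(hex_digest.strip())
    return [name for name, bits in DIGEST_BITS.items()
            if hex_length_for_bits(bits) == n]


def unsalted_hash(password: str, algorithm: str = "sha256") -> str:
    """Plain hash of the password, as a careless database would store it."""
    return hashlib.new(algorithm, password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, algorithm: str = "sha256") -> str:
    """Hash of salt || password; the salt is stored next to the hash."""
    return hashlib.new(algorithm, salt + password.encode()).hexdigest()


def salting_demo() -> tuple:
    """Two users with the same (constructed) weak password.

    Returns (unsalted_hashes_equal, salted_hashes_differ). Equal unsalted
    hashes mean one precomputed lookup answers both rows; per-user salts
    make each row a separate search even for identical passwords.
    """
    password = "letmein"  # constructed sample, deliberately weak
    unsalted_equal = unsalted_hash(password) == unsalted_hash(password)
    salt_a, salt_b = secrets.token_bytes(16), secrets.token_bytes(16)
    salted_differ = salted_hash(password, salt_a) != salted_hash(password, salt_b)
    return unsalted_equal, salted_differ


if __name__ == "__main__":
    print(candidate_functions("d41d8cd98f00b204e9800998ecf8427e"))  # 32 hex chars
    print(candidate_functions("a" * 64))  # 64 hex chars: more than one candidate
    print(salting_demo())
```

A salt alone only defeats precomputed tables; real password storage additionally uses a slow, memory-hard function (bcrypt, scrypt or Argon2) rather than a single fast hash such as those in `hashlib`.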
The solution has to be in a simple text file (with .txt extension, not in a .docx file!!!) that contains only two rows. The first row must only contain the found input value. The second row must only contain the name of the hash function. In case you add any additional information or do not use the required file type or file format then the automatic grading script can give you 0 points. In case you are using Windows then you can create a simple text file with the software Notepad.
10. Homework3: hash breaking (.txt file)
KeePassXC task
Use KeePassXC to create a password database and submit this database (.kdbx file) below. You will find some background information from the lecture notes. The following guide can also help to solve the task: How to: Use KeePassXC. (2p)
The solution will have to follow the following guidelines:
- The master password for the database has to be 1234567 (in lowercase). This is deliberately too short to make verifying the solutions easier. You will get 0 points if a different master password is used.
- Enter a new row / entry to the database. The entry's name (title) must be your pseudonym for the information security course and username must be your study book number.
- Password must be randomly generated and 29 characters long. It should include characters from at least these classes: lower and upper case letters, numbers.
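KeePassXC's built-in generator should be used for the task itself, but the rule in the last point (fixed length, at least one character from each required class, cryptographically random) is easy to get subtly wrong when implemented by hand. The following added example, not part of the course material or of KeePassXC, shows one correct way to do it with Python's `secrets` module; the function names and the 29-character default are choices made here to match the assignment.

```python
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
REQUIRED_CLASSES = (LOWER, UPPER, DIGITS)


def has_all_classes(password: str, classes=REQUIRED_CLASSES) -> bool:
    """True if at least one character from every class is present."""
    return all(any(ch in cls for ch in password) for cls in classes)


def meets_policy(password: str, length: int = 29,
                 classes=REQUIRED_CLASSES) -> bool:
    """The assignment's rule: exact length and every class represented."""
    return len(password) == length and has_all_classes(password, classes)


def generate_password(length: int = 29, classes=REQUIRED_CLASSES) -> str:
    """Draw `length` characters uniformly from the union of `classes`
    using a CSPRNG, and reject candidates that miss a class.

    Rejection sampling keeps the distribution uniform over all compliant
    strings; the common alternative (pick one char per class, then shuffle)
    skews it. At 29 characters a rejection is rare, so the loop is cheap.
    """
    if length < len(classes):
        raise ValueError("length too short to include every class")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate, classes):
            return candidate


if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_policy(pw))
```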