Assignment# In Python

profileunique12
OSSecurityIISlide4-8.pptx
Home>Computer Science homework help>Assignment# In Python

Password Security

The basic approach to guessing passwords from the password file is to conduct a dictionary attack, where each word in a dictionary is hashed and the resulting value is compared with the hashed passwords stored in the password file.

A dictionary of 500,000 “words” is often enough to discover most passwords.

The dictionary attack is a well-known approach to guess passwords.

And a dictionary of 500,000 “words” is often enough to break most passwords.

In that case, if we can test 1,000 passwords in a second, it takes only 500 seconds (or less than 10 minutes) to test the entire words in the dictionary.

Obviously we don’t want this to happen.

We want to make it hard to break the password even if it comes from a word in the dictionary.

1

Password Salt

One way to make the dictionary attack more difficult to launch is to use salt.

Associate a random number with each userid.

Rather than comparing the hash of an entered password with a stored hash of a password, the system compares the hash of an entered password and the salt for the associated userid with a stored hash of the password and salt.

Password salting is a technique to make the dictionary attack more difficult by adding some random number to the password.

2

How Password Salt Works

Without salt:

With salt:

1. User types userid, X, and password, P.

2. System looks up H, the stored hash of X’s password.

3. System tests whether h(P) = H.

1. User types userid, X, and password, P.

2. System looks up S and H, where S is the random salt for userid X and H is stored hash of S and X’s password.

3. System tests whether h(S||P) = H’.

X: H

Password file:

X: H’

Password file:

In the old mechanism, there was no concept of salting.

Now, let’s talk about how authentication takes place in the system without the use of salting.

When a new user is added to the system, the user sets up a new password.

Then the system makes a new entry in the password file for this new user.

But for greater security, the plaintext of password is not kept in the system.

Instead, the hashed result of the password is stored in the password file.

In the figure, we can see the hashed password H is stored for user ID 'X' in the password file.

Later, the user gives the user ID and password to get into the system.

Then the system computes the hash with the password given by the user, and if the hashed result is the same as the one in the password file for that user, the authentication is done successfully and the user can get into the system.

To hack the password, how many trials the attacker needs in case of dictionary attack?

It is 500,000 times, which takes less than 10 minutes to finish.

3

How Password Salt Works

Without salt:

With salt:

1. User types userid, X, and password, P.

2. System looks up H, the stored hash of X’s password.

3. System tests whether h(P) = H.

1. User types userid, X, and password, P.

2. System looks up S and H, where S is the random salt for userid X and H is stored hash of S and X’s password.

3. System tests whether h(S||P) = H’.

X: H

Password file:

X: H’

Password file:

With the salting technique, the system uses a long random number, also known as a salt, in addition to the password.

And the extended password with the random number is being hashed and stored in the password file.

With the salt, the length of the password increases, which makes the attacker to hack the password much more difficult.

4

How Salt Increases Search Space Size

Assuming that an attacker cannot find the salt associated with a userid he is trying to compromise, then the search space for a dictionary attack on a salted password is of size

2B*D,

where B is the number of bits of the random salt and D is the size of the list of words for the dictionary attack.

For example, if a system uses a 32-bit salt for each userid and its users pick passwords in a 500,000 word dictionary, then the search space for attacking salted passwords would be

232 * 500,000 = 2,147,483,648,000,000,

which is over 2 quadrillion.

Let’s say there are 500,000 words in the dictionary, and the length of salt is 32 bits.

Then all the possible combinations becomes 2^32 times 500,000, which makes over 2 quadrillion.

Try to calculate how long it takes to test this large number of combinations if the attacker can make 1000 trials per second.

It should be huge, longer than a million years.

5