Assignment 6: Authentication/Identity

Start date 28 October, due 9 November beginning of class.

Password / Authentication issues

You will be doing some analysis based on the recent Purdue password disclosure. You'll want to start by reading any articles you can find (at the very least, the above and the UNS article.)

Assume that the disclosure was that the intruders obtained the hashed value of some users' passwords (i.e., the userid and the hashed password for that userid.)

  1. What is the issue? Describe briefly and succinctly what the intruder would be able to do based on the breach of security. Shorter answers receive more credit - you should try to identify as succinctly as possible precisely what could happen as a result of this breach. There is a one sentence answer that covers everything - a long list of possible effects resulting from the capability gained by the intruder will result in a lower score than a short and precise answer.
  2. Password choice: Are you personally concerned that your information could be compromised? Describe briefly why or why not.
  3. Explain briefly why obtaining hashed passwords gives the intruder something that they couldn't get by just trying to log in and guess at passwords. Formally describe (using Bishop's authentication system notation) what the attacker has gained, and use this formal description to justify your explanation.
  4. Estimate how long it would take an attacker to actually get access to your private data based on this security breach (or show formulas to estimate, and state what you need to know to do an estimate.)
  5. The question of password salting was brought up in class. If the goal of the intruder was to change their grade in CS526, does salting of passwords make a difference?
  6. Do you think this breach could be a result of the CAREER account single id/password approach violating any of the design principles we have discussed? If so, can you describe a fix that wouldn't violate other design principles? (Keep your answer to half a page of 11pt text.)
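The following is an added illustration for questions 3 to 5, not part of the assignment text and not Purdue's system: it models why a leaked table of hashed passwords is more valuable than online guessing (an intruder can test candidate passwords offline and, for unsalted hashes, reuse one precomputed table against every user), why a per-user salt forces the work to be redone for each account, and how the time estimate of question 4 reduces to (number of guesses needed) / (guesses per second). The password list, user names, salts and guess rates are all constructed sample values; SHA-256 stands in for whatever hash the real system used.

```python
import hashlib
import os

# Constructed sample dictionary of weak candidate passwords (illustration only).
CANDIDATES = ["password", "letmein", "qwerty", "boilerup", "hunter2"]


def hash_unsalted(password: str) -> str:
    """Unsalted storage: identical passwords hash to identical values for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """Salted storage: the salt is stored next to the hash and mixed into the input."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def precompute_table(words):
    """One-time table hash -> password; built once, reusable against any unsalted file."""
    return {hash_unsalted(w): w for w in words}


def lookup_unsalted(stored: dict, table: dict) -> dict:
    """stored: userid -> unsalted hash. Each user costs one dictionary lookup."""
    return {user: table[h] for user, h in stored.items() if h in table}


def lookup_salted(stored: dict, words) -> tuple:
    """stored: userid -> (salt, hash). The table cannot be reused, so every
    candidate must be rehashed with each user's own salt. Returns the matches
    and the number of hash computations that were needed."""
    found, work = {}, 0
    for user, (salt, h) in stored.items():
        for w in words:
            work += 1
            if hash_salted(w, salt) == h:
                found[user] = w
                break
    return found, work


def expected_seconds(dictionary_size: int, users: int,
                     guesses_per_second: float, salted: bool) -> float:
    """Question 4 in formula form: time = guesses / rate.
    Unsalted: one pass over the dictionary covers all users at once.
    Salted:   one pass per user, so the work scales with the number of accounts."""
    guesses = dictionary_size * (users if salted else 1)
    return guesses / guesses_per_second


def store_salted(password: str) -> tuple:
    """Defender's side: generate a fresh random salt per account at enrolment."""
    salt = os.urandom(16)
    return salt, hash_salted(password, salt)


if __name__ == "__main__":
    # Constructed user file: alice picked a dictionary word, bob did not.
    unsalted_file = {"alice": hash_unsalted("letmein"),
                     "bob": hash_unsalted("correct horse battery")}
    table = precompute_table(CANDIDATES)
    print("unsalted matches:", lookup_unsalted(unsalted_file, table))

    salted_file = {"alice": store_salted("letmein"),
                   "bob": store_salted("correct horse battery")}
    print("salted matches, hashes computed:", lookup_salted(salted_file, CANDIDATES))

    # Constructed rates: 10^6 candidates, 1000 users, 10^9 hashes/second offline.
    print("unsalted estimate (s):", expected_seconds(10**6, 1000, 1e9, salted=False))
    print("salted estimate (s):  ", expected_seconds(10**6, 1000, 1e9, salted=True))
```

The salted estimate is only the dictionary-times-users factor; a slow password hash (a deliberately expensive function such as PBKDF2 or scrypt rather than a single SHA-256) lowers the guesses-per-second term as well, which is the other variable question 4 asks you to identify.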

Turning in assignment

Electronic submission preferred, using the turnin command (on expert.ics.purdue.edu, turnin -c cs526 -p asn6 filename). PDF is the safest for capturing non-text; please check with the TA for formats other than text or PDF. Hard copy is acceptable; please hand it in at the beginning of class.
