Information Assurance
In our discussion of authentication, we talked about passwords as the
most common mechanism for authentication. One weakness of passwords is
that they are subject to a dictionary attack. In this project, we
will experiment with password attacks.
The first part of the project is to run a dictionary attack against a
Unix password file. A sample password file is here. This
file was created by me solely for the purpose of this assignment, and
is not the password file to any real-world site. If it were real, I
wouldn't post it. :) That being said, the passwords come from a real site, and are actual user passwords. All other information is made up.
In attacking this password file, you may use whatever tools you can
find and choose to use. Make sure that the tools you find are for Unix
system passwords - John the Ripper
is a sturdy tool, available for many systems.
In running the attack, the only rule is this: if you run the password
cracker on a multi-user system, you may not allow it to run for more than
10 minutes. This rule applies to running crackers on ia-class. I expect the passwords in this file to be generally
hard to crack, and running the software for longer than 10 minutes will
only inconvenience others. If you run the attack on your own system,
you can run it for as long as you like. I encourage you to let it run
overnight if you can or even for a few days to see the benefits of
letting it run a long time.
Most of the password cracking software will give you an estimate of how
many encryptions it can try each second (on John the Ripper, hitting the space bar does this). Find this estimate. Once you
have it, use it to calculate the following. Make sure to show your work. Don't just write down numbers.
Password Cracking
a) Assuming that passwords of 1 to 8 characters are chosen from only
lower-case letters, how long would it take to search the entire password
space?
b) Assuming that passwords of 1 to 8 characters are chosen from
lower-case or upper-case letters, how long would it take to search the
entire password space?
c) Assuming that passwords of 8 characters are chosen from lower or
upper case letters and numerical digits, how long would it take to
search the entire password space?
d) Assuming that passwords of 8 characters are chosen from lower or
upper case letters, from a set of 32 punctuation marks, and
numerical digits, how long would it take to search the entire password
space?
e) Look at how many passwords you found in the first 10 minutes of
your run. Assuming you found passwords at that rate, how long would it
take you to crack all the passwords provided?
f) Assume that the passwords you found in the first 10 minutes
represent weak passwords. What proportion were weak? Assuming that
Georgetown has 10,000 network users, how many of their passwords
might be weak?
Pre-computing Passwords
g) Assuming that passwords of 1 to 8 characters are chosen from only
lower-case letters, how much storage space would it take to store all
possible pre-computed passwords? Notice that the password format in the file has a defined size, and that
encrypted passwords are all this size plus two characters for the salt. See page 86 of the text for information
on the Unix password format. Don't forget any end-of-string markers if you need them!
h) Assuming that passwords of 1 to 8 characters are chosen from
lower-case or upper-case letters, how much storage space would it take
to store all possible pre-computed passwords?
i) Assuming that passwords of 8 characters are chosen from lower or
upper case letters and numerical digits, how much storage space would
it take to store all possible pre-computed passwords?
j) Assuming that passwords of 8 characters are chosen from lower or
upper case letters, from a set of 32 punctuation marks, and
numerical digits, how much storage space would it take to store all
possible pre-computed passwords?
k) Now assume a two-character salt is added to the passwords, as
described on page 86 of the text. Recompute each of the storage
requirements in g-j above.
l) Describe how you would organize the stored passwords in questions g
to j above to be able to perform efficient lookups. Specifically, given the sizes
you computed, how do you store and search these pre-computed passwords?
Password to Key Mappings
m) Assuming that passwords of 1 to 8 characters are chosen from only
lower-case letters, what proportion of a 128 bit key space would be covered? (To find this,
you will need to determine how many possible passwords there are, and compare this to the
number of possible values in 2^128).
n) Assuming that passwords of 1 to 8 characters are chosen from
lower-case or upper-case letters, what proportion of a 128 bit key space is covered?
o) Assuming that passwords of 8 characters are chosen from lower or
upper case letters and numerical digits, what proportion of a 128 bit key space is covered?
p) Assuming that passwords of 8 characters are chosen from lower or
upper case letters, from a set of 32 punctuation marks, and
numerical digits, what proportion of a 128 bit key space is covered?
q) Bonus opportunity: Try a variety of different password crackers. Find
additional word dictionaries to use for input. Create additional
testing rules. Describe the word sets and/or rules you used. How many
more passwords were you able to crack?
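The arithmetic behind questions a-d, g-k and m-p, as an added example that is not part of the original assignment: it counts each password space, converts it to search time at a given rate, sizes a pre-computed table with and without salts, and expresses the space as a fraction of a 128-bit key space. The rate, the 11-character hash, the 4096 salt values and the record layout are assumptions based on traditional DES-based crypt(3), not values taken from this page.

```python
from fractions import Fraction

# Assumptions (not from the assignment page): traditional DES-based crypt(3)
# with an 11-character hash, a 2-character salt and 4096 possible salt values.
# RATE is a constructed placeholder; use the figure your own cracker reports.
RATE = 500_000
HASH_CHARS, SALT_CHARS, SALT_VALUES, KEY_BITS = 11, 2, 4096, 128

# (label, alphabet size, min length, max length) for the four question shapes.
SCENARIOS = [("lower, 1-8", 26, 1, 8), ("lower+upper, 1-8", 52, 1, 8),
             ("alnum, 8", 62, 8, 8), ("alnum+punct, 8", 94, 8, 8)]

def keyspace(alphabet, min_len, max_len):
    """Count passwords of every length from min_len to max_len."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))

def search_seconds(space, rate=RATE):
    """Exact worst-case seconds to try every candidate once."""
    return Fraction(space, rate)

def humanize(seconds):
    """Express a duration in the largest unit that fits (365-day years)."""
    units = (("years", 31_536_000), ("days", 86_400), ("hours", 3_600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{float(seconds / size):.2f} {name}"
    return f"{float(seconds):.2f} seconds"

def table_bytes(space, max_len, salted):
    """Size of a flat table under one assumed layout: password padded to
    max_len, the hash (plus salt if salted), and one terminator byte."""
    record = max_len + HASH_CHARS + 1
    entries = space
    if salted:  # every password must be stored once per salt value
        record += SALT_CHARS
        entries *= SALT_VALUES
    return entries * record

def key_fraction(space, bits=KEY_BITS):
    """Exact share of a bits-wide key space reachable from the passwords."""
    return Fraction(space, 2 ** bits)

if __name__ == "__main__":
    for label, alphabet, lo, hi in SCENARIOS:
        n = keyspace(alphabet, lo, hi)
        print(f"{label:18} n={n:.3e} search={humanize(search_seconds(n))} "
              f"table={table_bytes(n, hi, False) / 1e12:.2f} TB "
              f"salted={table_bytes(n, hi, True) / 1e12:.2f} TB "
              f"fraction={float(key_fraction(n)):.3e}")
```

The salted column grows by a factor of 4096 per password, which is the reason salting makes a single pre-computed table impractical.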
What to turn in:
Please turn in:
The name of the password cracker you used
Where you ran it
How long it ran
The list of passwords it cracked.
The number of encryptions per second you found
For questions a-f, how long it would take to search the password
space. Please convert to days, weeks, months, and years as
applicable. SHOW YOUR WORK! Don't just write down numbers.
The appropriate estimates for space for parts g-j. Please convert to
megabytes, gigabytes, and terabytes as needed. Again, SHOW YOUR WORK!
Don't just write down numbers.
For question l, describe the data structure and its storage overhead
(that is, how much data if any is used for indexing rather than
password storage).
The proportion of the keyspace covered for questions m-p. Show your work, of course.
For question q, a description of what else you did to crack additional
passwords, and how effective each thing was.
Submission will be by e-mail to the instructor. The deadline is before
class on October 6th, 2009.