COSC 352
Information Assurance
Spring 2002
Homework/Project 2
Crypto cracking
Due February 19, 2002, 4:14 P.M.

This assignment must be submitted by e-mail in one of two file formats: plain ASCII text, or Adobe Portable Document Format (PDF). However, you don't have to purchase Adobe Acrobat to generate PDF. Instead, print your document to a file (this works on Macs, PCs, and Unix) and then use the Unix command ps2pdf on cssun to convert PostScript to PDF.  Regardless of how you generate your PDF file, please stick to the basic fonts-Times, Helvetica, Courier, and Symbol-to ensure that it'll display correctly on most computers and printers. Keep a copy of the file you send on either CSSUN or GUSUN to ensure that the timestamp remains, in case your e-mail goes awry.

1. Find the plaintext and key of the following Vigenere cipher, and describe how you obtained it. You may learn to do it by hand (perhaps from section 9.2.1 of the Bishop text), you can write code to do it, or you may find already written tools to use as long as you cite where the tools came from.  For this problem, you may not discuss your solution with others in the class. Instead, you may ask the instructor if you have questions or problems.

jrwlg hlcec zcvfg pgekq xuvcr tlmmn xmvmz cvoxz etzps oedmr wgrfj crczd vafij
ojroy bcrnq zpoui ecjcw tomsd zgkhk alogj rifrl gjyhe jyxtw kttwb xolcp lxpin
ufxes alejk edski szyti jmebg sxaxg vealx hwemr dqweu mrdxj sojze tzpso eksnv
ycofj ctgzi ojbir wbxok niacd vefal efdva faeik cwhsn mrgrs lvrle xpenl ggwaj
hlqei slggu dyxif eflga osajc amlje mbenk jiwub mtwqq oaben kjels lkuwn vohpi
dsago jbflg aotzc rtjgi dlmwa qyplq qsnvm vnwpx hjcaa dgxca eerwr xealx hweer
tykes lhilz yrkrm nlmjl skiss lhngu xhwpi ssfyg wdmrw qtrwy hifee ldmze jrlet
yxhjm smalj rwlgh tsxgg rwtma oofrl eomvd xmvtz piw
The purpose of this assignment is to convince you that using an older cipher like this is a very bad idea in a computer age.
 

2.  A common problem with computer systems is that users choose weak passwords. When attackers are able to obtain a copy of a system's password file (perhaps through a misconfigured ftp or http server), they are able to run a dictionary attack against the password file to obtain passwords on the system. Often, system administrators will run password cracking programs themselves in order to be able to pre-emptively get users to change passwords before  attackers do.

For this assignment, you will find tools that attempt to crack a Unix system password file, and try those tools on the password file linked below. This file contains user passwords from a production system password file (that is, from a real system), though the user names and all other identifying information have been changed.
 

You will turn in a description of what tools you used, which passwords were cracked, and where you ran the cracking programs. Estimate how many passwords were checked per second on the system used, then estimate how long it would take to try all passwords of length 5, 6, 7, and 8 characters for each of: only lower case letter passwords; mixed upper and lower case passwords; mixed upper and lower case letters and numbers; mixed upper and lower case letters, numbers, and punctuation.


IMPORTANT: For the purposes of this assignment, you are only allowed to use the files provided. Do not attempt to crack passwords from any Georgetown University system or any system that you do not personally own and administer. Do not use a shared university system (such as GUSUN) to crack passwords. If you have access to CSSUN you may run a password cracker there only for a short time (less than 15 minutes), and should use the nice command to lower the priority so that others can get work done. If you use a public PC to run the cracking programs, then you may only run the program as long as your are physically present at the terminal, and you must remove the tools when you leave. The intent of the previous instructions is that you do not tie up CPU cyles that other students need, so if you are in doubt about what to do, follow that intent. Of course, you may run the program as much as you like on your own system.

sort-of fake password file