Homework 3 - Due before class February 14, 2018

In our discussion of key sizes, we saw that keys with 128 bits or more were essentially unbreakable - assuming they were selected randomly. The weakness, as always, is people. People cannot and, as we will see, do not choose passphrases randomly. This means that keys based on passphrases are not nearly random and are often breakable.

These attacks often work like this: attackers get a copy of a password file that has encrypted or hashed passwords. The attackers then try encrypting or hashing a variety of words to see if they match any of the encrypted values. This is called a dictionary attack.

Part 1 - Password Cracking

The first part of the project is to run a dictionary attack against a password file. You have your choice of password files below. The passwords come from real sites and are actual user passwords. All other information (if any) is made up.

In attacking this password file, you may use whatever tools you can find and choose to use. Note that one file is Unix passwords, and the others are probably MD5 hashes. You might consider tools such as John the Ripper or hashcat.

In running the attack, the only rule is this: if you run the password cracker on a multi-user system, you may not allow it to run for more than 10 minutes. This rule applies to running crackers on ia-class - which, quite frankly, will suck at cracking. I expect the passwords in these files to be generally hard to crack, and running the software for longer than 10 minutes will only inconvenience others. If you run the attack on your own system, you can run it for as long as you like. I encourage you to let it run overnight if you can or even for a few days to see the benefits of letting it run a long time. Running on a machine with a decent video card will also be faster.

Part 2 - Work Factor Estimation

Most password cracking software will give you an estimate of how many encryptions it can try each second (on John the Ripper, hitting the space bar does this). Find this estimate to see how fast your machine runs. Once you have it, use it to calculate the following. Make sure to show your work. Don't just write down numbers. Please be as neat and compact as possible.

a) Assuming that passwords of 8 characters are chosen from only lower-case letters, how long would it take to search the entire password space?

b) Assuming that passwords of 8 characters are chosen from lower-case or upper-case letters, how long would it take to search the entire password space?

c) Assuming that passwords of 8 characters are chosen from lower or upper case letters and numerical digits, how long would it take to search the entire password space?

d) Assuming that passwords of 8 characters are chosen from lower or upper case letters, from a set of 32 punctuation marks, and numerical digits, how long would it take to search the entire password space?

e) Look at how many passwords you found in the first 10 minutes of your run. Assuming you found passwords at that rate, how long would it take you to crack all the passwords provided?

f) Assume that the passwords you found in the first 10 minutes represent weak passwords. What proportion were weak? Assuming that Georgetown has 10,000 network users, how many of their passwords might be weak?

Pre-computing Passwords

g) Assuming that passwords of 8 characters are chosen from only lower-case letters, how much storage space would it take to store all possible pre-computed passwords? Assume that passwords are Unix formatted passwords as described in Practical Unix and Internet Security. Notice that the password format in the file has a defined size, and that encrypted passwords are all this size plus two characters for the salt. See page 86 of the text for information on the Unix password format. Don't forget any end-of-string markers if you need them!

h) Assuming that passwords of 8 characters are chosen from lower-case or upper-case letters, how much storage space would it take to store all possible pre-computed passwords?

i) Assuming that passwords of 8 characters are chosen from lower or upper case letters and numerical digits, how much storage space would it take to store all possible pre-computed passwords?

j) Assuming that passwords of 8 characters are chosen from lower or upper case letters, from a set of 32 punctuation marks, and numerical digits, how much storage space would it take to store all possible pre-computed passwords?

Password to Key Mappings

k) Assuming that passwords of 8 characters are chosen from only lower-case letters, what proportion of a 128 bit key space would be covered? (To find this, you will need to determine how many possible passwords there are, and compare this to the number of possible values in 2^128).

l) Assuming that passwords of 8 characters are chosen from lower-case or upper-case letters, what proportion of a 128 bit key space is covered?

m) Assuming that passwords of 8 characters are chosen from lower or upper case letters and numerical digits, what proportion of a 128 bit key space is covered?

n) Assuming that passwords of 8 characters are chosen from lower or upper case letters, from a set of 32 punctuation marks, and numerical digits, what proportion of a 128 bit key space is covered?

o) Assuming that passwords of 15 characters are chosen from lower or upper case letters, from a set of 32 punctuation marks, and numerical digits, what proportion of a 128 bit key space is covered?

p) Bonus opportunity: Try a variety of different password crackers. Find additional word dictionaries to use for input. Create additional testing rules. Describe the word sets and/or rules you used. How many more passwords were you able to crack?
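
The Part 2 calculations (search time, pre-computed table size, and share of a 128-bit key space) all follow from the same keyspace count, as this added example shows; it is not part of the original assignment. The function names, the rate of 1,000,000 guesses per second, and the 16-byte record size are constructed placeholders: substitute the rate your cracker reports and the record size you derive from the Unix password format.

```python
import math
from fractions import Fraction

# Alphabet sizes named in the questions above.
LOWER, UPPER, DIGITS, PUNCT = 26, 26, 10, 32

# (unit name, how many of the previous unit make one of this unit)
TIME = [("seconds", 1), ("minutes", 60), ("hours", 60), ("days", 24), ("years", 365)]
SIZE = [("bytes", 1), ("KB", 1024), ("MB", 1024), ("GB", 1024), ("TB", 1024)]

def humanize(value, units):
    """Scale value up through the unit ladder, stopping at the largest unit >= 1."""
    name = units[0][0]
    for next_name, factor in units[1:]:
        if value < factor:
            break
        value /= factor
        name = next_name
    return f"{value:,.2f} {name}"

def work_factor(alphabet, length, guesses_per_sec, record_bytes):
    """Worst-case cost of exhausting every password of exactly `length` characters."""
    keyspace = alphabet ** length
    return {
        "keyspace": keyspace,
        "bits": math.log2(keyspace),  # equivalent key length if chosen randomly
        "exhaust": humanize(keyspace / guesses_per_sec, TIME),
        "table": humanize(keyspace * record_bytes, SIZE),
        "share_of_128": Fraction(keyspace, 2 ** 128),  # exact, no float underflow
    }

if __name__ == "__main__":
    RATE = 1_000_000   # constructed guesses/second; use your own measurement
    RECORD = 16        # constructed bytes per stored entry; derive the real size
    cases = {
        "lower, 8": (LOWER, 8),
        "lower+upper, 8": (LOWER + UPPER, 8),
        "lower+upper+digits, 8": (LOWER + UPPER + DIGITS, 8),
        "all 94, 8": (LOWER + UPPER + DIGITS + PUNCT, 8),
        "all 94, 15": (LOWER + UPPER + DIGITS + PUNCT, 15),
    }
    for label, (alphabet, length) in cases.items():
        wf = work_factor(alphabet, length, RATE, RECORD)
        print(f"{label:22} {wf['bits']:6.1f} bits  exhaust {wf['exhaust']:>28}  "
              f"table {wf['table']:>32}  share {float(wf['share_of_128']):.3e}")
```

The "bits" column is the useful comparison for the key-mapping questions: even 15 characters drawn from all 94 symbols falls short of 128 bits.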


What to turn in:

Please turn in:

The name of the password cracker you used
Which passwords you attacked
Where you ran it
How long it ran
The list of passwords it cracked.

The number of encryptions per second you found

For questions a-f, how long it would take to search the password space. Please convert to days, weeks, months, and years as applicable. SHOW YOUR WORK! Don't just write down numbers.

The appropriate estimates for space for parts g-j. Please convert to megabytes, gigabytes, and terabytes as needed. Again, SHOW YOUR WORK! Don't just write down numbers.

The proportion of the keyspace covered for questions m-p. Show your work, of course.
For question q, a description of what else you did to crack additional passwords, and how effective each thing was.

You will submit your work in Canvas. The deadline is before class time on February 14th, 2018.