Computer Security Assignment 1: PGP Key Exchange and Online Game Website Authentication, Assignments of Computer Science

An assignment for a computer security course focusing on pgp key exchange and authentication methods for an online game website. Students are required to complete exercises involving creating pgp keys, encrypting messages, and verifying signatures. The document also includes individual problems related to logging into an online game website with cleartext passwords and a more secure authentication scheme using public-key cryptography.

Typology: Assignments

Pre 2010

Uploaded on 09/17/2009


Spring 2008 – 22c:169 Computer Security

Assignment 1 - due by 1:05pm on Tuesday, Feb 26.

Exercise: PGP

This exercise requires a partner. Find your partner at http://www.cs.uiowa.edu/ ejjung/courses/169/assignments/partner.html. You can use the “Email” feature in ICON to find your partner’s email address. Go to the course homepage in ICON and click on “Email” on the top line of the page. A new window will open, containing a link to the “Address Book” of the class.

i. Create a PGP public and private key pair for yourself.

ii. Email your partner your public key. Make sure that you are sending from the email address you used to create the PGP key.

iii. Create a text file with a human-readable message (the size should be at most 1KB) and send it to your TA. (If you are in the offline course, send it to Peter Likarish at peter-likarish@uiowa.edu, and if you are in the online course, send it to Greg Nichols at gbnichol@cs.uiowa.edu.) Encrypt it with your private key.

iv. Send a signed email to your partner, including the encrypted file as an attachment. Make sure to CC your TA.

v. Verify the signature of the email you received from the partner, and decrypt the attachment.

vi. Send the decrypted message to your TA.

THE FOLLOWING PROBLEMS ARE INDIVIDUAL ASSIGNMENT.

Problem 1: Online game website. ZBoxlive.com is a big online multi-user game website. To set up an account on the site, a user creates a username and a password. The password is stored as it is at the server. When the user comes back to ZBoxlive.com, he sends (username, password) in cleartext to the server. The website pulls the password from its database and compares the typed-in password with the password stored in the database. If the two passwords match, access is granted.

Problem 1a Describe how you can log into another user’s account on ZBoxlive.com.

Problem 1b Because the server might be vulnerable to a hacking attack, the IT department of ZBoxlive.com decided that it is too dangerous to keep passwords stored on the server, so they came up with a clever way to avoid having to remember every user’s password. When the user creates a new account, his password is hashed and the hash is stored in a Web cookie. Assume that the hash function is secure, i.e. collision-resistant and one-way. When he comes to ZBoxlive.com again and types in his username and password, the site pulls the cookie from his browser and compares the typed-in password with the password stored in the cookie. If the two passwords match, access is granted.

Describe how you can log into another user’s account on ZBoxlive.com. (Assume that the victim’s computer is offline and inaccessible; all you know is her username.)

Problem 1c Design an authentication scheme in which passwords are stored in cookies, but the attack you discovered in Problem 2b is no longer feasible.
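The login check described in Problem 1b next to one possible hardened design for Problem 1c, as an added example that is not part of the original assignment. SHA-256, PBKDF2, the `|`-separated cookie layout, the server key and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret known only to the server

def pw_hash(password: str) -> str:
    """Stand-in for the assignment's 'secure hash' (SHA-256 is an assumption)."""
    return hashlib.sha256(password.encode()).hexdigest()

def naive_login(username: str, typed: str, cookie: str) -> bool:
    """Problem 1b check: compare the typed password against the cookie only."""
    # Nothing here ties the cookie to the server or to `username`.
    return hmac.compare_digest(pw_hash(typed).encode(), cookie.encode())

def _tag(body: str) -> str:
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def _verifier(password: str, salt_hex: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               bytes.fromhex(salt_hex), 100_000).hex()

def issue_cookie(username: str, password: str) -> str:
    """Hardened cookie: username|salt|verifier|HMAC(server key, the rest)."""
    if "|" in username:
        raise ValueError("'|' is the field separator")
    salt = secrets.token_hex(16)
    body = f"{username}|{salt}|{_verifier(password, salt)}"
    return f"{body}|{_tag(body)}"

def login(username: str, typed: str, cookie: str) -> bool:
    parts = cookie.split("|")
    if len(parts) != 4:
        return False
    user, salt, verifier, tag = parts
    # 1. Only the holder of SERVER_KEY could have produced this tag.
    expected = _tag(f"{user}|{salt}|{verifier}")
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False
    # 2. The cookie must have been issued for the account being logged into.
    if user != username:
        return False
    # 3. Only now is the typed password checked against the stored verifier.
    return hmac.compare_digest(_verifier(typed, salt), verifier)

if __name__ == "__main__":
    self_made = pw_hash("anything")  # constructed: a cookie the server never issued
    print(naive_login("alice", "anything", self_made))
    print(login("alice", "anything", f"alice|00|{self_made}|{'0' * 64}"))
```

The naive check accepts any cookie that is consistent with the typed password, while the hardened check rejects cookies it did not issue and cookies issued for a different username.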

Problem 2: Online game website with PKI. When a user sets up an account, ZBoxlive.com provides a unique public and private key pair. When the user comes back to ZBoxlive.com, he sends (username, password encrypted with his private key) to the server. The website pulls the password and the public key for that user from its database and compares the decrypted password with the password stored in the database. If the two passwords match, access is granted.

Problem 2a Describe how you can log into another user’s account on ZBoxlive.com.

Problem 2b Design an authentication scheme in which passwords are encrypted with private keys, but the attack you discovered in Problem 3a is no longer feasible.

Problem 3: Salty dish. Including a 12-bit salt in UNIX password hashes increases the difficulty of a dictionary attack by a factor of 2^12 = 4096. Wouldn’t it be possible to completely thwart all password crackers by increasing the salt size to, say, 48 bits? Explain your answer.
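A small model of the cost accounting behind Problem 3, as an added example that is not part of the original assignment: it counts hash evaluations when a word list is tested against stored (salt, hash) entries, for different salt sizes. SHA-256 stands in for the UNIX password hash, and the function names and sample passwords are constructed for illustration.

```python
import hashlib
import secrets

def _h(salt: int, password: str) -> str:
    # SHA-256 stands in for crypt(3); the choice of hash is an assumption.
    return hashlib.sha256(f"{salt}:{password}".encode()).hexdigest()

def new_entry(password: str, salt_bits: int):
    """Store (salt, hash) as a UNIX password file does: the salt is in the clear."""
    salt = secrets.randbits(salt_bits) if salt_bits else 0
    return salt, _h(salt, password)

def audit(entries, wordlist):
    """Test every word against every entry.

    Returns (entries_matched, hash_evaluations). Work is shared between
    entries only when they have the same salt.
    """
    by_salt = {}
    for salt, digest in entries:
        by_salt.setdefault(salt, set()).add(digest)
    evaluations, hits = 0, set()
    for salt, digests in by_salt.items():
        for word in wordlist:
            evaluations += 1                 # one hash per (distinct salt, word)
            candidate = _h(salt, word)
            if candidate in digests:
                hits.add((salt, candidate))
    matched = sum(1 for entry in entries if entry in hits)
    return matched, evaluations

def precompute_table_size(words: int, salt_bits: int) -> int:
    """Entries needed to precompute the word list under every possible salt."""
    return words * 2 ** salt_bits

if __name__ == "__main__":
    words = ["123456", "password", "letmein", "qwerty"]   # constructed word list
    for bits in (12, 48):
        one = [new_entry("letmein", bits)]
        print(bits, audit(one, words), precompute_table_size(len(words), bits))
```

For a single stored entry the number of hash evaluations equals the word-list size at both 12 and 48 bits, because the salt is read from the entry; only the precomputed-table size and the sharing of work across many entries depend on the salt length.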