
Solution of Exercise Sheet 2: 1 Password Policies

This document provides solutions to exercises on password policies and password salting from a cybersecurity course. For password policy exercises, it calculates the number of possible passwords and time required for an attacker to crack passwords under different policies. It finds that freely choosing passwords leads to the largest set of possible passwords, but typical users choose weak passwords, making a policy requiring digits or symbols more secure. For password salting exercises, it determines the storage required to pre-compute hashes of unsalted passwords is around 2 terabytes, but salting passwords with an 8-character salt increases the storage requirement by a factor of 2^48 due to additional password-salt combinations.

Uploaded by

Chandan Singha

Foundations of Cybersecurity (Winter 16/17)
Prof. Dr. Michael Backes
CISPA / Saarland University, Computer Science

Solution of Exercise Sheet 2

1 Password policies
Very often users are required to create their password according to a special policy
that dictates, for instance, the minimum length of the password or whether the
password must contain digits or special characters.
For simplicity, we assume that the passwords in the following tasks (a)-(e) are

• at least 6 characters and at most 8 characters long


• composed of characters from the following character set
– lowercase letters a-z (size=26)
– uppercase letters A-Z (size=26)
– digits 0-9 (size=10)
– and special characters/symbols (size=32)

For each of the following two password policies, calculate the number of possible
passwords and how long an attacker would need on average to crack a password
created according to this policy. To calculate the average value, you can assume
that the attacker has to test only half of the overall number of possible passwords to
succeed. The attacker uses a machine that can test 2,500,000 (2.5 million) passwords
per second.
(1 point) (a) Policy 1: “The user can freely choose her password.”

Solution:
We have $P = 94^6 + 94^7 + 94^8 \approx 6.12 \cdot 10^{15}$ possible passwords. The attacker
would need ≈ 39.1 years on average.

(2 points) (b) Policy 2 (UdS): “The password must at least have one digit or at least one
special character.”

Solution:
Approach 1:
First, compute all possible passwords that are between 6 and 8 characters
long. Second, subtract all passwords that are invalid in our policy, which
means all passwords that have neither a number nor a special character.
$\left(\sum_{l=6}^{8} 94^l\right) - \left(\sum_{k=6}^{8} 52^k\right) = 6.106 \cdot 10^{15}$ possible passwords

Approach 2:
For all possible lengths, enumerate all passwords where at least one but
at most all characters are either numbers or special characters and the
remaining characters are letters.
$\sum_{l=6}^{8} \sum_{k=1}^{l} 42^k \cdot 52^{l-k} \cdot \binom{l}{k} = 6.106 \cdot 10^{15}$ possible passwords

The attacker would need ≈ 38.72 years on average.

(1 point) (c) Based on the number of possible passwords and assuming an ideal user that
always chooses random passwords, which of these two policies seems more secure
and why? Give a short explanation!

Solution:
In theory (i.e., assuming users choose their passwords truly randomly from
the set of all possible passwords) Policy 1 is more secure, because the set of
possible passwords is larger.

Users rarely choose their passwords randomly, but stick to certain simple patterns
that are easier to remember and to type. Let’s assume the typical user, when she
can freely choose her password, will prefer passwords that consist only of lowercase
and uppercase letters.
(2 points) (d) What is the number of possible passwords for such a typical user? How long
does the attacker need on average to break a password for this type of user?

Solution:
The number of all possible passwords is $P = 52^6 + 52^7 + 52^8 \approx 5.5 \cdot 10^{13}$.
The attacker would need ≈ 127.3 days on average.
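
The counts from (a), (b) and (d) can be checked mechanically. The following is an added example, not part of the original solution sheet; it confirms that both approaches for Policy 2 give the same number and derives the average cracking times. It works with exact counts, so the last digit can differ from the rounded figures in the solutions, and it assumes a 365-day year.

```python
from math import comb

# Parameters taken from the exercise text.
LETTERS = 52                  # a-z and A-Z
OTHER = 42                    # 10 digits + 32 special characters
ALPHABET = LETTERS + OTHER    # 94 characters in total
LENGTHS = range(6, 9)         # passwords of length 6, 7 or 8
GUESSES_PER_SECOND = 2_500_000
DAY = 24 * 3600
YEAR = 365 * DAY              # assumption: 365-day year


def policy1_count():
    """Policy 1: any string of length 6..8 over the full alphabet."""
    return sum(ALPHABET ** l for l in LENGTHS)


def letters_only_count():
    """Typical user from (d): lowercase and uppercase letters only."""
    return sum(LETTERS ** l for l in LENGTHS)


def policy2_by_subtraction():
    """Approach 1: all passwords minus those without digit or symbol."""
    return policy1_count() - letters_only_count()


def policy2_by_enumeration():
    """Approach 2: pick k >= 1 positions for digits/symbols, letters elsewhere."""
    return sum(
        comb(l, k) * OTHER ** k * LETTERS ** (l - k)
        for l in LENGTHS
        for k in range(1, l + 1)
    )


def average_seconds(count):
    """Expected search time if half of all candidates are tested on average."""
    return count / 2 / GUESSES_PER_SECOND


if __name__ == "__main__":
    assert policy2_by_subtraction() == policy2_by_enumeration()
    for name, count, unit, label in [
        ("Policy 1", policy1_count(), YEAR, "years"),
        ("Policy 2", policy2_by_subtraction(), YEAR, "years"),
        ("Letters only", letters_only_count(), DAY, "days"),
    ]:
        print(f"{name}: {count:.4e} passwords, "
              f"{average_seconds(count) / unit:.1f} {label} on average")
```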

(1 point) (e) Assuming a typical user, which of the two policies from above seems to be the
better choice now? Give a short explanation!

Solution:
Policy 1 is, by experience, in practice insecure, since users will not choose
randomly. As the computed times for the attacker clearly indicate, Policy 2
is in practice preferable to letting users freely choose a (very likely weak)
password.

(1 point) (f) How can the performance of the attacker for testing passwords offline be
decreased? More precisely, assume that the attacker does not need to go through
an online portal to check passwords, but is only limited by his own computation
power. Give an example! (Hint: Look at the crypt tool used to hash the
passwords on a UNIX system.)


Solution:
Instead of using the result of the hash function directly as the result (i.e.,
one round), the result can be re-hashed several times (i.e., multiple rounds).
crypt, by default, uses 5000 rounds. Thus, to test a single password, 5000
hashes instead of 1 hash have to be computed, hence, slowing the attacker
down by a factor of (approximately) 5000. By intertwining the password
and the salt in every round, additional complexity and hence slowdown can
be introduced. For instance, hashcat on the build server of the IS&C group
can test ≈ 157M salted SHA-512 hashes per second, while it can only test
≈ 16.7K SHA-512 crypt passwords (e.g. from a passwd file), thus having a
slowdown factor of ≈ 9400.
Alternatively, a pepper achieves a similar result, because the attacker has to
compute multiple hashes for each guess. For instance, for an 8 bit pepper,
the attacker has to compute 256 ($2^8$) hashes for each password guess,
because she has to try each possible password-pepper combination.
A salt does not affect the offline testing performance per se (see also answer
to question 3b). Salts prevent the attacker from using pre-computed
dictionaries and hence force her to test passwords “live”, i.e., once she knows
the salt value for a password, she must test all possible password values in
combination with this salt. However, the overhead of computing hash(password)
vs. hash(salt|password) is negligible (assuming the salt length is reasonable
and not in the range of megabytes or more).
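
The cost per guess described in this answer can be made visible by counting hash invocations. The following is an added example, not part of the original solution sheet: `stretched_hash` is a simplified iterated SHA-512 that mixes salt and password into every round (it is not the SHA-crypt algorithm that crypt implements), and the record layout and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

HASH_CALLS = 0  # counts hash invocations so the work factor is visible


def _h(data: bytes) -> bytes:
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.sha512(data).digest()


def stretched_hash(password, salt, rounds=5000, pepper=b""):
    """Iterate SHA-512, mixing salt, pepper and password into every round.
    Simplified illustration only; real systems should use a vetted scheme
    such as hashlib.scrypt or hashlib.pbkdf2_hmac."""
    digest = _h(salt + pepper + password)
    for _ in range(rounds - 1):
        digest = _h(digest + salt + pepper + password)
    return digest


def create_record(password, rounds=5000, use_pepper=False):
    """Build the stored record. The salt is stored; the pepper is not."""
    salt = os.urandom(8)
    pepper = os.urandom(1) if use_pepper else b""  # 8-bit pepper
    return {"salt": salt, "rounds": rounds, "use_pepper": use_pepper,
            "hash": stretched_hash(password, salt, rounds, pepper)}


def verify(record, guess):
    """Check a guess. With a pepper, every one of the 256 values is tried."""
    peppers = [bytes([p]) for p in range(256)] if record["use_pepper"] else [b""]
    ok = False
    for pepper in peppers:
        candidate = stretched_hash(guess, record["salt"], record["rounds"], pepper)
        ok |= hmac.compare_digest(candidate, record["hash"])
    return ok


def hashes_per_wrong_guess(record):
    """Number of hash computations that one failed guess costs."""
    global HASH_CALLS
    HASH_CALLS = 0
    verify(record, b"wrong-guess")
    return HASH_CALLS


if __name__ == "__main__":
    for rounds, pepper in [(1, False), (5000, False), (20, True)]:
        rec = create_record(b"s3cret", rounds, pepper)
        print(f"rounds={rounds}, pepper={pepper}: "
              f"{hashes_per_wrong_guess(rec)} hashes per wrong guess")
```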

2 Password salting
Assume we have a very simple password system that uses lowercase letters, uppercase
letters, and digits as character set (i.e., 62 characters), and that uses SHA-256 as
hash function. Passwords have a minimum length of 1 character and a maximum
length of 6 characters. We want to pre-compute a dictionary that maps every possible
password to its hash value, so that we can simply lookup a hash that we want to
crack. Assuming every character stored in the dictionary requires one byte, what
would be the required storage size for this dictionary if
(2 points) (a) passwords are unsalted?

Solution:
There are $P = \sum_{k=1}^{6} 62^k$ possible passwords. To store all passwords in the
dictionary, we hence require $S = \sum_{k=1}^{6} k \cdot 62^k$ bytes. To store every possible
hash, we require $H = 32 \cdot P$ bytes, because SHA-256 hashes are 32 bytes long.
Summing up, we require $S + H$ bytes, that is ≈ 1.99 TiB ($1.99 \cdot 1024^4$ bytes)
of data. If you use a separator between hash and password, this requires
an additional $P$ bytes, i.e., ≈ 54 GiB ($54 \cdot 1024^3$ bytes) of extra storage.
This overall amount is easily feasible with today’s storage systems.

(1 point) (b) passwords are salted with an 8 character long salt value that is randomly chosen
from a character set with 64 characters?

Solution:
There are $64^8 = 281{,}474{,}976{,}710{,}656 = 2^{48}$ possible salt values. We have
to hash every possible password-salt combination. So, our storage
requirement increases (at least) by a factor of $2^{48}$ if the attacker creates one
dictionary file per salt value. In case of this very simple password scheme,
the dictionary would require about 510 YiB (yobibyte; $510 \cdot 1024^8$ bytes),
which is almost certainly beyond the capacity of almost all attackers (today).

3 Cracking passwords with hashcat


The fictional company Federal Association of Internet Laymen (FAIL) has developed
a new popular forum software for websites. Since FAIL has no expertise in password
security and they want to optimize the performance and storage requirements of their
software, they implicitly truncate every user password to a length of 5 characters,
salt it with an 8 character long value, and hash it with SHA-1(salt|password).
Moreover, because their programmers had some problems with encoding special
characters, they only allow lowercase letters, uppercase letters, and digits as password
characters, but not special characters/symbols. Recently, one of the websites running
FAIL’s software was compromised and the user database including stored passwords
was leaked to the Internet. In the following are three of the leaked entries:

James: a5afd9cf33ff4d9b6fc5ac380e9991b7f69eed99:nohsoo6I
Lars: e9bc474b224e8115a185ef4d481a8fdff0a7d429:eiQuook5
Rob: c51920a4ede9523955303e912a4f16b034c82c3b:AiL8Eil5

(2 points) (a) Your task is to demonstrate to FAIL, that their password security is insufficient.
You should use hashcat (or oclHashcat) to crack the passwords of these three
users. The format of the above entries is hash:salt.
In your solution describe how you used hashcat (command line parameters,
etc.), provide a screenshot of your terminal or GUI from the finished hashcat
execution (similar to Figure 1), and of course the cracked passwords.

Solution:
A successful hashcat command could look like:

./hashcat64.bin -m 120 -a 3 -o cracked -1 ?l?u?d leaked ?1?1?1?1?1 --increment

Explanation of parameters:
-m 120: Use sha1($salt.$pass) hash
-a 3: brute-force password
-o cracked: Write cracked passwords to this file
-1 ?l?u?d: Define custom character set composed of lowercase letters, uppercase letters, and digits
leaked: Input file containing the hash:salt values from question
?1?1?1?1?1: Pattern for brute-force, i.e., every character of the password belongs to our custom character set
--increment: also try passwords with less characters than the given pattern

Figure 1: Screenshot from finished hashcat run.

Cracked passwords:

User Password
James Iezi1
Lars Ue1ec
Rob Kirk

(1 point) (b) Does the length of the salt add to the security of the password hash?
For instance, if James had used the salt value AS9rej8maeD8chus instead of
nohsoo6I, would it be harder to crack his password? Justify your answer!

Solution:
No. As seen earlier, the salt length affects how many dictionaries have
to be pre-computed in case one wants to create pre-computed hash lists
for lookup. However, for cracking the password “live” as done here with
hashcat, the password length (negligibly) affects the performance of testing
hash(salt|password) guesses.
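
The FAIL storage scheme described at the start of this section can be written down in a few lines to show why it is weak from the defender's side. The following is an added example, not part of the original solution sheet and not FAIL's code: function names are assumptions, and the stored entry used to show the truncation effect is constructed at run time.

```python
import hashlib
import hmac

TRUNCATE_AT = 5   # FAIL silently keeps only the first 5 characters
ALPHABET = 62     # lowercase letters, uppercase letters, digits


def fail_hash(password: str, salt: str) -> str:
    """SHA-1(salt|password) over the truncated password, as described."""
    return hashlib.sha1((salt + password[:TRUNCATE_AT]).encode()).hexdigest()


def parse_entry(line: str) -> dict:
    """Parse a 'user: hash:salt' line; reject anything malformed."""
    user, _, rest = line.partition(":")
    digest, sep, salt = rest.strip().partition(":")
    if not sep or len(digest) != 40 or len(salt) != 8:
        raise ValueError(f"malformed entry: {line!r}")
    int(digest, 16)  # raises ValueError if the digest is not hexadecimal
    return {"user": user.strip(), "hash": digest.lower(), "salt": salt}


def fail_verify(entry: dict, password: str) -> bool:
    """Login check as FAIL's scheme would perform it."""
    return hmac.compare_digest(fail_hash(password, entry["salt"]), entry["hash"])


def effective_keyspace(alphabet: int = ALPHABET, max_len: int = TRUNCATE_AT) -> int:
    """Distinct stored secrets, no matter how long the chosen password is."""
    return sum(alphabet ** k for k in range(1, max_len + 1))


if __name__ == "__main__":
    # Constructed entry: the user picked a 14-character password.
    salt = "Zz0Yy1Xx"
    line = f"Alice: {fail_hash('Tr0ubadourLong', salt)}:{salt}"
    entry = parse_entry(line)
    # Any password sharing the first five characters is accepted.
    print(fail_verify(entry, "Tr0ubadourLong"))   # True
    print(fail_verify(entry, "Tr0ub"))            # True
    print(fail_verify(entry, "Tr0uc"))            # False
    print(effective_keyspace())                   # 931151402
```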

4 Applying the security principles


After your successful attacks, the FAIL company now hires you as their new security
officer. Your first task is to design a system to control the access rights of FAIL’s
employees in their new building. The managing board asks you to implement this as
a smartcard-based system. At the entrance, offices, elevators and high security rooms,
only employees carrying their respective cards can unlock the smart lock and enter.
The idea is that every employee just needs a single smart card that she can hold in
front of the smart lock which will then open the door if she has the corresponding
access rights. Your job now is to design the system in a way that it satisfies security
best practices and follows the principles introduced in the lecture.
(6 points) (a) For each of the following security principles, briefly describe how to satisfy them
in the context of the new smartcard-based system: Open Design, Least Privilege
and Complete Mediation. For example, applying the principle of Traceability
might look like this:

Traceability
In order to detect errors and attacks, every smart lock should immediately create
a log entry for each card that it reads, including identifiers for the smart lock
and the scanned card, a timestamp and an indicator whether access was granted
or denied.

Solution:
Open Design
The authentication process should rely on well-known and provably secure
cryptography, so that its security does not depend on the secrecy of the
process itself.

Least Privilege
Every employee should at most get access to the places she actually needs to
do her job. For example, there is no need to grant every employee access to
the CEO’s office, but everybody should be allowed to pass the main entrance.

Complete Mediation
In order to fulfill Complete Mediation, there should be a security check at
each entrance of the building. Also, all security-relevant places need to be
secured by smart locks.

(2 points) (b) The managing board is concerned about the security of the building in the
presence of incidents like power breakdown. In the light of the Secure, Fail-Safe
Defaults principle, explain how your system would react to a breakdown of the
whole building’s power supply. So when the smart locks are not supplied with
power, are all doors open or are they closed? Also consider the case that the
breakdown is a result of another incident like a fire or earthquake, where people
that are still residing in smart lock guarded rooms might need to escape from
the building. For the latter scenario, discuss the trade-off between security and
personal safety. Can we achieve both?

Solution:
The idea is to design the system in a way that all guarded doors are locked by
default and can be opened electronically by using the smart locks. Therefore,
in case of a sudden power breakdown, those rooms cannot be entered. The
idea is to prevent burglars and thieves from intentionally shutting down the
power supply to get access to the building. However, if the breakdown is
triggered by a fire for example, then people might be trapped inside rooms.
So in order to guarantee individual safety, the above mentioned lock by
default only applies when trying to enter a room. Exiting should always be
possible.

(2 points) (c) To this point, employees that forget to bring their card cannot easily enter the
building. So in order to not prevent legit users from working, the company
proposes to let each employee choose a password as an alternative way to
authenticate. They argue that this will increase the productivity and
security-wise also improve the overall usability of the system. Discuss this suggestion
in terms of the principles of Usability and Generating Secrets and propose a
compromise.

Solution:
The company is right in that this will greatly enhance the Usability of
the system. Employees will definitely forget their cards from time to time,
so there needs to be a solution for this case. However, letting users freely
choose their passwords is a bad idea and hurts the Generate Secrets principle.
There are several solutions to this. First, the company can enforce a strong
password policy. Because those passwords are not used every day but only in
rare situations, the inconvenience is reduced to a minimum while the security
is way better. Second, the company could generate the passwords itself and
distribute them to their employees. Again, inconvenience is restricted to
rare cases.

5 Two-factor authentication: Mobile banking


In recent years, online banking has become very popular. Bank customers can check
their account balance and initiate transactions from the comfort of their home by
simply using their bank’s web portal or mobile app. However, as those transactions are
promising targets for criminals, banks introduced transaction authentication numbers
(TANs) to secure the process. Besides the classical iTAN where the customer owns a
printed list of possible authentication numbers, there are also ways to obtain those
TANs on demand like mTAN, chipTAN and pushTAN. Recently, after researchers
attacked some of the measures, a discussion came up on the security of the above
mentioned TAN mechanisms. In this exercise, we will have a closer look and judge
whether they fulfill the requirements of a secure two-factor authentication method.
1. mTAN: The authentication number is sent to the customer’s phone via SMS.
2. chipTAN: The customer owns a special device where she inputs her bank card,
scans a bar code from the bank’s website, and a freshly generated authentication
number is shown on the small device screen.
3. pushTAN: The number is received by a special, separate application on the
customer’s phone which is not the banking app.
(3 points) (a) Consider the usage of an online banking app on a smartphone. For the above
TAN mechanisms mTAN, chipTAN and pushTAN, briefly state whether they
can be considered a secure two-factor authentication method. If they are not,
describe an attack.

Solution:
1. mTAN: Not a valid two-factor authentication mechanism. Assume a
successful attack on the mobile device, for example a root exploit.
Then the attacker can initiate a transaction (banking app), receive
the mTAN (SMS app) and confirm the transaction. The problem is
that the two channels are not distinct so that a single compromise is
sufficient for the attack.
2. chipTAN: Yes, chipTAN is a valid two-factor authentication scheme
because the chipTAN device is a dedicated generator and therefore a
valid second channel. If either the smartphone is compromised or the
chipTAN device is stolen, having only one is still not enough.
3. pushTAN: Not a valid two-factor authentication mechanism for the
same reason as for mTAN. The two channels are not independent and
therefore a single compromise is enough. The only difference is that
using an app is more convenient than copying the TAN from the SMS
app.

(3 points) (b) This time, consider the usage of the bank’s web portal for online banking on a
PC. Once again, state whether the three mechanisms above can be considered
secure two-factor authentication methods. Again, describe possible attacks if
they are not.

Solution:
1. mTAN: In contrast to the first scenario, the mTAN is a valid two-factor
authentication here because the PC and the smartphone need to be
compromised for an attacker to succeed.
2. chipTAN: Still valid because the chipTAN device is also independent
of the PC.
3. pushTAN: Also fine for the same reason as mTAN.
