CO3326 Computer security

University of London
Computing and Information Systems / Creative Computing
CO3326 Computer security
Coursework assignment 1 2020–21

Important

Students have been allocated a unique simplified Unix shadow file to use for this coursework assignment. You can obtain this using your Student Reference Number (SRN) from the following URL: {srn}. For example, if your SRN is 887766554, you would obtain your data from that URL with 887766554 in place of {srn}. If you have difficulties obtaining your exercise data, please email us at: [email protected]

You may have noticed that recently there has been a considerable amount of media attention directed towards cyberattacks, in which many organisations and individuals have been caught up. During the first six months of 2020, several Fortune 500 businesses became victims of major data breaches, after which hackers were able to sell account credentials and sensitive data, as well as confidential and financial records of these organisations. Chapter 2 (pp. 11–22) of the subject guide discussed ways in which an identification system can be abused. This coursework assignment is designed to help extend your knowledge in this area by encouraging self-study and creativity. More specifically, through an exercise it makes you carry out a password file and dictionary attack. The internet has plenty of information on the subject, so you will not find it difficult to research. Your reading should cover the following topics:

• Cryptographic hash functions and the security of SHA-256.
• Dictionary attacks and salting.
• Rainbow table attacks.

The coursework is composed of two parts, an exercise and a report. The exercise counts for 40% of your mark: you should crack the credentials of the users included in the password file that you have been provided with, and submit the result in a specific format. The report counts for 60% of your mark: you should answer the questions laid out below.

To solve the exercise, you may find it necessary to write a program. You are welcome to use any programming language and any third-party libraries available for SHA-256 and JSON. Libraries are available for most languages, including – and not limited to – Java, C/C++, Scala, Python and JavaScript. Please include key snippets of your code as an annex to your report.

You should read the coursework assignment carefully and pay particular attention to the Submission requirements.

Part A – Exercise

You have been provided with the simplified and adapted content of a password file, similar to what hackers who carry out a successful password file attack would obtain. Your password file looks like the following (this is an example for illustration):

It is in JSON format. The srn and name fields should correspond to your details and are there for marking purposes. The passwords field is an array of strings, each string corresponding to a line in the /etc/shadow file that Linux and UNIX-like systems use to store actual user credentials in encrypted form. With a bit of research on shadow files, you will be able to interpret the lines. Your task is to crack all users' credentials.

For the example password file that Carl Davis would have received as his assignment, he would submit the following JSON, which reflects a correct solution:

For every encrypted password line, similar to

sophie:$5$eetpl$6b50e32287b598a35ca107a74d8901d94c1ae930e27c83d59aaa66cc39200a94

the corresponding plaintext credentials should be devised:

"sophie": {
  "password": "vigorous",
  "salt": "eetpl"
}

Clarifications

The encrypted password lines have been simplified in the example and only the first two fields have been included; the subsequent six (e.g. lastchanged, expire) have been omitted. You will understand this, as well as the significance of $5$, during the course of your research.

Please pay particular attention to the example assignment and corresponding solution provided. Looking carefully at the solution, alarm bells should be ringing, which should help you with how you design your attack.

Part B – Report

Please answer the questions briefly and in your own words. Use diagrams where possible and explain them. Copy-pasting Wikipedia articles or verbose explanations will not get you very far. Wherever you are asked to provide an example, do so with references to fields and figures in the exercise.

Question 1
What are the ingredients used in the encrypted shadow file that make the decryption particularly hard?

Question 2
Would an exhaustive search attack be realistic on this shadow file? Why?

Question 3
Describe your chosen method of attack.

Question 4
Explain the thinking and the heuristics behind your chosen method.

Question 5
Provide a time and space analysis of the attack with reference to lines in your code, and state the average running time to crack one, and all 26, passwords.

Question 6
How can you optimise the attack, and what are the trade-offs of the optimisation?

Question 7
Explain, in practical terms and with an example from Carl Davis's solution and the actual encryption function used in the exercise, how rainbow table attacks work.

Question 8
Would a rainbow table attack be practical in this case? Why?

Question 9
Explain how you worked around the password salting.

Question 10
Describe briefly, with the aid of diagrams, the architecture and design of your code. Have you relied on any external system?

Reminder

Do not forget to acknowledge all sources. Make sure you acknowledge any code re-use. It is important that your submitted coursework assignment is your own individual work and, for the most part, written in your own words. You must provide appropriate in-text citation for both paraphrase and quotation, with a detailed reference section at the end of your coursework. Copying, plagiarism and unaccredited and wholesale reproduction of material from books or from any online source is unacceptable, and will be penalised (see our guide on how to avoid plagiarism on the VLE).

Submission requirements

You should upload two single files only. These must not be placed in a folder, zipped, etc.

The report should be submitted as a PDF document using the following file-naming convention: YourName_SRN_COxxxcw#.pdf, for example CarlDavis_887766554_CO3326cw1.pdf. YourName is your full name as it appears on your student record (check your student portal), SRN is your Student Reference Number, for example 887766554, COXXXX is the course number, for example CO3326, and cw# is either cw1 (coursework 1) or cw2 (coursework 2).

The exercise should be submitted as a JSON file with a strict format and naming scheme. The exercise will be automatically checked by an algorithm, so pay particular attention to its format. The name of the file should be YourName_{srn}_CO3326cw1.json; for example, Carl Davis with SRN 887766554 would submit CarlDavis_887766554_CO3326cw1.json.

NOTE: As the JSON is evaluated by an algorithm, every quote, comma, colon, curly brace and upper/lower case is crucial. Please pay attention to these. It would be a shame to lose a potential 40% of the total marks for this coursework assignment because of a misplaced comma or a missing quote. There are online tools you can use for JSON formatting and validation, so double-check that your JSON is syntactically correct.
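The following is an added illustration of the Part A line format and of the salt handling asked about in Questions 6 and 9; it is not part of the assignment and not the coursework's own solution. It assumes, as labelled in the code, that the exercise's digest is the hex SHA-256 of salt followed by password (the assignment does not state the construction; a real `$5$` shadow entry would be sha256crypt, whose output is not a 64-hex-digit string), and it parses the example line from the assignment but runs against constructed sample data.

```python
import hashlib
import json
from collections import defaultdict

def parse_shadow_line(line):
    """Split 'user:$5$salt$digest' into (user, scheme id, salt, hex digest)."""
    user, field = line.strip().split(":", 1)
    _, scheme, salt, digest = field.split("$", 3)
    return user, scheme, salt, digest

def salted_sha256(salt, password):
    """ASSUMPTION: the exercise's digest is hex(SHA-256(salt || password)).
    A real $5$ entry is sha256crypt (many rounds, 43-char crypt-base64), so a
    64-hex-digit digest is itself a sign that a single fast hash was used."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()

def make_shadow_line(user, salt, password):
    """Build a line in the exercise's format (used to construct sample data)."""
    return f"{user}:$5${salt}${salted_sha256(salt, password)}"

def crack_shadow(lines, wordlist):
    """Dictionary attack hashing each word once per distinct salt, not per user.
    Returns (solution, hash_count): solution maps user -> {password, salt},
    the per-user shape of the coursework's answer JSON; hash_count is the
    number of SHA-256 evaluations, i.e. len(distinct salts) * len(wordlist)."""
    targets = defaultdict(lambda: defaultdict(list))  # salt -> digest -> users
    for line in lines:
        user, scheme, salt, digest = parse_shadow_line(line)
        if scheme == "5":  # skip anything that is not the exercise's scheme
            targets[salt][digest].append(user)
    solution, hash_count = {}, 0
    for salt, digests in targets.items():
        for word in wordlist:
            hash_count += 1
            for user in digests.get(salted_sha256(salt, word), ()):
                solution[user] = {"password": word, "salt": salt}
    return solution, hash_count

# Constructed sample: three users, two of whom share a salt. The salt "eetpl"
# and password "vigorous" come from the assignment's example; the rest is made up.
SAMPLE_LINES = [
    make_shadow_line("sophie", "eetpl", "vigorous"),
    make_shadow_line("carl", "eetpl", "orange"),
    make_shadow_line("dana", "qz7kp", "harbour"),
]
SAMPLE_WORDLIST = ["apple", "orange", "vigorous", "harbour", "zebra"]

if __name__ == "__main__":
    found, n = crack_shadow(SAMPLE_LINES, SAMPLE_WORDLIST)
    print(json.dumps(found, indent=2), f"\n{n} SHA-256 evaluations")
```

The hash count makes the salting trade-off concrete: with a unique salt per user the work is the full wordlist per user, whereas any salt reuse lets one SHA-256 evaluation test a word against every user sharing that salt, which is the kind of observation the "alarm bells" hint invites.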

