quiz4_sol - Describe how password salting is applied...

CIS 4360 Introduction to Computer Security
QUIZ 4, Fall 2011 (5 minutes only)

This quiz concerns the protection mechanisms used in general purpose Operating Systems.

1. Protecting the password file: To validate passwords the system compares the password entered against a value stored in the password file. There are two basic defenses. List them:
(a) cryptographic protection, (b) access control enforced by the OS.

2. One-way hash functions f are a cryptographic mechanism that may be used to protect the password file. How is this done?
Instead of storing the password in the password list, the hash f(password) is stored. The password list is organized as a two-column table of user IDs (usernames) and the corresponding hashed values f(password). When the user logs in and enters the password, this is hashed (locally) into f(password). This value is then compared with the stored value: if there is a match the client is given access to the username account.

3. Dictionary attacks can be prevented by using password salting. Describe how password salting is applied.
Password salt consists of some random bits or a nonce (a number or bit string used only once). When salting a password, additional information (the salt) is appended to it before it is hashed to get f(password || salt). This implies that even if two users have the same password their salted hashes will be different.

4. For additional password protection multiple passwords may be used. With single sign-on, the keys are stored in the system, and only one key (to get authenticated) is needed to access them. Discuss the wisdom of this protection mechanism.
Remembering many passwords is rather inconvenient. A single sign-on service solves this problem. This is very convenient. However, cryptographically it's not much stronger than using a single key: the adversary just needs to hack into your account to get the list of all keys (only one break-in is needed).

Mike Burmester
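Added example (not from the quiz or its author): a small Python password file that contrasts the f(password) scheme of question 2 with the f(password || salt) scheme of question 3, so that two users sharing a password get identical entries in the first case and different ones in the second. Function and variable names are my own; SHA-256 stands in for the generic one-way hash f.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed example: a password file held as {username: (salt, f(password || salt))}.
PasswordFile = Dict[str, Tuple[bytes, bytes]]


def f(data: bytes) -> bytes:
    # The one-way hash f from the quiz. SHA-256 is used for illustration;
    # production systems use a deliberately slow KDF (PBKDF2, bcrypt, scrypt, Argon2).
    return hashlib.sha256(data).digest()


def unsalted_entry(password: str) -> bytes:
    # Question 2 scheme: the file stores f(password) only.
    return f(password.encode())


def salted_entry(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    # Question 3 scheme: a fresh random salt per user, stored with f(password || salt).
    if salt is None:
        salt = secrets.token_bytes(16)
    return salt, f(password.encode() + salt)


def register(pwfile: PasswordFile, username: str, password: str) -> None:
    pwfile[username] = salted_entry(password)


def verify(pwfile: PasswordFile, username: str, password: str) -> bool:
    # Recompute f(password || salt) with the stored salt; constant-time compare.
    if username not in pwfile:
        return False
    salt, stored = pwfile[username]
    return hmac.compare_digest(stored, f(password.encode() + salt))


def same_password_collides(password: str) -> Tuple[bool, bool]:
    # (unsalted entries equal?, salted entries equal?) for two users with one password.
    u1, u2 = unsalted_entry(password), unsalted_entry(password)
    s1, s2 = salted_entry(password)[1], salted_entry(password)[1]
    return u1 == u2, s1 == s2


if __name__ == "__main__":
    pwfile: PasswordFile = {}
    register(pwfile, "alice", "correct horse")
    register(pwfile, "bob", "correct horse")
    print(same_password_collides("correct horse"))  # (True, False)
    print(verify(pwfile, "alice", "correct horse"), verify(pwfile, "bob", "wrong"))
```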

This document was uploaded on 12/04/2011.
