ecy5maa

Hi, So basically there are 3 parts to this one question: 1a) Suppose an attacker tries to find out your password with an on-line attack by repeatedly trying to log onto your account with guessed passwords. Further suppose that the system logon is set up in such a way that no more than consecutive unsuccessful logon can be attempted within a period of 10 minutes (before the account would be temporarily disabled and the system administrator notified). Hence, an attacker can try at most 2 password guessing logon attempts every 10 minutes. Suppose your password consists of 6 (case sensitive) alphanumeric characters randomly chosen. How long it would take, on the average, for the attacker to guess your password right? (note that you may assume that the total number of possible 6-character passwords = (26+26+10)6 = 5 × 1010) Ans: Total no. of Pwds attacker has to try is 2.5x10^10. So total time it takes is ((2.5x10^10)x10)/2 = 1.25x10^11 mins. b) Suppose the attacker was able to tap onto network and capture your logon communication. Specifically he/she was able to take a copy of your password in hashed form. That is, the attacker has h(PW), where PW is your password and h is a known hash function. The attacker mounts an off-line brute force guessing attack with a machine of power 2,000 MIPS. Assuming each guessing trail takes 2,000 instructions execution (effort), how long it will take, on the average, for your password to be guessed by the attacker? Ans: I was a bit confused here, but this is what I did.... if there are 2.5x10^10 passwords on average the attacker has to go through this means he will have to break 2.5x10^10 hashed pwds.....and if it takes 2000 instructions to break one hashed pwd...it means 2.5x10^10x2000= 5x10^13 instructions for all the passwords. So if the machine executes 2000 MIPS it would mean 5x10^13/(2000x10^6)= 25000 seconds o around 7 hours to guess a correct password. c) In view of the above, what can be said about (i) the adequacy of a 6-digit ATM PIN; (ii) the need to protect the (hashed) password database of a (password based) login system? i) a 6 digit pin is adequate in most cases except in exceptional circumstances where the attacker has high performing computing power to do a brute force search to break a system. ii) Hashing passwords dont necessarily provide enough protection.

3. Suppose the NSA (National Security Agency of the US) has a specialized computer system that can break a DES cipher by brute force search in 1 minutes on the average. Estimate the length of time the same system will take to break an AES cipher of key length 192 bits by brute force, assuming that the amount of time the system takes to try an AES key and a DES key are the same. Express the answer I terms of the number of years and also in terms of the earth’s age (assume earth age is 4.5 billion years). (Note that in cryptographic calculations such as these estimates, exact numbers are not necessary. Rather the orders of magnitude should suffice.) Ans: So what I get is....56x10^31 years and in terms of the current age of the earth: 56x10^25. Can some please check....this is using a DES with a 56 bit key.

Fair enough. Thank you!! Now if u can help me with the second part as well..i will be great full. (a) Bob gives {m, h(m)}to Alice directly (face to face), can Alice be sure that there was no tampering by a third party? Ans: Similar to the first part, i would think that even if Bob gave Alice the message face to face.....she would have no way of knowing what the original message was so cannot know if the message was tampered with by a third party. She would have to accept the message that she receives as the original message.

Ohh yes. Off-course!. Alice would have no way of knowing the message is tampered with as she would believe message=n. But what i said about 2 bits cancelling does that make sense too?

hmm...I would assume that it cant unless its some sort of clever hack where the message is corrupted via bits that cancel each other? I think that should then have no effect on the hashed value. Is that correct?

Suppose Bob produced document m and h(m) using a hash function h which is known publicly. (a) Bob sends {m, h(m)} to Alice over the Internet. Can Alice verify that m has not been tampered with (say during its transit over the Internet)? Explain. My answer: I assume Alice can verify that m has not been tampered with, since h(m) should still compute correctly regardless of whether a replay attack has occurred or not. SO yes Alice can check message tampering. Can anyone let me know if this is correct?

Hi guys, Traditional voting via paper ballots at polling stations, meant that each individual was free to vote for his candidate in complete privacy. A father could vote for a separate candidate and a son for another candidate. So I was wondering is there any way in which to ensure similar privacy when using Internet voting as well ? Or will that then depend on the voter to ensure that he is in a 'private' environment? I understand its probably not big of an issue since at worst one would vote in front of friends and family...but doesnt it regardless prove a security flaw in internet voting? Thanks Regards evy5maa

thanks arete!!! best advice so far!

Thank you for your reply. I have understood your points, but let me just clarify one last thing. University centric meant that, all research projects were marked/reviewed inside the University itself in the context of what other students also did in there projects. This doesnt mean that the academic standards itself were poor, but rather that my work is judged based on the work of 25 others in my Post grad class, as compared to prob 100s in case of a paper submission. I apologize for not elucidating on this point earlier. Thanks for your response once again.

Thanks for your reply but i am not in Undergrad. I am a post grad student as I have mentioned. And I dont think asking for names of peer reviewed journals is ridiculous as you have implied. Let me clarify what I meant one more time. I am a post grad student doing my Masters in Computer Science. When I say I want to publish a paper, that does not mean that I am fresh out of undergrad and want to cut/copy and paste something I read on the internet and have it published. Obviously, the fact that I am a post graduate student I do have the 'necessary' research training but the only difference is that everything that I have done so far is primarily university centric. What my professor meant was that if I am able to get a paper published in addition to the necessary research 'experience' that I gain in my university during the course of my Msc..then this improves my chance of getting admission into Phd. You are right that I need to be a part of a team, but the other option that came to my mind was that I work on a topic, under supervision of my professor. Can that not work? As far as asking for journal submission procedures and which journals I should submit too I meant something like this: http://www.ntu.edu.sg/home/assourav/jrank.htm . Sure I can ask my professor too, but I can also ask you or others in this forum, as it is a rather generic question. As far as the Phd question is concerned, with funding obviously mean that the university gives funding. Thanks again for your reply

Hi, So let me get straight to the point. I am currently studying for my Msc in Computer Science at a uni that is 110th in the world. However, my grades suffered in my first semester due to some emotional trouble i faced and now I can only reasonably achieve abt 3.0 to 3.2 GPA. So I was wondering if anyone knew of any Phd programs that accept students in with a 3.0-3.2 GPA but with funding? I corresponded with a few (IIT(US) and HKPU(Hong Kong)) and they all said the MINIMUM requirement is 3.0 but said nothing specific abt funding. I dont really need to get into a top tier uni, ill be fine with middle tier unis as well as long as I get funding to do Phd. My Career goals are to become a professor in my Home Country(Pakistan) and there they, at the moment, are fine with a Phd as long as our education commission can verify it, i.e. its not fake. Secondly, I talked to some of my professors and they said that my chances will improve if i can get 1-2 papers published. So I was wondering if anyone knew of peer review journals that I should target and what exactly is the procedure of submitting your paper. For instance, i want to write a paper on Security policy for E-voting. So which journals will accept a submission on this topic? Thank You in advance.

Its an exam question, worth 4 marks. Thanks for your reply!!

Q. Given a pair of plaintext P and ciphertext C encrypted under a DES key, in the worst case, how long does an attacker have to try for finding a key K such that C = DES(K, P) which represents the DES encryption of P under key K? Assume that the attacker can perform 10^13 encryptions per second. Give your answer to the nearest hours. Allright so the book(Stallings) says that if the key is 56 bits long, then the total number of Keys is 7.2x10^16 keys. So I assume that this means that the time taken is simply (no. of keys)/(10^13) which means it will take 2 hours to find the key K. Is this correct? If not can you suggest an alternative means to answer this?

What I was asking was that if the non hashed time stamp can be used via manipulation, why not the hashed time stamp as well. But I read the book again and i have cleared up what a hashed value actually is. So i agree with you.....B&D are secure. Thanks again for the help!

But why would you need hashed value of the timestamp, is it not possible to just simply use h(timestamp) like we use h(password) in C? Thanks for responding!