A cryptography problem

[ecy5maa]

Hi,

 

So basically there are 3 parts to this one question:

 

 

1a) Suppose an attacker tries to find out your password with an on-line attack by repeatedly trying to log onto your account with guessed passwords. Further suppose that the system logon is set up in such a way that no more than consecutive unsuccessful logon can be attempted within a period of 10 minutes (before the account would be temporarily disabled and the system administrator notified). Hence, an attacker can try at most 2 password guessing logon attempts every 10 minutes. Suppose your password consists of 6 (case sensitive) alphanumeric characters randomly chosen. How long it would take, on the average, for the attacker to guess your password right?

 

(note that you may assume that the total number of possible 6-character passwords = (26+26+10)⁶ = 5 × 10¹⁰)

 

 

 

 

Ans: Total no. of Pwds attacker has to try is 2.5x10^10. So total time it takes is ((2.5x10^10)x10)/2 = 1.25x10^11 mins.

 

 

b) Suppose the attacker was able to tap onto network and capture your logon communication. Specifically he/she was able to take a copy of your password in hashed form. That is, the attacker has h(PW), where PW is your password and h is a known hash function. The attacker mounts an off-line brute force guessing attack with a machine of power 2,000 MIPS. Assuming each guessing trail takes 2,000 instructions execution (effort), how long it will take, on the average, for your password to be guessed by the attacker?

 

 

 

Ans: I was a bit confused here, but this is what I did.... if there are 2.5x10^10 passwords on average the attacker has to go through this means he will have to break 2.5x10^10 hashed pwds.....and if it takes 2000 instructions to break one hashed pwd...it means 2.5x10^10x2000= 5x10^13 instructions for all the passwords. So if the machine executes 2000 MIPS it would mean 5x10^13/(2000x10^6)= 25000 seconds o around 7 hours to guess a correct password.

 

 

 

 

 

 

 

c)

 

In view of the above, what can be said about (i) the adequacy of a 6-digit ATM PIN; (ii) the need to protect the (hashed) password database of a (password based) login system?

 

 

i) a 6 digit pin is adequate in most cases except in exceptional circumstances where the attacker has high performing computing power to do a brute force search to break a system. ii) Hashing passwords dont necessarily provide enough protection.