Lab 1 2

This document outlines a lab focused on authentication methods, including textual and graphical passwords, as well as password cracking techniques. It includes practical exercises such as encrypting passwords, analyzing graphical password patterns, and exploring brute force and rainbow table attacks. The lab encourages observation and analysis of security measures and vulnerabilities in authentication systems.

Uploaded by victor.magzhan

SCC.252 Secure Cyber Systems


Lab 1: Authentication

In this lab, we will learn and understand the basic concepts of authentication, such as textual
passwords, graphical passwords and password cracking. All questions are open-ended, so it is
important to observe the input/output and think about the reasons behind what you see.

Part A: Textual Password for User Authentication.


Textual passwords are the most widely used form of user authentication: a user inputs a
textual string and the authentication system checks it. In practice, we expect the password
to be transformed (e.g., encrypted or hashed) before it is stored, instead of storing the
plaintext form.
Please open this link: https://dnschecker.org/password-encryption-utility.php and input
the plaintext “Hello world”.

Please click “Encrypt my password” and check the output.

Question A.1 Please check the output length of each encryption/hashing method.

Question A.2 Please keep the same input and click “Encrypt my password” again. Do you
observe any differences in the output? What is the reason?
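An added example for Questions A.1 and A.2 (not part of the lab handout): it hashes the same plaintext with the common digest algorithms, reports the fixed output size of each, and checks that repeating the computation gives identical output. The set of algorithms is an assumption; the online utility may offer a different list.

```python
import hashlib

# Assumption: the algorithms a typical "password encryption" utility shows.
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digest_table(plaintext: str) -> dict:
    """Return {algorithm: (hex digest, hex length, digest bits)} for one input."""
    table = {}
    for name in ALGORITHMS:
        h = hashlib.new(name, plaintext.encode("utf-8"))
        hexdigest = h.hexdigest()
        # Each raw digest byte is printed as two hex characters, so the visible
        # length depends only on the algorithm, never on the input length.
        table[name] = (hexdigest, len(hexdigest), h.digest_size * 8)
    return table


def is_deterministic(plaintext: str, runs: int = 3) -> bool:
    """A plain (unsalted) hash returns the same output every time for the same input."""
    first = digest_table(plaintext)
    return all(digest_table(plaintext) == first for _ in range(runs - 1))


def differing_bits(a: str, b: str, name: str = "sha256") -> int:
    """Count the bits that differ between the digests of two inputs (avalanche effect)."""
    da = hashlib.new(name, a.encode("utf-8")).digest()
    db = hashlib.new(name, b.encode("utf-8")).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))


if __name__ == "__main__":
    for name, (hexdigest, hex_len, bits) in digest_table("Hello world").items():
        print(f"{name:7s} {bits:3d} bits  {hex_len:3d} hex chars  {hexdigest}")
    print("same input, same output:", is_deterministic("Hello world"))
    print("bits changed by 'w' -> 'W':", differing_bits("Hello world", "Hello World"))
```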
Part B: Graphical Password
Android Unlock Pattern is one widely used graphical password scheme, which has a
distinctive 3 x 3 grid of dots. A user has to draw a pattern by connecting dots without
repeating any dot. A valid pattern must have at least 4 dots and at most 9 dots.
In practice, a brute force attack might not be suitable for cracking such unlock patterns,
but a ‘hot-spot’ dictionary attack could be a better choice. That is, an attacker can
identify many ‘hot-spots’: dots that users very often select as part of their unlock
patterns.
Question B.1: Please check the Unlock Pattern Generator from Berkeley Churchill
(https://www.berkeleychurchill.com/software/android-pwgen/pwgen.php)

i) Please set the pattern length to 9 and run the program at least 10 times. For each
run, record the start point and end point, and check which dot has the highest
probability of being selected.

ii) Please set the pattern length to 4, 5 and 6, and run the program again at least 10
times each. Check the start point and end point again, and check which dot has the highest
probability of being selected.

Question B.2: Please read the paper titled “Quantifying the Security of Graphical
Passwords: The Case of Android Unlock Patterns”
(https://dl.acm.org/doi/pdf/10.1145/2508859.2516700) and check whether you have
the same observations as the figure below, e.g., the bias in dot selection.
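An added example for Question B.1 (not part of the lab handout): a small Python helper that validates recorded patterns against the rules stated above and tallies which dots appear as start point, end point and overall. The recorded patterns below are a constructed sample, not output from the generator.

```python
from collections import Counter

# Dots are numbered 1..9 left-to-right, top-to-bottom on the 3 x 3 grid.
MIN_LEN, MAX_LEN = 4, 9

# Constructed sample of "recorded" patterns; two are deliberately invalid.
RECORDED = [
    (1, 2, 5, 9), (1, 4, 7, 8, 9), (3, 2, 1, 4, 7), (1, 2, 3, 6, 9, 8),
    (7, 4, 1, 2), (1, 5, 9, 6), (2, 5, 8, 9), (1, 2, 5, 8, 7), (3, 5, 7, 9),
    (1, 5, 9, 8, 7), (1, 1, 2, 3), (4, 5, 6),
]


def is_valid_pattern(pattern) -> bool:
    """Rules as stated in the lab: 4 to 9 dots, each in 1..9, none repeated.
    (Android also forbids jumping over an unvisited dot; not modelled here.)"""
    if not MIN_LEN <= len(pattern) <= MAX_LEN:
        return False
    if any(d not in range(1, 10) for d in pattern):
        return False
    return len(set(pattern)) == len(pattern)


def hotspot_report(patterns) -> dict:
    """Tally start dot, end dot and overall dot usage; invalid patterns are
    skipped and counted so a recording mistake does not skew the result."""
    start, end, used = Counter(), Counter(), Counter()
    invalid = 0
    for p in patterns:
        if not is_valid_pattern(p):
            invalid += 1
            continue
        start[p[0]] += 1
        end[p[-1]] += 1
        used.update(p)
    return {
        "start": start, "end": end, "used": used, "invalid": invalid,
        "top_start": start.most_common(1)[0][0] if start else None,
        "top_end": end.most_common(1)[0][0] if end else None,
    }


if __name__ == "__main__":
    r = hotspot_report(RECORDED)
    print("invalid recordings:", r["invalid"])
    print("start-point counts:", dict(r["start"]), "-> hot-spot", r["top_start"])
    print("end-point counts:  ", dict(r["end"]), "-> hot-spot", r["top_end"])
```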
Part C: A Taste of Password Cracking
Brute force attack is one main method of cracking a password, especially when you
don’t have an effective dictionary. In this case, rainbow tables offer a trade-off between
time and space. You can read more about rainbow tables here
(https://en.wikipedia.org/wiki/Rainbow_table).
Simply put, a rainbow table is a precomputed table for caching the outputs of a
cryptographic hash function, usually for cracking password hashes.

Question C.1: There are some online password crackers, e.g., Hash Cracker
(https://crackstation.net/). Please copy the hash values from Question A.1 and input them
into the Cracker.
i) See whether the Cracker can find the hash algorithm and the plaintext.
ii) Then please try another plaintext (you can propose a new one!).

Question C.2: The Hash Cracker uses “massive pre-computed lookup tables to crack
password hashes. These tables store a mapping between the hash of a password, and
the correct password for that hash.”
This is an application of rainbow tables. Please open the website
https://www.tobtu.com/rtcalc.php and check the storage requirement of performing a
rainbow table attack.
Please try different parameters and check the required storage. Consider how to
balance storage against cracking probability.
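An added example for Question C.2 (not part of the lab handout, and not the formula used by the tobtu calculator): an idealized sizing model for a rainbow table. It assumes chains never merge and that each chain covers `chain_len` distinct plaintexts, so its numbers are a lower bound; the point it shows is the trade-off the question asks about, namely that a longer chain shrinks storage but raises the per-lookup work quadratically.

```python
import math


def rainbow_table_estimate(charset_size: int, max_len: int, chain_len: int,
                           success_rate: float = 1.0, entry_bytes: int = 16) -> dict:
    """Idealized rainbow-table sizing (assumption: no chain merges, so each chain
    covers chain_len distinct plaintexts). entry_bytes is the on-disk size of one
    (start, end) pair; real tables store more chains to reach the same success rate."""
    # keyspace: every string of length 1..max_len over the character set
    keyspace = sum(charset_size ** n for n in range(1, max_len + 1))
    # only chain endpoints are stored; the middle of each chain is recomputed
    chains = math.ceil(keyspace * success_rate / chain_len)
    storage_bytes = chains * entry_bytes
    return {
        "keyspace": keyspace,
        "chains": chains,
        "storage_bytes": storage_bytes,
        "storage_mib": storage_bytes / 2 ** 20,
        # precomputation must walk every chain end to end
        "precompute_hashes": chains * chain_len,
        # looking up one hash regenerates chain suffixes from each position:
        # 1 + 2 + ... + chain_len hash/reduce steps in the worst case
        "lookup_hashes_worst": chain_len * (chain_len + 1) // 2,
    }


def tradeoff(charset_size: int, max_len: int, chain_lens) -> list:
    """Same keyspace under several chain lengths, to see storage vs. lookup cost."""
    return [rainbow_table_estimate(charset_size, max_len, t) for t in chain_lens]


if __name__ == "__main__":
    # lowercase letters, up to 6 characters, three chain lengths
    for est, t in zip(tradeoff(26, 6, (1_000, 10_000, 100_000)), (1_000, 10_000, 100_000)):
        print(f"chain_len={t:>7}: {est['chains']:>9} chains, "
              f"{est['storage_mib']:8.2f} MiB, "
              f"{est['lookup_hashes_worst']:>11} hashes per lookup (worst)")
```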
Question C.3. Please use another hash algorithm called bcrypt
(https://bcrypt.online/). For more information about bcrypt, please read:
https://en.wikipedia.org/wiki/Bcrypt.
Please input a text, e.g., “Hello”, and get the hash values.

Then please input the hash values into the Hash Cracker. Can it output the
plaintext? Why?
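An added example for Questions C.2 and C.3 (not part of the lab handout): a toy lookup table built from a constructed wordlist, which recovers an unsalted MD5/SHA hash by exact match but finds nothing for a salted, slow hash of the same word. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt here (an assumption so the block runs offline); the property demonstrated, a per-password random salt plus a work factor, is the same.

```python
import hashlib
import hmac
import os

# Constructed toy wordlist standing in for a cracker's "massive" precomputed tables.
WORDLIST = ["password", "123456", "Hello", "Hello world", "letmein", "qwerty"]


def unsalted_hash(name: str, text: str) -> str:
    """Plain digest as produced by the utility in Part A."""
    return hashlib.new(name, text.encode("utf-8")).hexdigest()


def build_lookup_table(words, algorithms=("md5", "sha1", "sha256")) -> dict:
    """Precompute hash -> (algorithm, plaintext); the cracker searches this map,
    which is also how it can report the algorithm that produced a hash."""
    return {unsalted_hash(n, w): (n, w) for w in words for n in algorithms}


def lookup(table: dict, hexdigest: str):
    """Return (algorithm, plaintext) only on an exact precomputed match."""
    return table.get(hexdigest.lower())


def slow_salted_hash(password: str, salt: bytes = None, rounds: int = 2 ** 15) -> str:
    """bcrypt stand-in (assumption: PBKDF2-HMAC-SHA256). A fresh random salt makes
    the output differ on every call; rounds is the work factor per guess."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2${rounds}${salt.hex()}${dk.hex()}"


def verify_slow_salted(password: str, stored: str) -> bool:
    """Recompute with the salt and rounds kept in the stored string; no table needed."""
    _, rounds, salt_hex, _ = stored.split("$")
    recomputed = slow_salted_hash(password, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(recomputed, stored)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted md5 of 'Hello':", lookup(table, unsalted_hash("md5", "Hello")))
    stored = slow_salted_hash("Hello")
    print("salted hash of 'Hello':", lookup(table, stored.split("$")[-1]))
    print("two salted hashes equal:", stored == slow_salted_hash("Hello"))
    print("verify with stored salt:", verify_slow_salted("Hello", stored))
```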
