The solutions for exercise09 of Missingsemester(2020)
Lecture 09. Security and Cryptography
Entropy
Suppose a password is chosen as a concatenation of four lower-case dictionary words, where each word is selected uniformly at random from a dictionary of size 100,000. An example of such a password is
correcthorsebatterystaple
. How many bits of entropy does this have?
In order to calculate the bits of entropy, we need to know how many possibilites there.
We can easily know the combinations count are $100000^4$ and the bits of entropy are $log_2 (100000^4)\approx 66\ bit$ 🤗
Consider an alternative scheme where a password is chosen as a sequence of 8 random alphanumeric characters (including both lower-case and upper-case letters). An example is
rg8Ql34g
. How many bits of entropy does this have?
We can calcaulte the bits of entropy are $log_2(62^8)\approx 47\ bit$ 🤗
Which is the stronger password?
Apprarenty, correcthorsebatterystaple
is the stronger one(its entropy is higher), which is kind of counter-intuitive. From a human perspective, rg8Ql34g
is harder to memorize 🤔.
Suppose an attacker can try guessing 10,000 passwords per second. On average, how long will it take to break each of the passwords?
correcthorsebatterystaple
: $100000^4/10000=10^{16}\ seconds\approx317097919\ years$ 🤧
rg8Ql34g
: $64^8/10000\approx892\ years$
Cryptographic hash functions
Download a Debian image from a mirror(e.g. from this Argentinean mirror). Cross-check the hash (e.g. using the
sha256sum
command) with the hash retrieved from the official Debian site (e.g. this file hosted atdebian.org
, if you’ve downloaded the linked file from the Argentinean mirror).
> shasum -a -256 debian-mac-11.2.0-amd64-netinst.iso
# 011f6754601985f46fcc670ce02faabcc8b5b8aadf51bc3d3fcfa3185b96b1df debian-mac-11.2.0-amd64-netinst.iso
# correct one
# 011f6754601985f46fcc670ce02faabcc8b5b8aadf51bc3d3fcfa3185b96b1df debian-mac-11.2.0-amd64-netinst.iso
# you can check them manually, or you do something like this
> diff <(shasum -a 256 debian-mac-11.2.0-amd64-netinst.iso) <(echo "011f6754601985f46fcc670ce02faabcc8b5b8aadf51bc3d3fcfa3185b96b1df debian-mac-11.2.0-amd64-netinst.iso")
Symmetric cryptography
Encrypt a file with AES encryption, usingOpenSSL:
openssl aes-256-cbc -salt -in {input filename} -out {output filename}
. Look at the contents usingcat
orhexdump
. Decrypt it withopenssl aes-256-cbc -d -in {input filename} -out {output filename}
and confirm that the contents match the original usingcmp
> echo "Hello world" >> sample.txt
> openssl aes-256-cbc -salt -in sample.txt -out sample.enc.txt
# I use `password` as my password
> cat sample.enc.txt
# Salted__n��siZ�>o;w>����k��.%
> openssl aes-256-cbc -d --in sample.enc.txt --out recover.txt
# Enter `password`
> cmp sample.txt recover.txt
- Set up SSH keys on a computer you have access to (not Athena, because Kerberos interacts weirdly with SSH keys). Make sure your private key is encrypted with a passphrase, so it is protected at rest.
- Set up GPG
- Send Anish an encrypted email (public key).
- Sign a Git commit with
git commit -S
or create a signed Git tag withgit tag -s
. Verify the signature on the commit withgit show --show-signature
or on the tag withgit tag -v
.
- I have tried this.
- Skip :)
- Skip :)
- Skip :)